Company fined for processing employees’ fingerprint data
Employees of a company were required to have their fingerprints scanned for time and attendance registration. Following an investigation, the Dutch Data Protection Authority (DPA) concluded that the company was not authorised to process its employees’ fingerprint data. The company was not entitled to invoke an exemption for processing sensitive personal data and has been fined €725,000.
Sensitive personal data
Biometric data, such as fingerprints, is a special category of personal data (‘sensitive personal data’). Organisations are not allowed to use sensitive personal data unless the law provides for an exemption.
In the words of DPA deputy chair Monique Verdier, ‘This category of personal data has extra protections under the law. If sensitive personal data falls into the wrong hands, this can lead to irreparable harm, such as blackmail or identity fraud. A fingerprint isn't like a password - it can't be replaced. If something goes wrong, the impact on the person concerned can be enormous and cause lifelong problems.’
There are two possible exemptions to the prohibition against using fingerprint data that could have applied in this case: if the data subjects were asked to give their explicit consent or if the use of biometric data was necessary for authentication or security purposes.
The DPA concluded that the company was not entitled to invoke either of these two exemptions in order to capture, store and use its employees’ fingerprints.
An employer may ask an employee to give a fingerprint for access control, for example. Depending on whether it is necessary to process fingerprints for authentication or security purposes, employees may or may not be required to give a fingerprint.
The employer must determine whether its security needs are such that buildings and information systems can only be secured using biometric data. In many cases, this is not necessary because there are good alternatives.
In principle, employers are not allowed to ask their employees to consent to their fingerprints being processed. Since employees are dependent on their employers, they are often not in a position to refuse consent.
Privacy law imposes strict requirements for asking for explicit consent. Consent must be unambiguous, specific, informed and freely given.
The company in question failed to demonstrate that its employees had given explicit consent. In addition, the employees believed that they were required to allow their employer to record their fingerprint data.
The company has lodged an objection to the DPA's decision. The DPA is prevented by court order from disclosing the name of the company.