GDPR: The next day: Biometric data and employment
The GDPR has been in place since May 25, 2018, and every day we reveal that adjusting to its requirements affects the philosophy and operation of a business. One such issue is the entry – control of employees by taking biometric data (e.g. fingerprints). Why is that so? Because while I can “clock on, on behalf of my colleague” so that my colleague “has a little bit more of morning sleep”, I cannot deceive the smart machine that “reads the fingerprints or the iris”. The GDPR sets strict barriers to such choices.
Pursuant to Article 9 par.1 of the Regulation, the processing of biometric data is generally forbidden for the purpose of undeniably identifying a person. Such processing is permitted, exceptionally, with the explicit consent of the Subject and in any case in accordance with the consensus guidelines No. 259 / 28.11.2017, adopted by the European Data Protection Board. It is a crystallized position of the Working Party 29 that there can be no question of free consent in the case of a “power imbalance”, as is the case for the employer-employee relationship.
Already since the application of Law 2472/1997, the Data Protection Authority has issued decisions on the processing of biometric data in the workplace. In these decisions, the position of the Greek Authority is developed that such processing is not necessary to achieve the employees’ time schedule compliance monitoring. As a result, such records constitute an excess, the abusive nature of which is not waived by any employee’s consent.
The Decision 56/2009 of the DPA in a relevant case, is Indicative of the scope of the exception. According to this decision, the Authority did not find it illegal to use fingerprint recognition equipment because it concerned specific employees who would have special access to a particular site, which could be classified as the highest security due to compliance with “Certification Authority Keys” namely on the basis of the public interest. In fact, this decision deals with the issue in terms of authorization, substance, and legitimacy and not technical, as the specifications had already been met: (a) data encryption, (b) non-maintenance of data, and (c) non-connection to a central system.
The decision 50/2007 is indicative of DPA’s consistent position
The Decision 50/2007 for another case is indicative of the Authority’s consistent position. Although the company’s argument was based on the fact that “the system is based on the method of finger’s geometry and the data collected from it are recorded and stored in a file that is encrypted while fingerprints are neither collected nor stored”, the DPA has overtaken the specific arguments and insisted that “the introduction and use of biometric data is a processing of personal data of employees which is not necessary for the purposes of monitoring the entry and/ or exit to premises/buildings and observance of their entering and leaving hours and is therefore illegal”.
Ultimately, receiving biometric data at a working environment is only possible by way of exception. Balancing the needs of the company and the requirements of the Regulation undoubtedly leads to choices that will also prevent the company from being harmed and employees’ rights not be affected.
P.S. A brief version of this article has been published in Greek in MAKEDONIA Newspaper (February 24, 2019).