Hefty penalty for scanning employees’ fingerprints

In a recent blog we reported on the risks of scanning staff's fingerprints. After the court reprimanded Manfield last summer for using fingerprint scans to access the tills (see our earlier post, Dutch only), HEMA decided at the end of last year to ban these scans. It had intended to roll out fingerprint scanning for punch clocks and tills in all of its stores.

The Dutch Data Protection Authority (DPA), the privacy watchdog in the Netherlands, reported in a news item (Dutch only) that it yesterday imposed a hefty fine of EUR 725,000 on a company for using fingerprint scanners. The company had been taking fingerprint scans of its employees for its attendance register and time records.

Ban on processing special personal data

A legal basis is required for the processing of personal data. The General Data Protection Regulation (GDPR) provides six – restrictive – legal bases, and processing is not permitted unless one of them applies. For so-called special personal data, which receives extra protection because of its sensitive nature, the GDPR is stricter still: processing is prohibited unless a specific legal ground for exception applies. A fingerprint is biometric data, and biometric data processed to uniquely identify an individual is special personal data.

According to the DPA, this protection is necessary because potentially irreparable damage can arise, for instance, through blackmail or identity fraud, if special personal data falls into the wrong hands. The DPA notes: ‘A fingerprint cannot be replaced, unlike a password. If something goes wrong, the impact can be huge and have a lifelong negative effect on the person concerned.’

No legal exception?

As noted above, special personal data may be processed only if a legal ground for exception applies. In this case, two such grounds could in principle apply: (i) the processing is necessary for authentication or security purposes (the security exception); or (ii) the employees have given their express consent to the use of their fingerprints. Express consent must be unambiguous, specific, informed and freely given.

According to the DPA, neither ground for exception applied in this case.

Necessary for security?

If a fingerprint scan is necessary for the employer's security, the employee may be obliged to cooperate. However, the DPA took the view that this was not the case at the company in question. Like the court in the Manfield case, it found that the availability of alternative security measures is decisive when assessing whether the processing of employee fingerprints is necessary for security. Because good alternatives are readily available, circumstances in which 'buildings and information systems must be so well secured that this cannot be done other than by using biometrics (alone)' will rarely arise, according to the DPA.

Express consent?

The second ground for exception also failed to apply. In an employment relationship, consent is almost never freely given, because the employee is in a position of dependence vis-à-vis the employer. Employees rarely withhold consent, for fear of losing their jobs or missing out on a salary increase. Quite apart from the fact that the company had failed to demonstrate that its employees had given express consent, the DPA noted that the employees had in fact felt obliged to have their fingerprints recorded.

The DPA has stated that the company has since lodged an objection against the decision. To be continued.

Eric van Dam (evd@clintlegal.com / +31 20 820 0330)