Under the EU General Data Protection Regulation (GDPR), biometric data is considered special category data, which requires more stringent conditions for processing. Fingerprints are an example of biometric data, and employers need to consider carefully how and where they use such data.
When processing any personal data, an organisation needs to have legal grounds for doing so. And, in the case of special category data such as fingerprints, an additional Article 9 Condition must be applied.
A company in Holland, who used fingerprints inappropriately to monitor their employee’s attendance and time registration, was recently fined E750,000.
The company had obtained Consent from its employees, but under the GDPR Consent must be freely given, which means that the individuals must be allowed to refuse to give Consent. Because there is a significant imbalance in power between an employer and an employee, it can be difficult for employers to demonstrate that employees have been given an genuine opportunity to refuse Consent.
In this case, some employees had felt obliged to give Consent, so the Dutch DPA found that the company did not have valid legal grounds to process the data for this purpose.
Though there may be an appeal, this illustrates the seriousness of processing special category data in a way that is not considered unnecessary or disproportionate.
If you have any questions about biometric data or data protection in general, please contact us via email firstname.lastname@example.org or call 01787 277742.
Victoria Tuffill, 25th May, 2020