In a recent decision, the Litigation Chamber of the Belgian Data Protection Authority (DPA) indicated that it is unlikely that valid consent to the processing of biometric data can be given in the context of an employment relationship.
The employee in this case was first employed as a temporary worker and then as an employee of the employer. The employer used a time recording system based on fingerprints. The provider of the system was a subsidiary of a group headquartered in Japan. The employee feared a violation of the GDPR, in particular because of the risk of data being transferred to a non-EU country where data protection rules are less stringent.
Processing of biometric data
Biometric data are personal data resulting from specific technical processing of a person's physical, physiological or behavioural characteristics, on the basis of which that person can be identified, such as facial images or fingerprint data. This is a special category of personal data within the meaning of the GDPR, which benefits from enhanced protection.
The Litigation Chamber confirmed in its decision that when processing special categories of personal data, the controller must have both a legal basis and a ground for exception.
No valid consent
The employer invoked several legal bases during the proceedings, but ultimately argued that the processing was allowed based on the workers' consent. The Litigation Chamber examined whether this consent had been validly obtained and found that this was not the case, in particular for the following reasons:
- No ‘informed’ consent: the information about the fingerprint system was only provided upon entry into service by means of a welcome brochure. (It was only subsequently included in the company's work regulations.) The Litigation Chamber held that the welcome brochure contained insufficient information regarding the use of fingerprints. The work regulations subsequently contained sufficient information, but it was too late because the employee had already filed the complaint. Consequently, the employees were not properly informed about the processing of their personal data at the time they gave consent.
- No ‘clear’ consent: although the workers signed the work regulations and the welcome brochure, the Litigation Chamber held that this did not constitute clear consent regarding the processing of their personal data. Further, the employer claimed that workers had the option of requesting an alternative system for recording working time, but the Litigation Chamber found that this option was not explicitly mentioned anywhere at the time of the system's implementation.
- No ‘free’ consent: the workers' consent was not considered free because there were negative consequences for not consenting. For example, the welcome brochure explicitly stated that workers' remuneration was based on ‘tics’. In addition, the work regulations made the use of the working time recording system mandatory for all workers and provided for sanctions in the event of non-compliance. The recording of working time by means of fingerprints was also the only means of recording working time in force at the employer. Workers could therefore not refuse to use this system without negative consequences.
The employer argued that no objection had been raised by other workers and that this non-opposition demonstrated that consent had been freely given. However, the Litigation Chamber rejected this argument. It held, in line with the European Data Protection Board guidelines on consent, that the imbalance of power between the employer and the worker makes free consent very difficult in a work context. Employees, due to their dependent position, are less likely to object to an obligation imposed by their employer. It can be inferred that the Litigation Chamber does not de facto exclude consent as a legal basis in an employment relationship, but that it interprets the notion of consent quite strictly in this context.
Purpose
The Litigation Chamber also noted that the purposes of the working time recording system were not always indicated in the available documentation. The purposes should be determined and disclosed before collecting the data. The other purposes invoked by the employer before the Litigation Chamber were only added later.
Minimal data processing
In its defence, the employer invoked the high security requirements of its customers. In order to obtain certain certifications, it would have to meet very restrictive conditions, which led it to use the system of recording working time by means of fingerprints. However, this did not convince the Litigation Chamber.
The Litigation Chamber stated that there were many alternatives to biometric recording of working time which could achieve the desired purposes with less interference with workers' privacy, such as time clocks, dedicated staff cards or access codes. It therefore held that the processing of fingerprints was not necessary to achieve the desired purposes. It stressed, however, that the use of biometric data could be permitted when less stringent measures are not sufficient, for example in areas where security is particularly important (e.g. the handling of foodstuffs or dangerous substances), and noted that this was not the case here.
Data Protection Impact Assessment
The Litigation Chamber held that the use of biometric data for the recording of workers' working time was likely to give rise to a significant risk to the rights and freedoms of the data subjects, and that a Data Protection Impact Assessment was therefore mandatory. The employer should have carried out this analysis before starting the processing of biometric data. By failing to do so, the employer violated the GDPR.
Sanction
The employer was fined EUR 45,000 for the above-mentioned offences, as well as for other offences.
Takeaway for employers
Employers should exercise caution when processing employees' biometric data (such as fingerprints). Only in exceptional cases will the consent given by an employee be accepted as a legal basis for processing such data. In addition, the principles of purpose limitation and minimal data processing must be respected, and a data protection impact assessment will be necessary.