At the end of 2019, Dutch department store chain HEMA announced it was going to stop using fingerprints for its time clocks and sales registers. HEMA had been planning to introduce this fast and reliable method of identification in all its shops. It decided to cancel the entire operation, however, because it was contrary to European privacy law as set out in the General Data Protection Regulation (GDPR).
HEMA was not the first retailer in the Netherlands to do away with its fingerprint scanners. The shoe chain Manfield had been forced to do so after the District Court of Amsterdam ruled that its authorisation system, which used fingerprint scanning to enable access to sales registers, was in breach of the GDPR.
Fingerprint scanning is reliable, but is it allowed?
According to the District Court, fingerprints are biometric data that can be used to identify individuals. Biometric data processed for the purpose of uniquely identifying a person are classified as special personal data. Given their sensitive nature, such data enjoy heightened protection: the GDPR prohibits the processing of special personal data altogether, apart from a limited number of statutory exceptions.
The District Court ruled that no such exception applied because, according to the Explanatory Memorandum on which the court relied, both of the following preconditions had to be met:
- Identification using biometric data has to be necessary for authentication or security purposes. The employer has to consider whether its buildings and information systems require security to such an extent that biometric data is needed for this purpose. For instance, access to a nuclear power station should be (very) limited.
- The processing has to be proportionate to the intrusion into the individual's privacy. The security requirements for gaining access to a repair company's garage, for example, must not be such that employees can only gain access using biometric data, with such data being stored for that purpose. However, biometric data can sometimes provide an important means of security. One example is an information system that contains a substantial amount of personal data and must be able to withstand unlawful access, including by employees.
A legitimate interest?
Any processing of personal data requires a statutory basis. The GDPR provides six exhaustive bases, one of which is that the controller has a legitimate interest. For special personal data such as fingerprints, however, a basis alone is not enough: the processing must also fall within one of the exceptions to the prohibition described above. Manfield invoked its business interest and referred to a number of instances of fraud that had recently been committed by its own employees. Its previous system of login codes had allegedly been too easy to circumvent and did not enable thefts to be traced to the offenders. The District Court made short work of that argument. Although it understood that Manfield wanted to take action to prevent lost turnover, that interest was not "necessary for authentication or security purposes."
The District Court also held that the use of fingerprint scans was not a proportionate response, given that Manfield had not installed any other security measures in its shops: it had no camera surveillance or alarm gates at shop entrances, nor did it provide staff with lockers.
Finally, Manfield argued, to no avail, that fingerprint scanning was needed to protect sensitive information that was accessible via its sales registers. According to the District Court, Manfield had not adequately investigated possible alternatives, such as access cards, employee passes and/or numerical codes, used in combination or separately.
In a nutshell, Manfield did not have the right to require its personnel to use a fingerprint scanning authorisation system because doing so breached privacy legislation.
What is notable is that HEMA was planning to issue its employees a form requesting consent to use their fingerprints. Consent is also a statutory basis for processing, but it has to be freely given, specific, informed and unambiguous. It is almost never given freely in employment relationships, and the European privacy supervisory authorities now agree on that point. Given that employees are in a dependent position in relation to their employers, they will not readily withhold their consent for fear of repercussions, such as their employment contracts not being extended or their being passed over for a promotion or a salary increase.
Employers would therefore be wise to bear in mind the rule of thumb that, in the employment context, consent does not constitute valid grounds for processing under the GDPR.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.