Biometrics for workday and safety registration
The use of biometrics for workday and access control is on everyone's lips due to the publication, last November 23rd, of the "Guidance on the use of biometric data for time and attendance and access control" prepared by the AEPD. It sets out the new criteria for the use of this type of personal data, commonly used for the registration of working hours and for security control of access to facilities, so that such processing complies with the requirements established in the data protection regulations (GDPR 679/2016).
Biometrics: high risk data
Recall that Article 4(14) of the GDPR identifies biometric data as personal data obtained from specific technical processing, relating to the physical, physiological or behavioral characteristics of a natural person that allow or confirm the unique identification of that person, such as facial images or dactyloscopic data.
Through biometric data (e.g. fingerprint or facial recognition) we can uniquely and unequivocally identify a person, hence the high risk that its processing entails for the fundamental rights and freedoms of individuals.
Biometric data are also a special category of data according to Article 9 of the GDPR: their processing is considered high risk and is prohibited except in the cases set out in Article 9.2 a) and b) of the GDPR, i.e.:
1. The worker gives explicit consent to the processing of their biometric data.
2. When the processing of biometric data is necessary for compliance with a legal obligation.
From this it could be understood that if the company asks the worker for authorization to process their biometric data and also informs them that such processing is necessary to comply with an obligation of the company (the mandatory record of working hours), it would be complying with the aforementioned Articles 9.2 a) and b). However, the conclusion of the AEPD set out in the new biometrics guide is that this is NOT so and that this is not enough. We explain why:
The employee’s signature alone is insufficient:
Consent alone will not be sufficient, because the AEPD considers that the worker is in a position of disadvantage with respect to the employer: if the worker does not accept the processing of biometric data, they may compromise their employment situation.
Comply with the obligation to keep the workday record:
The AEPD understands that the company's obligation to comply with Article 34.9 of the Workers' Statute, which requires it to keep a record of each worker's working day, does not necessarily imply that this must be done using biometric data, since there is no rule in the Spanish legal system with the rank of law that explicitly provides for the processing of biometric data for this purpose; it also determines that this record can be kept by other, less intrusive means.
Here there is a change of interpretation by the AEPD, in relation to what was stated in the Guide “Data Protection in Labor Relations” of May 2021, where the lawfulness was based on compliance with articles 20.3 and 34.9 of the Workers’ Statute.
Requirements for using biometrics
So we are facing a new situation, and biometric data can only be processed if the following conditions are met:
Lawfulness of processing:
If the processing is not lawful, it cannot be carried out. In other words, the prohibition must be lifted, and this could be achieved by means of a truly free consent that allows the person to decide on the use of their biometric data or to opt for another alternative, after the worker has been clearly informed about the high risks involved in the processing of biometric data.
Another possibility that would make the processing lawful would be for collective labor agreements to provide for the recording of working hours or access control through the use of biometric data.
Choice of biometric system
Once the essential step of lawfulness has been overcome, it is necessary to choose a system that guarantees the rights and freedoms of the users of the biometric system. One thing that could help in this choice is to ask the supplier or manufacturer to provide its own Impact Assessment of the system to be implemented by the controller, and to certify that the biometric reader system complies with at least the following:
Organizational measures
- That such a system can revoke the identity link between the biometric template and the natural person.
- Delete biometric data when they are no longer related to the purpose for which they were collected.
- Minimization of biometric data, processing only what is necessary and without additional data.
- That the system is contemplated and authorized by the collective bargaining agreements and that it complies with the set of guarantees in relation to these treatments.
Technical measures
- That it has guarantees that prevent the use of biometric templates for any purpose other than the registration of the working day as a control measure and access control as a security measure.
- Encrypt the biometric data information, guaranteeing its confidentiality, as well as its availability and integrity.
- Use technologies that prevent the interconnection of biometric databases.
- Periodic review of the systems, as well as their updates.
- If Artificial Intelligence is used in biometric systems, they must comply with industry standards, such as the future European Regulation on Artificial Intelligence.
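As an added illustration (not from the AEPD guide or any vendor) of how the first, second and sixth of these measures can be built into a biometric store, the following Python sketch files each template under a keyed, purpose-bound pseudonym rather than the worker's identity. It assumes the per-system link key is held outside the store (e.g. in an HSM or KMS) and that the template bytes are additionally encrypted at rest, which is not shown; deleting the key revokes the link to the natural person, and separate keys per purpose keep two databases from being joined on a common identifier.

```python
import hmac
import hashlib
import secrets
from typing import Optional


class BiometricStore:
    """One biometric database bound to a single purpose (e.g. time registration).

    Templates are filed under an HMAC pseudonym of the worker, never under the
    worker's name or ID. The link key is assumed to live in an HSM/KMS (not
    shown); destroying it revokes the link template <-> natural person.
    """

    def __init__(self, purpose: str) -> None:
        self.purpose = purpose
        self._link_key: Optional[bytes] = secrets.token_bytes(32)
        self._templates: dict[str, bytes] = {}  # pseudonym -> template

    def pseudonym(self, worker_id: str) -> str:
        """Keyed, purpose-bound pseudonym; fails closed once the link is revoked."""
        if self._link_key is None:
            raise RuntimeError("identity link revoked: templates no longer attributable")
        msg = f"{self.purpose}:{worker_id}".encode()
        return hmac.new(self._link_key, msg, hashlib.sha256).hexdigest()

    def enrol(self, worker_id: str, template: bytes) -> None:
        # Only the template itself is stored (minimisation): no name, role, etc.
        self._templates[self.pseudonym(worker_id)] = template

    def lookup(self, worker_id: str) -> Optional[bytes]:
        return self._templates.get(self.pseudonym(worker_id))

    def revoke_link(self) -> None:
        """Destroy the link key: stored templates can no longer be tied to a person."""
        self._link_key = None

    def purge(self) -> int:
        """Delete everything once the purpose ends; returns number of records removed."""
        removed = len(self._templates)
        self._templates.clear()
        self.revoke_link()
        return removed


def cross_linkable(a: BiometricStore, b: BiometricStore, worker_id: str) -> bool:
    """True if two databases could be joined on this worker's stored identifier."""
    return a.pseudonym(worker_id) == b.pseudonym(worker_id)
```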
Conduct an Impact Assessment:
Having overcome the above, the controller must prepare an Impact Assessment (EIPD), which must yield a favorable result after analyzing the risks of processing biometric data and must demonstrate the necessity, suitability and proportionality of the system to be implemented.
This means that the data controller must be able to justify and document that there is no other less intrusive measure for the desired purpose (recording of working hours), thus overcoming the requirement of necessity, and that the processing of biometric data is suitable for the intended purpose and that it is proportional, since it generates more benefits than disadvantages for the data subjects.
Do I remove the biometric readers?
As we have seen, implementing a workday registration or access control system through the use of biometric data implies assuming significant risks and legal implications, which must be addressed with guarantees in order to avoid sanctions, and these must be weighed when deciding whether its use is worthwhile.
If you need personalized advice, contact your consultant or request advice by email at info@businessadapter.es; you can also call 96 131 88 04.