More reasons not to use Biometrics
Back to biometric data: since November 23, 2023, when the Spanish Data Protection Agency (AEPD) published its Guide on the use of biometric data (e.g. fingerprints) for recording working hours or controlling access to facilities, many doubts have arisen about the use of biometric data by companies that had already been processing it.
On December 1st Business Adapter® wrote about this issue in order to shed light on the matter for our clients and readers, while at the same time resolving numerous queries prompted by the different interpretations that clients gave to the Guide, and noting an understandable disappointment, even a sense of powerlessness, at the answers given by our legal and consulting department.
We say understandable because in November 2023 the AEPD changed its interpretation: in a previous publication, specifically the Guide on labor relations of May 2021, the AEPD had based the lawfulness of processing biometric data on articles 20.3 and 34.9 of the Workers’ Statute. In other words, it legitimized companies to process biometric data on a very specific legal basis.
Once again we return to this issue to reconfirm our advice, after a new Resolution of the AEPD (PS/00170/2023) in which the Agency makes a meticulous analysis of the requirements that must be met to process biometric data, in this particular case for the registration of working hours.
Analysis of the Resolution for the use of biometrics
The case deals with a complaint filed before the AEPD by an employee against his company, due to the fact that he was asked to register his fingerprint for a clocking system.
Faced with the employee’s complaint, the AEPD required the company to submit its allegations, and the company defended itself as follows:
Biometric system used
The system implemented is not for identification, but for authentication/verification, as the system is configured to perform a 1:N fingerprint comparison.
There is no storage of the fingerprint, but a hash code is created.
Result of the Impact Assessment
The Impact Assessment (EIPD) states that the test of suitability, necessity and proportionality is passed because there is no other way of recording working hours that is 100% reliable: with the use of cards, anomalies had been observed (cards were lent to persons other than the cardholders), and since the fingerprints were not stored, there was no risk to the rights and freedoms of employees.
Information to employees
Regarding the information provided to employees about this fingerprinting system, an email was sent indicating that there was an update of the Data Protection Clause, which they had to accept. In this clause the only reference to the processing of biometric data is the following: “A fingerprint reader is installed for access to offices”.
AEPD’s position on the use of biometrics
Following the allegations submitted by the respondent company, the AEPD refutes them with the following arguments:
Biometric system used
Regarding whether the system used is for authentication or identification, the CEPD Guidelines 05/2022 on Facial Recognition Technologies make clear that both systems (identification and authentication) constitute processing of a special category of personal data; therefore, the regime established for special category data in the RGPD and LOPDGDD applies to the present case.
Regarding compliance with security measures, there is no evidence of either the process for deleting the fingerprint after capture or the separation of the workers’ personal data from the hash of the fingerprint.
Result of the Impact Assessment
In effect, no real Impact Assessment (EIPD) was performed, as the respondent claims that no special category data was being processed because the fingerprint was not stored. Therefore, the document prepared by the respondent cannot be accepted, since it does not contain the analysis of the processing of special category data. Nor does it pass the triple test of necessity, suitability and proportionality.
Information to employees
With respect to compliance with art. 13 RGPD, the information initially provided to workers did not meet the requirements of the regulation; so much so that the entity itself, after the AEPD’s request, modified and expanded it to include more information on the processing of the fingerprint, a legal basis different from the initial one (previously the employment contract, later a legal obligation), a retention period (4 years) and the right to lodge a complaint with the supervisory authority.
The AEPD resolves with sanction for the use of biometrics
In the Resolution published by the AEPD (PS/00170/2023) the following sanctions were imposed on the company:
100.000€
For not preparing a real Impact Assessment prior to the processing, which determines the technical and organizational measures to be implemented and that guarantee the rights and freedoms of workers, in breach of art. 35 of the RGPD.
75.000€
For not applying the necessary technical and organizational measures to guarantee the rights and freedoms of employees, in breach of art. 32 of the RGPD.
200.000€
For not applying the fundamental criteria on the information to be provided to employees, in breach of art. 13 of the GDPR.
As a consequence of all these circumstances, the supervisory body sanctioned the company with 365,000 euros.
Business Adapter® at your service
If you need help, contact us by email at info@businessadapter.es, or call 96 131 88 04.