{"id":16554,"date":"2023-12-01T14:45:30","date_gmt":"2023-12-01T14:45:30","guid":{"rendered":"https:\/\/businessadapter.es\/biometrics-for-workday-and-safety-registration\/"},"modified":"2024-12-11T10:44:38","modified_gmt":"2024-12-11T10:44:38","slug":"biometrics-for-workday-and-safety-registration","status":"publish","type":"post","link":"https:\/\/businessadapter.es\/en\/biometrics-for-workday-and-safety-registration\/","title":{"rendered":"Biometrics for workday and safety registration"},"content":{"rendered":"\n

Biometrics for workday and safety registration<\/strong><\/span><\/h1>\n

The use of Biometrics for workday and access control<\/strong>is on everyone’s lips due to the publication, last November 23rd, of the “.Guidance on the use of biometric data for time and attendance and access control<\/a>“elaborated by the AEPD<\/a>The new criteria for the use of this type of personal data, which are commonly used for the registration of working hours and the security control of access to facilities, are set out and thus comply with the requirements established in the data protection regulations (GDPR 679\/2016<\/a>).<\/p>\n

Biometrics: high risk data<\/strong><\/span><\/h2>\n

Recall that Article 4(14) of the GDPR<\/a> identifies biometric data as personal data obtained from specific technical processing, relating to the physical, physiological or behavioral characteristics of a natural person that allow or confirm the unique identification of that person, such as facial images or dactyloscopic data.<\/p>\n

Through biometric data (e.g. fingerprint or facial recognition) we can uniquely and unequivocally identify a person, hence the high risk that its processing entails for fundamental rights and freedoms.\"\"<\/a> the fundamental rights and freedoms of individuals.<\/p>\n

Also, biometric data are considered special category<\/a> according to Article 9 of the GDPR<\/a>, their processing considered high risk and prohibited except in the cases set out in Article 9.2 a) and b) of the GDPR<\/a>, ie: <\/p>\n

1. La persona trabajadora de su consentimiento expl\u00edcito para el tratamiento de sus datos biom\u00e9tricos. <\/p>\n

2. Cuando el tratamiento de datos biom\u00e9tricos es necesario para el cumplimiento de una obligaci\u00f3n legal. <\/p>\n

With this it could be understood that if the company requests authorization to the worker to treat his biometric data and also informs him that such treatment is necessary to comply with an obligation of the company, (the mandatory record of working hours), we would be complying with the provisions of the aforementioned articles 9.2 a) and b), but the conclusion of the AEPD exposed in the new Guide to biometrics<\/a>, determines that this is NOT so and that this is not enough.<\/strong> We explain why: <\/p>\n

The employee’s signature alone is insufficient:<\/strong><\/h3>\n

Consent alone will not be sufficient, because the AEPD considers that there is a situation of disadvantage of the worker against the employer, where if the processing of biometric data is not accepted, the worker may compromise his employment situation.<\/p>\n

Comply with the obligation to keep the workday record:<\/strong><\/h3>\n

The AEPD understands that the company’s obligation to comply with article 34.9 of the Workers’ Statute, which requires it to keep a record of each worker’s working day, does not necessarily imply that this must be done using biometric data, since there is no regulation in the Spanish legal system with the rank of law that explicitly provides for the processing of biometric data for this purpose, and also determines that this record can be made by other less intrusive means.<\/p>\n

Here there is a change of interpretation by the AEPD, in relation to what was stated in the Guide “Data Protection in Labor Relations<\/a>” of May 2021, where the lawfulness was based on compliance with articles 20.3 and 34.9 of the Workers’ Statute.<\/p>\n

Requirements for using biometrics<\/strong><\/span><\/h2>\n

So we are facing a new situation and biometric data can only be processed if the following assumptions are met:<\/p>\n

Lawfulness of treatment:<\/strong><\/h3>\n

If the processing is not lawful, it is impossible to carry it out. In other words, it is necessary to lift the prohibition and this could be carried out by means of a truly free consent that allows the person to decide on the use of his biometric data or to opt for another alternative, after informing the worker clearly about the high risks involved in the processing of biometric data. <\/p>\n

Another possibility that would make the processing lawful would be for collective labor agreements to provide for the recording of working hours or access control through the use of biometric data.<\/p>\n

Choice of biometric system<\/h3>\n

Once the essential step of legality has been overcome, it is necessary to choose a system that guarantees the rights and freedoms of the users of the biometric system and something that could help in this choice will be to ask the supplier or manufacturer to provide its own Impact Assessment of the system to be implemented by the responsible party and that this system certifies that the biometric reader system complies with at least the following:<\/p>\n

Organizational measures<\/h5>\n