Before answering the main question, we have to remember that a time and attendance system using facial or fingerprint recognition will involve the processing of special category personal data, as biometric data is involved.
Recently, the Spanish Data Protection Agency (AEPD) sanctioned a company that used a facial recognition system to monitor workers’ working hours for failing to carry out a data protection impact assessment (DPIA) in accordance with Article 35 of the GDPR.
For its part, the offending company argued that, under the provisions of the aforementioned Article 35 of the GDPR, it was not obliged to carry out a DPIA. The AEPD replied by referring to the indicative list of types of processing that require a DPIA, drawn up by the Agency itself in accordance with the criteria of the Guidelines of the Article 29 Working Party, and pointed out that this list should not be considered exhaustive.
Although the list is not exhaustive, this case falls under several of the situations it envisages:
4. Processing operations involving the use of special categories of data referred to in Article 9(1) of the GDPR.
5. Processing operations involving the use of biometric data for the purpose of uniquely identifying a natural person.
6. Processing of data of vulnerable data subjects… (recall that employees are considered vulnerable data subjects, as set out in the aforementioned Guidelines).
The AEPD required the company to limit, temporarily or definitively and within a period of ten days, the processing carried out by the facial recognition system for the purpose of labour control until it had a valid DPIA that took into account the risks to the rights and freedoms of employees and the appropriate measures and guarantees for the processing. It also imposed a fine of 20,000 euros, which, after the reduction applied for voluntary payment, was finally set at 12,000 euros.
In addition to the aforementioned resolution by the AEPD, on 15 September the Alicante Social Court handed down a judgment finding that the company had violated the employee’s right to personal and family privacy and to their own image, ordering it to cease that conduct and to pay compensation for moral damages in the amount of 6,251 euros.
The aforementioned judgment makes clear the need to carry out a DPIA, stating that ‘biometric control systems, such as fingerprint and facial recognition systems, require a data protection impact assessment, the lack of which may lead to a financial penalty by the AEPD’. Furthermore, the Court reasons that ‘since biometric data can only be used if they are adequate, relevant and not excessive, this implies a strict assessment of the necessity and proportionality of the data processed and whether the intended purpose could be achieved in a less intrusive way’.
Therefore, if you want to implement a time and attendance or clocking-in mechanism with facial recognition or fingerprint recognition, remember that you must comply with the following:
Before implementing the time and attendance system
You must carry out a data protection impact assessment to evaluate both the legitimacy of the processing and its proportionality, as well as to determine the existing risks and the measures to mitigate them in accordance with Article 35 GDPR.
Once the DPIA has been carried out and the system has been implemented:
- It is advisable to offer an alternative to the facial or fingerprint recognition system, e.g. a card or a personal code.
- The processing must be adequate, relevant and not excessive and therefore biometric data that are not necessary for the purpose should be deleted.
- You must inform employees about the use of such systems. This information can be added to the annex given to the employee when signing the employment contract or, if the system is installed later, provided in a separate text containing the information required by Article 13 of the GDPR.
In summary, the implementation of clocking-in or time and attendance systems using facial recognition or fingerprinting entails significant data protection responsibilities. Ultimately, transparency, accountability and respect for workers’ rights must be the cornerstones when considering and deploying such systems in the workplace.
For more information, see the guide published by the AEPD on the use of biometric data for time and attendance and access control.
Article written by
Adriana Ranchal
Attorney – Privacy & IP
About Metricson
With offices in Barcelona, Madrid, Valencia and Seville and a significant international presence, Metricson is a pioneering firm in legal services for innovative and technology companies. Since its inception in 2009, it has advised more than 1,400 clients from 15 different countries, including startups, investors, large corporations, universities, institutions and governments.
If you would like to contact us, please do not hesitate to write to us at contacto@metricson.com. We look forward to talking to you!