Biometric time and attendance systems restricted by European data protection rules, Dutch authority issues fine

Biometric time and attendance tracking of employees through a fingerprint-based system has been ruled illegal in Germany unless exceptional circumstances make it necessary, according to a court decision covered by Lexology.

The court ordered a pair of warnings issued to an employee who refused to use the biometric system be struck from the person’s employment file, as the system was not being used in compliance with the relevant data protection law. As the employee had not given consent or signed a contract specifying the use of the system, the labor court reviewed the system’s legality under the European Union’s General Data Protection Rule (GDPR) and the German Federal Data Protection Act.

The criteria established by the court for the use of a biometric employee tracking system includes a history of misuse of a previous manual system at the workplace, a significant risk of misuse of a different type of system if introduced, and past misrepresentations by the employee of his or her working hours. As a general rule, the more past time recording abuse there has been, and the less effective other measures of preventing future abuses would be, the stronger the legal case for special circumstances becomes.

The article also notes that consent by employees could be challenged on the grounds that it does not meet the standard for being truly voluntary.

Dutch authority issues fine

The Dutch Data Protection Authority, meanwhile, has levied a €725,000 (roughly US$791,000) fine against a company for scanning its employee’s biometrics with a fingerprint time and attendance system.

The Autoriteit Persoonsgegevens ruled that the company did not establish the exceptional grounds for the system’s implementation which would have provided a legal basis for its use.

Exceptions to the prohibition against the use of fingerprints or other biometrics for employee tracking are cases of explicit consent, or necessity for security purposes, according to the authority’s announcement. The latter reason is only acceptable if biometrics collection is necessitated by the inadequacy of other measures, and the authority notes that good alternatives will be available in many cases.

“This category of personal data is extra protected by law. If these data get into the wrong hands, this could potentially lead to irreparable damage. Such as blackmail or identity fraud,” comments AP Vice President Monique Verdier, per Google translation. “A fingerprint cannot be replaced, such as a password. If things go wrong, the impact can be huge and have a lifelong negative effect on someone.”

The relationship between employers and employees also generally prevents legal consent, which “must be unambiguous, specific, informed and free.”

The organization fined has not been identified by the regulator.

France’s CNIL set rules for biometric time and attendance systems for employees a year ago.

Article Topics

biometric data  |  biometrics  |  data protection  |  Dutch Data Protection Authority  |  Europe  |  fingerprint biometrics  |  legislation  |  time and attendance