The Data Protection Authority in the Netherlands has imposed a financial penalty of €725,000 ($791,000) on a company for using fingerprint scans of its employees in its time and attendance register, without obtaining proper consent from its employees. The collection and use of employees’ biometric data was determined to be a violation of Article 9 of the General Data Protection Regulation (GDPR).
Biometric data is considered a special category of personal data which requires additional protections. The data can only be collected and used by a company if it is required for authentication for security purposes or if consent is obtained from the individuals concerned before the data is collected and processed.
The Dutch DPA determined that the company, the name of which was not disclosed in the ruling, had not met either of those requirements. The company was not using the data for authentication for security purposes and other methods could have been used to identify employees. The use of sensitive biometric data was not necessary and proportionate.
The company was unable to prove that explicit consent to process the data had been obtained from its employees. It was difficult to argue that consent had freely been given by employees, as several employees said that if they refused to provide their fingerprints a meeting was scheduled with the company director. Some employees also told the Dutch DPA that the provision of fingerprints was mandatory, so the consent was determined not to have been freely given.
“A fingerprint cannot be replaced, such as a password. If things go wrong, the impact can be huge and have a lifelong negative effect on someone. The relationship between employers and employees also generally prevents legal consent, which “must be unambiguous, specific, informed and free,” said the Dutch DPA Vice President, Monique Verdier.
This is not the first time that a GDPR fine has been issued to a company for using special category data without consent. Last year, the Swedish Data Protection Authority fined the state authority in Skelleftea 200,000 Swedish Krona ($20,700) for the use of facial recognition software in schools for monitoring attendance, when consent had not been obtained from students to collect and use their biometric data. In March 2020, a school in Poland had to pay a €4,600 ($5,200) for a similar GDPR violation.