Company fined for processing employees' fingerprint data

Summary

An unnamed company scanned the fingerprints of employees in order to monitor attendance and absence. The scanning machines calculated a template of the fingerprint and stored it as a text file.

The fingerprint templates were recorded at the beginning of 2017 and were still stored in 2019. This included employees that had resigned from the company.

There was no documentation of any policies or procedures relating to employee consent, either permitting or refusing the recording or storage of fingerprints.

The company argued that the supplier of the scanning system should have pointed out the GDPR violation, but this argument was found to be irrelevant by the Dutch DPA.

The decision of the Dutch DPA

The Dutch DPA imposed a fine of 725,000 EUR on the unnamed company for processing biometric data in the form of fingerprints for the purpose of monitoring absence (GDPR, Article 9(1)).

Our remarks

Monitoring measures

• A consideration when implementing measures to monitor employees is that this should always be done in the least impactful manner. In this case, both attendance and absence could have been monitored by using a chip or keycard, resulting in the employer refraining from processing any sensitive data.

• The use of biometric data for access monitoring is only suitable when unauthorized access can have major negative consequences. This is, for example, the case when monitoring access to high-security facilities like nuclear power plants.

Consent as a legal basis in employment

• An employer should think twice before using consent as a legal basis for processing personal data about their employees. It is difficult to obtain consent that is freely given due to the inequality between employees and employers. In some cases, the legal basis for these processing activities can be a legitimate interest if the employer can justify the purpose of the processing.

• If an employer decides to use the consent of employees as a legal basis, policies or procedures for how the consent is obtained and recorded should be provided/readily available. To ensure that consent is freely given, it is necessary that the employee does not suffer any negative consequences by refusing to consent.

Accountability

• A data controller cannot put the responsibility on suppliers when it comes to the choice of measure to achieve a purpose. It will always be the data controller's responsibility to ensure compliance with the services they use.

Published: 09-04-2021, Journal number: N/A, Tags: 02 Right of access and obligation to provide information
Published: 30-04-2020, Journal number: N/A, Tags: 01 Legal basis and principles of processing

Complycloud EU GDPR Report, page 21