GDPR Fine for Collecting Employees’ Biometric Data

725,000€ GDPR fine for processing sensitive personal information

On 30 April 2020, the Dutch Data Protection Authority decided to fine an unnamed organization for violating Article 9(1) of the General Data Protection Regulation, which governs the processing of special categories of personal data.

Since the unlawful processing of sensitive personal data implies serious consequences for the rights and freedoms of individuals, the proposed fine is set to 725,000€ (approximately 790,000 USD).

It is the highest fine issued by the Dutch DPA so far.

What happened?

To monitor its employees’ attendance and arrival times, the company used a time-management system that scanned employees’ fingerprints, thereby processing biometric data, which is considered sensitive personal data.

As you may already know, processing sensitive personal data is prohibited by the GDPR, with certain exemptions that were not applicable in this situation.

Article 9(1) of the GDPR states:

“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.”

Additionally, even if the processing is allowed under one of those exemptions, the GDPR imposes additional requirements on the processing of sensitive data, which the unnamed company did not meet.

The DPA’s investigation and decision

The Dutch DPA acted on an employee complaint and found that no records prove that employees gave explicit consent to have their fingerprints scanned, nor did employees receive proper information about how their sensitive personal data would be used.

At the same time, the fingerprints of employees who left the company were also not properly deleted. They were merely blocked in the company systems. In total, the company stored 1348 fingerprint templates of 337 employees.

Although Dutch law allows the processing of biometric data for identification purposes or security reasons, the Dutch DPA concluded that the processing of biometric data was disproportionate, meaning the company could have used less intrusive methods for authentication purposes.

The DPA also took issue with the fact that the unlawful fingerprint scanning lasted from January 2017 until November 2018 (well over five months into GDPR enforcement).

The DPA probably considered this ten-month violation a personal insult, since the fine was issued without prior warning, contrary to its usual practice.

The company’s defense

After the DPA’s visit, the company stopped fingerprint scanning and claimed that other, less intrusive methods for clocking in had been available to employees, and that fingerprint scanning was optional.

However, the employees stated otherwise, and consent from the employees who used the scanner was never collected.

Even if the company had collected consent, there is an imbalance of power in the employer-employee relationship. It is debatable whether an employee is ever truly free to refuse data processing imposed by the employer, for fear of repercussions (even if there aren’t really any).

The mere possibility that employees believe they may face consequences (even if it is just being frowned upon) can lead an employee to give consent.

This case supports that claim. In reality, a few employees who were unwilling to provide a scan were sent to talk to the company director, after which they handed over their fingerprint scan after all.

What we know so far is that the company will appeal the decision.

To sum things up…

The DPA defends a 725,000€ fine based on several serious violations of the GDPR:

  • lack of proper lawful basis
  • lack of additional organizational and technical measures for processing sensitive data
  • lack of data deletion orchestration
  • number of data subjects involved
  • duration of the violation
  • excessive collection of data…

As a company, you should always refrain from collecting excessive personal data, in accordance with the data minimization principle, especially when that data is considered sensitive and requires additional measures to be taken.

For many companies, this is very dangerous, since there is rarely a justifiable reason for such processing, and the end result could be a huge fine.

If other, less intrusive methods could do the same job, companies should always opt for an alternative.

In this case, attendance could have been monitored with methods that do not involve biometric data, such as badge scanners, and this fine could have been avoided. However, this fine is not yet final, and there could be an addition to the story soon.