725,000€ GDPR fine for processing sensitive personal information

On 30 April 2020, the Dutch Data Protection Authority (“Autoriteit Persoonsgegevens”) issued a decision to fine an unnamed organization for the violation of Article 9(1) of the GDPR (General Data Protection Regulation), which concerns the processing of special categories of personal data.

Since the unlawful processing of sensitive personal data implies serious consequences for the rights and freedoms of individuals, the proposed fine is set to 725,000€ (approximately 790,000 USD), and is the highest fine issued by the Dutch DPA so far.

What happened?

In order to keep a better eye on the attendance and arrival times of its employees, the company used a time-management system that scanned employees’ fingerprints, and was therefore processing biometric data, which is considered sensitive personal data.

As you may already know, processing sensitive personal data is prohibited by the GDPR, with certain exemptions that were obviously not applicable in this situation.

Article 9(1) of the GDPR states:

“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.”

Additionally, even if the processing is allowed under one of those exemptions, the GDPR imposes additional requirements that apply to the processing of sensitive data, which the unnamed company did not meet.


The DPA’s investigation and decision

The Dutch DPA acted on an employee complaint and found that there were no records proving that employees had given explicit consent to have their fingerprints scanned, nor had employees received proper information about how their sensitive personal data would be used.

At the same time, the fingerprints of employees who had left the company were not properly deleted either; they were merely blocked in the company’s systems. In total, the company stored 1348 fingerprint templates of 337 employees.

Although Dutch law allows the processing of biometric data for identification purposes or security reasons, the Dutch DPA concluded that the processing of biometric data was disproportionate, meaning the company could have used less intrusive methods for authentication purposes.

The DPA also took issue with the fact that the unlawful fingerprint scanning lasted from January 2017 until November 2018 (well over 5 months into GDPR enforcement).

The DPA probably considered this ten-month violation a personal insult, since the fine was issued with no prior warning, contrary to its usual practice.

Company’s defense

After the DPA’s visit, the company stopped fingerprint scanning and clarified that other, less intrusive methods for clocking in had been available to the employees, and that the fingerprint scanning was optional.

However, the employees stated otherwise, and consent from the employees who used the scanner was never collected.

Even if the company had collected consent, there is also an uneven distribution of power in an employer-employee relationship, and it is debated whether an employee is ever truly free to say no to data processing imposed by the employer, for fear of repercussions (even if there aren’t really any).

The sheer possibility of an employee thinking he or she may face certain consequences (even if it is just being frowned upon) can lead to that employee giving consent.

This case also supports that claim. In reality, a few employees who were unwilling to provide the scan were sent to talk to the company director, after which they provided their fingerprint scan after all.

What we know so far is that the company will appeal the decision.


To sum things up…

The DPA defends the 725,000€ fine based on several serious violations of the GDPR:

• lack of proper lawful basis
• lack of additional organizational and technical measures for processing sensitive data
• lack of data deletion orchestration
• number of data subjects involved
• duration of the violation
• excessive collection of data…

As a company, you should always refrain from collecting any excessive personal data, in accordance with the data minimization principle, especially when that data is considered to be sensitive and requires additional measures to be taken.

For many companies, this is very dangerous ground, since there is rarely a justifiable reason for such processing and the end result could be a huge fine.

If there are other, less intrusive methods that could do the same job, companies should always opt for an alternative.

In this case, attendance could have been monitored with methods that do not involve biometric data, such as badge scanners, and this fine could have been avoided. However, the fine is not yet final, and there could be an addition to the story soon.