PONT Data&Privacy
On the usefulness and necessity of a DPIA and sound advice

The Personal Data Authority (AP) has fined a company, whose name it has not (yet) disclosed, 725,000 euros for unlawfully fingerprinting its employees and using finger scans.

May 25, 2020

You probably know companies like this. Fairly large, in full swing and doing business. Constantly looking for new ways to improve processes, manage more tightly and, preferably, optimize profits. When someone has a good idea, dissent is difficult, or is not sought at all because the matter is simply treated as settled. So a seemingly good idea is acted upon immediately! No consultation of staff or of the works council (OR): that is just inconvenient. Informing employees? Well, surely they too will understand that introducing finger scans is simply convenient? And if someone does not agree, they can just ask the director for an exemption. So: let's get on with it.

The above sketch is not necessarily the truth, but reading the fine decision I do arrive at this picture. A supplier, who is ISO-certified, could implement this system. The supplier also knows the system, so it must be good. The nice part is that the defense is that the supplier did not warn about possible privacy issues. Nice and easy to blame someone else. See the passage:

"According to [VERTROUWELIJK], at no time did this vendor point out possible conflicts with (future) privacy regulations, and it trusted that this professional party would inform [VERTROUWELIJK] in case of changes. The AP finds that this circumstance does not absolve [VERTROUWELIJK]."

The AP is imposing a fine for violating Article 9(1) AVG, which covers the processing of special categories of personal data. Such processing is prohibited unless the law provides an exception that permits it. The AP gives a good explanation of why it is not permitted here. Among other things, the decision reads:

"Processing of biometric data could further be permitted if necessary for authentication or security purposes. This would require weighing whether identification through biometrics is necessary and proportionate for authentication or security purposes. The AP is of the opinion that the processing of biometric data in the context of (countering abuse in) time registration, attendance control and authorized use of equipment at [VERTROUWELIJK] is not necessary and proportionate. For the work at [VERTROUWELIJK], [VERTROUWELIJK], the need for security is not so high that employees must be able to gain access with biometrics and, to that end, these data are recorded to exercise access control. In addition, other, less intrusive ways can accomplish this as well. [VERTROUWELIJK] cannot therefore invoke the exception of Article 9(2)(g) AVG in conjunction with Article 29 UAVG with regard to the processing of fingerprints."

After which the AP proceeds to impose the fine.

What (else) goes wrong here?

In fact, this is a fine example of a company that is "not compliant," is probably not sufficiently aware of it itself (or consciously takes the risk...) AND does not get proper advice and, moreover, does not know what the rules are (I don't know that for sure, but what I do know for sure is that if any advice was given, it was not followed).

Utility and necessity of a DPIA

An internal or external privacy advisor would have known, even in 2017, that prior to any new processing you need to weigh up whether to conduct a PIA (Privacy Impact Assessment). Since May 25, 2018, this has been part of the AVG, in Article 35: the DPIA (Data Protection Impact Assessment). If the processing is 'high risk', you must conduct a DPIA before you start processing personal data. A DPIA examines and records the risks of the processing for the privacy of the data subjects and which management measures are appropriate for those risks. In this way, you can demonstrate that you comply with the AVG.

So how do you know if there is high-risk processing?

This is not always easy to determine, and it requires some knowledge of the AVG.

To determine whether you must conduct a DPIA, you test the proposed processing sequentially against:

Step 1: The text of Article 35(3) AVG.

Step 2: The AP's list of types of processing for which a DPIA is required.

Step 3: The WP29's nine criteria in the WP29 Guidelines for DPIAs.

Finally, you must always independently assess and justify whether or not there is high-risk processing. This is the main line; I will leave the further details of the DPIA aside for now.

The outcome may be: "yes, conduct a DPIA," or "no, it is not necessary."

To determine this, you must consider and record whether or not a DPIA is necessary prior to any processing of personal data. Really? Yes, really!

The fined company could easily have determined the need for a DPIA through this assessment, and would have found out on its own that good arguments are needed to support the necessity of using biometric (special) personal data, and that a proper weighing in terms of proportionality and subsidiarity is required.
