The Personal Data Authority (AP) announced yesterday that it has imposed a €725,000 fine on a company that scans employee fingerprints for attendance and timekeeping purposes. According to the AP, the way this company used the fingerprints violates the AVG (the Dutch name for the GDPR). Why does this violate the AVG according to the AP, and why is the fine so high? You can read about that in this blog.
Scanning a fingerprint for security purposes constitutes processing of special personal data. The AVG gives that category of data extra protection because its processing involves high risks. The AVG therefore states that processing special personal data is in principle prohibited, unless there is a ground for exception. The AP identifies two possible grounds for exception in this matter, namely (i) explicit consent of the employee or (ii) necessity for authentication or security purposes.
Let us start with the employee's consent. Consent must (among other things) be freely and informedly given. In an employment relationship, giving free consent is in principle not possible because of the employee's dependence on the employer. In this case, the company did not demonstrate that the consent was validly obtained. Indeed, an employee stated that he had to account to the board for his refusal. So much for free consent. The employees in question were also insufficiently informed about the processing. Thus, the fined company could not rely on consent as a ground for exception.
According to the AP, the exception for necessity for authentication or security purposes does not apply here either. The company failed to demonstrate that there was a need to process the biometric data and that this processing was proportionate. In addition, sufficient alternative security options were available. This makes fingerprint scanning unnecessary, according to the AP.
The nature, severity, duration and culpability of the violation determine the level of the fine. In this case, special personal data was processed unlawfully for more than 10 months, without adequate disclosure and without the free consent of the employees. This is a serious violation of the AVG, according to the AP.
The fact that the supplier of the fingerprint scanning equipment did not warn about the AVG is irrelevant, according to the AP, because it is the company's own obligation to investigate whether the system complies with the AVG, whether or not it seeks legal advice to do so.
With this fine decision, the AP has imposed its highest fine to date under the AVG. This emphasizes the importance of protecting special personal data. With this decision, the AP also makes clear that a security system using biometric data is only allowed in exceptional cases, such as at a nuclear power plant. Which kinds of companies besides nuclear power plants are indeed allowed to use such a system remains unclear. The AP is perfectly clear about one thing: the system is not allowed at a repair shop garage.