AP imposes GDPR fine for processing biometric data without a demonstrated authentication or security need

Written on 7 May 2020

The Dutch Data Protection Authority (AP) has imposed an administrative fine of €725,000 on an unnamed Dutch organisation for unlawfully processing employee fingerprint data. The AP concluded that the organisation did not demonstrate that it had an authentication or security need to process employee fingerprint data.

What happened?

In 2017, the organisation introduced fingerprint scanners for 337 (former) employees, primarily to reduce abuse of clocking in and out and to record working hours more reliably for time registration purposes. The organisation also stated that the fingerprint scanners offered practical benefits and avoided the cost of replacing and maintaining tags in its existing RFID tag-based system, and argued that they could reduce future security risks such as espionage and hacking.

AP’s assessment

The AP focused on whether the organisation could rely on one of the article 9 (2) GDPR exceptions to the prohibition on processing biometric data. According to the AP, two exceptions were relevant in this case:

  • explicit consent (article 9 (2) (a) GDPR); and
  • necessary for authentication or security purposes (article 29 Dutch GDPR Implementation Act; based on article 9 (2) (g) GDPR).

Explicit consent

The organisation contended that employees had given consent, were happy with the fingerprint scanners, did not object to the use thereof, and were not compelled to provide their fingerprint data but could continue using the RFID tag system.

The AP did not accept this argument. Firstly, the AP reiterated that consent is unlikely to be freely given in an employment relationship, because of the employee's dependency on the employer and the fear or real risk of detrimental effects following a refusal. The organisation had not demonstrated that employees had given their consent freely. In interviews, employees told the AP that they regarded the use of the fingerprint scanners as mandatory, and that employees who refused to provide their fingerprint data had to report to the organisation's manager.

Secondly, the AP concluded that the organisation had not adequately informed its employees about the processing of their fingerprint data and that consent was therefore not informed. Employees were merely informed about the organisation’s intention to fully switch to fingerprint scanners. The AP concluded that the organisation could not demonstrate that the employees consented to the processing of their data.

Necessary for authentication or security purposes

The Dutch GDPR Implementation Act contains an exception to the prohibition on processing biometric data where the processing is necessary for authentication or security purposes. This exception is based on article 9 (2) (g) GDPR. To rely on it, an organisation must be able to show that the building or information system in question requires a level of security that can only be achieved with fingerprint scanning; a mere convenience or cost advantage over a less intrusive mechanism does not meet that test.

The organisation used fingerprint scanning for time registration (and reducing its misuse) and for the administration of salaries, holiday and sick leave. The AP accepted that the organisation had a legitimate interest in using fingerprint scanning for these purposes. However, it concluded that processing fingerprint data was neither necessary nor proportionate for these purposes and therefore did not fall under the exception to the prohibition on processing biometric data.

Administrative fine

Based on the above, the AP found that the organisation had violated Article 9 of the GDPR and imposed a fine of €725,000. The fine was calculated in accordance with the AP's fining policy under the GDPR, which places violations in one of four categories according to their seriousness, each with its own base fine and bandwidth. Under this policy, a breach of the prohibition on processing special categories of personal data falls in the category with a base fine of €725,000.

The AP considered the breach serious because: (i) it concerned a special category of data; (ii) it continued for a long period and concerned a large number (337) of (former) employees, and therefore occurred in a systematic and structural manner; (iii) the employees were inadequately informed; and (iv) the data of former employees were retained longer than necessary. These factors did not, however, lead to an increase of the base fine. Conversely, the fact that the data were stored encrypted and that only a limited number of employees had access to them did not lead to a decrease: technical safeguards do not cure the absence of a valid exception under Article 9, because the violation lies in the processing itself rather than in how well the data are protected.

Preliminary injunction to prevent publication

The organisation applied to the Court of Limburg for a preliminary injunction to prevent publication of the decision and of the organisation's name, address and Chamber of Commerce registration number. The organisation argued that publication while court proceedings were still pending (and the AP's decision could still be overturned) would have serious detrimental consequences for its financial position, its competitive position and its reputation. The AP argued that publication was important because it deters other organisations, informs the public of the consequences of GDPR violations, and gives the public insight into how the AP performs its supervisory task. After balancing both interests, the Court of Limburg ruled that the decision may be published, but without reference to the organisation's name, address or Chamber of Commerce registration number.

Why this matters

In its decision the AP emphasises the importance of safeguarding individuals' privacy when processing biometric data, and sets a high bar for employers that wish to process their employees' fingerprint data under the authentication or security exception.

Organisations that wish to implement fingerprint scanners should carefully analyse the necessity and proportionality of such systems, including whether a less intrusive mechanism (in this case, the RFID tag system the organisation already operated) would achieve the same purpose, and should record this analysis and its outcome in a data protection impact assessment. The decision also shows that consent is an unreliable basis in the employment context: it must be demonstrably free and informed, which the organisation here could not show.

Another relevant element for controllers is the partial success the organisation had in seeking a preliminary injunction against publication of its details. This offers controllers a way to mitigate the reputational risk of a published GDPR violation while court proceedings are still pending.