Dutch employer fined €725,000 for processing biometric data unlawfully

The Dutch Supervisory Authority (Autoriteit Persoonsgegevens) (“Dutch SA”) has fined an employer €725,000 (approximately £636,800) for unlawfully processing employees’ biometric data.

Employer collects biometric templates of employees’ fingerprints

The employer (whose name was kept confidential by the Dutch SA) had concerns around fraudulent use of its badge-based time management system. It installed a new access and time management system. This collected and processed biometric templates of employees’ fingerprints (which is special category data). Once implemented, employees were able to choose whether to use the old or new system to sign in to work. 

Employee complains to regulator 

An employee filed a complaint with the Dutch SA. Following its investigations, it found:

• No evidence that employees explicitly and freely consented to having their fingerprints scanned
• Employees had not been given enough information about how their biometric data would be used
• Ex-employees’ biometric templates was being retained for too long - while it was “blocked” on the system, it was not actually deleted.

The Dutch SA decided the employees had not validly consented to the processing of their biometric data. While Dutch law allows processing of biometric data when necessary for “authentication or security purposes” (there is no similar provision under the UK’s Data Protection Act 2018), this condition was not met here. The employer’s use of biometric data was disproportionate to the aim pursued. The Dutch SA found the security risks were not particularly high and the employer could have used less intrusive means to achieve its objectives.

Despite the employer encrypting the data, the Dutch SA imposed a €725,000 fine. This was based on the long duration of the breach (ten months) and high number of individuals concerned (337). The fine was based on the Dutch SA’s fining model. 

We understand the employer has announced it will appeal the decision.

Comment

While the Dutch SA imposed the fine, UK employers should take note. 

Biometric time recording devices (such as fingerprint recognition) are common in certain industries (such as warehouses and hotels). If an employer does not have a lawful basis for processing this special category data, this could result in a large fine. 

The administrative advantages of modern time recording systems such as the one in question here (for example the reduced risk of fraudulent time recording) may be wiped out if fines are imposed for a rushed, or unlawful, implementation.   

The GDPR imposes additional hurdles for processing special category data. While explicit consent might be one of the limited grounds available, this is risky due to the hurdles of GDPR-compliant consent (and the option for employees to withdraw consent at any time). A Data Protection Impact Assessment may help you decide whether to implement such technologies and ensure compliance with the GDPR’s data protection principles.