Employers' use of biometric data of employees

The GDPR contains rules on employers’ use of biometric data of employees. Employers need to bear in mind that biometric data is sensitive personal data, so the rules are stricter. In addition, the consequences may be worse if a company processes sensitive personal data in breach of the GDPR than if the personal data are not sensitive.

What is biometric data according to GDPR?

The definition of “biometric data” is personal data collected by a specific technical method and relating to the physical, physiological or behavioural characteristics of an individual, in order to confirm or enable the identification of that individual. 

Examples of biometric data

The following are common examples of biometric data: 

  • Facial recognition, 
  • Iris recognition, 
  • Voice recognition, 
  • Retinal scanning, 
  • Fingerprints.

Rules on employers' use of biometric data of employees

There must be a compelling reason for an employer to be able to use biometric data for employee identification. Please note that efficiency reasons do not carry as much weight as safety reasons.

Examples of what the company needs to consider: 

  • Purpose of the processing; 
  • Type of biometric data; 
  • Retention period of the data collected; 
  • Risks of the processing; 
  • Security measures that should be implemented. 

What are other requirements to process biometric data?

In order for the processing of biometric data to be lawful and not contrary to the fundamental principles of the GDPR, it is necessary that the purpose of the processing cannot be achieved in a less privacy-sensitive manner. 

A school was fined for using facial recognition to record pupils' attendance

The High School Board in Skellefteå municipality in Sweden violated the rules of the GDPR when it used facial recognition for attendance control through a camera. The High School Board stated that it had received consent for the processing, and that it was therefore permitted.

On the other hand, the Swedish Authority for Privacy Protection considered that the power relationship between the pupils and the Board is unequal. Therefore, the consent in this case was invalid.

Also, attendance checks can be carried out by other means, without the use of biometric data. Therefore, it is not allowed to carry out attendance checks by using biometric data. 

The consequence for the school due to their use of facial recognition for recording pupils’ attendance was a fine of SEK 200 000. 

Biometric data is a special category of personal data that is sensitive

According to the GDPR, biometric data is sensitive personal data. The same applies to data concerning an individual’s health, religious beliefs, political opinions, sexual orientation, etc. These data constitute, according to Article 9 of the GDPR, so-called “special categories of personal data”, also called “sensitive personal data”. 

Is it allowed to process sensitive personal data?

The processing of sensitive personal data is prohibited under the general rule, unless the processing is covered by an exception set out in Article 9 of the GDPR. However, the rules are stricter when processing sensitive personal data. For example, better organizational and technical security measures are required to protect the personal data from unauthorized alteration, access and loss.

In addition, the company that is the controller is more likely to have to report a personal data breach to the supervisory authority within 72 hours of its discovery, if the breach involves sensitive personal data.

What legal basis can the employer use when using biometric data of its employees?

Consent

As a general rule, consent cannot be used as the legal basis by an employer who wishes to identify its employees through biometric data. This is because the consent cannot be determined with certainty to be freely given, as there is an unequal power relationship between the employee and the employer. This means that the consent does not meet the requirements for valid consent under the GDPR.

Legal obligation

If a law or collective agreement to which the employer is party contains appropriate safeguards, it may be permissible to process biometric data of employees on the basis of the law or collective agreement.

Conducting a data protection impact assessment prior to employers' use of biometric data of employees

It may be necessary for the employer to conduct a data protection impact assessment prior to its use of biometric data of employees. For example, a company that identifies employees through an entry system that uses biometric data, such as facial recognition or fingerprints, must conduct an impact assessment before processing begins. In addition, it may be appropriate to request a prior consultation with the lead data protection authority. 

Use of facial recognition of travellers at airports

The French data protection authority requested an opinion from the European Data Protection Board (EDPB) on the use of facial recognition of travellers at airports. The EDPB noted that such processing may be allowed, but that both airlines and airports should use other methods that are less privacy-sensitive. The consequences of a possible misuse of biometric data can be serious. For example, there is a risk of identity hijacking, and therefore it is good to avoid processing this type of data unless absolutely necessary.

More information about processing personal data in the workplace

Monitoring and control of employees at the workplace

When a company monitors its employees in the workplace and processes their personal data, the company must comply with the GDPR. In addition, it is important to bear in mind that there may be other laws in the field of labour law that regulate the supervision and control of employees at the workplace. It is normally not allowed to regularly monitor how long employees take for their breaks or how their tasks are carried out. However, it may be justified to have camera surveillance in a warehouse that contains expensive products.
