The Dutch GDPR Implementation Act and the use of biometric data

January 15, 2020 | News

The use of biometric data has been a recurring news item in recent months. Biometric data appear to be a safe and convenient method for employers to identify their employees. However, the question is whether workplace biometric systems are compliant with the special clause concerning the processing of biometric data included in the Dutch General Data Protection Regulation Implementation Act (“GDPRIA”) or even with the rationale behind that clause.

If you want to know more about the definition of biometric data in the GDPR and the requirement to carry out a Data Protection Impact Assessment, then continue reading this blog.

GDPRIA: Authentication and security purposes

Pursuant to Article 29 GDPRIA, “the prohibition against processing biometric data for the purpose of enabling the unique authentication of a natural person does not apply if the processing is necessary for authentication or security purposes”.

In the Explanatory Memorandum to the GDPRIA, the legislator observed that there has been a strong boom in the use of biometric systems for regulating access to specific sites, buildings and information systems. One example mentioned is the use of biometric systems for identity verification of customers or employees. However, employees will find it virtually impossible in their relationship to the employer to withhold their consent, as access to certain locations is necessary to perform their duties. Thus, the exception clause relates to the situation where consent cannot be given freely.

It follows from the Explanatory Memorandum that current developments in the use of biometrics as a means of identification would be severely hampered if domestic legislation did not include a clause providing an exception from the prohibition against processing.

For reliance on Article 29 GDPRIA to be successful, the necessity of the processing must be supported by sufficiently compelling arguments. The employer needs to consider whether identity verification using biometric data is necessary for authentication or security purposes to secure buildings and information systems. The processing must also be proportional.

The Explanatory Memorandum lists by way of example the situation where access is to be restricted to a group of specially authorised people, as in the case of a nuclear power plant. At the other extreme, there is the garage of an auto repair shop. In the latter case, the necessity to secure the premises by means of biometric data is unlikely to be so high as to allow employees access through a biometric system only.

Amending the GDPRIA

A recent letter by minister Dekker to the lower chamber of Dutch parliament makes clear that he intends to amend some aspects of the GDPRIA, including the provisions relating to the use of biometric data.

What also emerged from the letter is that the European Commission has criticised the fact that Article 29 GDPRIA does not refer to the legitimate interests of Article 9(2)(g) GDPR as a ground for making an exception. The Commission finds the examples stated above and the explanation given in the Memorandum to have insufficient substance.

Minister Dekker notes that it is desirable explicitly to acknowledge in Article 29 GDPRIA the legitimate interests that could necessitate the processing of biometric data for authentication and security purposes. Such interests would concern the lawful access to specific locations, buildings, information or work process systems, services or products. According to minister Dekker, the amendment of Article 29 GDPRIA serves to enhance legal certainty as regards the processing of biometric data for the purposes mentioned above.

Minister Dekker aims to open the proposal to amend the GDPRIA for public consultation in the first quarter of 2020. We can only wait for the amended version of the GDPRIA.

Biometric data and the employer

The lingering lack of clarity regarding the use of biometric data in the workplace has been the topic of debate many times before. The biometric time recorder, for example, has been a recurring news item. This device requires employees to clock in and out using their fingerprints. 

At the time, state secretary Van Ark stated that employees who are unwilling to have their fingerprints recorded would have to be offered an alternative. She reasoned that where biometric data are used to record time, this use is not to authenticate employees’ identities for security purposes. The state secretary added that it is not permitted to dock pay from employees who refuse to have their fingerprints taken.

Giving fingerprints was also at the centre of a court case between footwear retailer Manfield and one of its employees. Manfield had introduced a new point-of-sale system that required employees to give their fingerprints. Manfield argued that the fingerprint authentication system would tackle employee fraud, because the previous system using log-on codes did not allow the fraud to be traced back to the actual culprit, as anybody could log on using someone else's code.

The court held that this use cannot be considered to be “necessary for authentication or security purposes” and questioned the proportionality of the introduction. The court also considered that Manfield failed to produce sufficient substantiation for its argument that this was the most appropriate method to combat fraud, in that Manfield did not produce documents evidencing it had considered other systems as well. Manfield's argument that the system was in the interests of the business was rejected. The conclusion must be that a thorough DPIA could have made the difference.

In other recent news, various retailers such as Dirk and DekaMarkt have communicated their intention to end the fingerprint time recording system for their employees.

Legal advice or more information

If you wish to know how your organisation can successfully introduce biometric systems, then simply contact Martin Hemmer.

Author of this blog: Jurriaan Dane.
