Do you know how the new AEPD guide on biometric processing in the workplace affects your company?
In this article, we explain the main changes introduced by this guide. These modifications represent a radical shift in the AEPD’s interpretation of the use of biometric data for attendance control and biometric processing in the workplace. Additionally, we provide some tips to help you adapt to this new regulation and avoid sanctions. Keep reading to discover everything you need to know!
Introduction to the new AEPD guide on biometric processing in the workplace
The Spanish Data Protection Agency (AEPD) has released the anticipated “Guide on Presence Control Treatments through Biometric Systems,” marking a significant change in how the AEPD interpreted the use of biometric data in the workplace. This change presents significant challenges for companies currently using this technology.
What are biometric data, and how are they regulated in Spain?
Biometric data are those that uniquely identify a person through physical, physiological, genetic, or behavioral characteristics. Examples include fingerprints, iris patterns, facial features, voice, or signature. These data are considered special categories under the General Data Protection Regulation (GDPR) and are subject to enhanced protection. In Spain, the Spanish Data Protection Agency (AEPD) is responsible for ensuring compliance with data protection regulations and sanctioning violations.
Evolution of regulations on biometric processing in the workplace
The use of biometric data for employee attendance control has been a subject of debate and controversy in recent years. The AEPD has modified its criteria on this matter, following the guidelines of European bodies and adapting to new technologies. Here are the most important milestones in this regulatory evolution:
- In 2012: The Article 29 Working Party, consisting of EU data protection authorities, issued Opinion 3/2012. This opinion stated that the use of biometric data for attendance control was only possible if certain requirements were met, such as proportionality, minimization, security, and information. It also differentiated between two types of biometric processing: authentication and identification. Authentication verifies that a person is who they claim to be by comparing their biometric data with previously registered data, while identification determines a person’s identity by comparing their biometric data with a database. The opinion considered authentication less intrusive than identification and therefore more justifiable in the workplace.
- In 2020: The AEPD published Legal Report 036/2020, relying on Opinion 3/2012 to analyze the legality of using biometric data for attendance control. The supervisory authority concluded that this use was only possible if it met the conditions of Article 9.2.b of the GDPR, meaning it was necessary for fulfilling obligations and exercising specific rights in the field of labor law. Additionally, the AEPD emphasized that the use of biometric data must be proportionate, meaning there were no less invasive measures for attendance control. Furthermore, the AEPD indicated that the use of biometric data must be informed, meaning employees should be aware of the processing details and their rights regarding it.
- In 2021: The AEPD published the guide “Data Protection in Employment Relationships.” This guide addressed various aspects of data processing in the workplace, including the use of biometric data for attendance control. The AEPD maintained the criteria of Legal Report 036/2020 but added some clarifications and recommendations. For example, the AEPD clarified that the use of biometric data must be based on a legal provision authorizing it or on the express consent of employees. Additionally, the AEPD warned that the use of biometric data must be secure, meaning technical and organizational measures should be adopted to prevent unauthorized access, loss, or damage to the data. Finally, the AEPD suggested that the use of biometric data should undergo a data protection impact assessment and be included in the record of processing activities.
Farewell to the Fingerprint Register: Changes in the Legality of Biometric Control
The AEPD guide establishes that biometric data used for identification or authentication is considered special category data. This type of data is subject to more stringent conditions than ordinary personal data. For workplace control, the guide classifies the use of biometric data for employee attendance records as identification, thus requiring a solid legal justification for companies wishing to implement these systems.
From Authentication to Identification: A Distinction that No Longer Matters
In the past, the AEPD differentiated between authentication and identification when assessing the use of biometric data. The guide now discards this distinction, emphasizing that any process requiring identification classifies biometric data as special category. This interpretation follows the GDPR definition, which establishes biometric data as those allowing the unique identification of a person.
Guide Clarification: Identification, Authentication, and Photographs
The guide emphasizes that identifying a person means determining their identity directly or indirectly through elements of their physical, physiological, genetic, or mental identity. Processing that allows a person to be singled out through behavioral biometric analysis is considered identification processing. GDPR Recital 51 addresses the distinction between processing photographs and processing biometric data. It clarifies that processing photographs should not automatically be considered processing of special categories of personal data. However, it notes that the content of the photograph or additional processing could turn it into processing of special category data.
Exceptions and Alternatives: Exploring Consent in Attendance Records
Attendance records are a duty the data subject is obliged to fulfil, which raises the question of whether free consent can be given for additional data processing, especially biometric data. The guide addresses this scenario and sets specific conditions. For consent to be genuinely free, the data subject must have a real alternative way of fulfilling the attendance record obligation; and, as detailed later, where such an alternative exists the principle of proportionality would not be met. Therefore, consent would not be a valid legal basis for biometric data processing in attendance records. In these cases, the guide recommends seeking other solutions that ensure compliance with labor and data protection regulations, such as the use of cards, codes, or barcodes.
The Principle of Proportionality: Assessing the Necessity and Suitability of Biometric Processing in the Workplace
The principle of proportionality implies that the processing of personal data must be appropriate, relevant, and limited to what is necessary for the purposes for which it is carried out. In the case of biometric data, this principle requires an assessment of whether the processing is necessary for workplace control and whether there are other less intrusive alternatives that can achieve the same objective. For example, using fingerprints for attendance records might not be proportionate if the worker performs their activities outside the workplace or if the system does not guarantee the security and confidentiality of the data.
Following these guidelines, the guide points out that the data controller may argue that they offer individuals a real choice if they can choose between a service that includes consent for additional use of personal data and an equivalent service that does not involve such consent. The key here is that both services must be genuinely equivalent. The guide establishes that the possibility of the data controller executing the contract or providing the services without consent for the other use or additional use implies that there is no longer conditionality in the service.
However, this scenario of equivalence poses additional conditions. When truly equivalent options are available to all workers, the validity of consent could be assessed, meeting the requirements of Article 4.11 of the GDPR and the other conditions of Article 7 of the GDPR. Nevertheless, the guide establishes a crucial nuance regarding the “equivalence of treatments.”
If alternatives to biometric data processing are available that pose a lower risk to the rights and freedoms of the individuals whose data will be processed, and workers are allowed to opt for those alternatives at any time, then biometric data processing is no longer necessary for the purpose pursued.
As the processing of biometric data is no longer necessary, the premise of Article 5.1.c of the GDPR is broken, and, being considered high-risk processing, the requirement of “necessity” in Articles 5.1 and 35.7.b would not be met. In the case of high-risk processing, in addition to being necessary, a positive assessment of necessity is required, a requirement that would not be fulfilled in this context due to the lack of necessity.
Navigating Regulatory Challenges: Between the Legal Maze and Prior Consultations
Despite efforts to address prior challenges, new complexities emerge. The AEPD guide emphasizes the crucial need to consult the AEPD if the controller hasn’t implemented measures per Article 36 of the GDPR. Risk management isn’t a universal remedy, providing no assurance of lifting the ban on special data or aligning with fundamental GDPR principles. The AEPD provides specific guidance on addressing these issues, including executing and overcoming a Data Protection Impact Assessment (DPIA), its documentation, and conducting prior consultations. In essence, complexity grows, making navigation through this legal maze even more challenging within the GDPR framework, where Article 35.7.b necessitates overcoming a triple assessment of suitability, necessity, and strict proportionality for compliance with stringent data protection standards.
The Only Possible Route: Collective Bargaining
In this legal maze, the only apparent option for companies wishing to implement biometric systems is negotiation in a collective agreement. This route, though filled with challenges, will require specific guarantees to protect employees’ rights.
Consent in Attendance Records and Access Control
The guide provides clarity on the treatment of attendance records and access control for labor purposes. The employee is obliged to take part in attendance recording, but not in the biometric data processing itself. Consent does not apply to attendance recording as such, where there is no room for objection, but rather to the additional processing of biometric data. GDPR Recital 43 establishes conditions to ensure that consent is given freely. This freedom is especially important in situations of clear imbalance between the data subject and the data controller, such as in employment relationships. EDPB Guidelines 5/2020 confirm that in the employment context there is a power imbalance between employer and employee. Because of this imbalance, consent cannot be regarded as freely given. Consent cannot, under any circumstances, lift the prohibition on processing special categories of data.
Practical Examples and Business Challenges
To illustrate these concepts, consider a scenario where a company wants to implement a biometric system for recording work hours. Before these guidelines, the company might have relied on employee consent to justify the use of biometric data. However, with the new guide, this approach becomes more complicated. The AEPD argues that the power imbalance between employer and employee makes consent an unreliable legal basis. An employee might feel pressured to give consent, creating a scenario where consent is not freely given. Additionally, the guide notes that even if consent is obtained, the processing of biometric data must comply with data protection principles, such as data minimization and security. This poses additional challenges for companies as they must ensure that their systems meet rigorous standards.
Conclusions and Recommendations for Biometric Processing in the Workplace
The AEPD guide offers the following recommendations and best practices for using biometric data in the workplace:
- Inform workers in advance and clearly and comprehensively about the treatment of their biometric data, the purposes, legal basis, rights, and security measures.
- Choose a labor control system that complies with the principles of proportionality and data minimization and that minimizes the risk to rights and freedoms.
- Ensure the security and confidentiality of biometric data by applying technical and organizational measures to prevent unauthorized access, alteration, loss, or unauthorized disclosure.
- Respect the rights of workers regarding their biometric data, such as the right of access, rectification, erasure, restriction, objection, and portability.
- Conduct a data protection impact assessment before implementing a labor control system based on biometric data, following the AEPD and European Data Protection Board guidelines.
The new AEPD guidelines not only represent a change in the regulation of biometric processing in employment but also pose significant challenges. In this new landscape, it is crucial to consider alternative strategies, such as collective bargaining, and to stay informed about possible future regulatory developments. Data protection and employee privacy are fundamental to ensuring workplace safety and preserving fundamental rights. Companies and legal professionals must adapt to these changes and remain vigilant in complying with evolving data protection standards.