Employer is not Allowed to Use an Employee’s Fingerprint in order to Grant Access to Point-of-Sale System

Year of publication

2019


Year of publication

351


Reference

Sub-district Court Amsterdam, 12 August 2019, ECLI:RBAMS:2019:6005


Decision

An employer acted contrary to the rules on privacy protection of his employees by using his employees’ fingerprints, because the necessity of using such information had not been demonstrated and because the importance of using a fingerprint did not justify infringement of the employees’ privacy.

A retail chain that was active in the sale of shoes had introduced a new point-of-sale (POS) system, asking employees to identify themselves by entering their fingerprint on a scanning device. One employee then complained that this infringed her privacy. Since the retail chain and the employee could not agree on whether this privacy infringement was in accordance with the law, they decided to submit the question jointly to the Sub-district Court of Amsterdam on a voluntary basis. In doing so, they waived in advance their right to lodge an appeal.
First of all the Sub-district Court considered that, in this case, the applicable law is the General Data Protection Regulation of the European Union (GDPR). This regulation is directly effective in all Member States of the European Union. Only insofar as this is permitted by the GDPR, Member States may derogate from it in national legislation, as has happened in the Netherlands in the GDPR Implementation Act (AVG Uitvoeringswet).
According to the Sub-district Court, a fingerprint scan constitutes personal data within the meaning of the GDPR, because it makes it possible to identify a person. The GDPR contains a prohibition on processing so-called "biometric data", such as face images and fingerprint data. But the GDPR also has a number of exceptions to this prohibition, including in the event that permission for processing biometric data was granted. In the present case, however, the employee had not actually granted this permission. Nor had the employer asked for it; he had simply decided to introduce the new fingerprint-activated POS.
The GDPR also allows the Member States of the European Union to grant a derogation in national legislation from the prohibition on processing biometric data in the case of exercising an employer’s specific rights, provided that the interests of the employee are appropriately guaranteed. The Dutch GDPR Implementation Act provides for such an exception for the unique identification of a person, if it is necessary for authentication or security purposes. The question now arises whether this exception applied in this case.

The legislative history shows that it was the legislator’s intention to create an exception for e.g. access to a nuclear power plant, but not, e.g., to the garage of a repair facility. But the legislator had also acknowledged that protection of information systems containing a large amount of personal data against unauthorized access by employees was an example in which the use of biometric data should be permitted. Derogation from the prohibition on using biometric data should be necessary for authentication and the fact that biometric data are used should be proportionate to the aim of the use of these data, according to the legislator.

The retail chain had argued that the fingerprint scan was necessary in order to prevent fraud by employees and that using a personal code to gain access to the POS had proved inadequate in practice, since the codes were also found to be used by colleagues.
The code could also be ‘stolen’ while it was entered. An access badge would not guarantee adequate security either, since the badge could also be used by a colleague.
The Sub-district Court was not really convinced, however, of the importance of using biometric data, as expressed by the employer. According to the Sub-district Court, the retail chain failed to prove why the combination of the badge and a code could not be used. Likewise, the Sub-district Court considered the importance of preventing fraud insufficient to justify derogation from the prohibition on the use of biometric data, because the retail chain had hardly taken any protective measures for preventing loss of sales, such as camera surveillance or detectors at the exit. Therefore, the Sub-district Court decided that, in this case, using the fingerprint scan is in breach of the GDPR and the GDPR Implementation Act.


Comments

The decision of the Sub-district Court does not preclude employers from processing biometric data of their employees but, in that case, the employer will have to substantiate the need to do so and its proportionality better than the employer in the present case had done.
It is not very likely that the employer can solve the problem by asking all employees for permission to use the fingerprint scan.
Permission requires that it is given freely and the Dutch Data Protection Authority takes the view that an employee in a relationship of authority to his employer is unable to give such permission "freely". Moreover, permission, once given, can always be withdrawn, so that even permission would be a shaky foundation for using biometric data.


