EUR 725k GDPR fine for unnamed Dutch employer

On 30/Apr/2020, an unnamed company received a privacy fine of EUR 725,000. The enforcement authority (the Dutch Data Protection Authority) cited the following legal provision in imposing the fine on the unnamed company: Article 9 GDPR.

Essentials

Date of enforcement action: 30/Apr/2020
Jurisdiction: Netherlands
Fine imposed: EUR 725,000 (US$750,000)
Defendant company or entity: Unnamed company
Industry segment:

Case summary

Employees of an unnamed company had their fingerprints systematically scanned for office attendance and time registration. After an investigation, the Dutch Data Protection Authority (AP) concluded that the company should not have processed its employees' fingerprints, because the company could not invoke any of the exceptional grounds that permit processing special personal data. The company is fined EUR 725,000 for this.

Special personal data

Biometric data, such as a fingerprint, are special personal data. An organisation may not use special personal data unless the law provides for an exception.

Monique Verdier, vice-president of the AP: ‘This category of personal data is given extra protection by law. If this data gets into the wrong hands, it can lead to irreparable damage, such as blackmail or identity fraud. A fingerprint is not replaceable, unlike a password. If it goes wrong, the impact can be great and can have a lifelong negative effect on someone.’

No exception to prohibition

For the use of fingerprints, two exceptions to the prohibition could apply in this case: if the explicit consent of the data subjects is obtained, or if the use of biometric data is necessary for authentication or security purposes.

The AP concluded that this company cannot invoke either of these two exceptions for the collection, storage and use of employees’ fingerprints.

Security

An employer may ask an employee to provide a fingerprint for, for example, access control. Sometimes an employee is obliged to provide a fingerprint and sometimes not; this depends on whether processing the fingerprint is necessary for authentication or security purposes.

An employer has to consider whether its buildings and information systems need to be so secure that this can only be achieved by using biometrics (alone). This will often not be necessary, because good alternatives exist.

Permission

May an employer ask employees for permission to process their fingerprints? In principle, this is not allowed. Employees are dependent on their employer and are therefore often not in a position to refuse.

The privacy law sets strict requirements for requesting explicit permission. Permission must be unambiguous, specific, informed and freely given.

This company has not demonstrated that the employees gave explicit permission. Employees also experienced the recording of their fingerprints as an obligation.

Legal remedies

The organisation has objected to the AP’s decision. By court order, the name of the organisation will not be made public.

(Dutch DPA)

Commentary

The defendant company has not been named. The DPA’s summary suggests this is a result of a court order. Jeroen Terstegge has noted that the company has argued it shouldn’t be named until the appeal process on the fine has been exhausted, as presumably naming the company would cause irreparable damage if the fine is later reversed.

Readers may also find this analysis from DLA Piper interesting:

We agree with the Dutch DPA that in this particular case, consent could not be relied upon. However the Dutch DPA also stressed that employee consent in principle will not be valid as employees depend on their employer and will often not be in a position to refuse. In our view, this general statement is a little too blunt and this is to be assessed on a case-by-case basis. We understand that consent in an employer/employee relationship cannot easily be given, but employees should be able to freely give consent as long as they have a genuine choice to use their fingerprint or an alternative (such as a badge or phone) and there are no adverse consequences either way.

And have a look at this analysis from

“In its decision, the Dutch SA identified several violations of data protection law, in particular:

  • no evidence that employees explicitly and freely consented to having their fingerprints scanned;
  • insufficient information provided to employees about how their biometric data would be used; and
  • over-retention of ex-employees’ biometric templates, which were “blocked” in the system but not actually deleted.

The Dutch SA noted that, in the absence of valid consent (Art. 9(2)(a) GDPR), the processing of biometric data is permitted only when necessary for “authentication or security purposes” (Art. 29 of the Dutch Implementing Law). In the matter at hand, the Dutch SA found that this was not the case. According to the Dutch SA, the company’s use of biometric data was disproportionate to the aim pursued because the security risks were not particularly high in this case. Moreover, less intrusive means could have been used to achieve the company’s objectives.

In light of the severity of the violation, its “long” duration (ten months) and the “high” number of individuals concerned (337), the Dutch SA decided to impose a significant fine. In an effort to reduce the fine, the company asserted that the encryption of the biometric templates and ISO certification of the technology supplier (and its sub-processor) should serve as mitigating factors. In the end, the Dutch SA found the company’s arguments unconvincing to reduce the fine…”

Applicable legal provisions

Article 9 GDPR

Enforcement information

Enforcement authority: Dutch Data Protection Authority
Type of enforcement action: Penalty notice
Subject to appeal? Yes (apparently the company has appealed)

File or case number

N/A

Acknowledgments

Jeroen Terstegge

Cite this fine in your work

Data Privacy Fines Index. (2020-04-30 04:18) EUR 725k GDPR fine for unnamed Dutch employer. dataprivacyfines.com. Retrieved from https://dataprivacyfines.com/fine/unnamed-company-fined-eur-725k/

Entry last updated: 2020-05-02 10:58 GMT.