Processing of biometric data - The use of a time registration system with fingerprints violates the GDPR

In a decision dated 6 September 2024, the Dispute Chamber of the Belgian Data Protection Authority (DPA) confirmed its earlier position (see our newsflash of 23 December 2021, regarding the DPA’s recommendation on the processing of biometric data) that it is highly unlikely that valid consent can be given for the processing of biometric data in the context of an employment relationship. Additionally, the Dispute Chamber ruled that a request to exercise the right of access can be lawfully made through a union secretary and that the employer may therefore lawfully provide an oral response to the union secretary instead of directly to the employee.

Facts

The employee (complainant) was initially employed as a temporary worker and later as a full-time employee of the employer. The employer used a time registration system based on fingerprint recognition. The system provider was a subsidiary of a group with headquarters in Japan. The employee feared a violation of the GDPR, particularly due to the risk of data being transferred to a non-EU country with lower protection.

Processing of biometric data

In its decision of 6 September 2024, the Dispute Chamber confirmed that when processing special categories of personal data, the controller must have both a legal basis and a ground for exception.

Biometric data are personal data resulting from specific technical processing related to the physical, physiological, or behavioural characteristics of a natural person, allowing or confirming the unique identification of that individual, such as facial images or fingerprint data. This constitutes a special category of personal data under Article 9 of the GDPR, which enjoys heightened protection.

No legally valid consent

During the procedure, the employer relied on various legal bases but ultimately decided that the processing was based on the employees’ consent. The Dispute Chamber examined whether this consent had been validly obtained but concluded that it was not, for reasons including the following:

  • No informed consent: The information was provided only through a welcome brochure at the time of hiring and was only later included in the work rules. However, according to the Dispute Chamber, the welcome brochure contained insufficient information. Although the work rules later included adequate information, this was too late for the employee who filed the complaint. Consequently, the employees were not informed about the processing of their data at the time they should have given their consent.
  • No unambiguous consent: Although the employees signed the work rules and the welcome brochure to acknowledge receipt, the Dispute Chamber did not consider this to constitute unambiguous consent for the processing of their biometric data.
  • Additionally, the employer claimed that the employees had the option to request an alternative method of time registration. However, the Dispute Chamber found that this option was not explicitly mentioned at the time the system was implemented.
  • No freely given consent: The consent was not considered to be freely given, as there were negative consequences associated with not consenting. For instance, the welcome brochure explicitly stated that employees’ pay was based on the “clockins”. Moreover, the work rules made use of the time registration system mandatory for all employees and linked non-compliance with penalties. Fingerprint-based time registration was also the only time-tracking method in use by the employer. As a result, employees could not refuse to use the system without facing adverse consequences.
    The employer argued that no objections were raised by the other employees, which would imply that consent was indeed freely given. However, the Dispute Chamber rejected this argument. It recalled that, in accordance with the guidelines on consent from the European Data Protection Board (EDPB), the power imbalance between employer and employee makes free consent unlikely in an employment context. Employees may be less inclined to voice their objections to obligations imposed by their employer because of their dependent position. From this, it can be inferred that while the Dispute Chamber does not outright exclude consent as a legal basis in an employment relationship, it evaluates it strictly. This presumably implies, at the very least, that an alternative solution for time registration should be offered.

Purpose limitation

The Dispute Chamber also noted that the purposes of the time registration system were not consistently mentioned in the available documentation. The objectives must be determined before the data are collected. The other purposes invoked by the employer before the Dispute Chamber were only added later.

Data minimisation

In its defence, the employer referred to the demanding nature of its clients in terms of security. To obtain certain certifications, it had to meet very strict requirements, which led it to use the fingerprint time registration system. This argument did not convince the Dispute Chamber.

The Dispute Chamber identified many alternatives to biometric time registration that could achieve the objectives while being less intrusive on employees’ privacy, such as punch clocks, staff cards, or access codes. It therefore concluded that the processing of fingerprints was not necessary to achieve the purposes. However, it emphasised that the use of biometric data could be relevant where less strict measures are insufficient, for example in areas with special security concerns, such as food handling or hazardous materials. It noted, however, that this was not the case here.

Data protection impact assessment (DPIA)

The Dispute Chamber ruled that the use of biometric data for employee time registration poses significant risks to the privacy of the individuals concerned. It also reviewed the criteria set by Working Party 29 and found that 5 of the 9 criteria were met. Based on this analysis, it was concluded that the processing in question likely entails a high risk to the rights and freedoms of the individuals, and that a Data Protection Impact Assessment (DPIA) was therefore mandatory. The employer should have conducted this assessment before starting the processing of biometric data. By failing to do so, the employer violated the GDPR.

Right of access through a union secretary

The employee made a written request for access on two occasions. The first request was sent via e-mail, and the second by registered mail. Regarding the first request, the Dispute Chamber decided that the employer was deemed to have fulfilled its obligations, as it allegedly responded to this request orally during a meeting with the union secretary.

Since the initiative for this meeting indirectly came from the employee – through the union secretary – the Dispute Chamber ruled that the employer could reasonably assume that it was lawful to fulfil the access request orally.

Penalty

The employer was fined EUR 45,000 for the violations described above, along with several other infringements.

Key message

As an employer, be cautious when processing biometric data (e.g., fingerprints) of employees. Only in exceptional cases will employee consent be accepted as a legal basis. Additionally, the principles of purpose limitation and data minimisation must be adhered to, and a Data Protection Impact Assessment (DPIA) will be required.