The AEPD changes the criteria on the use of biometric systems
A few weeks ago, the Spanish Data Protection Agency (AEPD) published a Guide (not without controversy) on the use of biometric data for presence and access control. The document sets out the criteria for using biometrics for access control, for both work and non-work purposes, and establishes the measures to be taken into account so that the processing of personal data with this technology complies with the General Data Protection Regulation (GDPR), among other regulations.
New criteria on the use of biometric systems
Regarding the challenges that biometric identification poses for data protection, in this new interpretation the Agency considers the processing of biometric data, for both identification and authentication purposes, to be high-risk processing involving special categories of data. As established by the GDPR, in order to process these categories there must be a circumstance that lifts the prohibition on processing and, in addition, a condition that legitimises the processing.
Therefore, it is necessary to justify the need for additional data processing when the same purposes have been, and can be, achieved with another, equivalent and less intrusive implementation of working time recording.
It is neither mandatory nor recommended that the implementation of a processing operation be limited exclusively to the selection of technological resources. When deciding how to implement a processing system, the use of human resources, legal safeguards and organisational procedures, among others, must be considered.
Therefore, when evaluating equivalent and less intrusive alternatives, options that are not purely technological should be explored. In this sense, in the case of biometric systems for time and attendance control, an objective assessment must be made as to whether the data being collected are excessive for the purpose of the processing.
Previously, the AEPD interpreted biometric authentication as falling outside the special categories of data. However, this interpretation has been superseded by the EDPB Guidelines 05/2022 of 26 April 2023, so the AEPD's interpretation has had to be adapted to them.
Similarly, the AEPD's interpretation of these types of processing in its Legal Report 036/2020, which was based, among other documents, on Opinion 3/2012 of the Article 29 Working Party (WP29) on developments in biometric technologies (published in 2012, when biometric data were not yet considered a special category; they only became one with the entry into force of the GDPR in 2016), must also be considered superseded by the new position of the EDPB set out in the aforementioned Guidelines 05/2022.
In short, it must be considered that, as in the case of identification, biometric authentication is a process involving the processing of special categories of personal data.
An exception to the prohibition on processing special category data can only be made when one of the circumstances specified in Article 9(2) of the GDPR applies. The controller is obliged to assess very seriously and diligently whether it has a sound reason to process the special categories listed in Article 9(2) of the GDPR. The circumstances listed no longer include (a priori) legitimate interest, the performance of a contract or pre-contractual measures.
Basis of legitimization and exceptions to the use of biometric data
It would seem that, with this new criterion, companies are going to have a hard time if they want to continue using these tools to record their workers’ working hours.
But what about those jobs where identity theft is a problematic and recurrent issue?
The AEPD proposes other systems, such as cards, certificates, passwords or contactless systems, that avoid the processing of special categories of data. However, when it comes to identity theft, as would be the case in the agricultural sector, for example, where staff rotation is a daily occurrence, these types of systems would be useless, as they would not be free from problems such as identity theft.
For these cases, we understand that the AEPD recognises the suitability of using biometric data for access control as long as it is demonstrated that the alternative offered to employees or third parties is not equally effective in achieving the desired objective (access control). In this sense, the processing of biometric data would be acceptable if it is justified that the purpose cannot be fulfilled in an equivalent manner, or with the same security, by the alternative means provided.
On the basis of the above, it can be concluded that, a priori, the processing of biometric data necessary to provide time and attendance and clocking-in services can be legitimised by the explicit consent of the data subject, in accordance with Article 9(2)(a), provided that the following requirements are met:
- The worker is offered an alternative method of recording working time or clocking in, in order to demonstrate that the worker's consent has been given freely and without fear of adverse consequences;
- The alternative method offered is not equivalent to the one implemented through the collection of biometric data in terms of efficiency or security, since in that case we would not be dealing with equivalent scenarios.
Although the use cases have been limited, we understand that the AEPD will rule on this in future resolutions, shaping its criteria and thus preventing a technology that is so widespread and has been in use for so many years from being used for the purpose of collecting biometric data.
At Letslaw, as data protection lawyers, we offer advice on everything related to this area, so do not hesitate to contact our team of professionals to help you with whatever you need.