Does your company use fingerprints or facial recognition to register the moment your employees begin and end their working day? Or perhaps you have considered adopting such a system? We wouldn't be surprised if you had, but the Spanish Data Protection Authority (AEPD) advises against it.
Written by Abigail Sked
Paralegal
It is mandatory to register the working day of your employees
Companies in Spain must keep daily and digital records of the working day, recording the start and end times of the working day for all employees and keeping these records for 4 years. There are multiple ways to monitor the presence of workers, some of which make use of biometric data.
And what are biometric data?
The General Data Protection Regulation (GDPR) defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.”
Some characteristics that often become biometric data when processed technologically in order to uniquely identify someone are:
- Fingerprint
- Face shape
- Iris
- Voice
A biometric system records this type of data and uses it to identify individuals or to authenticate a claimed identity. Recording the working day with such a system has real advantages: accuracy, ease of use, speed, and a degree of resistance to impersonation, since a fingerprint or a face is harder to lend to a colleague than a card or a PIN. The flip side is that a biometric trait cannot be reissued if the stored template is leaked, and in any case these advantages must be weighed against the rights of workers, especially with regard to the protection of their personal data.
The legal position on biometric data and clocking in
Last year, the Spanish Data Protection Agency (AEPD) tightened its criteria on clocking in/out systems that use biometric data. In practice, it is now almost impossible to show that the use of biometric data to record working hours complies with data protection legislation.
Here's why.
According to the GDPR, biometric data is special category data, which means that its processing is generally prohibited unless one of a limited set of exceptions applies. Those exceptions include the explicit consent of the data subject and cases where the processing is necessary to fulfil obligations under the employment law of an EU Member State and is expressly provided for by that law.
In a resolution handed down in June 2024, the Spanish Data Protection Agency (AEPD) stated that the processing of biometric data in the context of monitoring working hours carries a high risk to the rights and freedoms of employees, thus requiring a prior and valid Data Protection Impact Assessment (DPIA) to be carried out.
When carrying out the DPIA, among other things, you would have to demonstrate that the processing of biometric data is strictly necessary for, and proportional to, the specific purpose in question, i.e. that no less intrusive form of processing is capable of fulfilling the same purpose. In this case that will be difficult to prove, given that companies have been recording working hours by other means for years.
If you were able to prove that the processing is necessary, you would then also have to prove that it is lawful by citing one of the exceptions that lift the general prohibition on processing biometric data. Currently, as there is no law which explicitly permits this type of processing, the only route would be the explicit consent of the employee. However, given the imbalance of power between employee and employer, consent can only be regarded as freely given if the employee is offered an equivalent, less intrusive option that they can choose instead of biometric processing. And if such an alternative can be offered, that in itself shows that the processing of biometric data is not, in fact, necessary.
Note that this also applies to systems that use geolocation. The AEPD pointed out that it did not seem "necessary or proportional, given the balance of advantages and disadvantages, to use systems for recording working hours which are based on the processing of biometric and geolocation personal data, when there are other possible alternative methods of recording working hours that are just as effective, so it is difficult to see how this evaluation or triple test of proportionality set out in the DPIA could be satisfied".
What should I do if my company uses biometric data to record the working day?
If your company uses a clocking in/out system based on biometric data, such as fingerprints, it is advisable to suspend its use and cease the processing of such data as soon as possible, opting instead for an alternative solution that complies with the current criteria of the AEPD.
What other methods are there of clocking in and clocking out?
Some examples of alternative systems for the registration of working hours are:
- Clocking in/out applications or software: Workers record their arrival and departure using specific applications, accessible from computers, tablets or smartphones. Clocking in and out can be done by entering a username and password or with PIN codes unique to each employee.
- Card or key fob based systems: Magnetic cards, proximity cards (RFID) or electronic key fobs are used, which each employee must pass over a reader at the beginning and end of the working day.
- Recording via network or device access: The system automatically records the time of entry and exit when the worker connects to or disconnects from the corporate Wi-Fi network. It can also be controlled by logging in or out of workplace devices such as computers or terminals.
- Automatic records for remote working systems: In remote working environments, some tools can automatically record the active hours of the worker on the platform, serving as a timesheet.
- Clocking in via QR codes: Employees scan a unique QR code with their mobile phones when entering and leaving work. This code can be periodically updated to prevent misuse.
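As an added illustration of the last alternative (this is example code written for this page, not a system described by the AEPD or used by the author's firm), the sketch below shows how a QR code can be "periodically updated to prevent misuse": the display at the entrance encodes a short HMAC tag over the site name and the current one-minute time step, the server accepts a scan only if the tag verifies and the step is current (plus one step of tolerance for clock skew), and the register stores nothing but the employee ID, the action and a timestamp. The site name, the employee IDs, the 60-second rotation period and the secret are all assumed values.

```python
"""Rotating QR token for clock-in/out (added example, not from the AEPD or the page's author)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Assumptions: a per-site secret kept on the clock-in server (never inside the QR
# itself), a 60-second rotation period, and one step of tolerance for clock skew.
STEP_SECONDS = 60
ALLOWED_DRIFT_STEPS = 1


def _token(secret: bytes, site_id: str, step: int) -> str:
    """HMAC-SHA256 over (site, time step); the QR carries only this short tag."""
    msg = f"{site_id}:{step}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def qr_payload(secret: bytes, site_id: str, now: float) -> str:
    """What the display at the entrance encodes into the QR code at time `now`."""
    step = int(now // STEP_SECONDS)
    return json.dumps({"site": site_id, "step": step, "tag": _token(secret, site_id, step)})


def verify_qr_payload(secret: bytes, payload: str, now: float) -> bool:
    """Accept the payload only if its tag matches and its step is current (+/- drift)."""
    try:
        data = json.loads(payload)
        site, step, tag = str(data["site"]), int(data["step"]), str(data["tag"])
    except (ValueError, KeyError, TypeError):
        return False
    current = int(now // STEP_SECONDS)
    if abs(current - step) > ALLOWED_DRIFT_STEPS:
        return False  # a screenshot of an earlier QR code is rejected here
    return hmac.compare_digest(tag, _token(secret, site, step))


@dataclass
class TimeRegister:
    """Daily record of start/end times keyed by employee ID, with no biometric data."""
    secret: bytes
    entries: list = field(default_factory=list)
    _open: dict = field(default_factory=dict)  # employee_id -> time of open clock-in

    def clock(self, employee_id: str, action: str, payload: str, now: float) -> bool:
        """Record a clock-in ('in') or clock-out ('out'); return False if rejected."""
        if action not in ("in", "out"):
            raise ValueError("action must be 'in' or 'out'")
        if not verify_qr_payload(self.secret, payload, now):
            return False
        if action == "in":
            if employee_id in self._open:
                return False  # already clocked in; no double start
            self._open[employee_id] = now
        else:
            if employee_id not in self._open:
                return False  # cannot clock out without a matching clock-in
            self._open.pop(employee_id)
        site = json.loads(payload)["site"]
        self.entries.append({"employee": employee_id, "action": action,
                             "site": site, "ts": int(now)})
        return True


if __name__ == "__main__":
    # Constructed demo values: a fixed timestamp and a throwaway secret.
    demo_secret = b"demo-secret-replace-me"
    t0 = 1_700_000_000.0
    reg = TimeRegister(demo_secret)
    code = qr_payload(demo_secret, "madrid-hq", t0)
    print(reg.clock("E1042", "in", code, t0 + 5))          # accepted
    print(reg.clock("E1042", "in", code, t0 + 10))         # rejected: double clock-in
    print(reg.clock("E1042", "out", code, t0 + 8 * 3600))  # rejected: QR long expired
    print(reg.entries)
```

The retention obligation mentioned above (four years) would then apply to `entries`; because the register holds only an employee identifier and timestamps, a breach of that store does not expose anything irrevocable, which is exactly the property a biometric template lacks.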
Summary
The use of biometric data to record working hours presents high risks to workers' rights and is generally considered disproportionate by the AEPD, given that less intrusive alternatives are available. As this data is considered special category data according to the GDPR, its processing is generally prohibited except in exceptional cases which, in this case, are difficult to substantiate. It is therefore recommended to discontinue the use of these systems in favour of alternative methods such as clocking-in apps, cards, QR codes or automatic records, which comply with the legislation and guarantee greater respect for the protection of personal data.
Expert legal advice on labour law and data protection
Our team of labour law and data protection lawyers and specialists is at your disposal to answer any questions you may have about the obligations of companies, both as employers and as data controllers. Don't hesitate to get in touch with us!