Does your company use fingerprints or facial recognition of your employees in order to register the moment they begin and end their working day? Or perhaps you have considered employing such a technique? We wouldn’t be surprised if you had, but the Spanish Data Protection Authority (AEPD) advises against it.
Companies in Spain must keep daily and digital records of the working day, recording the start and end times of the working day for all employees and keeping these records for 4 years. There are multiple ways to monitor the presence of workers, some of which make use of biometric data.
The General Data Protection Regulation (GDPR) defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.”
Some characteristics that often become biometric data when processed technologically in order to uniquely identify someone are:
A biometric system will record this type of data and use it to identify or authenticate the identity of individuals. Although there are certain advantages to recording the workday using such a system, such as accuracy, ease of use, speed and even security, since biometric data is difficult to falsify, these perceived advantages must be weighed against the rights of workers, especially with regard to the protection of their personal data.
Last year, the Spanish Data Protection Agency (AEPD) tightened its rules on clocking in/out systems which use biometric data. In fact, nowadays, it is almost impossible to prove that the use of biometric data to record working hours complies with data protection legislation.
Here's why.
According to the GDPR, biometric data is special category data, which means that its processing is generally prohibited unless certain exceptional circumstances apply, which include the explicit consent of the data subject and cases where the processing is necessary for the fulfilment of obligations in the field of employment law of the EU Member State and is provided for therein.
In a resolution handed down in June 2024, the Spanish Data Protection Agency (AEPD) stated that the processing of biometric data in the context of monitoring working hours carries a high risk to the rights and freedoms of employees, thus requiring a prior and valid Data Protection Impact Assessment (DPIA) to be carried out.
When carrying out the DPIA, among other considerations, you would have to demonstrate that the processing of biometric data is strictly necessary for and proportional to that specific purpose in question, i.e. that there is no other less intrusive form of processing which is capable of fulfilling the same purpose. However, in this case, this will be difficult to prove given that companies have been using other means of recording working hours for years.
If you were able to prove that the processing is necessary, you would then also have to prove that the processing is legitimate by citing one of the exceptional circumstances that would lift the general prohibition on the processing of biometric data. Currently, as there is no law which explicitly permits this type of processing, the only way to overcome the prohibition would be through the explicit consent of the employee, but, given the imbalance of power between the employee and the employer, consent would only be perceived as freely given if the employee were offered an equivalent and less intrusive data processing option for which he could opt instead of the processing of biometric data. However, if such an alternative were offered, this would basically mean that the processing of biometric data is not, in fact, necessary.
Careful, because this also applies to systems that use geolocation. The AEPD pointed out that it did not seem “necessary or proportional, given the balance of advantages and disadvantages, to use systems for recording working hours which are based on the processing of biometric and geolocation personal data, when there are other possible alternative methods of recording working hours that are just as effective, so it is difficult to see how this evaluation or triple test of proportionality set out in the DPIA could be satisfied”.
If your company uses a clocking in/out system based on biometric data, such as fingerprints, it is advisable to suspend its use and cease the processing of such data as soon as possible, opting instead for an alternative solution that complies with the current criteria of the AEPD.
Some examples of alternative systems for the registration of working hours are:
The use of biometric data to record working hours presents high risks to workers' rights and is generally considered disproportionate by the AEPD, given that less intrusive alternatives are available. As this data is considered special category data according to the GDPR, its processing is generally prohibited except in exceptional cases which, in this case, are difficult to substantiate. It is therefore recommended to discontinue the use of these systems in favour of alternative methods such as clocking-in apps, cards, QR codes or automatic records, which comply with the legislation and guarantee greater respect for the protection of personal data.
Our team of labour law and data protection lawyers and specialists is at your disposal to answer any questions you may have about the obligations of companies, both as employers and as data controllers. Don't hesitate to get in touch with us!