At the end of 2023, a change in criteria in European data protection regulators put companies and institutions on notice. The use of biometric data (those related to the human body, such as the face, iris or fingerprint) to carry out time control of workers became considered excessive, since they are considered “high risk”. The different organizations, therefore, had to stop using fingerprint reading or facial recognition systems for this purpose.
A year later, fines begin to hit those who haven’t transitioned. The Spanish Data Protection Agency (AEPD) has imposed a fine of 20,000 euros on the Notarial Association of Aragon for continuing to use a fingerprint reading system to carry out the signing, after a claim filed by one of its employees.
The College argued that the biometric system was necessary to “ensure and minimize security, objectivity and reliability risks in the time registration of its employees.” According to the agency, the previous system of manual paper registration was neither objective nor reliable. In addition, he argued that since the members of his management work in private notaries outside the College facilities, the reading of the fingerprint becomes especially necessary.
“In the case of the Notarial College, the circumstance arises that the implementation of the fingerprint reading system is especially justified because the members of the Board of Directors of the College, made up of nine Notaries, complete their work days, not at the College, but in their own Notaries located in any town of the Autonomous Community of Aragon, and therefore they cannot exercise on site the legal functions of labor control by not fulfilling their work day there,” he stated in his allegations.
This reason meant that the College had prioritized the fingerprint over other less intrusive systems, such as cards or codes, since they consider them less effective for the “univocal identification and authentication of users.” Taking into account the situation, they considered that the use of biometrics was justified, since “the right to labor control prevails over the right to data protection at all times.”
Prohibited data
An argument that the AEPD has decisively shot down. The privacy regulator has stressed to notaries that to restrict a fundamental right such as data protection it is necessary to evaluate “proportionality”, as settled in a ruling by the Constitutional Court in 2003. This is not only measured based on whether it achieves the proposed objective, but also “in the sense that there is no other more moderate measure to achieve such purpose with equal effectiveness.”
The AEPD recalls that biometric data, including fingerprints, are “special categories of personal data” that deserve an “especially high level of protection” due to the risks involved in falling into the hands of cybercriminals or being lost in a security breach. . Therefore, based on the new interpretation, its use is generally “prohibited.”
Only in certain exceptions, such as in areas of public health, general interest of citizens or protection of vital interests, could they lift this prohibition. Exceptions that must also be interpreted in a “restrictive” manner and do not fit with the arguments of notaries and their work in spaces outside the College of Aragon.
The regulator settles the resolution by highlighting that labor regulations do not require the use of biometric data to control the working day, that the College did not demonstrate that using the fingerprint of its workers was necessary or proportionate, and that other methods existed, such as various programs. digital, to carry out that mission. That is the system that the notaries also implemented when they learned they were being investigated by the AEPD, replacing the fingerprint reader.
Once the sanction was proposed, the Notarial College has chosen to accept the fine and take advantage of two 20% reductions to reduce its amount. One for assumption of responsibility and another for paying the penalty during the executive period, which finally left it at 12,000 euros. A sanction that puts on notice the rest of the companies and organizations that continue to use biometrics to control working hours or even to access their facilities, something that the AEPD also censored after its change in criteria in 2023.
#Fines #arrive #continuing #fingerprint #time #control
