The General Data Protection Regulation (GDPR) was approved in 2016, a regulation born with the aim of protecting and strengthening users’ private data in a world that is increasingly digital and increasingly prone to cyberattacks.
The GDPR applies to all aspects of our lives, and work is not excluded. For this reason, one of the most controversial aspects of recent years has to do with the way workers clock in and out of their work day.
There are many clock-in methods, and each company can choose the one that best suits its policy or preferences, but the company’s preference does not outweigh the integrity and privacy of the employee’s data, and an Alicante company has had to learn this the hard way.
The Spanish Data Protection Agency (AEPD) has imposed a fine of 220,000 euros on a company in Alicante for violating data protection regulations in its time control system. As detailed in the sanctioning file, one of the employees did not want to use the facial recognition system to clock in, so he requested a system less invasive of his privacy.
The company refused to do so and did not offer said employee any other alternative method of signing in. This led him to request from the company the data that was being collected and its use (a right that we all have as employees), but according to the victim, the company did not respond to his request either.
Finally, the worker decided to take his case to the AEPD, and during the inspection irregularities were detected in the way the company collected and used the personal data of its employees. The consent document for data processing was deficient, since it only mentioned the use of fingerprints to control the work day and did not offer options to refuse or revoke this consent.
Although in 2023 the company was acquired by a larger company and a change of this control system was recommended, it continued using facial recognition until May of that same year. The company argued that when it implemented the system in 2016, it complied with the regulations then in force, but the entry into force of the GDPR forced all companies to update, except in specific cases.
The AEPD concluded that the company had violated the regulations by using biometric data without adequate consent and without carrying out an impact assessment. For these reasons, it imposed a penalty of 220,000 euros.