The Spanish Data Protection Agency (AEPD) has imposed two fines totalling 220,000 euros on a company in Banyeres de Mariola (Alicante) for using facial recognition technology in its employee clocking-in system. An employee of Cartonajes Bañeres SA submitted a subject access request on August 29, 2022, and never received a formal response from the company. A month and a half later, the worker turned to the AEPD, complaining that “as an employee”, the company “obliges him to clock in at the entrance to his workplace with a facial recognition device, with no alternative to use another means.”
The device was a 3D facial recognition terminal that captured several images of the face and generated a biometric template using a mathematical algorithm. The biometric data was stored in a database of the time-and-attendance software hosted on a server at the company’s facilities.
In the copy of the consent form on the processing of employees’ personal data that the company provided to the AEPD, only the fingerprint was mentioned, for “control of compliance with the working day.” Furthermore, according to the proven facts section of the resolution, the document “does not have any section to select affirmative consent, or deny it, nor any option to revoke consent, nor ultimately any invitation to accept a processing operation.”
During an inspection visit, the AEPD confirmed that Cartonajes Bañeres SA had been acquired by the Saica Group on July 7, a month and a half before the worker’s access request concerning the facial recognition system.
After the integration of the Alicante subsidiary, the Saica Group’s Data Protection Committee analyzed the clocking-in system and recommended that it be replaced “immediately.” Despite this, “it is proven” that the company continued to use the facial biometric processing system until May 29, 2023. It then switched to a clocking-in system based on individual employee cards, the one used at the parent company’s other plants.
The AEPD verified during its inspection that the workers’ clocking-in records from before the change of system had been kept in a file, and that the stored “hashes” (the term the resolution uses for the biometric templates) had been destroyed.
Cartonajes Bañeres SA relied on the argument that the worker had given express consent to the processing of his data, including the biometric “fingerprint” for “control of compliance with the working day.” The company also claimed that the facial recognition system had been installed in 2016, when, in its view, Spanish and European data protection rules did not apply to it. The firm argued that a regulation “that was not applicable when the sanctioned events occurred” had been applied retroactively.
The AEPD resolution, on the contrary, notes that “the facts constituting the infringement and which have been proven have occurred” since the entry into force of the General Data Protection Regulation, a European regulation that is “fully applicable.”
The fined company also argued that the agency had acted disproportionately in setting the sanction by not applying any mitigating circumstance. The resolution, however, takes into account the “degree of intentionality, carelessness or negligence revealed by the conduct.”
New scenarios with “multiple risks”
The AEPD also argues that facial recognition processing with biometric capture and enrolment tools “presents high risks for fundamental rights and freedoms.”
“Before implementing a data processing project, as long as it is likely to pose a significant risk to the rights and freedoms of people, as is the case here, it is necessary to audit its operation, not in isolation but in the framework of the specific processing in which it is going to be used,” the resolution states. In any case, those responsible for the use of this technology must consider, from the outset, “less intrusive means to achieve their legitimate processing objective.”
Biometric processing, the AEPD recalls, “combines” technological products that evolve very quickly, “undoubtedly influencing the essence of processing operations, transferring exposure to multiple risks to new scenarios that require continuous re-evaluations to which organizations must respond at a technical and organizational level.”
The company, however, did not provide the Data Protection Impact Assessment (DPIA), the tool provided for by the European regulation, which “should have been carried out” before undertaking the processing it performed.
“The fact that the respondent considers that it should not carry out a DPIA,” the resolution concludes, “does not diminish the general obligation of those responsible to apply measures to adequately manage the risks to the rights and freedoms of the interested parties.”
A “context of power imbalance”
The AEPD also considers that the situation affected “all employees” (not just the worker who complained) and, in addition, that the breach of the “enforceable obligation” has continued since that obligation was introduced by the European regulation in May 2018. In short, it is an “infraction that persists over time.”
The resolution also highlights that the collection and processing of data takes place between the company and its workers, “which implies a context of power imbalance between the parties, associated with poor information on the processing of their data.” The AEPD recalls that the company told its employees that they had to “grant express consent for the processing of their data, including facial recognition, when they were given no other option.”
The resolution, published last Friday, becomes “executive” (final) once the one-month period to file an optional appeal for reconsideration has passed. The sanctioned company may file such an appeal for reconsideration before the director of the agency, or a contentious-administrative appeal before the National Court. The Saica Group, current owner of the sanctioned firm, says it will appeal the resolution.