Case: is it allowed to use fingerprints of employees?
A client of mine wanted to use fingerprint technology to identify its employees, instead of their current ID badges. Nowadays, it is becoming more and more common to use fingerprints for devices such as mobile telephones and laptops. But have you ever wondered whether it is allowed under the GDPR?
How to answer this question?
To check whether it is allowed to use fingerprints of employees, you have to answer some questions in a so-called Privacy Impact Assessment (PIA).
A PIA is a questionnaire that you fill in in case of a ‘high privacy risk’. Some ‘high privacy risks’ are mentioned in the GDPR. One example is if you want to use ‘special categories of data on a large scale’.
Fingerprints are biometric data, which is one of the special categories of personal data. Use on a ‘large scale’ means that you will use the fingerprints of many people, or very frequently. If employees have to check in and check out with fingerprints on a daily basis, you can be certain that a PIA is required.
Example PIA questions
Some example questions to answer in a PIA are:
- Why do you want to use fingerprints of employees?
- Is it really necessary?
- Is it possible to reach the same goal in another way?
- How do you secure the data?
- What are the risks for the employees?
- How can you lower or eliminate the risk?
In the PIA, you write down these answers and save the PIA, just in case the privacy authority (in the Netherlands: Autoriteit Persoonsgegevens) comes knocking on your door. Should they ever have a question about this, you should be able to provide your PIA immediately.
So, is it allowed to use fingerprints of employees?
Yes, but this depends on the purpose. In the Netherlands, there is a legal exception for using biometric data for security and authentication purposes. This means that fingerprints may only be used when the required level of security justifies the use of fingerprints. This can be the case for securing high-risk areas such as the IT server room, where very confidential and valuable trade secrets may be stored.
Although ID badges or access codes are more commonly used options, the downside is that badges, codes and passwords can be lost, stolen or easily used by others. So the level of security risk (what may happen if the ID badge is stolen?) may justify the use of fingerprints over the use of ID badges.
Do you need a PIA?
Filling in a PIA forces you to think about the purpose, the alternatives and the risks, so that you can lower the privacy risk.
There are many situations in which a PIA is required. The Dutch Privacy Authority published this list about when you need to fill in a PIA.
If you want to receive a free PIA template, or if you need help with your PIA, send me a direct message.
Check out the Privacy law page for more information about Privacy law services.
Disclaimer: The information in this blogpost contains the personal views of myself, is provided for general purposes only and does not replace legal advice. For specific cases or questions, always consult a lawyer.