ELZABURU

AEPD Guide on Presence Control Treatments through Biometric Systems.

The Spanish Agency for Data Protection (AEPD) published on November 24 its Guide on Presence Control Treatments through Biometric Systems. After several reports and guidelines from other supervisory authorities, the sector was waiting to see what the Agency's final criteria would be, since until now it had not issued such a complete opinion on this kind of processing. We are talking, specifically, about time control systems (clocking in) and access control through biometric identification (clocking in with a fingerprint, gaining access through facial recognition, etc.).

The truth is that, now that the AEPD's opinion is known, many would surely prefer that it had not commented on the matter. This guide is a missile to the waterline of biometric identification systems in general, and of presence and access controls in the workplace in particular. In it, the AEPD rectifies some of the criteria it had held until now and clarifies some of the essential requirements that the data processing must meet.

We could simplify a great deal and just say that, today, such activities cannot be carried out. But, even if only by a very narrow margin, that is not exactly the case, so below we set out the most relevant parts of this new guide from the Agency. We promise to focus on what is important and to explain it as simply as possible.

The General Data Protection Regulation (GDPR) generally prohibits the processing of special category data, which may be processed only exceptionally, when one of the cases that the Regulation itself provides for applies. Biometric data is special category data when it is used to “uniquely identify a natural person”. Because of this mathematical notion of “uniqueness” tied to the purpose of identification, it seems that the AEPD initially interpreted that biometric data would be special category data if used for identification purposes, but not if used in authentication systems. We will not delve further into this point, given that the European Data Protection Board has already clarified that, ultimately and put very simply, if an authentication process requires identification, or identification occurs at the same time, the biometric data is being used to identify a specific natural person, and that is what matters in concluding that special category data is being processed. This is one of the reconsiderations that the AEPD now makes.

Therefore, there is no longer any point in clinging to the idea that what takes place in a time control or an access control is authentication rather than identification, since it amounts to the same thing.

It is necessary, then, to see whether the prohibition on the processing of biometric data can be lifted under any of the exceptions contained in the GDPR. Of the cases in which the Regulation allows the processing of special category data, only the following two would fit the purposes discussed here:

  • If the employee's consent has been obtained, which must be informed and granted in an unequivocal, specific and free manner.
  • If it is necessary to fulfill obligations or exercise rights in the field of labor law and social security and social protection. Be careful: this is conditional on being authorized by a European or national law, or by a collective agreement, that establishes adequate guarantees for the rights and interests, in this case, of the employees.

Limitations

And this is where the report turns into such a horror movie that it makes “The Exorcist” or the entire “Saw” saga look tame. Why? Because in this new guide the AEPD almost closes the door on these two options:

  • Previously, it understood that this processing could be legitimized because there was a legal provision that provided for it: Art. 20.3 of the Workers' Statute for access control and Art. 34.9 for time control, presence control or clocking in, whatever we want to call it. Now, echoing the criteria of other data protection supervisory authorities, it rectifies and establishes that these articles are not sufficient, because they do not expressly mention the processing of biometric data and because they do not include the guarantees that must be applied to protect the privacy of employees.
  • It also indicates that consent cannot be a basis of legitimation for this processing either, since in an employer-employee relationship it must be assumed that the worker is not going to grant his or her consent freely, given the dominant position of the company.
  • Even if free consent could be given, this would imply that an alternative must be provided for those employees who do not consent to the processing of their biometric data. If that alternative is less invasive of workers' privacy, this means that the processing of biometric data is not essential and, therefore, by virtue of the principle of minimization of personal data (do not process data that is not strictly necessary), it is not proportionate and cannot be carried out.

Conclusion: It becomes extremely difficult, if not impossible, to have biometric identification systems for these purposes in the company.

Is there no solution? We greatly fear that, as long as there is no European or Spanish law that specifically regulates these controls using biometric data, the only way to process this type of data in the workplace is to negotiate it and expressly include it in a collective agreement, along with the guarantees that companies must implement when adopting these systems to safeguard the rights of their employees.

Furthermore, if, with a lot of luck, this first obstacle can be overcome, it would then be necessary to meet the rest of the requirements that the AEPD establishes in this guide. And be careful, because they are neither few nor easy to comply with, and because they extend to other possible processing of biometric data outside the work environment.

So, if by chance the legislator decides to regulate these biometric control systems, please do not skip the data protection impact assessment, which will later save companies some of the work needed to adopt these systems.

Ruth Benito Martin, Of Counsel at ELZABURU
