Register now! Employment Webinar “Tricky sickness issues” (17 June 2021)

Can you use fingerprint scans of employees?

Publication date: 12 December 2019
Fingerprint authorisation is increasingly being used by employers. However, fingerprints are biometric data and their use is in principle prohibited since the introduction of the General Data Protection Regulation. It is therefore important to give good reasons for this choice and to get the consent of the employees to use it.

vingerscan

Employers are continuously implementing new, more advanced security measures. For instance, more and more employers are using a fingerprint scanning authorisation system. Employees can access a computer, cash register or company premises only with their fingerprints. But is that allowed?

The Amsterdam District Court ruled that shoe shop Manfield may not oblige employees to use a fingerprint authorisation system. This is a violation of the General Data Protection Regulation (GDPR).

Fingerprint authorisation system

Employees of shoe shop Mansfield previously logged into the cash register with a personal numerical code. Mansfield substituted this numerical code by a fingerprint authorisation system: from then on, employees could only log into the cash register system with their fingerprints.

A Manfield employee refuses to use the new system. According to her, the system infringes her privacy rights. Manfield and the employee go to court: does the employee rightly refuse to give her fingerprint?

Manfield

According to Manfield, the fingerprint scan authorisation system is necessary to protect sensitive data accessible through the cash register system, such as financial information and personal data of employees and customers. The old system with the numerical code cannot protect these data sufficiently.

Manfield was also faced with several fraud cases where employees had stolen money from the cash register. With the old system, employees could easily enter the numerical code of another employee, which made it impossible for Manfield to trace back who had stolen the money. These practices are impossible with the new system.

GDPR

The employee invoked the GDPR. Fingerprints are so-called “biometric data” and they may not be processed. This is only allowed in exceptional cases, for instance, with the employee’s consent.

Biometric data may be processed if identification with these data is necessary for authentication or security purposes. This is the case, for example, when access must be limited to small group of authorised persons, as, for instance, in a nuclear power plant. It is also important that the processing is proportional.

Please note: Asking consent from your employees to use personal data such as fingerprints is often not enough. Even then you can act in violation of the GDPR. This consent must be given freely, whereas this freedom is often not assumed in employment relationships.

District Court

Manfield falls at the first hurdle. According to the Court, the prevention of fraud on the part of the company’s employees is not considered to be ‘necessary for authentication or security purposes’. In addition, the judge has doubts as to the proportionality of the use of a fingerprint for fighting this fraud.

The Court does not share Manfield’s view that fingerprint authorisation is necessary for the protection of sensitive data either. The Court is of the opinion that Manfield did not sufficiently investigate alternatives. Manfield should have weighed the pros and cons of different systems, on the grounds of which they could have substantiated their choice for fingerprint authorisation. However, there is no such substantiation.

The Court concludes that Manfield’s fingerprint authorisation system is in breach with the GDPR. Therefore, Manfield is not allowed to oblige employees to use this system.

Our advice

On the basis of the GDPR, it is not prohibited to use fingerprints, iris recognition and other biometric data. However, the ruling shows that you must carefully consider the privacy interests of your employees and all alternatives when you consider to introduce such security measures.

You will often have to perform a Data Protection Impact Assessment (DPIA). This is mandatory where the data processing is likely to pose a high privacy risk for employees. With a DPIA, you can identify these privacy risks and the potential measures to limit them in advance. We will be happy to perform this assessment for you.

Do you have a works council (OR)? Don’t forget that the OR has a right of consent when the privacy policy is adapted.

More information

Do you want to learn more about the GDPR? Are you looking for assistance with the ‘GDPR-proof’ processing of personal data or with the execution of a DPIA? Please contact us:

    Share on social media

    • IT and ICT
    • Employment law and dismissal

    Is your staff management ready for the GDPR?

    23 May 2018

    At the end of the week, on 25 May 2018, the General Data Protection Regulation (GDPR) comes into force. This does not just have consequences for your website or online shop but also for your staff management. Is it ready for the GDPR?

    read on
    • IT and ICT
    • Employment law and dismissal

    Sick employees and privacy

    16 October 2017

    When your employee is sick you, as an employer, are interested in what is going on and how long you will have to miss your employee. But what about the employee’s privacy? What are you allowed to ask – and what not?

    read on
    • Employment law and dismissal

    Dismissal of sick statutory director

    18 June 2021

    A sick employee may not be dismissed. However, an employee who knows of imminent dismissal, cannot avoid this by reporting sick. But when does the employee know that this is the case? This question was central to the court case concerning the dismissal of a CFO of Volksbank.

    read on
    • Expats
    • Employment law and dismissal

    17 June 2021: Employment Webinar “Tricky sickness issues”

    17 June 2021

    If your employee reports sick, this may raise many difficult questions. What are your reintegration obligations during the sick leave period? What are you allowed to record about your sick employee with regard to the privacy legislation? We answered these and other questions during a webinar. Watch the video!

    read on
    • Employment law and dismissal

    Be careful with the employer’s statement!

    14 June 2021

    Before obtaining a mortgage or rental contract, banks or landlords often ask for an employer’s statement. Such a statement can sometimes have unintended consequences for the employer. What do you need to be aware of?

    read on
    • Employment law and dismissal

    Statutory minimum wage as of 1 July 2021

    2 June 2021

    As of 1 July 2021, the statutory minimum wage and minimum youth wage will be increased. What are the new amounts of the minimum wage?

    read on
    • Fashion and luxury
    • Litigation

    The advantages of arbitration

    19 May 2021

    Proceedings do not always have to be in court. There are other ways to resolve legal disputes. An important and often also appealing alternative is arbitration. In particular if you are doing business internationally. What are the advantages of arbitration?

    read on
    • Works Council
    • Employment law and dismissal

    Works council

    4 May 2021

    Is there already a works council in your company? Are you a member of your company’s works council? What are the advantages of having a works council in your company? Jan Dop and Priscilla C.X. de Leede explain the role of the works council and give an overview of the works council’s most important rights.

    read on