Dutch Data Protection Authority Fines Company €725k for GDPR Breach

The Dutch Data Protection Authority has imposed a €725,000 (US$791,000) General Data Protection Regulation (GDPR) fine on a company for scanning its employees’ biometrics with a fingerprint time and attendance system.

The authority concluded that the company, which was not identified in the published findings, was unable to establish sound reasoning for using this fingerprint-scanning system and therefore should not have been using it.

In the ruling that was released to the public, the Dutch Data Protection Authority said that, in most cases, using biometric data to track employee activity is prohibited under GDPR. The exceptions are where explicit consent has been provided, or where extra security is necessary and normal measures are inadequate for achieving this purpose.

On the tracking of biometric data to monitor employee activity, the Dutch Data Protection Authority (AP) said that “this category of personal data is extra protected by law. If these data get into the wrong hands, this could potentially lead to irreparable damage. Such as blackmail or identity fraud,” in the words of AP Vice President Monique Verdier, per Google translation. “A fingerprint cannot be replaced, such as a password. If things go wrong, the impact can be huge and have a lifelong negative effect on someone.” The relationship between employers and employees also generally prevents legal consent, which “must be unambiguous, specific, informed and free.”

This is not the first time that an organisation has fallen foul of GDPR when it comes to using biometric data tracking. In 2019 the Swedish Data Protection Authority (DPA) fined the state authority in the Skelleftea region 200,000 Swedish Krona ($20,700) for trialing facial recognition on high-school students in Sweden to keep track of attendance without seeking the adequate permissions to do so. More recently, in March 2020, a school in Poland was penalized for attempting to do something similar.

Almost 12 months ago the French Data Protection Authority also set out a list of rules for biometric data tracking in relation to GDPR. The message is clear: to use this form of tracking, an explicit reason must be given and outright permission must be sought from the individuals who are being tracked. European Union Data Protection authorities are not allowing any leeway in relation to this.