On 23 November, the Spanish Data Protection Agency (AEPD) published new guidance on presence control processing using biometric systems. Although the AEPD's guides do not have the status of a regulation, they do establish the criteria its actions will follow when applying the GDPR. This guide changes the scenario, sets new limits, and establishes the measures necessary for such processing to comply with the GDPR.
Among these measures, the general principles of data minimisation and data protection by design and by default must be complied with. This means using equivalent alternative measures that are less intrusive and process as little additional data as possible.
Until now, the AEPD distinguished between biometric identification (one-to-many matching) and biometric verification/authentication (one-to-one matching), the latter not being considered a special category of data and, therefore, not banned by Article 9(1) of the GDPR.
However, the AEPD has changed its criterion and now considers that, for time and attendance control, the use of biometric technologies, whether for identification or for authentication, implies a high risk and involves, in both cases, the processing of special categories of data.
To lift the ban on processing special categories of data, one of the exceptions provided for in Article 9(2) of the GDPR would have to be met. Nevertheless, the AEPD warns that, in the processing of time and attendance control by means of biometric data, neither the data subject’s explicit consent nor the fulfilment of the data controller’s obligations would lift such a ban. The performance of a contract could not be used as a justification either, as this option is not included as an exception in the aforementioned article.
At the same time, it warns that no decisions may be taken without human intervention, based solely on automated processing, that produce legal effects on the data subject or similarly significantly affect him or her; and, if the biometric system is implemented with AI, the provisions of the future European Regulation on Artificial Intelligence will also have to be complied with.
In addition to complying with the measures mentioned above, before starting this processing it will be necessary, in any case, to carry out and successfully complete a Data Protection Impact Assessment, which certifies and evidences the suitability, necessity and proportionality of the processing.
Last but not least, measures should be applied in the practical implementation of the processing: informing data subjects, enabling revocation, making it impossible to use the data for another purpose, encrypting and protecting confidentiality, among others.
Many companies and administrations have already implemented control procedures in their facilities, both to record their employees’ working hours and for access control (for work or non-work purposes), using biometric systems (fingerprint or facial recognition). Given this new scenario, it is more than likely that they are in breach of the GDPR and may even be liable to be sanctioned by the AEPD.