According to the Personal Data Protection Authority (“DPA”), employers may not process employees’ biometric data to record working time. However, this does not mean that employers may not use such data for other purposes.

When can employees’ biometric data be processed?

According to GDPR rules, biometric data are personal data which result from a specific technical process, involving physical, physiological or behavioural characteristics, such as a facial image or dactyloscopic data of an individual, and allow or unequivocally confirm their identification.

According to Article 22^1b of the Labour Code, biometric data may be processed in the following situations:

1. When the employee consents to the processing of such data, but only when such data is conveyed at the employee’s initiative;
2. When providing the data is necessary to control access to particularly sensitive information, the disclosure of which may put the employer at risk or allow access to premises requiring special protection.

In practice, this means that, apart from situations where biometric data is processed for the purpose of providing access control, the use of an employee’s biometric data by the employer can only take place if the employee consents and the employee takes the initiative to provide such data. Currently, there are no DPA guidelines to assess when an employee can be said to take such an initiative. Nevertheless, there is no doubt that the Employer cannot use the employee’s biometric data to record working time, which DPA recalls in its communique.

What should be kept in mind ?

In practice, the key issue to bear in mind when considering the introduction of technology which uses biometric data is whether there are less intrusive means by which the data controller (employer) could achieve the processing purpose.

The DPA has already commented on the use of biometric data – although these comments did not concern employees, but school pupils  whose fingerprints were used to verify payment for school meals , these comments are universal. In its decision to impose a penalty on the school, the DPA stressed that there are other, less intrusive means of such verification and the way the data is used is not proportional to the purpose for which they are processed. The DPA stated that “given the uniqueness and constancy permanency of biometric data, which are unchangeable over time, biometric data should be used with caution and consideration. Biometric data is unique in the context of fundamental rights and freedoms and therefore requires exceptional protection. A possible leak of biometric data may result in a high risk of the rights and freedoms of individuals being infringed”.

The French and Swedish authorities have also made similar statements in their decisions on the use of facial recognition in schools.

However, employers should not forget that even if they use biometric data to control access to premises or sensitive information (i.e. for purposes explicitly stated in the provisions of the Labour Code), they are subject to a number of obligations under the GDPR according to which:

• the employer should carry out a data protection impact assessment, as regulated in Article 35 of the GDPR, in order to identify the risks of processing such data. Processing of biometric data for the sole purpose of identification of an individual or to control access is one of the types of processing operations covered by the list of operations which require such an assessment, published by the GDPR;
• only persons who have written authorisation from their employer to process such data (according to the GDPR, such an authorisation may be in an electronic form) and who have undertaken to keep the protected data confidential may be allowed to process biometric data;
• employers should regularly delete the biometric data of employees whose processing is no longer purposeful, e.g. employees who have changed jobs and no longer need access to premises secured by biometric data readers.

Karolina Romanowska