The Spanish Data Protection Agency (AEPD) has recently issued guidelines on the use of biometric systems for the daily record of employee working hours required by Spanish labour law.
In a drastic change of approach, the AEPD now considers that the use of biometric data for work hours logging is generally unlawful, even where data subjects have given consent and an alternative to the use of biometric data is made available.
These guidelines are particularly important for companies that use biometrics to keep records of working time under Spanish labour law, considering the AEPD's ramping up of enforcement. In this post we discuss some of the main aspects of the guidelines.
Biometric data in employment
In Spain, employers are legally required to record the working hours of their employees under the Workers' Statute. Biometric data is increasingly being used for this purpose.
Records of working hours can serve a number of purposes, such as time recording for employment monitoring and access control to certain premises.
This has led the AEPD to issue guidelines on how to process biometric data for work hours logging in compliance with GDPR requirements.
Lawfulness
According to the AEPD, the use of biometric technologies for work hours logging, whether for identification or for authentication purposes, entails high-risk processing of special categories of personal data.
Under Article 9 of the GDPR, the processing of special categories of data is prohibited unless an exception to that prohibition applies.
The AEPD sets out in its guidelines that, in most cases, there is no valid exception that allows biometric data processing for workday logging.
Consent of data subject
According to the AEPD, explicit consent of data subjects (Article 9(2)(a) GDPR) is not valid to lift the prohibition on processing special category data, given that:
- such consent cannot be considered freely given in light of the imbalance of power that generally exists between the data controller and the data processor, as occurs in the context of an employment relationship; and
- the "necessity test" (required under the GDPR for any high-risk processing) is not met, because there are alternatives to the processing of biometric data for work hours logging (e.g. using a card).
Unlike the AEPD, other regional data protection authorities in Spain (the Catalan Data Protection Authority (Autoridad Catalana de Protección de Datos) and the Andalusian Transparency and Data Protection Council (Consejo de Transparencia y Protección de Datos de Andalucía)) have generally considered that the consent of data subjects for these purposes is valid as long as an alternative is provided.
The AEPD, by contrast, considers that if such an alternative exists, the processing is not "necessary" and therefore the required "necessity test" is not met.
Legal obligation
As per the AEPD guidelines, current Spanish legislation contains no sufficiently specific authorisation to consider the processing of biometric data necessary for the purpose of workday logging.
This is because, as set out in the guidelines, for such processing to be based on a legal obligation (Article 9(2)(b) GDPR), there must be a law that specifically authorises the processing of biometric data for workday logging and, additionally, the processing must be necessary to comply with that law.
As discussed by the AEPD in its guidelines, the Workers' Statute in Spain establishes the obligation of companies to keep a workday log for their workers, but does not specify that the use of biometric data is allowed for this purpose.
Additional safeguards
The AEPD's guidelines set out that a data protection impact assessment (DPIA) must be carried out before any processing of biometric data for workday logging.
Further, according to the AEPD, a number of measures have to be established by design and by default in relation to such processing, including:
- Informing data subjects about the biometric processing and the high risks associated with it;
- Implementing technical measures to ensure it is impossible to use the biometric templates for any other purpose;
- Using encryption to protect the confidentiality, availability, and integrity of the biometric template; and
- Using specific technical measures to prevent the interconnection of biometric databases and the unverified disclosure of data.
Next Steps
Companies that keep records of working time should assess their GDPR compliance in light of these new AEPD guidelines.
If you would like to hear more about the use of biometric data for workday logging, reach out to us!