Processing biometric data for employee attendance tracking: the absence of an appropriate legal basis

 

With decision no. 16 of 2021 (“Decision”) concerning the Azienda sanitaria provinciale of Enna (a provincial health authority, “Azienda Sanitaria”) the Italian Supervisory Authority (“Authority”) provides interesting insights on legal bases to process biometric data for the purpose of recording employee attendance and more generally, in the area of labour law.

 

The processing of biometric data covered by the Decision

The Decision concerns data processing in the context of an attendance recording system used by the Azienda Sanitaria (“System”) which is capable of collecting the biometric data of employees. Specifically, it used their fingerprints in order to unambiguously ascertain their identity. The System – according to the statements made by the Azienda Sanitaria – would have ensured “greater technical reliability in verifying the identity of each employee”, also taking into account “the existence of decentralised facilities […] and the type of activity carried out (several operators work two and/or three shifts over 24 hours, sometimes also in hospital and territorial facilities) which entail considerable complexity in the management of employees”. The Azienda Sanitaria also argued that the System would “discourage absenteeism” and thus ensure the protection of the principle of sound administration.

From a technical point of view, an analysis of the Decision shows that the System adopted by the Azienda Sanitaria was based on a software capable of transforming the employee’s fingerprint into a biometric string which was then stored the employee’s badge in an encrypted form. Concretely, the verification of the employee’s identity took place by comparing the biometric string, stored inside the badge, with the fingerprint placed on the device before accessing the workplace. When the employee punched in, the terminal transmitted the employee’s ID number and the date and the time he/she clocked in.

After formally denying the processing of biometric data, due to the almost simultaneous deletion of the biometric string associated with the employee’s fingerprint – the Azienda Sanitaria argued that its processing was in line with the requirements of Law 56/2019. The Azienda Sanitaria also indicated the consent of the employee [1] and the performance of a task carried out in the public interest, also in light of the legitimate interest of the Azienda Sanitaria itself [2], as the legal bases for processing.

 

The outcome of the preliminary investigation and the position of the Authority

Having rejected the Azienda Sanitaria’s preliminary argument, according to which there was no processing of personal data [3], the Authority analysed the use of the System and ascertained that the conditions for the lawfulness of the processing of biometric data were not met, as explained below.

The Authority highlighted how EU Regulation 679/2016 (“GDPR”) and Legislative Decree 196/2003 (“Personal Data Protection Code”), amended by Legislative Decree 101/2018, strengthened the safeguards relating to the processing of biometric data, including them as special categories of personal data under Article 9 GDPR [4], thus subjecting them to the relevant strict processing regime. The Authority noted that in theory the processing, although normally prohibited by Art. 9(1) GDPR, could be permitted in the cases provided for by Article 9(2)(b) GDPR, which concerns the labour law context, and 9(2)(g) GDPR, which instead concerns processing carried out for reasons of substantial public interest.

With regard to Article 9(2)(b) GDPR, the processing could be allowed only “in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject”. Similarly, with reference to Article 9(2)(g) GDPR, the processing should find its basis in European or Member State law. Moreover, in the latter case, Article 2-sexies of the Personal Data Protection Code, implementing the provisions laid out in Article 9(2)(g) GDPR, by prescribing the requirements of (European or Member State) law at stake, establishes that this law should “specify, in addition to the reason of relevant public interest, […] the types of data, the operations that can be performed, the appropriate measures to protect the rights of data subjects”.

Both the Article 9(2)(b) and Article 9(2)(g) GDPR require the processing to be expressly allowed by a regulatory provision which should have the characteristics required by data protection law, also in terms of proportionality of the regulatory intervention with respect to the pursued purposes. As to this aspect, however, the Authority clarified in the Decision that, as things stand at present, no such provision exists and that, consequently, Articles 9(2)(b) and 9(2)(g) GDPR cannot feasibly justify the processing of employees’ biometric data for the purposes of attendance recording and, more generally, in the employment law context.

With exclusive reference to the public sector, it shall be noted that Article 2 of Law no. 56 of 19 June 2019, invoked by the Azienda Sanitaria, does not appear to be suitable for founding the lawfulness of the processing. This is because given that the regulatory process, essential to integrate the system of the legal bases of the processing required by the GDPR and the Personal Data Protection Code with regard to biometric data, has not been concluded. Indeed, the implementing regulation that should have contained specific guarantees to circumscribe and specify the scope of the rule as well as to regulate the main characteristics and methods of processing has not yet been adopted. Moreover, Law no. 56 of 19 June 2019 was repealed by Law 178/2020.

With respect to the legal bases invoked by the Azienda Sanitaria, the Authority contested the observations made by the Azienda Sanitaria to justify the use of employee consent.

In this sense, the Authority pointed out that the consent of employees does not normally constitute a valid legal basis given that the employee is a so-called “vulnerable” subject. This assumption is in line with the indications of the European Data Protection Board with respect to data processing at work, according to which “[…] It is unlikely that an employee would be able to respond freely to a request for consent from his/her employer … Therefore, the EDPB deems it problematic for employers to process personal data of current or future employees on the basis of consent as it is unlikely to be freely given. For the majority of such data processing at work, the lawful basis cannot and should not be the consent of the employees (Article 6(1)(a)) due to the nature of the relationship between employer and employee” [5].

Furthermore, the Authority ruled out the possibility of founding the processing on the legitimate interest of the Azienda Sanitaria, as such a basis is not expressly mentioned in Article 9(2) GDPR.

 

Conclusions

In the Decision, the Authority stated that in light of the current national legal framework, the Azienda Sanitaria had unlawfully processed the biometric data of employees, having acted in the absence of a suitable legal basis and, therefore, in breach of Articles 5(1)(a), 6 and 9 GDPR.

In light of what has been explained above and the recent Decision of the Authority, if an employer wishes to use biometric data to verify the presence of employees in the workplace, it may risk being sanctioned by the Authority for processing carried out in the absence of further regulatory measures.

 

References:

[1] Firstly, in fact, since “the processing [was] carried out directly and personally by the data subject […] by performing two material operations which are under his personal and exclusive control“, such simple actions could have been considered as a gesture “unequivocally expressive of a precise will of the employee to initiate and […] to consent to the processing of the data“, as per the Decision against Azienda sanitaria provinciale of Enna – 2021, January 14: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9542071, point 2.

[2] In particular, the Azienda Sanitaria claimed that “it is clear that the requirement prescribed by Article 6(e) of the Regulation is met and that the processing of the biomedical data in question is lawful [also in the light of] Article 6(f) of the Regulation“. Decision against Azienda sanitaria provinciale of Enna – 2021, January 14: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9542071, point 2.

[3] In the present case, it has been affirmed that even though the Azienda Sanitaria did not store the biometric data of the persons concerned on a centralised database, but only on portable devices equipped with adequate cryptographic security measures (badges with smart card functions), entrusted to the direct and exclusive availability of each data subject – the processing of biometric data still took place. As confirmed by the Azienda Sanitaria itself, in fact, such data “are found (albeit for a very short time) within” systems used by the employer for the detection of attendance and for the related purposes of management of the contractual relationship with its employees; this is true both in the registration phase (so-called enrolment) with the acquisition of the biometric characteristics (fingerprints) of the data subject (see also points 6.1 and 6.2 of Annex A to the Decision of the Authority of 2014, November 12, no. 513), and in the phase of biometric recognition, at the time of checking the attendance (see also point 6.3 of Annex A to the aforementioned Decision). – Decision against Azienda sanitaria provinciale of Enna – 2021, January 14: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9542071, point 3.1.

[4] Article 4(14) of the GDPR defines “biometric data” as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”.

[5] See the consolidated approach in the European Union, EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, p. 9 (https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf); Article 29 Working Party, Opinion 2/2017 on data processing at work, WP 249, p. 7 and 26 (https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=610169); Guidelines 05/2020 on consent under Regulation 2016/679 – WP 259- of 4 May 2020 (https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf); the normative provisions in Recital no. 43; Article 4(11), and Article 7(3) and Article 7(4) of the GDPR.