
Legal limits on the use of biometric data for labor registration, with Soraya San Segundo

This week we talked with Soraya San Segundo, Senior Data Protection Consultant at Datages Consulting, about the legal limits on the use of biometric data for labor registration following the GDPR regulatory update.

Welcome, Soraya. To begin the interview, tell us who you are and what you are passionate about.

I am a data protection consultant. In the workplace, one of the fields I enjoy is helping companies understand and comply with privacy regulations not merely as an obligation, but from the perspective of guaranteeing the viability of the company, ensuring that employees feel safe and respected in an increasingly digitized world.

I believe that a balance between technological innovation and respect for people's privacy is possible, and working in this field allows me to contribute to that balance.

Give us a brief introduction to biometric systems and data in workday registration: how have they been used so far?

Biometric data systems, such as facial recognition or fingerprint recognition, have traditionally been used for access control and time management in the workplace. These systems enable more accurate and secure recording of working hours, helping companies to comply with their legal obligations and efficiently manage the attendance of their staff.

And what has changed since the regulatory update and why?

Regulatory updates, such as GDPR, have introduced significant changes in the way biometric data can be used.

Prior to the guidance published by the AEPD on November 23, 2023, it was established that the consent of the data subjects could validate the use of biometric data. That included being able to use such a method for work time recording. However, the guidance issued by the AEPD makes it clear that there is no legal backing for this practice.

Even if employees give their consent, this is not sufficient to consider the processing of such data as lawful.

These restrictions are based on the principles of appropriateness, necessity and proportionality. In other words, it must be clearly demonstrated that the use of biometric data is absolutely necessary and proportionate to achieve the desired objective, and that less invasive alternatives do not exist. This clarification is crucial, as it highlights that consent alone is not sufficient to validate the use of biometric data, especially in a work environment where there is an imbalance between employee and employer.

In which cases is the use of biometric data considered legitimate?

First, one of the basic requirements is to conduct an Impact Assessment prior to using these data. This process carefully examines the potential risks and benefits associated with the processing of biometric data. However, it is important to note that this assessment alone does not guarantee the legitimacy of the processing.

In addition, it should be considered that the use of biometric data should be a last resort. This means that the company must clearly demonstrate that the use of this data is absolutely necessary and proportionate to achieve the desired purpose. In other words, there must be no less invasive alternatives available. This condition is fundamental to ensure that the processing of biometric data is conducted in an ethical and respectful manner towards employee privacy.

So, in what ways can workers clock in without companies being in breach of the regulations?

  • Identification cards
  • PIN codes
  • Mobile applications
  • Electronic signatures
  • Manual registration
  • Proximity cards
  • Voice recognition systems
  • Facial recognition systems without storage of biometric data

These are just a few of the alternative ways for employees to clock in that do not require the processing of biometric data and that companies can implement to comply with data protection regulations.

Finally, what penalties could companies face in the event of non-compliance with biometric data regulations?

Companies that fail to comply with the regulations on the processing of biometric data can face various sanctions, ranging from warnings and cease-and-desist orders to significant financial penalties. Although in the past the Spanish Data Protection Agency (AEPD) did not impose financial penalties for the use of these controls in the workplace, as we have been discussing, circumstances have changed.

Now, the AEPD could impose fines for failure to report on these systems, failure to carry out the corresponding impact assessment, or for disproportionate use of these controls. These fines have ranged from €5,000 to €200,000 in the past. However, the General Data Protection Regulation (GDPR) provides that non-compliance with the regulation can be penalized up to €20 million or 4% of the total annual global turnover of the previous financial year, whichever is higher.

It is important to note that the payment of the fine does not legitimize the processing of biometric data. In addition to administrative sanctions, companies may also face compensation claims from the affected workers, both in labor and civil law.

You can learn more in the guide on the use of biometric data for time and attendance and access control published by the Spanish Data Protection Agency (AEPD).


This Tuesday, April 23rd at 11:00h (Spanish time) we will talk with Soraya San Segundo about the use of biometric data for labor registration and more. Don't miss it!