Processing biometric data of employees: legal considerations under the GDPR

The processing of special categories of personal data - such as biometric data - requires careful attention to legal requirements set out in the GDPR. A recent decision by the Dispute Chamber of the Belgian Data Protection Authority highlights important aspects of the processing of this type of data in an employment context.

Processing of biometric data

Biometric data are personal data resulting from specific technical processing related to the physical, physiological, or behavioral characteristics of a natural person, allowing or confirming the unique identification of that individual, such as facial images or fingerprint data.

Under Article 9 of the GDPR, certain types of personal data are considered special categories. These include the processing of biometric data for the purpose of uniquely identifying a natural person. These special categories require enhanced protection due to their sensitive nature. The GDPR prohibits the processing of these data types unless one of the listed exceptions applies. These exceptions include for instance: explicit consent from the data subject, the protection of vital interests, the performance of obligations in the field of employment, social security, or social protection law., etc.

In its decision of 6 September 2024, the Dispute Chamber confirmed that when processing special categories of personal data, the controller must have both a legal basis and a ground for exception. In this case, employees' fingerprints were processed as part of a time registration system. This falls under Article 9 because it constitutes processing of biometric data for the purpose of uniquely identifying a natural person. Here is a brief summary of some of the key considerations and findings in this decision.

Explicit consent “unlikely” in employment context

The Dispute Chamber confirmed that it is highly unlikely that valid consent can be given for the processing of biometric data in the context of an employment relationship. The fact that no objections had been raised by any of the employees, does not prove that the consent was freely given.

This aligns with the interpretation of the EDPB as confirmed in earlier decisions of the DPA. This is due to the power imbalance between employer and employee, where employees may feel pressured to give their consent, undermining the requirement that consent be freely given under the GDPR. While the Dispute Chamber does not outright exclude consent in an employment relationship, it evaluates it strictly. Free consent would imply at least that an alternative solution should be offered to avoid negative consequences when an employee does not consent with the processing of their biometric data and that there is no pressure whatsoever on the employee to accept the biometric processing.

Apart from being freely given, to be valid, consent must also be given in an informed and unambiguous way. The decision under discussion highlights that in order to be informed, the data subject must receive the necessary information in a timely manner: a welcome brochure with limited information, followed by more detailed information later incorporated into the work rules, does not suffice to adequately inform the employee in a timely way. Therefore, no informed consent could have been given by the employee.

Additionally, the Dispute Chamber rejects the argument that signing to acknowledge receipt constitutes unambiguous consent. Moreover, the absence of requests from employees for an alternative method (in this case, for time registration) cannot be taken as evidence of unambiguous consent.

Other requirements

Using biometric data (for time registration) presents significant privacy risks. The Dispute Chamber determined that in this specific case 5 out of 9 criteria from Working Party 29 were met, indicating a high risk to individual rights. Consequently, a Data Protection Impact Assessment (DPIA) was mandatory, and the employer's failure to conduct one violated the GDPR. It is likely that other applications that use employee biometric data will also require a DPIA. This will need to be verified on a case-by-case basis.

It was also confirmed that the principles of purpose limitation and data minimisation apply to the processing of biometric data. By failing to clearly define the purpose in advance, the principle of purpose limitation was violated. Data minimisation requires verifying whether less intrusive alternatives could achieve the same objectives.

Right of access through a union secretary

The Dispute Chamber also takes a surprising position by ruling that responding to a request for access can be done orally in a meeting with a union secretary. Since the initiative for this meeting indirectly came in this case from the employee – through the union secretary – the Dispute Chamber ruled that the employer could reasonably assume that it was lawful to fulfil the access request orally during a meeting with the union secretary.

Key takeaways

Employers should exercise caution when handling biometric data of their employees. Employee consent is rarely valid as a legal ground. Additionally, the principles of purpose limitation and data minimization must be adhered to, and a Data Protection Impact Assessment (DPIA) will be required.