On April 28, 2020, the Dutch Supervisory Authority (“Dutch SA”) announced its decision to impose a fine of €725,000 on a company for unlawfully processing the biometric data of its employees.

In 2018, the company concerned installed an access and time management system that collected and processed biometric templates of employees’ fingerprints.  This initiative came about following indications of fraudulent use of the company’s existing badge-based time management system.  After installation, the company’s old system co-existed with the new system, and employees were free to choose the method by which to sign in to work.  One of the employees subsequently filed a complaint with the Dutch SA, which led to this investigation.

In its decision, the Dutch SA identified several violations of data protection law, in particular:

  • no evidence that employees explicitly and freely consented to having their fingerprints scanned;
  • insufficient information provided to employees about how their biometric data would be used; and
  • over-retention of ex-employees’ biometric templates, which were “blocked” in the system but not actually deleted.

The Dutch SA noted that, in the absence of valid consent (Art. 9(2)(a) GDPR), the processing of biometric data is permitted only when necessary for “authentication or security purposes” (Art. 29 of the Dutch Implementing Law).  In the matter at hand, the Dutch SA found that this was not the case.  According to the Dutch SA, the company’s use of biometric data was disproportionate to the aim pursued because the security risks were not particularly high in this case.  Moreover, less intrusive means could have been used to achieve the company’s objectives.

In light of the severity of the violation, its “long” duration (ten months) and the “high” number of individuals concerned (337), the Dutch SA decided to impose a significant fine.  In an effort to reduce the fine, the company argued that the encryption of the biometric templates and the ISO certification of the technology supplier (and its sub-processor) should count as mitigating factors.  In the end, the Dutch SA did not consider the company’s arguments sufficient to reduce the fine, which was calculated in accordance with the fining model the Dutch SA announced last year.