The Importance of Regulating Biometric Data

The use of biometric data, such as facial recognition, has become a common tool in various sectors, including the workplace. However, its implementation entails significant risks to privacy and other fundamental rights, requiring strict regulation. The Spanish Data Protection Agency, through a recent sanctioning resolution (File No. EXP202212247), has underscored the importance of adopting appropriate measures to ensure that the processing of this data complies with the General Data Protection Regulation.

The Importance of Regulating the Use of Biometric Data

Biometric data, defined in Article 4 of the GDPR, refers to personal information that allows for the unique identification of an individual, such as facial patterns, fingerprints, or iris recognition. Due to its unique and permanent nature, the processing of this data poses inherent risks, such as misuse, identity theft, or lack of control by the data subject.

Pillars of Regulation

  1. Data Protection Impact Assessment (DPIA): Article 35 of the GDPR establishes the obligation to conduct a DPIA when processing may entail significant risks to the rights and freedoms of individuals. This step is essential in systems that use facial recognition, as it allows risks to be identified, minimized, and managed before processing begins.
  2. Necessity and Proportionality: Any biometric system must be justified as necessary and proportional to the objective it pursues. In other words, it must be demonstrated that there is no less invasive alternative that can accomplish the same goal.
  3. Data Minimization: Only data strictly necessary for the stated purpose should be processed, avoiding the storage or processing of additional information.
  4. Transparency: Individuals must be fully informed about the processing of their biometric data, including the purpose, legal basis, and measures taken to protect their information.

The AEPD resolution highlights several shortcomings in the implementation of a facial recognition system used to monitor working hours. The most notable findings include:

  1. Absence of a DPIA: Although the system involved biometric data, no impact assessment was conducted to analyze the inherent risks and establish mitigation measures. This violates GDPR requirements and demonstrates a lack of due diligence in regulatory compliance management.
  2. Lack of less invasive alternatives: In analyzing the case, it was noted that other, less intrusive methods, such as card systems or manual timekeeping, could have been used, which would better respect workers' rights.
  3. Deficiencies in handling the exercise of rights: The resolution also found that data subjects' requests for access to their personal data were not adequately addressed, in violation of Article 15 of the GDPR.

Implications and Recommendations

The case underscores the importance of regulating and supervising the use of biometric data to ensure that fundamental rights are not violated. Some key recommendations include:

  • Implement regulatory compliance policies: It is critical that organizations take a proactive approach to ensuring compliance with the GDPR, from the design and implementation of systems to their ongoing use.
  • Prioritize transparency and information: People must be clearly informed about how their biometric data will be processed, enabling them to make informed decisions and exercise their rights.
  • Opt for less invasive methods whenever possible: Minimizing the impact on people's rights should be a priority criterion when selecting control and management systems.
  • Continuous risk monitoring: Biometric systems are evolving rapidly, necessitating periodic assessments to detect and mitigate potential new risks.

The regulation of biometric data is not only a legal obligation, but also a guarantee of the protection of fundamental rights. The recent AEPD resolution highlights the importance of handling this data with the utmost responsibility, prioritizing risk minimization and respect for privacy. Data controllers must understand that advanced technologies can only be successfully implemented when aligned with ethical and legal principles that place people at the center of decisions.
