Through the Royal Decree-Law 8/2019, of March 8, of urgent measures of social protection and the fight against job insecurity in the working day, the legislator imposed the legal obligation that companies had to record the working hours of their workers in order to fight against precariousness work and carrying out overtime without being paid.
One more obligation that means that companies have to internally implement mechanisms to clearly, concisely and without deception collect the different entry and exit shifts of their workers. Many business organizations have been using the conventional “signature sheet”, where the worker, individually or collectively, was included in it, and only had to add their signature. Well, this mechanism is no longer valid according to the Sentence, of February 15, 2022, of the Social Chamber of the National Court by which the registration of a company that made its workers sign on a piece of paper at the beginning of the day being a violable medium.
What role do companies have?
Now, companies have to incorporate other means and instruments to carry out said time control, without it being violable and complying with the characteristics of the legislation and the aforementioned ruling of the National Court. Many companies have begun to use certain biometric systems, especially through fingerprints, to record the working hours of their workers, but is the use of fingerprints to record working hours really legal? It is a question that has several answers. It should be remembered that in accordance with the provisions of article 9 of the General Data Protection Regulation 2016/679, the processing of biometric data involves the processing of special category data, information protected in a greater way due to the dangers and risks that it may pose. assume the fundamental rights and freedoms of the interested parties.
What should a company take into account to incorporate a biometric system in its organization? Mainly two fundamental principles; the principle of proportionality and minimum intervention. Two principles on which the Spanish Data Protection Agency has greatly insisted in recent months in numerous sanctioning procedures on the subject of this article. The legitimation for the processing of the fingerprint for the control of workers by the employer must be sought in articles 9 and 6 of the General Data Protection Regulation. The implementation and integration of a time control system based on fingerprint by a company must be informed to employees in a complete, clear and concise manner, always complying with the provisions of article 13 of the RGPD. The installation of a control system based on the collection and processing of employees' fingerprints implies the processing of their personal data since personal data is all information about an identified or identifiable natural person in accordance with article 4.1 of the RGPD. .
Where do we go to establish the data?
We have to go to Recitals 51 and 52 of the GDPR where the restrictive nature of special category data is established. Although they are considered sensitive data, their use for work purposes would be covered by article 9 of the RGPD. The processing would be lawful and would not require the consent of the workers, when the data processing is carried out for the fulfillment of contractual relations of an employment nature.
There is the possibility of using systems based on biometric data to carry out access and time control, although it does not seem that it is or should be the only system that can be used. There are other less invasive means such as: the use of personal cards, the use of personal codes, direct visualization of the marking point, application, etc., which can constitute, by themselves or in combination with one of the other available systems, equally effective measures to carry out control. Prior to the decision on the implementation of a control system through biometric data, an Impact Assessment related to Data Protection should be carried out to evaluate both the legitimacy of the processing and its proportionality and the determination of the existing risks and the measures to mitigate them in accordance with the provisions of article 35 GDPR.
Data protection before processing
In accordance with the provisions of Opinion 3/2012 of the Working Group of article 29, the treatment must also be adequate, relevant and not excessive in relation to said purpose. Therefore, biometric data that is not necessary for this purpose must be deleted and the creation of a biometric database will not always be justified.
In different resolutions of the Spanish Data Protection Agency, it is established that the need for data processing through fingerprint registration and proportionality must be proven to comply with the legal obligation of day registration. It is considered that there may be alternative systems that comply with the principles of proportionality, necessity and minimization in data processing. Companies and organizations that decide to opt for this system will need to demonstrate high levels of proactive responsibility and default design of Data Protection before processing, including being able to justify that the system used is necessary, provided in each specific context in which it is going to be implemented and prove that less intrusive technical measures do not exist or would not work.
According to Guide 3/2019 of the European Data Protection Committee, the use of biometric data and, in particular, facial recognition entails greater risks for the rights of the interested parties. It is essential that the use of such technologies takes place respecting the principles of legality, necessity, proportionality and data minimization established in the RGPD.
In short, it can be indicated that the Control Authorities, and especially the Spanish Data Protection Agency, prefer the use of other means, other than the biometric system, to record the working day. Proof of this are the different sanctioning procedures that have occurred throughout these months, such as: EXP202209921 (€12,000), PS/00050/2021 (€20,000), PS/00131/2020 (warning) or PS/00128 /2020 (warning).
Don't miss all the latest news on Data Protection & Regulatory Compliance from the best professionals in the sector in our Professional Master in Compliance & Data Protection Management
