Processing of biometric data by employer
1. Is it possible to process biometric data based on the employee's consent?
Depending on the circumstances, yes.
In relationships of strong dependency, the data subject's consent may typically not serve as a valid legal basis for data processing. Therefore, incorporating into an employment agreement or a collective bargaining agreement an obligation to provide biometric data cannot serve as a legal basis, and such data processing is not necessary for the performance of the employment agreement.
In exceptional cases, if the giving of consent can be rejected freely and without having to fear negative consequences, then the employee's consent may also serve as a valid legal basis for data processing.
Thus, if, for example, using the employee's biometric data (e.g. fingerprints) is only one of several alternatives for using the electronic workplace entry system, and the employee wishes to enter the workplace with his/her fingerprints instead of an electronic card, then the employee's explicit consent may serve as a valid legal basis for data processing.
2. Can there be another legal basis for the processing of biometric data?
Depending on the circumstances, yes.
According to the stance of the Hungarian Data Protection and Freedom of Information Authority, in the absence of the exceptional conditions mentioned above, the other legal bases named in Article 6 (1) of the GDPR may come into play, first of all Article 6 (1) f) (the legitimate interest of the employer), when it comes to the processing of biometric data at the workplace, depending on the circumstances. At the same time, the authority stresses that in the case of special categories of data, such as biometric data which make it possible to precisely identify someone, a legal basis as per Article 9 (2) of the GDPR must also be identified in addition to the general legal basis. In other words, the processing of biometric data may only be lawful if a proper legal basis named in each of Article 6 (1) and Article 9 (2) of the GDPR applies.
Clarifying the above is important also because, based on the GDPR and certain guidelines issued by the EU's Article 29 data protection working party ("WP29") (now referred to as the European Data Protection Board), one could conclude that in the case of special categories of data only the legal bases listed in Article 9 (2) may be used, and not those named in Article 6 (1), which would mean that the legitimate interest of the data controller may not be relied upon.
Specifically, the WP29 states the following in Section 4 of its guidelines on consent (WP259 rev.01):
"Article 9(2) does not recognize “necessary for the performance of a contract” as an exception to the general prohibition to process special categories of data. Therefore controllers and Member States that deal with this situation should explore the specific exceptions in Article 9(2) subparagraphs (b) to (j). Should none of the exceptions (b) to (j) apply, obtaining explicit consent in accordance with the conditions for valid consent in the GDPR remains the only possible lawful exception to process such data."
In the cited paragraph, the WP29 makes no mention of Article 6.
Furthermore, the below paragraph can be read in the Annex of WP29's guidelines on transparency (WP260 rev.01) in the row "The purposes and legal basis for the processing":
"In addition to setting out the purposes of the processing for which the personal data is intended, the relevant legal basis relied upon under Article 6 must be specified. In the case of special categories of personal data, the relevant provision of Article 9 (and where relevant, the applicable Union or Member State law under which the data is processed) should be specified."
The WP29 does not state in the cited paragraph that in case of special categories of data, a legal basis out of those specified in Article 6 (1) and also out of those named in Article 9 (2) has to be applied.
It is worth noting, however, that the WP29's guidelines on automated individual decision-making and profiling (WP251 rev.01) are worded in a fairly straightforward way in Section III.C, which states that:
"Controllers can only process special category personal data if they can meet one of the conditions set out in Article 9(2), as well as a condition from Article 6. This includes special category data derived or inferred from profiling activity."
It is worth emphasizing that the UK's data protection authority (ICO) shares the view of the Hungarian authority and of the paragraph cited above from the guidelines on automated individual decision-making and profiling.
It is, thus, important to note that when it comes to the processing of biometric data (and, for example, health and genetic data), a legal basis named in each of Article 6 (1) and Article 9 (2) must apply.
In case of using the legal basis named in Article 6 (1) f) (the legitimate interest of the data controller or a third party), the data controller is required to prepare a balancing test.
Zoltán Balázs Kovács, J.D. (LL.M.), Partner, Szecskay Attorneys at Law, Budapest, Hungary (zoltan.kovacs@szecskay.com)
The contents of this post are intended to provide only a general overview of the subject matter and do not qualify as legal advice.