Biometric clocking-in or access control involves a special category of processing whenever it uses a fingerprint, face or other trait to uniquely identify a person. The legal duty to record working time does not automatically authorise the use of biometrics. The employer needs a basis under Article 6, an exception under Article 9, must pass the necessity and proportionality tests, carry out a DPIA and demonstrate that less intrusive alternatives do not achieve the intended purpose.
What counts as biometric data
The GDPR defines biometric data as data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that person.
A photograph is not always biometric data; it becomes so when it is processed to identify someone unambiguously. A biometric template still counts as special category data even when it cannot be reversed into an image.
Time recording: the obligation and the method
The Workers' Statute (Estatuto de los Trabajadores) requires employers to record working time, but it does not impose the use of fingerprint or facial recognition. Alternatives such as a card, a PIN, a mobile app, a signature or organisational controls must be assessed.
The relevant question is not whether biometrics is convenient, but whether it is strictly necessary and proportionate compared with those alternatives.
A double legal basis
Processing biometric data for identification purposes requires two simultaneous legal grounds:
- a basis under Article 6 of the GDPR;
- an exception under Article 9(2) for processing special categories of data.
Consent in the employment context is usually problematic because of the imbalance between employer and employee, and because refusal must be genuinely free and cannot carry any consequences. The AEPD (Spanish DPA) applies a restrictive criterion in this area.
A general obligation to clock in does not, by itself, constitute a specific legal basis for processing biometric data.
Suitability, necessity and proportionality
Suitability
Does the system effectively record attendance?
Necessity
Is there an equally effective, less intrusive alternative?
Proportionality
Does the benefit obtained outweigh the impact, taking into account the risk of irreversibility and surveillance?
If any of these three tests fails, the biometric system should not be deployed.
Data protection impact assessment (DPIA)
AEPD guidance treats this processing as high risk and requires a prior data protection impact assessment. It must include:
- the purpose;
- the population affected;
- the technology used;
- the applicable basis and exception;
- the alternatives considered;
- the risks identified;
- the measures adopted;
- the residual risk;
- the consultation with the DPO;
- the final decision.
The DPIA is carried out before purchasing or deploying the system, not to justify a decision already made after the fact.
Identification versus verification
- 1:N identification: compares the biometric data against the entire database; it carries a higher risk.
- 1:1 verification: confirms the data against the reference linked to one specific person; it can reduce exposure.
Choosing the 1:1 model does not remove the special category status or the legal obligations, but it can be less intrusive.
Architecture and storage
If the processing were legitimate, priority should be given to:
- keeping the template under the control of the person or the device;
- decentralised storage;
- encryption;
- making reconstruction impossible;
- separating identifiers;
- controlled keys;
- minimal retention;
- verifiable deletion.
A central database of biometric templates considerably increases the impact of any incident.
Risks
- identity theft;
- theft of an irreversible template;
- use for a secondary purpose;
- surveillance;
- discrimination;
- false rejections;
- exclusion of certain individuals;
- reuse of the data;
- improper access by the provider;
- a mass breach.
A password can be changed; a biometric trait cannot, at least not easily.
What to check about the provider
It is advisable to check:
- the algorithm and its error rate;
- presentation attack and anti-spoofing mechanisms;
- storage;
- the template generated;
- key management;
- sub-processors;
- updates;
- the possibility of exporting data;
- deletion;
- incident management;
- international transfers.
A generic "GDPR compliant" claim should not be accepted as sufficient evidence.
Accuracy and discrimination
False acceptance and false rejection rates must be tested on a real population, under different conditions of light, humidity, age, disability or physical work.
An immediate operational alternative must exist for anyone unable to use the biometric system. That alternative must not stigmatise those who use it.
Information and rights
Employees must be informed of:
- the purpose;
- the basis and exception applied;
- the technology used;
- the data processed;
- the retention period;
- the provider;
- the rights available;
- the existing alternative;
- the DPO's contact details.
The right to object or to erasure may be limited depending on the basis applied, but a procedure for exercising it must exist in every case.
Retention
Biometric templates are deleted once the need that justified them, or the employment relationship, ends, unless a specific basis supports keeping them longer. Working-time records have their own retention period; the biometric template is not automatically kept for the same length of time.
Backups must include deletion or expiry mechanisms.
Security
- encryption;
- data separation;
- multi-factor authentication for administrators;
- activity logs;
- the principle of least privilege;
- periodic testing;
- patching;
- anti-spoofing measures;
- a breach response plan;
- a ban on reusing the data.
In the event of a security breach, the special impact of the biometric data affected and the possibility of revoking the compromised templates must be assessed.
Outsourcing and temporary work agencies
It must be clearly defined who is the controller among the company, the temporary work agency and the technology provider. The biometric database is not shared without justified need and without the corresponding agreement. The main company does not gain general access to that data merely for convenience.
Alternatives matrix
| Alternative | Intrusiveness | Risk of sharing | Cost |
|---|---|---|---|
| Card | Low | Can be lent | Low |
| PIN | Low | Can be shared | Low |
| App | Medium | Depends on the device | Medium |
| Supervisor | Variable | Human error | Medium |
| Biometrics | High | Hard to lend | High risk |
Occasional fraud does not automatically justify the use of biometrics: it must be quantified, and less intrusive controls must be tested first.
Decision plan
- Define the problem.
- Measure the actual fraud or risk.
- Assess the alternatives.
- Analyse the legal bases.
- Carry out the DPIA.
- Consult the DPO and employee representatives.
- Run a technical pilot if appropriate.
- Make the decision and review it periodically.
Common mistakes
- Confusing the duty to clock in with permission to use biometrics.
- Relying on employee consent.
- Buying the system before carrying out the DPIA.
- Not assessing alternatives.
- Centralising templates without need.
- Not testing false rejections.
- Keeping the data after the employee leaves.
- Not offering an alternative.
- Reusing the system for access control or productivity monitoring.
- Blindly trusting the provider.
Checklist
- Specific purpose defined.
- Bases under Articles 6 and 9 analysed.
- Alternatives assessed.
- Necessity and proportionality evaluated.
- DPIA carried out.
- DPO and employee representatives consulted.
- Minimum-exposure architecture applied.
- Accuracy and accessibility checked.
- Information and rights guaranteed.
- Deletion and breach-response procedure defined.
Frequently asked questions
Is all workplace biometrics illegal?
It cannot be stated in absolute terms, but the AEPD's criterion is very restrictive and requires a strict legal basis and a strict necessity test.
Is consent enough?
It is usually problematic in the employment context because of the imbalance between the parties, and it does not replace the requirement of necessity.
Does a non-reversible template stop being biometric data?
No. It remains biometric data if it is used to uniquely identify a person.
Must a DPIA always be carried out?
The AEPD treats this processing as high risk and requires a prior impact assessment.
Summum Consultoría can review the alternative chosen, the legal basis, the DPIA, the provider and the security measures your company needs.