Workplace Biometrics and GDPR: Limits and Alternatives

·

Biometric clocking-in or access control involves a special category of processing whenever it uses a fingerprint, face or other trait to uniquely identify a person. The legal duty to record working time does not automatically authorise the use of biometrics. The employer needs a basis under Article 6, an exception under Article 9, must pass the necessity and proportionality tests, carry out a DPIA and demonstrate that less intrusive alternatives do not achieve the intended purpose.

What counts as biometric data

The GDPR defines biometric data as data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that person.

A photograph is not always biometric data; it becomes so when it is processed to identify someone unambiguously. A biometric template still counts as special category data even when it cannot be reversed into an image.

Time recording: the obligation and the method

The Workers' Statute (Estatuto de los Trabajadores) requires employers to record working time, but it does not impose the use of fingerprint or facial recognition. Alternatives such as a card, a PIN, a mobile app, a signature or organisational controls must be assessed.

The relevant question is not whether biometrics is convenient, but whether it is strictly necessary and proportionate compared with those alternatives.

A double legal basis

Processing biometric data for identification purposes requires two simultaneous legal grounds:

  1. a basis under Article 6 of the GDPR;
  2. an exception under Article 9(2) for processing special categories of data.

Consent in the employment context is usually problematic because of the imbalance between employer and employee, and because refusal must be genuinely free and cannot carry any consequences. The AEPD (Spanish DPA) applies a restrictive criterion in this area.

A general obligation to clock in does not, by itself, constitute a specific legal basis for processing biometric data.

Suitability, necessity and proportionality

Suitability

Does the system effectively record attendance?

Necessity

Is there an equally effective, less intrusive alternative?

Proportionality

Does the benefit obtained outweigh the impact, taking into account the risk of irreversibility and surveillance?

If any of these three tests fails, the biometric system should not be deployed.

Data protection impact assessment (DPIA)

AEPD guidance treats this processing as high risk and requires a prior data protection impact assessment. It must include:

The DPIA is carried out before purchasing or deploying the system, not to justify a decision already made after the fact.

Identification versus verification

Choosing the 1:1 model does not remove the special category status or the legal obligations, but it can be less intrusive.

Architecture and storage

If the processing were legitimate, priority should be given to:

A central database of biometric templates considerably increases the impact of any incident.

Risks

A password can be changed; a biometric trait cannot, at least not easily.

What to check about the provider

It is advisable to check:

A generic "GDPR compliant" claim should not be accepted as sufficient evidence.

Accuracy and discrimination

False acceptance and false rejection rates must be tested on a real population, under different conditions of light, humidity, age, disability or physical work.

An immediate operational alternative must exist for anyone unable to use the biometric system. That alternative must not stigmatise those who use it.

Information and rights

Employees must be informed of:

The right to object or to erasure may be limited depending on the basis applied, but a procedure for exercising it must exist in every case.

Retention

Biometric templates are deleted once the need that justified them, or the employment relationship, ends, unless a specific basis supports keeping them longer. Working-time records have their own retention period; the biometric template is not automatically kept for the same length of time.

Backups must include deletion or expiry mechanisms.

Security

In the event of a security breach, the special impact of the biometric data affected and the possibility of revoking the compromised templates must be assessed.

Outsourcing and temporary work agencies

It must be clearly defined who is the controller among the company, the temporary work agency and the technology provider. The biometric database is not shared without justified need and without the corresponding agreement. The main company does not gain general access to that data merely for convenience.

Alternatives matrix

AlternativeIntrusivenessRisk of sharingCost
CardLowCan be lentLow
PINLowCan be sharedLow
AppMediumDepends on the deviceMedium
SupervisorVariableHuman errorMedium
BiometricsHighHard to lendHigh risk

Occasional fraud does not automatically justify the use of biometrics: it must be quantified, and less intrusive controls must be tested first.

Decision plan

  1. Define the problem.
  2. Measure the actual fraud or risk.
  3. Assess the alternatives.
  4. Analyse the legal bases.
  5. Carry out the DPIA.
  6. Consult the DPO and employee representatives.
  7. Run a technical pilot if appropriate.
  8. Make the decision and review it periodically.

Common mistakes

  1. Confusing the duty to clock in with permission to use biometrics.
  2. Relying on employee consent.
  3. Buying the system before carrying out the DPIA.
  4. Not assessing alternatives.
  5. Centralising templates without need.
  6. Not testing false rejections.
  7. Keeping the data after the employee leaves.
  8. Not offering an alternative.
  9. Reusing the system for access control or productivity monitoring.
  10. Blindly trusting the provider.

Checklist

Frequently asked questions

Is all workplace biometrics illegal?

It cannot be stated in absolute terms, but the AEPD's criterion is very restrictive and requires a strict legal basis and a strict necessity test.

Is consent enough?

It is usually problematic in the employment context because of the imbalance between the parties, and it does not replace the requirement of necessity.

Does a non-reversible template stop being biometric data?

No. It remains biometric data if it is used to uniquely identify a person.

Must a DPIA always be carried out?

The AEPD treats this processing as high risk and requires a prior impact assessment.

Summum Consultoría can review the alternative chosen, the legal basis, the DPIA, the provider and the security measures your company needs.