Recently, the Data State Inspectorate has been receiving more and more questions about the processing of biometric data (fingerprints and facial images) in the workplace, which demonstrates the increasing popularity of this technology and its spread in the business environment. As has been observed in practice, then the biggest “stumbling block ” for employers when introducing a biometric data processing system is not security, but how to process data lawfully?
1. It should be understood that if the desired purpose – e.g. the recording of working time or entry into the office – can be achieved with less interference with the employee’s privacy, then the use of biometric data can be considered excessive by the employer and does not comply with the requirements of laws and regulations. For example, using the same chip card can achieve these objectives without processing the employee’s biometric data. In order for the employer to comply with the requirements of the protection of the personal data of its subordinates and to respect the right to privacy of employees, it is necessary to clearly define why the processing of biometric data is therefore necessary. For example, if a company needs to increase the level of security and prevent unauthorised persons from entering the premises.
2. It should be remembered that biometric data are special categories of data, the processing of which is permissible for employers only in certain cases referred to in the Data Regulation.
3. Companies that intend to use fingerprints or face scans of their employees to enter the workplace could justify the processing of biometric data with their employees’ consent. It should be remembered that the employee’s consent must be freely given, specific and informed. There must be no negative consequences for the employee because he or she has not given his consent.