Company Fined 725,000€ for Collecting Employee’s Fingerprints

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, “Dutch DPA”) recently fined a company for violating the General Data Protection Regulation (GDPR) by collecting personal data using fingerprint systems.

Under the GDPR, ”biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data. The term ‘dactyloscopic data’ means fingerprint data.

The company collected personal data to track the attendance and working hours of employees. According to the law, it is prohibited to collect such data using fingerprints systems, unless the data subjects are correctly informed and give their consent in a clear and explicit manner, or for security purposes. The company could not prove either of these two, and therefore it has been sanctioned with a 725,000€ fine. The name of the organization was not officially published.  This is the first time a company obtained a court order to keep its identity secret after a GDPR sanction.  The company is currently appealing the fine.

Companies and all organizations must pay careful attention when handling and collecting personal data. It is a fundamental right of every employee to clearly know how and for what purpose their data will be used.

Biometric data is categorized as sensitive data. The vice-chairman and member of the board of the Dutch Data Protection Authority (AP), Monique Verdier, pointed out in a very explicit way: ”this category of personal data is extra protected by law. If these data get into the wrong hands, this could potentially lead to irreparable damage. Such as blackmail or identity fraud. A fingerprint cannot be replaced, such as a password. If things go wrong, the impact can be huge and can have a lifelong negative effect on someone. ”

Need more information of how GDPR is applied? Check Sovy’s Knowledge portal to find out more.  For simple and affordable solutions that help you get compliant and stay compliant with data privacy regulations, visit Sovy