The Court of Amsterdam (‘the Court’) issued, on 15 August 2019, its decision (‘the Decision’) on Case 7728204 CV VERZ 19-9686, in which it upheld the choice of an employee of Manfield Schoenen BV, a retail company, who refused to provide their fingerprint for a newly introduced system of finger scan authorisation for cash registers. The Decision highlights that Article 29 of the Act Implementing the GDPR (‘UAVG’) allows the processing of biometric data, such as fingerprints, for the purpose of unique identification if this is necessary for authentication or security purposes. The Decision also notes that the processing of such biometric data is forbidden under Article 9(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).
Berend van der Eijk, Associate at Bird & Bird, told OneTrust DataGuidance, “There are two important factors that made the Court rule in favour of the employee. To start, the threshold for the use of fingerprints is high: biometric data cannot be used, unless a specific exemption applies. This high threshold in turn also puts more weight on the necessity and proportionality test the employer has to make. This did not go well for Manfield in the ruling as the Court was of the opinion that other, less invasive, solutions were not sufficiently explored, and that Manfield did not take any other measures in light of the security purposes the biometric system aimed to serve. [As illustrated by the legislative history] a local garage is not likely to be able to rely on this exemption for access to the garage by employees, but a nuclear plant might be able to use the exemption to secure its premises.”
Further to the above, Manfield argued that numerical codes were replaced by fingerprint scans as a security measure to protect the financial, employee and customer data visible on the system from being accessed remotely or by a third party who had witnessed a code being entered, in accordance with Article 24 of the GDPR. The Court noted that a fingerprint scan authorisation system constituted a disproportionate measure for the security level required at Manfield’s retail stores, and was, as a result, an unjustified violation of the employees’ privacy. In addition, the introduction of the biometric scanning system was not communicated to employees prior to its implementation.
Van der Eijk added, “Manfield showed little evidence to the Court that it explored any other measures for the purposes (security) it tried to achieve. The number one lesson here is to perform data protection impact assessments (‘DPIAs’) for the implementation of such measures/data processing operations. This applies to the use of fingerprints, but also to the installation of CCTV systems and analytic tools [among other things]. Doing such assessments forces companies to articulate why certain measures need to be implemented, which helps tailor the solution to the purposes and convinces stakeholders (including employees) that the solution is indeed needed. If such an assessment is properly done, companies may still have good reason to process sensitive data such as fingerprints.”
Moreover, the Court highlighted that the increased use of finger scans in recent years is not a valid justification for the implementation of such a system. The Court decided that Manfield may not impose the obligation to supply the required biometric data for the finger scan authorisation system.
Van der Eijk noted that, “It is true that fingerprints and biometrics have been used more frequently in recent years. What makes it more difficult here, however, is that this is a trend that predates the UAVG. Companies had, in the past, already made the decision to use biometric identifiers, but […] with the introduction of the GDPR and UAVG last year, such use was much more restricted [and] not allowed unless exempted and only for security and authentication purposes. In other words, the law suddenly became stricter for existing applications and uses, which was something not every company had (or has) identified, especially in light of many more pressing GDPR matters during the coming into force of the GDPR and the UAVG.”
AMELIA WILLIAMS Privacy Analyst