Spain: AEPD fines Daviser Servicios €20,000 for unlawful use of fingerprints
The Spanish data protection authority ('AEPD') published, on 30 November 2021, its resolution in proceeding PS/00010/2021, in which it imposed a fine of €20,000 on Daviser Servicios, SL, for violating Article 5(1)(c) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') through the unlawful use of fingerprints at the changing rooms and toilets.
Background to the case
In particular, the decision states that the AEPD's investigation was initiated following a claim made by the claimant against Daviser Servicios, on 25 November 2019, for the installation of fingerprint reading and an operator for the entrance and exit accesses. Furthermore, the decision states that the claim also concerns the installation of fingerprint readers and an operator for the access doors to the changing rooms, which have access to toilets. The decision notes that images are taken with the use of a video surveillance system focused on the access door to the toilet.
Findings of the AEPD
The AEPD noted that the information obtained from the fingerprints constitutes special categories of data, as it is defined as biometric data pursuant to Article 4(14) of the GDPR.
Moreover, the AEPD emphasised that the use of fingerprints to access changing rooms and toilets violated Article 5(1)(c) of the GDPR, as the purpose intended by the entity can be achieved by other means. Furthermore, the AEPD highlighted that the use of fingerprints to access changing rooms and toilets produced an unjustified interference with the rights and freedoms of employees, repeatedly and continuously.
In finding the offence to be very serious in nature, the AEPD considered, amongst others, that the sanction imposed should be based on the following aggravating factors:
- the nature, severity, and duration of the infringement, considering the effects that the treatment continuously produces on the privacy of the affected personnel;
- the entity did not take into account additional elements of compliance, and its actions displayed a clear and serious lack of diligence; and
- some of the data in question was of a special nature.
In addition, the AEPD considered the fact that the entity's corporate purpose is not to process personal data as a mitigating factor.
Finally, the AEPD stated that the offence was serious, and that it therefore deemed it appropriate to impose upon the defendant a penalty of €20,000, for violating Article 5(1)(c) of the GDPR.
You can read the decision, only available in Spanish, here.