The Spanish Data Protection Authority (AEPD) has issued a set of guidelines on the use of biometric systems for access and employee attendance control defining the criteria for using these systems (and the measures to be considered in the context of these processing activities) in compliance with the General Data Protection Regulation (GDPR).

Cleaning Up the Stage

The AEPD begins its analysis by clarifying some concepts and adopting a new approach to the nature of biometric data processed to verify the identity of the data subject.

First, regarding the notion of biometric data, the AEPD clarifies that information about human biometric characteristics stored in the form of a pattern constitutes biometric data. Therefore, a biometric pattern for identification or authentication purposes is considered personal data per se, and as a unique identifier.

Second, in relation to identification and authentication, the AEPD defines identification as the process of recognizing a particular individual within a group by comparing the data of the individual to be identified, with the data of everyone in a group (one-to-many) and defines authentication as the process of proving that the claimed identity of an individual is true by comparing the individual’s data only with the data associated with that claimed identity (one-to-one).

After this, the AEPD, which traditionally interpreted biometric authentication as not involving the processing of special categories of personal data, since it does not aim to identify a person but to verify its identity, following the EDPS’s Guidelines 05/2022 on the use of facial recognition in the area of law enforcement, adopts a new approach and establishes that both techniques involve data intended to identify a natural person and, more specifically, that imply the processing of special categories of data.

Consequently, the AEPD’s sets a new position, which is that both processes fall under the general prohibition set out in Article 9(1) GDPR (which prohibits the processing of special categories of personal data except in the certain circumstances listed in Article 9(2)).

Drawing Conclusions

Once it has set the rules, the AEPD analyzes whether the processing of biometrics for working time registration and access control could benefit from any of the circumstances contained in Article 9(2) GDPR and, although not explicitly, virtually bans the use of this kind of data for said purposes.

The AEPD clarifies that:

1. Since current Spanish law does not contain a sufficiently specific authorization to consider the processing of biometric data necessary for the purpose of monitoring working time, applying Article 9(2)(b) GDPR (…processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment…) is not possible.
2. Since there are alternatives to the processing of biometric data that achieve the same purpose but pose less risk to the data subject, they cannot be considered as equivalent alternatives and, therefore, the imbalance of power between employee and employer is not remedied, which excludes the applicability of Article 9(1)(b) (…the data subject has given explicit consent to the processing…).
3. High-risk processing activities [such as those involving the processing of special categories of personal data and vulnerable groups, for instance, employees] must pass a Privacy Impact Assessment (PIA) and,consequently, the successful completion of a triple analysis on the suitability, necessity and proportionality of the processing. In this context, while it recognizes that the European Court of Human Rights (Handyside v. UK, Case No. 5493/72, 7 December 1976) has established that “necessary” is not synonymous with “indispensable,” it also finds that the necessity test cannot be passed if there are equivalent options to biometric processing. Concerning the proportionality test, the AEPD also clarifies that, according to the Art. 29 Working Party Opinion 3/2012 on developments in biometric technologies, if the benefit resulting from it is relatively small (such as an increase in convenience or a small cost saving), the loss of privacy is not proportionate to the expected benefit of the processing (page 8).

The only open door to this processing is the fact that the AEPD concludes its analysis by listing a series of measures aimed at guaranteeing the rights of data subjects and minimizing the risks of data processing, should the need arise, and the processing be carried out, which implies that it does not completely rule out the lawfulness of these types of processing activities. These measures include, among others, the provision of adequate information to the data subject, the possibility of withdrawing the link between the biometric pattern and the identity of the natural person, the use of encryption techniques and the implementation of automated data deletion mechanisms.

Is The EU Moving Toward a Prohibitionist Model?

While just a few years ago, EU DPAs, including the very same AEPD or CNIL (see its Model Regulation, published in 2019), seemed to accept that the use of biometrics in the workplace may be feasible under certain circumstances, the truth is that the AEPD is not alone in its restrictive stance, but rather is following the path already travelled by the Belgian DPA (APDD) and Italian DPA (GPDP), which, in 2021 (APDD’s Recommendation/GPDP decision), well before the EDPB issued its guidance on the use of facial recognition in law enforcement, took the approach that employee consent is not an option and that current employment laws do not provide grounds to rely on the public interest or compliance with the law to deem these types of processing activities lawful.

Is There a Glimmer of Hope for Biometric Processing in the Workplace?

Although companies using these systems must carefully analyze the situation on a case-by-case basis, this restrictive approach could still be argued.

• First, in principle, consent should not be automatically excluded simply because the data subject is an employee. If an alternative to consent exists, i.e., in our case, if data subjects are offered a choice that allows them to avoid the processing of biometric data without being subject to retaliation (in particular, if the purpose of the processing is merely access control), and regardless of the risk of the consented processing, explicit consent may override the general prohibition contained in Article 9(1) GDPR. Moreover, despite the position of the AEPD, in our view, the assessment of the lawfulness of the processing (see below) and the validity of the consent are not exclusive matters.
• Second, the existence of alternatives to biometrics for working time registration and access control does not necessarily mean that these alternatives achieve the same results, and that the necessity and proportionality tests in the context of a PIA cannot be passed. In fact, it could be stated that the use of biometrics provides a level of data security that is difficult to achieve with alternative means. For example, the common alternative, badges, can be shared with third parties, especially in remote working scenarios where the employee is working from outside the workplace. In summary, biometric processing offers benefits that other alternatives do not and, therefore, in our view, cannot be ruled out in all scenarios automatically.