PUODO penalty for the school for processing students biometric data

The President of the Office for Personal Data Protection has issued another decision imposing a financial penalty for non-compliance with the rules of the GDPR – PLN 20 000 will have to be paid by the school which identified the students using the canteen with the use of fingerprints. The school argued that in fact it did not collect personal data because the fingerprint was recorded by the system in the form of a sequence of bytes, and it had the consent of the students parents to process the data.

If you use biometric readers (fingerprint scan, retina scan), the PUODO decision can help you verify that you are doing so legally.

Do I have a legal basis for processing biometric data?

A fingerprint or a retinal scan is the so-called „fingerprint” the sensitive data referred to in Article 9 § 1 GDPR. Such data are subject to special protection – as a general rule, they should not be processed unless one of the exclusionary circumstances indicated in this provision applies. Such circumstances are, among others:

1. to obtain explicit consent from the data subject for processing such data for a specific purpose,
2. the necessity of the processing for the fulfilment of the obligations and specific rights of the controller or of the data subject in the field of labour, social security and social protection law,
3. prior publication of the data by the data subject,
4. the prior publication of the data by the data subject,
5. the necessity of the processing for the establishment, assertion or defence of claims or in the course of the exercise of justice by the courts,
6. the need for processing for the purposes of health prevention or occupational medicine, for assessing the worker’s fitness for work, for a medical diagnosis, for the provision of health care or social security.

It is worth noting that among the prerequisites for biometric data processing there is no equivalent to Art. 6 (1) lit. b GDPR – so you cannot justify fingerprint processing by simply having to perform the contract.

According to the PUODO, the school penalised identified its data processing basis incorrectly, because it had other bases for processing pupils data.

Can I process biometric data on the basis of consent?

While consent is one of the prerequisites for the processing of biometric data, it should be approached with great care. Firstly, consent to the processing of personal data may be collected if the controller has no other legal basis for processing the data. Secondly, the condition for consent to be considered properly granted is that it is voluntary and concrete. Voluntary nature will not be maintained if there is an inequality of strength between the controller and the data subjects.

The refusal to grant consent may not cause negative consequences – including the refusal to provide the service. Moreover, it should be remembered that consent can be revoked at any time, which will require the cessation of data processing.

The school, on which the penalty was imposed, admittedly collected permissions from students’; parents to process the data, but their validity was questioned by PUODO. Apart from doubts as to the legal basis of data processing, the President of the UODO decided that the lack of consent negatively affected the situation of students who were admitted to the canteen last.

Will I be able to demonstrate the necessity of biometric data processing for my purposes?

In accordance with the principle of minimisation, the controller should process only those data which are necessary to achieve the stated purpose. When deciding on access control by means of biometrics, it is therefore necessary to examine whether the same purpose, for example Protection against unauthorized access to the building cannot be provided in any other way – by means of an entry card, control by building security etc.

For the purpose of implementing the accountability principle, document the performance of such an analysis. It should also be borne in mind that processing of biometric data to identify individuals may require a data protection impact assessment.

In the punished school, students also used other verification options that did not require biometric data processing. Fingerprinting was not necessary to verify pupils entitled to use the canteen. The school may have chosen solutions that interfere less with the students’ privacy in order to achieve the same goal (probably also at a much lower cost).

Can I introduce fingerprint access control at the workplace?

If you are processing staff biometric data, please pay attention to Article 22^1b § 2 of the Labour Code, according to which the processing of an employee’s biometric data is permitted if the provision of such data is necessary to control access to particularly important information, the disclosure of which may expose the employer to harm, or access to premises requiring special protection. It is therefore permissible to enter access to a fingerprint, e. g. to a server room or a room with special relevant documents or valuable equipment. In such a case, you should not collect from your employees’; consent to the processing of personal data.

When deciding on such an inspection, remember that as an employer you will be required to demonstrate that it was reasonable to introduce it in the area and that it was not possible to provide the required level of safety with less intrusive methods.

NOTE! Do not use fingerprint or retina scan to control employees working time – PODO has clearly indicated that such action is prohibited, even if employees agree to this form of control.