Lawful control of employee’s presence using digital finger-prints.
The GDPR allows for biometric data appeals in some cases.
The decree of 15 October 2018 no. 25686 of the Court of Cassation, has confirmed the legitimacy of the order which the Guarantor of Privacy, on the 11th of November in 2012, imposed the financial sanction on a company that had implemented a badge based on biometric data (digital finger-prints converted into algorithms), which allowed for the re-entry of a worker that had gained access to an office building. The Supreme Court had not, in fact, appealed the legitimacy in itself of the processing of an employee’s biometric data, recognising it as carried out “in implementation of the declared aims and legitimate in itself to control their presence”. However, they criticised that the employer hadn’t notified the Guarantor prior, in accordance with the provisions of Article 37 Legislative Decree no.196 of 2003.
However, it is seen that the mentioned Article 37 has been annulled by the Article 27, clause 1 (a), no.2, Legislative Decree of August 10th, 2018, no. 101. That is, the legislative decree of the realization of EU Regulation 679/2016: the so-called General Data Protection Regulation, abbreviated as GDPR. The decision made by the Supreme Court was therefore unfavourable for the company only for the relation to the sanction of six years ago (11-11-2012).
The current legislation on privacy (see. Article 9 of the GDPR), regards the processing of “biometric data understood to identify a human being in a unique way” as unfavourable, it has nonetheless been allowed in some cases a) the presence of an agreement between the parties with approval of the party concerned in the mentioned data processing; b) the necessity to protect a vital interest of the concerned party or another person that finds themselves in a situation of incapacity, physical or legal, to explicitly provide approval of the processing in question; c) to ascertain or enforce a right, in court or in an out-of-court environment; d) for motives of particular public interest and for the purpose of protection of health; e) regarding work and social security relationships.
The GDPR, with regards to work relationships, does not prohibit the appeal of biometric data, as long as the data processing in question is legal in accordance with the provisions of the first clause (f) of Article 6 of the GDPR that reconnects it to the fulfilment of a legal interest.
In the present case, the legal interest subsists and is correlated to the recording of the employee’s accesses and presence. To this, pursuant to the second clause of Article 4 of legislation 300/70, as revised in legislative decree 151/2015, it is not applicable in itself nor in the provision of the previous mentioned article’s first clause, which implies the jurisdiction of the union agreement or of an administrative authorisation of the Labour Inspector.
However, it is observed for completeness sake, that if the badge in use, for its technical characteristics, is adequate not only to record the entrances and the exits of the company, but also breaks, authorisations and pauses (possibly comparing immediacy of the data of all employees), would be like a control distance function for the employee’s compliance with work timetables and accuracy of work carried out. In such a case, a prior union agreement or alternatively an administrative one would then be necessary as provided in Article 4 cit. (see Cassation 17531/2017; Cassation 9904/2016; Cassation 2531/2016).
Regarding employment relationship, the appeal of biometric data processing is possible, with or without the union agreement or the alternative administrative authorisation. However, carrying out the overall impact assessment is advisable as provided in the first clause of the seventh provision in Article 35 of GDPR when a certain data processing, which involves the use of modern technology, can “present an elevated risk for the right and liberties of the people themselves”. Said impact assessment consists of a description of the data processing carried out, of its purposes, of risks for privacy and the measures put in place for absorbing said risks. (LC)
