An appellate labour court in Germany rendered a decision on 4 June 2020, stating that a biometric time recording system in the employment context is, as a rule, not lawful.
This decision is in line with earlier EU member states’ practice. There is an emerging consensus that processing of biometric data is impermissible except in the rare situations in which there are no other, less intrusive means to achieve the same purpose and the interest of the controller outweighs data subjects’ rights. The stance is firm because processing of biometric data is particularly risky considering the potential for fraud and theft (both identity and financial) and the impossibility of changing or “resetting” the data. Employers should take due note of the unwillingness of the courts and supervisory authorities to condone the processing of fingerprints as a means of recording working hours.
Facts of the case and the procedural history
The claimant is an employee in a radiology practice (“Company”). The Company previously used a system for recording working time based on paper forms, which the employees filled out each time they arrived at and left the office. However, in July 2018 the Company decided to implement a new system called Zeus, together with terminal “IT 8200 FP”. The system uses employees’ minutiae (endings and branchings of the papillary ridges of a human fingerprint) for their identification and recording of working time.
The employee refused to have his fingerprints scanned as a means of recording working hours. He continued to enter his working hours in paper form. The Company issued two warnings to the employee, the second one stating that the employee would be fired if he did not immediately start using the new system. In response, the employee filed a lawsuit with the Berlin labour court, claiming that if he were obliged to use his fingerprints as a means of recording his working hours, his personal rights would be violated. A labour court in Berlin sided with the employee, in a judgment of 16 October 2019. The Company appealed, but in June 2020 the appellate Landesarbeitsgericht Berlin-Brandenburg confirmed the judgment.
Legal framework for the court’s analysis
According to the Company, the system does not store fingerprints, only the minutiae, which in the opinion of the Company is not biometric data. To this, the Company added that it pseudonymized the minutiae by converting them into a numerical code (record number). As a result, the Company claimed, no relationship could be established between the minutiae and a natural person.
The appellate court quickly dispensed with the claim that the data at issue are not biometric data. The court simply restated the definition of biometric data from Art. 4 of the GDPR and concluded that minutiae of a fingerprint are biometric data (para. 55 of the judgment). As for the pseudonymisation argument, the court did not consider it relevant for the decision: because the processing as such was impermissible, the issue of technical measures (such as pseudonymisation) employed to ensure security of the data did not in fact arise.
The legally relevant inquiry which the court undertook was, therefore, whether the processing of the biometric data was, under the circumstances, permissible.
The court cited, as the potentially suitable exception from the general prohibition of processing of special categories of data, Article 9(2)(b) of the GDPR. That provision states that “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement […]”.
Therefore, the court had to establish the following:
- whether there was an EU or national law, or a collective agreement, authorising the processing of special categories of data by the Company;
- whether there was a purpose the Company was trying to achieve, where such purpose would consist of carrying out the obligations of the Company in the field of employment; and
- whether the processing of special categories of data (biometric data) was necessary to achieve the purpose of carrying out the obligations in the field of employment.
There was no collective agreement to authorise the processing of special categories of data. However, the court concluded that there was a national law – the Federal Data Protection Act (FDSG) – that could, other conditions being met, authorise the processing of biometric data. The court referred to Art. 26 (entitled “Data processing for employment-related purposes”) of the Act as potentially applicable.
As for the purpose of the processing of biometric data by the Company, the purpose was to establish an objective, reliable and accessible system to record the time worked by each employee, in a way that prevents manipulation of working hours. Such a purpose is not objectionable: in fact, the Court of Justice of the European Union recently clarified that employers have an obligation to set up an objective, reliable and accessible system to record working time (case C-55/18, judgment of 14 May 2019).
However, the court found that the processing of special categories of data (biometric data) in the specific case was not necessary to achieve the stated purpose in the field of employment.
The court explained that, the more intensive the interference with the personal rights is, the weightier must be the employer’s stated purpose of processing. The court stated exempli causa that the processing of biometric data could be justified as the means of entrance control to areas with sensitive business, production, and development secrets, but not to ordinary working spaces.
Working time may be reliably recorded with less intrusive means
In this case, the use of biometric data is excessive, because the Company could use less intrusive means to achieve the same purpose.
The Company insisted that the system could not be manipulated by employees, in contrast to the other time recording systems used by the Company’s affiliates, which do not require the processing of biometric data. There, the employees would manipulate the systems by, for example, giving their ID card to another employee or falsifying the entries in paper form.
However, the court concluded that the purpose of recording working time could be achieved by using a different terminal of the Zeus system, terminal “IT 8200”, as opposed to terminal “IT 8200 FP”. The former system uses an ID card system, instead of biometric data.
The court acknowledged that there was a possibility that employees would misuse an ID card system by giving their cards to other employees, pretending to be at work. However, that would constitute fraud, which is a criminal offence. In such a case, processing of personal data is allowed only if there is reasonable doubt that an employee committed an offence, and such doubt does not exist for all employees in the Company. Also, the Company did not offer actual evidence that the time recording ID card system was misused in the affiliated companies. The court further argued that there were other means to expose misuse of the ID card system, e.g. by having a supervisor or a reporting system in which employees could report colleagues who are misusing the system.
Court rejected other arguments
The Company used several other arguments, all aimed at showing that the processing of minutiae of the fingerprints was necessary. The court thoroughly analysed the arguments and rejected them all.
- Target hours argument: The paper form system allowed for frequent and non-transparent extension or reduction of the target working hours, whereas Zeus has the target working hours pre-entered in the system.
Court: This functionality can also be used without processing biometric data, in the second of the two terminals (“IT 8200”).
- Uniformity across the group argument: The Company has a legitimate interest in having a uniform system across the group, with centralised control of working hours. Such a system is to the advantage of employees, because it enables their promotion.
Court: The stated goal can be achieved with the use of “IT 8200”, and in any event it is not clear how a centralised system enables the promotion of employees.
- Cost effectiveness argument: The system using biometric data is more cost effective than a system using ID cards, due to the cost of substitution of lost cards and programming the new ones.
Court: The Company did not offer any evidence in support of this argument, such as cost calculations.
- Failures of ID card system argument: The ID card system fails if the employees forget or lose their ID cards, and no such issues arise with a system using biometric data.
Court: The system using biometric data can also fail, due to technical errors. In such cases, according to the Company’s internal acts, the employees can record time by filling out paper forms. The same solution is available in case the employee forgets or loses the ID card.
- Protection of patient data argument: The system helps protect health data of the patients, because it enables the Company to know which employees were present at the premises at the time of a privacy incident.
Court: An access control system, and not time recording system, would be fit for that purpose. Also, the Company did not present any evidence that the health data of patients are at risk.
- Risk of infection argument: The system minimises the risk of infection, by tracking the presence of employees in the premises. That enables the Company to trace potential infection chains.
Court: The Company failed to prove that there was an actual infection risk (the argument was made before the Covid-19 crisis) and did not offer any risk study concerning the potential infections.
[Note: The Serbian Data Protection Act and the current draft of the Montenegrin Data Protection Act mirror the provisions of the GDPR. The decisions of supervisory authorities and courts in EU member states may therefore serve as instructive guidance for compliance with local regulations.]