Another interesting case. Each new case helps us understand better how to implement, and be compliant with, GDPR in our organisations.
So this is a fine of €725k by the Dutch DPA to an organisation which started using biometrics, i.e. fingerprint authentication. If you’ve checked the link above with the explanation provided by the DLA Piper blog, there are 2 factors which really surface.
Firstly, consent cannot be used as a legal basis if there is an imbalance in the relationship, and in the case of employer/employee this is always the case. If fingerprinting is to be used then the employee needs to have the choice of another method, e.g. access cards. In this example there was a lack of choice: employees were forced to provide consent. Consent was not freely given.
Secondly, it seems that Dutch law gives a second alternative for the use of biometrics for authentication and security purposes. However, this applies only if it can be proved that the use is proportionate to the purpose. For example, using biometrics as a means to access high-security facilities is proportionate; using them to access office space is not.
Why I love this case is that it really emphasises the role of consent in the employer/employee relationship.