Access to workplace with fingerprint or face recognition? Office for Personal Data Protection to prepare legislation

Technologies processing the biometric data of employees are spreading. The use of fingerprints or face recognition to check workplace attendance is becoming increasingly frequent. The GDPR, however, only allows for very limited processing of biometric data, while the Czech Labour Code contains no regulation of this area at all. Hence the Personal Data Protection Office has come up with a proposal to provide the legal basis for the existing practice of processing employees´ biometric data.

Biometric data means personal data resulting from the processing of physical, physiological or behavioural characteristics of a natural person which allow their unique identification. The GDPR only allows for the processing of this data in several specific cases. One of these exceptions is the processing for the purposes of carrying out the obligations and exercising specific rights of the data controller in the field of employment, albeit only where this is allowed by EU law or a member state´s national legislation.

As Czech law does not yet contain any special regulation of biometric data processing, the office has proposed the inclusion of a new provision in the Labour Code. Under the proposed provision, employers would be authorised to process biometric data using employees’ morphological features for the purpose of controlling access to their production or other operating equipment and to the premises where such equipment is located. Hence it would not be possible to use such employee data to, e.g., keep records of their job attendance. The remaining conditions for the processing of employee biometric data would be governed by the general provisions of the GDPR.

The absence of specific provisions for the regulation of biometric data processing is also apparent from the office´s decision-making practice. The office has dealt with biometric data processing repeatedly in the last couple of months. The first case involved the use of a dynamic biometric signature for the purpose of concluding and filing a credit agreement. The office held that the client´s biometric signature was unnecessary for the conclusion and filing of contractual documentation, i.e. that the personal data processing minimisation principle had been breached.

In another case, the office inspected an employer´s job attendance system, which allowed for the recording of the arrival and departure time of persons at a construction site based on face recognition. Exceptionally, the office found this processing of biometric data not to be contrary to law, as the personal data controller proved the necessity of processing the data for the purposes of ensuring the safety at a large construction site. The data controller also proved that it was impossible to meet this purpose by other, less invasive means.

Obviously, the office’s approach to  assessing biometric data processing is not fully unified: on one hand, they propose a legislative change on the grounds that there is no legal basis for processing biometric data of employees, while, one the other hand, they allow such processing for the purpose of ensuring work safety. Legislation regulating this area will definitely mean more certainty for employers.