Employer may not simply require fingerprinting
A shoe store in Tilburg may not oblige employees to provide their fingerprints to operate the cash register. According to the judge, the retail chain cannot explain clearly enough why this measure is necessary. That is against the GDPR.
That is the ruling in a case between shoe store chain Manfield and an employee. The shoe store required employees to provide their fingerprints to operate a new cash register system. One employee disagreed. She and Manfield went to court to clarify whether this way of working is allowed.
According to the employee, taking a fingerprint violates her privacy too much. Moreover, according to the AVG, this method would be disproportionately large. According to the employee, the store could have used other options to secure the cash register system. The judge agreed with this, especially because a fingerprint is a special personal data. Under the GDPR, such personal data may only be collected under very strict conditions, for example if this is necessary for business operations.
The store itself did find it necessary to collect the fingerprints. This has happened since the introduction of a new cash register system. In the older system, employees still used a PIN, but the store had previously experienced theft cases where employees used other employees’ PINs. A fingerprint should counteract that, the owners reasoned. In addition, they say, the use of fingerprints as authorization has become more common in recent years, for example to secure smartphones.
The judge says that the use of fingerprints in this case is not proportional, because other authentication methods may work better. The main problem with this is that the store did not map out well enough beforehand whether a fingerprint was really the only way. In the case of such a privacy-violating measure, an employer must conduct a privacy impact assessment to find out whether a measure is proportional. That didn’t happen in this case. “Now that Manfield can also achieve its intended purpose in another way, there is no need and the interests of Manfield do not outweigh those of its employees, so that this processing is not only unnecessary, but also disproportionate”, writes the judge.
The ruling is the first of its kind under the General Data Protection Regulation. One of the most important parts of this is that there must be a solid interest in collecting data. In any case, this part has not yet been tested very much in the case of special personal data and there is not yet much case law for it.