Following on from the General Protection Data Regulation (GDPR), the Danish Data Protection Agency has come up with an ‘indicative opinion’ on the use of fingerprints for time registration. The essence of the statement is: Time registration alone by fingerprints is not permitted.
Back in 2017, TimePlan Software A/S contacted the Danish Data Protection Agency with a request to clarify the legality of using fingerprints (and thus biometrics) to record attendance and absence data in TimePlan. A number of TimePlan customers use scanning of the employees’ fingerprints as a method of recording work hours.
The response from the Danish Data Protection Agency states that biometrics are “sensitive personal data” according to Article 9. Thus, the starting point is a prohibition on having this data, unless the legal requirement is strong enough and the application is necessary.
The Danish Data Protection Agency states that the desire for proper time registration is not sufficient to use biometrics, as there may be other less intrusive methods for time registration. The risk of cheating by typing is not considered to be a strong enough legal requirement – neither for company or the employee.
Fingerprints may possibly be used for time registration, if other registration options are in place and practical, for example. access card or card number entry – and the employee is given a free choice. The choice must be clearly voluntary – and when using biometrics there must be a clear voluntary consent from the employee.
The Danish Data Protection Agency states: “It is the Data Protection Agency’s opinion that an employee’s consent to an employer being able to process information about his or her fingerprints in connection with time control, cannot be considered voluntary. If a consent cannot be considered voluntary, it may not constitute a valid basis for treatment. However, the Data Protection Agency cannot reject the existence of special circumstances under which consent may be considered voluntary.”
Do you use fingerprints for time registration in your company? Then you must read the Danish Data Protection Agency’s opinion (in Danish) to ensure the correct approach and take the necessary measures. We also recommend that you contact the Data Protection Agency in your country.