Technological progress has undoubtedly dominated the 21st century. As a result, employers are increasingly using tools that leverage employee biometric data to meet business needs. To identify employees and record work time, they are turning to tools that enable facial recognition, fingerprint identification, and even retinal scanning. But are such solutions legal?

Biometric data

Article 4, point 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC defines biometric data as: "personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person and allowing or confirming the unique identification of that person, such as a facial image or dactyloscopic data." Biometric personal data include, for example, a fingerprint pattern, the pattern of blood vessels, the iris pattern, hand geometry, or facial geometry, which we use in everyday life to unlock phones.

Basics of employer use of biometric data

An employer may process biometric personal data pursuant to Article 21 of the Labor Code only where necessary to fulfill the obligations and exercise specific rights of the controller or the data subject in the field of labor law, social security, and social protection. Pursuant to Article 221B of the Labor Code, an employer may also use biometric data to restrict access to premises requiring special security.

A key point is that Article 9(2) of the GDPR stipulates that such data may only be processed with the express consent of the data subject. For evidentiary purposes, it is important that such consent be in writing. The employer must also inform the employee and allow them to withdraw such consent at any time without negative consequences.

Working time control and biometric data

According to the judgment of the Supreme Administrative Court of 1 December 2009, in case file reference I OSK 249/09, the use of biometric data for working time monitoring is disproportionate to the intended purpose of processing. Therefore, even voluntary consent does not provide an employer with a basis for using biometric data for working time recording.

Legality of processing employee biometric data

In summary, an employer may process an employee's biometric data only if it:

  1. Meets the basic principles of personal data processing under Article 5 of the GDPR.
  2. Notifies the employee of his or her rights.
  3. Authorizes the employee who processes biometric data, obliging him or her to maintain confidentiality.
  4. Has a legal basis for the processing of biometric data.
  5. Ensures an appropriate level of security for the processing of biometric data.
  6. Conducts a risk analysis.
  7. Obtains the employee's consent to process his or her biometric data.

Consequences of unlawful processing of biometric data

An employer who processes biometric data unlawfully risks proceedings being initiated before the President of the Personal Data Protection Office, as well as administrative liability, including the imposition of financial penalties. The risk of civil and criminal liability should also be noted. An employee whose biometric data is processed unlawfully also has the right to file a complaint with the National Labor Inspectorate and bring a lawsuit before a labor court.

We draw your attention to the need to verify the rules in force within your organization and adapt them to applicable regulations.

This article is for informational purposes only and does not constitute legal advice.

Legal status as of December 20, 2023
