The Spanish Data Protection Agency (AEPD) has published, dated May 18, 2021, the guide “Data protection in labor relations”. This guide is intended to be a practical tool to help public and private organizations to comply adequately with the legislation in this area.
Among all the considerations contained in this guide, those referring to the use of biometric data for the management of the employment relationship are of great interest, for which it establishes a series of guidelines whose principles can also be applied to the processing of biometric data in other areas.
The guide consolidates the distinction between biometric verification and biometric identification, reserving for the latter the protected category of special category data processing; it indicates in which cases and under which requirements the processing of biometric data in the field of labor relations is permitted; and finally, it recommends the guarantees that must be applied to such processing in order to ensure that it complies with data protection regulations.
The publication of this guide, which updates the AEPD’s note on “14 misunderstandings in relation to biometric identification and authentication” published in June 2020, is a very positive step, providing security to users and companies in the use of biometrics in the framework of labor relations, while at the same time deepening privacy protection.
Veridas has always paid particular attention to the design of its systems to provide maximum privacy protection and make it easier for its customers to comply with European data protection regulations, so it is ready to comply with the recommendations of the guide.
No. The guide confirms that not all processing of biometric data involves processing of special categories of data. In doing so, it relies on the General Data Protection Regulation and the guidelines of the Artificial Intelligence White Paper.
The Guide also makes clear the distinction between the two forms of biometric recognition: verification and identification.
Based on their characteristics, the AEPD guide determines that “in general, biometric data are only considered a special category of data in cases where they are subject to technical processing aimed at biometric identification (one-to-many) and not in the case of biometric verification/authentication (one-to-one)”.
In its analysis, the AEPD recommends the use of biometric verification, but does not prohibit biometric identification; on the contrary, it expressly contemplates it for access control and employee time recording, provided that the other requirements established in the RGPD are met.
The use of biometric data is legitimate within the cases provided for by the GDPR. Among them, the user’s consent is a legitimate basis for any data processing.
The AEPD now stresses that, in the context of an employment relationship, the implementation of an employee access control system and workday registration using biometric data may be covered by the fulfillment of the obligations and the exercise of the rights that labor, safety and social protection legislation provides for the employer. Therefore, it can be carried out without the need for prior consent of the workers.
The AEPD reminds that biometric systems, whether for verification or identification, must always comply with the requirements established in the RGPD, among which are: