The Spanish Data Protection Agency (AEPD) has published the guide “Data protection in labor relations”, dated May 18, 2021. This guide is intended to be a practical tool to help public and private organizations comply adequately with the legislation in this area.
Among the considerations contained in this guide, those on the use of biometric data for the management of the employment relationship are of great interest: the guide establishes a series of guidelines whose principles can also be applied to the processing of biometric data in other areas.
The guide consolidates the distinction between biometric verification and biometric identification, reserving the protected status of special category data processing for the latter; it indicates in which cases and under which requirements the processing of biometric data in the field of labor relations is permitted; and finally, it recommends the guarantees that must be applied to such processing in order to ensure that it complies with data protection regulations.
The publication of this guide, which updates the AEPD’s note on “14 misunderstandings in relation to biometric identification and authentication” published in June 2020, is a very positive step, providing security to users and companies in the use of biometrics in the framework of labor relations, while at the same time deepening privacy protection.
Veridas has always paid particular attention to the design of its systems to provide maximum privacy protection and make it easier for its customers to comply with European data protection regulations, so it is ready to comply with the recommendations of the guide.
Does biometric data always involve the processing of special categories of data?
No. The guide confirms that not all processing of biometric data involves processing of special categories of data. In doing so, it relies on the General Data Protection Regulation and the guidelines of the Artificial Intelligence White Paper.
What is the difference between biometric verification and biometric identification?
The guide also makes clear the distinction between the two forms of biometric recognition: verification and identification.
Based on their characteristics, the AEPD guide determines that “in general, biometric data are only considered a special category of data in cases where they are subject to technical processing aimed at biometric identification (one-to-many) and not in the case of biometric verification/authentication (one-to-one)”.
- Biometric verification or authentication: Checks whether a person is who he/she claims to be by comparing his/her data only with other data associated with the identity in question (one-to-one, 1:1).
- Biometric identification: Checks whether a particular individual is one of the members of a predetermined group, comparing his/her data with the data of all the members of that group (one-to-many, 1:N).
In its analysis, the AEPD recommends the use of biometric verification, but does not prohibit biometric identification; on the contrary, it expressly contemplates it for access control and employee time recording, provided that the other requirements established in the GDPR are met.
The use of biometric data is legitimate within the cases provided for by the GDPR. Among them, the user’s consent is a legitimate basis for any data processing.
The AEPD now stresses that, in the context of an employment relationship, the implementation of an employee access control system and workday registration using biometric data may be covered by the fulfillment of the obligations and the exercise of the rights that labor, safety and social protection legislation provides for the employer. Therefore, it can be carried out without the need for prior consent of the workers.
Is any facial recognition system valid?
The AEPD points out that biometric systems, whether for verification or identification, must always comply with the requirements established in the GDPR, among which are:
- Clear and transparent information to the users of the system. The worker must be informed about the processing.
- Data protection “by design” of the system. Veridas systems are designed to protect user data at all times.
- Preferential storage of biometric vectors rather than raw data (e.g. facial image, audio, etc.). Veridas technology generates irreversible biometric vectors (they cannot be reverted to the original image).
- Biometric vectors not interoperable with other systems. This is an intrinsic characteristic of the use of current biometric systems, which are based on Artificial Intelligence, such as those used by Veridas.
- Ensuring that the data is not used for any other purpose.
- Adequate protection of biometric data by means of encryption technology.
- Ability to revoke the identity link. In this regard, reference should be made to the irreversibility of vectors in AI-based biometric systems, such as those used by Veridas.
- Limiting the purpose of the processing.
- Conducting an impact assessment.