In this article we analyze the compliance of fingerprint-based timekeeping systems with the GDPR, considering the technical particularities of some of these systems, the relevant legal provisions applicable in Romania, and court decisions issued in proceedings contesting sanctions imposed by the Romanian Supervisory Authority for the use of such systems.
*
Large personnel flows, specific activities carried out by some operators that require enhanced security measures, the particular layout of the workplace, or simply the desire to digitalize the management of work time records lead companies to want such systems.
Often, the motivation for their use comes after employee misconduct: unjustified absences, leaving the premises before the end of working hours, employees registering longer periods than actually worked, asking colleagues to sign in for them, or lending their access cards to colleagues for the same purpose.
In addition to substantially simplifying the work of the HR department by integrating multiple functions, fingerprint-based timekeeping systems significantly discourage the aforementioned practices and offer greater accuracy of data, which is a legal requirement for work time records under Romanian law (as long as subsequent manual changes to the collected data are kept to a minimum).
*
Typically, these systems do not allow timekeeping based on an image of a fingerprint (the employee must be physically present to log in), and the fingerprint image is not stored as such but is converted in real time into a unique, long alphanumeric sequence (a template) associated with the respective employee.
Effective marketing might suggest that such systems fall outside the scope of the GDPR as long as biometric data is not actually stored, or that they are compliant by default, regardless of the specific context of the operator at the time of implementation, on the basis of favorable IT expert opinions or other European certifications for the associated software presented by suppliers.
*
Firstly, it must be clarified whether such systems fall under the provisions of the GDPR (and, obviously, Romanian national legislation) and whether their specific mode of operation involves the processing of biometric data as defined by the GDPR.
Secondly, it must be clarified to what extent a validly given consent, preceded by adequate information of the data subjects, is sufficient to lawfully implement such a system, considering the proportionality and data minimisation requirements prescribed by the GDPR, the possibility of successfully using less intrusive methods, and the specific reasons that some operators may have for implementing such systems.
*
1. It cannot be argued that fingerprint-based timekeeping systems fall outside the scope of the GDPR and, consequently, outside the competence of the Romanian supervisory authority, for the following reasons:
It is true that most Romanian court decisions so far are based on the old regulation, which is still largely similar in essence to the current one as regards the analyzed issue. Starting from the same technical and IT particularities invoked in defense by sanctioned operators, opposing decisions can indeed be identified (Decision 11/2019 of the Bucharest Court of Appeal, which upholds the first-instance ruling annulling the sanction for the use of a fingerprint-based timekeeping system, versus Decision 21/2019 of the Bucharest Court of Appeal, which rejects the operator's complaint in full and maintains the fine). At no point, however, was it held that these systems fall outside the GDPR provisions and the related guarantees and measures that the operator must observe. On the contrary, the courts explicitly held that a processing of personal data took place.
*
2. Specifically, regarding biometric data processing, considering that such systems do not collect and store the image of a fingerprint:
It can be considered that the fingerprint is subject to processing because it is requested for each access, meaning that identification is still essentially based on the fingerprint, even if it is an indirect identification (we are talking about continuous processing). The notion of processing is not limited to, or conditioned by, prior storage, as the definition of processing is extremely broad and covers "any operation or set of operations performed on personal data or on sets of personal data."
Moreover, the view of the Romanian Personal Data Authority that such systems do in fact process biometric data appears to have been maintained over time, regardless of the regulations or assessments of regulatory authorities in other states. Although the identified practice of the Bucharest Court of Appeal and of other Courts of Appeal in the country concerns processing operations that fell under the old regulation, in many cases the sanctions were applied, and the subsequent trials took place, after the adoption of the GDPR in 2016 (it entered into application only in 2018). The authority was therefore aware of the new European perspective but did not change its approach: less intrusive means should be tried first.
Moreover, even the fines imposed under the GDPR for the use of fingerprint-based timekeeping systems (for which we do not know the technical details or the implementation justifications invoked in defense) indicate that this perspective has not essentially changed.
See in this regard the press release of ANSPDCP regarding the sanctioning, under the GDPR, of a private operator for using a fingerprint-based timekeeping system. The company contested the sanction before the Constanța Tribunal in 2020; the request was rejected at first instance and later, on appeal, the Constanța Court of Appeal replaced the fine with a warning, thus evidently considering that the facts fell under the GDPR provisions.
*
3. Regarding the grounds and conditions under which a fingerprint-based timekeeping system could be lawfully implemented by a company operating in Romania:
Fingerprints are biometric data within the meaning of Article 4(14) GDPR and therefore a special category of data; as a rule, under Article 9(1) GDPR, their processing is prohibited and allowed only in the exceptional situations provided by law.
If the sole purpose of using the system is timekeeping, the exceptions that could theoretically apply for an operator that has already tried alternative systems (access cards) without success are those of Article 9(2)(a) and (b) GDPR / Article 5(2) of Law 190/2018: respectively, the consent of the data subjects (where the legal framework allows the prohibition to be lifted by mere consent, given in full knowledge and after prior information), or the fulfilment of the operator's legal obligations or the exercise of its legal rights, or a prevailing legitimate interest, only if the processing complies with the conditions expressly provided in this regard.
Thus, we are apparently talking about three distinct grounds for processing: the consent of the data subjects (if it is the sole ground for processing, consent can be withdrawn at any time and the operator must cease processing, without affecting the lawfulness of the processing carried out up to that point); a legal obligation or a right recognized by law; or a prevailing legitimate interest.
If the purpose of fingerprint-based timekeeping also involves implementing public health protection measures (for companies with certain activity profiles, for which the law imposes additional security, hygiene and similar measures), then a distinct ground for processing arises under Article 6(1)(d) GDPR, beyond the operator's own rights and interests, and in that context the use of the system could be more easily justified under the Article 9(2) exceptions in point (c) (protecting the vital interests of a third party), (h) (preventive or occupational medicine) and/or (i) (reasons of public interest in the area of public health). Here, too, the justifications are obviously subject to the broad discretion of the Supervisory Authority.
*
4. For implementing the system in companies where there are no such specific legal obligations, the Romanian court decisions to date allow us to say that the prior consent of the data subjects is not enough.
It is true that keeping time records and, even more so, keeping an accurate record in this regard falls both within the legal obligations and within the corresponding legal rights of the employer.
However, the way in which a company chooses to keep these records belongs rather to the sphere of its legitimate interests, in which context the lawfulness of processing depends on those interests prevailing over the rights and interests of the data subjects.
European authorities, when ruling on the lawfulness of biometric data processing in general, even on "higher" grounds from the public sphere, necessarily refer to the general principles under which any processing must be carried out, including proportionality; see Recital 51 of the GDPR.
This was also the reasoning on which, under Article 4(c) of Law 677/2001 (the previous law in the field), the Bucharest Court of Appeal held that the data subjects' prior consent does not remove the proportionality requirement, so that mere consent is not sufficient. An interpretation of the new regulation in the manner described above leads to the same conclusion.
As for the argument in favor of these systems based on a more accurate record, the authority argued in court that accuracy is not achieved anyway, because the data provided by these systems strictly attest to entry and exit times at the premises, not the actual time worked within them.
*
To minimize risks, we believe that the conditions listed in Article 5(2) of Romanian Law 190/2018 must be met in any case:
a) A prior impact assessment must be conducted before starting to use the system, in which:
b) If the conclusions of the impact assessment are favorable, the employer will consult the union or, as the case may be, the employee representatives before introducing the system and will keep evidence of the result of this consultation.
c) The mandatory, complete and explicit prior information of employees will be carried out and, if applicable, their consent will also be obtained, keeping the relevant evidence.
d) The GDPR implementation documents for this system will establish reasonable storage periods and specific security and confidentiality measures, and the employees involved in operating the system will be instructed about these measures.