Belgian watchdog ruling on consent sets employee biometrics use against GDPR

A Belgian company has been fined 45,000 euros (US$48,185) for using a fingerprint-based employee time tracking system with the country’s data watchdog ruling that the firm did not obtain valid consent from its employees, putting it in violation of GDPR rules.

The Belgian Data Protection Authority (DPA) issued the ruling in September after receiving a complaint from a former employee of the unnamed company. The data watchdog concluded that the company relied on employee consent as a legal ground for processing data. However, the firm is unlikely to have obtained valid consent to the processing due to the imbalance of power between the employer and the workers, the agency ruled. The employer also did not provide an alternative method for time registration.

The decision could dampen the use of biometric systems for time recording or protecting company assets, according to PwC Legal in Belgium.

“We imagine that this decision, although justifiable in view of the prohibition of biometric data, will come as a thunderbolt for many companies that use this type of security to protect their critical infrastructure or trade secrets,” the law firm says in its case study.

In 2020, the company introduced a time registration system using fingerprints for around 200 of its employees. The system was procured from an unnamed subsidiary of an international group with headquarters in Japan.

The employee submitted the complaint against the company to the Belgian DPA in March 2022, claiming he was not informed about where or how long his biometric data was being stored or whether it was transferred to third parties.

The Belgian DPA also stated that the company failed to respect data minimization rules as collecting biometric data was unnecessary for time registration –  less intrusive measures could have sufficed. In addition, the employer did not conduct a mandatory data protection impact assessment nor implement GDPR-compliant measures.

Article Topics

Belgium  |  biometric data  |  biometric identifiers  |  data protection  |  GDPR  |  time and attendance