Fingerprint in violation of the GDPR

In the modern age we live in today, it is increasingly common to use fingerprints as a means of identification, for example: unlocking a smartphone with a finger scan. But what about privacy when this no longer takes place in a private matter where there is conscious voluntariness? Can work-related finger identification be made mandatory in the context of security? Can an organization impose an obligation on its employees to hand in their fingerprints, for example for access to a security system? And how does such an obligation relate to the privacy rules?

Fingerprints as special personal data

The question we should ask ourselves here is whether a finger scan qualifies as personal data within the meaning of the General Data Protection Regulation. A fingerprint is biometric personal data that results from specific technical processing of a person’s physical, physiological or behavioral characteristics.[1] Biometric data can be regarded as information relating to a natural person, because it is data that, by its nature, provides information about a particular person. Through biometric data such as a fingerprint, the person is identifiable and can be distinguished from another person. Article 4 GDPR also explicitly confirms this in its definitions.[2]

Is fingerprint identification a violation of privacy?

The Subdistrict Court of Amsterdam recently ruled on the permissibility of a finger scan as an identification system based on the level of security regulation.

The shoe store chain Manfield used a finger scan authorization system, which gave employees access to a cash register.

According to Manfield, the use of finger identification was the only way to gain access to the cash register system. It was necessary, among other things, to protect employees’ financial information and personal data. Other methods no longer qualified and were susceptible to fraud. One of the employees of the organization objected to the use of her fingerprint. She regarded this authorization method as a violation of her privacy, referring to Article 9 of the GDPR. According to this article, the processing of biometric data for the purpose of the unique identification of a person is prohibited.

Necessity

This prohibition does not apply where the processing is necessary for authentication or security purposes. Manfield’s business interest was to prevent loss of revenue due to fraudulent personnel. The Subdistrict Court rejected the employer’s appeal. Manfield’s business interests did not make the system ‘necessary for authentication or security purposes’, as stipulated in Section 29 of the GDPR Implementation Act. Of course, Manfield is free to act against fraud, but this may not be done in violation of the provisions of the GDPR. Furthermore, the employer had not provided its company with any other form of security. Insufficient research had been carried out into alternative authorization methods, such as an access pass or a numerical code, whether or not in combination. The employer had not carefully weighed the advantages and disadvantages of different types of security systems and could not sufficiently justify why it preferred a specific finger scan system. Mainly for this reason, the employer did not have the legal right, on the basis of the GDPR Implementation Act, to require its staff to use the fingerprint scanning authorization system.

If you are interested in introducing a new security system, it will have to be assessed whether such systems are permitted under the GDPR and the Implementation Act. If you have any questions, please contact the lawyers at Law & More. We will answer your questions and provide you with legal assistance and information.

[1] https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/identificatie/biometrie

[2] ECLI:NL:RBAMS:2019:6005
