Shoe store Manfield may not require an employee to provide her fingerprint for an authorization system for the cash register. The employee had refused to give her fingerprint because she considered this an unauthorized infringement of her privacy. The old system worked with a personal code.
Manfield defends the choice for the fingerprint scan by invoking its responsibility as a processor of personal data of employees and customers via the (online) cash register system. Manfield must adequately protect this personal data with technical and organizational measures. Recently, a serious fraud has come to light in which employees had misused the codes of their colleagues. The simple staff code is no longer sufficiently protective. The fingerprint scan has been used in smartphones for a long time, and in practice it has long been used not only for securing objects with a high security risk, such as a nuclear power plant, the example cited in the Explanatory Memorandum to Section 29 UAVG, Manfield argues.
The subdistrict court rules that a fingerprint is indeed a biometric personal data, the processing of which is prohibited, unless (i) the person concerned has given permission for this, or (ii) this is for the execution of a legal obligation, or (iii) the processing is necessary for authentication or security purposes (Article 9 paragraph 2 GDPR). In the latter case, a number of preconditions apply (Section 29 Implementation Act GDPR):
– an assessment must be made as to whether identification with biometric data is necessary for authentication or security purposes, for example at a nuclear power plant;
-the processing must be proportionate.
In the opinion of the subdistrict court, combating fraud as a business interest cannot be regarded as “necessary for authentication or security purposes” within the meaning of Article 9 paragraph 2 GDPR.
The subdistrict court also questions the proportionality, as the branch has not implemented any other form of security, such as camera surveillance, alarm gates and lockers for the staff.
Also, the responsibility to protect personal data by taking organizational and technical measures does not make the introduction of a fingerprint scan necessary. Manfield has insufficiently investigated the alternative forms of identification proposed by the employee, such as an (employee) pass, possibly combined with numerical codes (necessity and proportionality, Section 29 UAVG).
For the entire judgment, see: Amsterdam District Court August 12, 2019, ECLI:NL:RBAMS:2019:6005, http://deeplink.rechtspraak.nl/uitspraak?id=ECLI:NL:RBAMS:2019:6005
