
Facial recognition: no to the processing of employees’ biometric data for attendance monitoring in the workplace

The Italian Data Protection Authority (‘Garante‘): no to the processing of employees’ biometric data for attendance monitoring in the workplace

With resolution no. 338 of June 6, 2024, the Italian Data Protection Authority (hereinafter ‘Garante‘) imposed a fine of 120,000 euros on a company operating in the car trade sector (hereinafter ‘the Company‘) for several unlawful processing operations on the personal data of its employees, carried out within the employment relationship in violation of the GDPR.

The complaint submitted to the Garante and the preliminary investigations

Following the Garante’s inspection, initiated by a private complaint, it emerged that the Company required its employees to record their entry and exit times and the timing and manner of their work activities, specifying the hours dedicated to each task and any breaks. To collect and record all of this information, the Company used:

  • a management software called Infinity DMS (‘Software‘), in which employees had to record their working hours, breaks and the time dedicated to each task;
  • a hardware device consisting of a biometric access control and attendance tracking system, called X-Face 380 (‘Hardware‘), which recorded attendance and entry and exit times through facial recognition of employees.

In this case, the Garante identified several practices contrary to the GDPR, both in the processing of personal data carried out with the Software and in that carried out with the Hardware.

Unlawful processing of special categories of personal data carried out through the Hardware

The Garante found that the Company processed the biometric data of the data subjects in two distinct phases: an initial registration phase (so-called enrolment), in which the facial features of employees were acquired, and a biometric recognition phase, performed daily when employees clocked in and out.

Since biometric data used to uniquely identify a natural person fall within the so-called special categories of data (Article 9 GDPR), their processing is prohibited as a rule and permitted only under the limited exceptions listed in that Article, each of which requires a specific legal basis legitimising the processing. In the workplace, no such exception covers the processing of employees’ biometric data for attendance tracking, as the Garante has repeatedly reiterated in its rulings, most recently in a resolution adopted on 22/02/2024.

With regard to the retention of the processed data, the Garante also found that the Company deleted employees’ biometric data only after the termination of the employment relationship. This is in direct conflict with the Garante’s general provision on biometrics (resolution of 12/11/2014), under which biometric data may be processed only during the registration and acquisition phases necessary for the biometric comparison and must not be retained longer than strictly necessary; the processing was therefore also found to breach the principle of storage limitation.

Lastly, the consent obtained by the Company is not a suitable legal basis for processing biometric data, particularly within the employment relationship: given the inherent imbalance of power between employer and employee, such consent cannot be regarded as freely given.

Unlawful processing of personal data carried out using the Software

From the examination of the documentation acquired, it emerged that employees had to record the various phases of their work activity in the Software by means of an individually assigned barcode. The Software also allowed the collection and processing of personal data relating to the workshop’s customers and information on the type of work performed.

Although the Company had drawn up a register of processing activities, it gave very generic and evasive answers that did not allow the Garante to fully understand:

  • the processing operations carried out;
  • the nature and type of data processed;
  • the methods and duration of data retention;
  • the actual necessity and proportionality of the processing in relation to the purposes pursued.

Moreover, this information was not disclosed to the employees either: the notice provided to them was incomplete, in particular as regards the identification of an appropriate legal basis for the processing carried out.

The processing was therefore found to have been carried out by the Company in breach of the principles of lawfulness, fairness and transparency.


“Certified B Corporation” is a trademark licensed by B Lab, a private non-profit organization, to companies like ours that have successfully completed the B Impact Assessment (“BIA”) and therefore meet the requirements set by B Lab for social and environmental performance, accountability, and transparency.

It is specified that B Lab is not a conformity assessment body as defined by Regulation (EU) no. 765/2008, nor is it a national, European, or international standardization body as per Regulation (EU) no. 1025/2012.

The criteria of the BIA are distinct and independent from the harmonized standards resulting from ISO norms or other standardization bodies, and they are not ratified by national or European public institutions.