Penalty due to finger scan obligation
It was recently announced that a substantial fine was handed out to an organisation for using employee fingerprints for time registration. The company in question had incorrectly implemented the processing of the fingerprints in several areas and did not comply with the GDPR.
Permission
Employees within the company felt obliged to register their fingerprint. No clear procedures were established. As a result, there was no free choice between a pass and a finger, for example, and it was not possible to give and record explicit permission.
Biometrics stands for convenience and security. No lost cards, forgotten codes and no passes in circulation. A lot of convenience for employer and employee, but never mandatory for time registration. And the latter is of crucial importance. The employee always has a choice.
Advice
In recent years we have given you advice via our website, your software environment and various mailings about the recording of fingerprints under the GDPR. We would like to repeat this advice. For more information, please see our privacy page.
Free choice
Our advice is that you ask explicit permission from the employee with a completely free choice between a card or biometrics. Again: there is a completely free choice for the employee between a card or finger. Also put this choice in writing.
Our systems never store fingerprints, only unique features of the finger. It is impossible to retrieve a picture of the finger from this. Our experience is that people often choose the finger because of its convenience and the fact that the template can never be retrieved.
There should not be any form of coercion from the employer. That is why employees must know what happens to their data and what does not: what the data is processed for, for how long, and who has access to it. In addition, they must be able to choose between the use of biometrics and other means, and must be able to make that choice freely.
Always a card reader available
All our products have a card reader. It is always possible to register with a tag or a card. It is also possible to give all your employees a standard tag or card and offer biometrics as an extra option.
This indicates that there is absolutely no obligation to use biometrics. You can also order passes and tags from us (info@easysecure.com).
It is possible to disable the use of biometrics in your software environment. There is also a special privacy menu to set all your retention periods.
Alternatives
Our biometric readers always include a card reader. Besides our fingerprint scans and facial recognition terminals, there are many other options. Think for example of registration with a code or with the mobile phone.
Access control
For access control, the use of biometrics alone is permitted when there is a compelling interest in using the finger scan. Think for example of a server room, where it is very easy to demonstrate why biometrics increases security. In locations where biometrics is not necessary, access control can also be offered with a completely free alternative and a choice for the employee.
The ideal access control situation is a combination of the right components. Here too, you can choose from our card readers, code tables, wireless cylinders, mobile phone, finger scan or face recognition. We will be happy to inform you about the possibilities.
Documenting
Do you use biometrics? Make sure it is well documented. An impact assessment (DPIA) must be available. This is a tool to record the objectives of the processing, the manner of processing, the risks and the measures that have been taken with regard to data processing. In this way the risks are also reduced. We have had our lawyers draw up an example DPIA with the correct format and the necessary information.
Furthermore, the use of fingerprint scanning and cards must be clearly communicated to the employees, for example in the employment contract, and the choice for biometrics must be made in consultation with your works council or employee representatives.
The employee's choice must also be clearly recorded, and not just when someone chooses a card. Explain the possibilities openly and honestly, and document this choice. Permission may also be withdrawn at any time.
Questions
Do you have any questions? Or is there anything else we can do for you? We will be happy to help!
privacy@easysecure.com