Data protection and the use of biometrics in the workplace: analysis of a key court ruling

Reports, 5 November 2025
The Social Court No. 3 of A Coruña upholds the use of biometric systems for labour control and departs from the criteria of the AEPD.

Key points of the Judgment

The judgment analyses the legal conformity of the use of biometric systems, specifically fingerprint identification, for the registration of working hours and access control in a private hospital. The Works Council and the plaintiff trade union organisation alleged infringement of fundamental rights - privacy, health and freedom of association - and requested the withdrawal of the system, its replacement by alternative methods and the payment of compensation.


The court dismissed the claim and concluded that the system in place complied with the principles of lawfulness, necessity and proportionality required by the applicable data protection legislation. In particular, the decision highlights the following aspects:


  • The complete image of the fingerprint is not stored: according to the characteristics of the system, only a partial biometric template is kept, encrypted and generated by algorithms that prevent the reconstruction of the original fingerprint. This mechanism reinforces compliance with the principle of data minimisation provided for in Article 5(1)(c) of the GDPR, by limiting the processing to the information strictly necessary for the intended purpose.
  • Assessments and risk analysis had been carried out: the hospital conducted several Data Protection Impact Assessments (DPIAs), both before and after the implementation of the biometric system. These assessments included a detailed analysis of the appropriateness, necessity and proportionality of the processing, as well as the identification and mitigation of the associated risks. The court assessed this positively, noting that the organisation took measures to ensure security and minimise the impact on workers' rights.
  • The duty of information was fulfilled: it is proven that workers and their legal representatives were informed of the implementation and operation of the biometric system. This communication took place through meetings of the Works Council, specific contractual clauses and the employee portal, where the characteristics of the processing, its purpose and the guarantees applied were detailed. This ensures compliance with the principles of transparency and the right to information provided for in Articles 12 and 13 of the GDPR.
  • Enhanced legitimacy basis: the court considers that the biometric system has an enhanced legitimacy basis. It bases the lawfulness of the processing of biometric data on Article 9(2)(i) of the GDPR, on the understanding that there are reasons of public interest in the field of health, as well as on the regulations on the protection of critical infrastructures. In addition, the ruling refers to the Artificial Intelligence Regulation (AI Act), arguing that in-person biometric verification presents a low or even non-existent level of risk to the rights and freedoms of data subjects.

Furthermore, the court underlines that the hospital implemented advanced security measures, including encryption of information, automatic deletion of data in case of tampering with the device and event logging in line with the requirements of the GDPR.


Conflict with the GDPR and the criteria of the Spanish Data Protection Agency (AEPD)

Although the court has considered biometric processing to be lawful in the hospital context, its reasoning presents substantial discrepancies with respect to the consolidated criteria of the AEPD, which maintains a more restrictive interpretation of the use of biometric data in the workplace. The main points of conflict include the following:


  • Nature of the data processed: the AEPD considers that the biometric template constitutes personal data and, when used to identify or authenticate a natural person, it qualifies as biometric data belonging to a special category under Articles 4.14 and 9.1 of the GDPR. The fact that the template does not allow the full image of the fingerprint to be reconstructed does not alter this qualification, since the decisive element is the purpose of the processing, i.e. the identification or authentication of the individual.
  • Prohibition under Article 9(1) of the GDPR: in the area of time recording and access control for employment purposes, the AEPD maintains that, at present, there is no regulation in Spain with the status of law that expressly authorises the use of biometric data in accordance with Article 9(2)(b) of the GDPR. Furthermore, the consent of the employee is not considered a valid legal basis, due to the inherent imbalance in the employment relationship and the availability of alternative, less intrusive methods. Consequently, the processing of biometric data does not pass the necessity test except in exceptional cases, which must be strictly demonstrated on a sector-specific basis.
  • On the application of Article 9(2)(i) of the GDPR: Article 9(2)(i) of the GDPR allows the processing of special categories of data for reasons of public interest in the area of public health, provided that there is a regulatory basis in Union or Member State law and specific safeguards apply. However, a clocking-in system, even in a hospital, does not automatically fall under this exception, as its main purpose is work-related and not health-related. There is currently no specific legal provision authorising biometric time recording for public health reasons, a circumstance that the AEPD has repeatedly stressed when it notes the absence of a legal basis in the labour sphere.
  • Carrying out a Data Protection Impact Assessment (DPIA): although labour legislation obliges companies to keep a daily record of the working day, it does not impose the use of a specific system: cards, mobile applications or terminals can be used, as long as they guarantee reliability and objectivity. This does not imply that the use of biometric data is automatically permitted. The AEPD maintains that this type of processing is only admissible when it is demonstrated that there is no less intrusive alternative and a DPIA has been carried out with a favourable result, also applying reinforced security measures. Recent sanctions imposed for fingerprint-based record systems confirm that the current approach is particularly restrictive.
  • On the AI Act and the risk of biometric systems: Regulation (EU) 2024/1689 (AI Act) does not automatically qualify face-to-face biometric verification used for time clocking as "low risk". Its main purpose is to prohibit or regulate high-risk practices, such as remote biometric identification in public spaces, and to establish differentiated obligations according to risk categories. Therefore, the judicial assertion that non-remote verification implies "low or no risk" does not follow from the text of the AI Act and its classification system.

Conclusions reached

Although this judgment provides a relevant criterion by considering the use of biometric systems in healthcare environments legitimate, provided that robust technical measures are applied and that DPIAs are carried out to prove their proportionality, the court's interpretation generates some uncertainty.


The court bases the lawfulness on Article 9(2) of the GDPR and reinforces it with references to the AI Act, despite the fact that there is currently no Spanish regulation that expressly authorises the use of biometrics for time and attendance control. That is the position established by the AEPD, which requires a specific legal basis for the processing of biometric data in the workplace and considers the consent of the worker to be insufficient given the inherent imbalance in the employment relationship. This divergence may lead to legal uncertainty.


Furthermore, it should be clarified that the exception in Article 9(2)(i) of the GDPR, relating to the public interest in public health, is only applicable to entities in the health sector and cannot be extrapolated, per se, to organisations in other areas, where the use of biometrics for time and attendance control could lack sufficient legal coverage.


Consequently, it should be noted that the ruling offers defensive arguments against the use of this type of system, and that, in order to reduce the risk of administrative sanction, it is a priority for organisations to have specialised legal advice to assess all the available alternatives and, if they opt for biometrics, to regulate its use adequately, exhaustively documenting the need, proportionality and guarantees applied.


Information note prepared by the Data Protection area of ECIJA Madrid.
