Control horario biométrico, Ana Belén Muñoz explica cómo afecta a las empresas.

How should companies use biometric time tracking?

Ana Belén Muñoz, member of the Advisory Board of IA+Igual, explains how the document from the Spanish Data Protection Agency (AEPD) regarding the time tracking system using biometric data of workers affects companies.

Madrid, March 12. Ana Belén Muñoz, Professor of Labor Law and Social Security and member of the Advisory Board of IA+Igual, has shared on the blog El Foro de Labos An interesting article about how the new document from the Spanish Data Protection Agency (AEPD) affects companies that have implemented a time tracking system using biometric data of employees, such as fingerprint registration, which affects all biometric data (facial or iris recognition, voice, among others). This document changes the criteria applied so far in Spain on the matter.

To understand the scope of the modification, it is useful to remember the criteria applied so far by the Spanish Data Protection Agency (AEPD). The treatment of fingerprint for access control by workers could be considered a control measure protected by Article 20.3 of the Workers' Statute (and also by Article 34.9 of the Workers' Statute), so it would not require the consent of the employee. However, to implement this measure, the principle of minimization must be applied; that is, it must be limited to cases where it is considered truly necessary for effective control and inform the employee about this measure.

The AEPD has indicated in various reports that there are good practices that allow control through fingerprint without the system having to store the biometric data (for example, by incorporating it into a smart card that is contrasted with the fingerprint and always kept in the possession of the worker) (Report 0324/2009, AEPD working document of 2018 and... The Data Protection Guide in labor relations of 2021, pp. 30-32).

The same doctrine has also been upheld by the 3rd Chamber of the Supreme Court in Judgment STS 2.7.2007 (Case No. 5017/2003) and appellate doctrine (among others, the STSJ of Murcia of 25.1.2010, Case No. 1071/2009). In the STSJ of the Canary Islands of 21.7.2007 (Case No. 93/07), on the same subject, the union argument that this time control reduces individuals to an algorithm is rejected, as the scope of the system does not go that far.

At this point, the general position in Spain was different from the line defended by other countries (Austria, France, Italy, and Norway), which warned of the dangers of using biometric data for time control and applied an interpretation of Article 9 of Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (GDPR) that was more protective of the rights of employees. 

Starting from November 2023, we have a new legal interpretation formulated by the AEPD in the Guide on Presence Control Treatments through Biometric Systems, Taking into account the criteria of the European Data Protection Committee. The new guide establishes the following:

  1. Current Spanish regulations: There is no sufficiently specific authorization to consider the processing of biometric data necessary for controlling working hours. Neither articles 20.3 and 34.9 of the ET for workers nor article 54.2 of the consolidated text of the Basic Statute of Public Employees (EBEP) for public employees constitute a legal basis to authorize this use in companies and public entities. In the event that the collective bargaining agreement includes timekeeping based on the biometric data of the employee, the need for this processing should be justified, and why existing systems such as cards, certificates, passwords, systems contact-less, etc.
  2. Consent of the individual: In a work hour registration process implemented using biometric techniques, the consent of the employee cannot override the prohibition of the processing, nor can it serve as a basis for determining legality, as there generally exists a situation of imbalance between the employee and the company or public entity responsible for the processing.
  3. Preventive approach: in the event that there is a legal basis to carry it out, public companies and entities must pass the impact assessment, prior to the start of the processing and comply with certain guarantees, transparency and security obligations.

The reason for this change is that this type of data processing is high risk, as it includes special categories of data, including health data. For example, in ethnic-based biometric systems, facial recognition can process data that reveals racial origin and can also extract health information, physical or psychological problems as in the case of voice, even some fingerprint identification systems allow the recording of parameters such as temperature or blood pressure. In addition, factors such as the technology offered in the market usually collect more information than is actually necessary for the purpose of the treatment or in much more detail. The situation described may violate the principle of data minimization.

As a final reflection, from our point of view companies and public entities should review the time recording systems if these are based on biometric data of the employed persons and implement, where appropriate, other systems more respectful of fundamental rights of protection of personal data and privacy. Similarly, it would be desirable for collective agreements to purge clauses that legitimize the use of this type of time control system.

Related Information

  • Biometrics and automated emotion recognition systems: legal and labor implications, Ana Belén Muñoz. Tirant Lo Blanch, 2023.
  • Blog Forum Lab

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll al inicio