At the end of 2019, Dutch department store chain HEMA announced it was going to stop using fingerprints for its time clocks and sales registers. HEMA had been planning to introduce this fast and reliable method of identification in all its shops. It decided to cancel the entire operation, however, because it was contrary to European privacy law as set out in the General Data Protection Regulation (GDPR).
HEMA was not the first retailer in the Netherlands to do away with its fingerprint scanners. The shoe chain Manfield had been forced to do so after the District Court of Amsterdam ruled that its authorisation system, which used fingerprint scanning to enable access to sales registers, was in breach of the GDPR.
Fingerprint scanning is reliable, but is it allowed?
According to the District Court, fingerprints are biometric data that can be used to identify individuals. Biometric data that are processed for identifying people are classified as special personal data. Given their sensitive nature, such data enjoy heightened protection. Apart from a number of statutory exceptions, the GDPR prohibits the processing of special personal data.
The District Court ruled that no such exception applied because, according to the court's Explanatory Memorandum, the following preconditions had to be met:
Identification using biometric data has to be necessary for authentication or security purposes. The employer has to consider whether its buildings and information systems require security to such an extent that biometric data is needed for this purpose. For instance, access to a nuclear power station should be (very) limited.

The purpose of the data processing has to be proportionate to the violation of the individual's privacy. The security requirements for gaining access to a repair company's garage must not be such that employees can only gain access using biometric data, with such data being stored for that purpose. However, biometric data can sometimes provide an important means of security. One example is information systems that contain a substantial amount of personal data and must be able to withstand unlawful access, including by employees.

A legitimate interest?
Any processing of personal data requires a statutory basis. The GDPR provides six exhaustive bases. One of these is that there has to be a legitimate interest. Manfield invoked its business interest and referred to a number of instances of fraud that had recently been committed by its...