The use of biometric Data at the workplace in Belgium and some neighboring countries

THE USE OF BIOMETRIC DATA AT THE WORKPLACE IN BELGIUM AND SOME NEIGHBORING COUNTRIES

The use of biometric data (such as fingerprints and facial recognition) is already a reality for many employers in Belgium and elsewhere in Europe. These data are given special attention under the EU General Data Protection Regulation (GDPR). This article aims to provide an overview of the current legal framework applicable to the employers in Belgium wishing to use biometric data at the workplace, as well as a quick comparison with the situation in The Netherlands, France and Germany.

Over the past decade, we have seen the emergence of the use of biometrics in the workplace. The most common examples of processing activities involving biometric data are facial or voice recognition and fingerprint access systems.

More and more organizations are considering implementing biometrical technologies for authorization, authentication and security purposes (e.g. accessing work premises or tools, monitoring employees working hours, building security etc.) as it cuts down on paperwork, increases processing speeds and lowers the risk of human error. However, the use of such systems shall be carefully assessed.

Identification vs authentication (verification) purposes

The GDPR defines biometric data as personal data resulting from specific technical processing relating to physical, physiological or behavioral characteristics of individuals, which allows or confirms the unique identification of a natural person. Hence, the definition covers two possible purposes of the processing of biometric data: identification or authentication/verification of identity.

Because of its sensitive nature, a special regime exists under the GDPR which prohibits the use of biometric data for the purpose of uniquely identifying natural persons and which only provides limited room for exceptions. For example, processing is permitted when the data subject has given explicit consent to the processing, when the processing is necessary for substantial public interest or for reasons of public health.

Since the special regime under the GDPR does not make any reference to the processing of biometric data for the purposes of authentication or verification (i.e. for the purpose of confirming the identity of an individual) but only refers to the processing of biometric data for the purpose of uniquely identifying a natural person, it could be argued that the prohibition to process biometric data under the GDPR applies to processing activities for identification purposes only. This would also be consistent with the fact that the use of biometric data for verification purposes is regarded as less problematic from a data protection perspective considering that verification (or authentication) does not necessarily require storage of personal data in a centralized database and typically involves the processing of data on fewer numbers of persons. The processing of biometric data for verification/authentication purposes would, however, still be subject to the general requirements of the GDPR (e.g. legal basis, information requirement, record-keeping, etc).

Use of biometric data in Belgium

There is no legal framework in Belgium which explicitly allows the processing of biometric data in the workplace.

The Belgian Supervisory Authority (the "Belgian DPA") released its draft recommendation (Draft Recommendation of 15 July 2021 for processing biometric data) on the use of biometric data, which pro-vides guidance to data controllers and data processors on the correct application and interpretation of the applicable provisions relating to the processing of biometric data. In its draft recommendation, the Belgian DPA does not draw a distinction between the identification and authentication/verification purposes but takes the view that the processing of biometric data is prohibited under the GDPR, irrespective of the fact that such data is processed for identification or verification/authentication purposes. As a result, in Belgium, it remains unclear whether the prohibition to process biometric data relates to both purposes or to identification purposes only.

In its draft recommendation, the Belgian DPA also outlines that explicit consent (with all the GDPR requirements attached to it) is currently the only legal basis that enables the processing of biometric data because Belgian lawmakers failed to adopt a national legislation which would allow the processing of biometric data (except in the context of the eID). Thus, in its draft recommendation, the Belgian DPA is inviting the Belgian lawmakers to adopt such a legislation. Even if explicit consent constitutes one of the exceptions to the general prohibition of processing biometric data, this legal basis will often not be valid in an employer-employee relationship due to the power imbalance between an employer and an employee. It is often argued that consent cannot be freely given in such a case.

It should also be noted that under the Belgian Act of 30 July 2018 on the protection of individuals with regard to the processing of personal data, any employer which processes biometric data shall list the categories of individuals having access to such data and make this list available to the supervisory authority upon request. The employer shall also ensure that those designated individuals are bound by an appropriate obligation of confidentiality.

Recommendation for Belgian employers

Since there is currently no legal framework in Belgium that allows an employer to process biometric data and as the reliance upon consent is often problematic in an employment relationship, no clarity exists as to the lawful use of biometrics in the workplace. However, it can be argued that only biometric systems that are used for the purpose of identification are subject to the general prohibition of the GDPR.

Therefore, the use of biometric systems such as face recognition or fingerprint scans in the workplace is possible but the employer must carefully assess whether these systems are used for authentication/verification or identification purposes. With regard to the former, the employer is allowed to process biometric data provided that it meets the general requirements of the GDPR (i.e. the need for a legal basis for personal data processing, transparency/information obligation, record keeping etc.). By way of illustration, a system that locally stores a fingerprint-based computer file to serve as a way of authentication and that does not reconstruct the fingerprint of the employee could fall under this regime. With regard to the latter, the employer is prohibited to process the biometrics, except if the employee has given his/her consent. However, it should be remembered that consent as a legal basis is usually not accepted, due to the power imbalance between the employer and employee. Since Belgian legislation does not provide any other legal basis for the use of biometrics for identification purposes, the employer who still wants to implement such systems must ensure that the employee's consent meets the requirements of the GDPR (i.e freely given, specific, informed and unambiguous).

Moreover, when the processing activity involves the processing of biometric data, the conduct of a data protection impact assessment ("DPIA") is highly recommended (EDPB, Guidelines on DPIA, WP 248 rev.01, see also Guidelines 3/2019 on processing of personal data through video devices).

Use of biometric data in neighboring countries

Whilst Belgium has not yet provided a legal basis to allow the processing of biometric data in the workplace, neighbouring countries such as The Netherlands, France or Germany have.

THE NETHERLANDS

The Dutch GDPR Implementation Act (Uitvoeringswet Algemene verordering gegevensbescherming: "DGIA") of 16 May 2018 contains, in addition to obtaining consent, an exception to the prohibition of processing biometric data, which applies where the processing is necessary for authentication or security purposes. In order to rely on this exception, employers should carefully consider whether the relevant building or information system requires a level of security that can only be achieved through the processing of biometrics.

Hence, the employer must prove that implementing biometric systems is both necessary for security reasons and proportionate in order to rely upon the exception provided in the DGIA. According to the explanatory memorandum to the DGIA, the exception may only be relied upon where the buildings and information systems need to be secured in such a way that this must be done through biometric systems. The Dutch legislator clarified that the necessity and proportionality threshold is not easily reached and provides the example of a nuclear power station. The high threshold also follows from a decision of the Dutch court in which the court ruled that the use of (mandatory) fingerprint data by a retailer for security purposes was not necessary and proportionate (ruling of the Dutch court of 12 August 2019). The court argued that the retailer could have used different and less intrusive means for the privacy of employees such as access cards, employment cards and/or passwords.

In addition, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens: "Dutch DPA") has recently imposed a fine of EUR 725,000 on a Dutch organization for unlawfully processing employees fingerprint data (Decision of the Dutch DPA of 4 December 2019). The organization used fingerprint scanning for time registration and administration of salaries, holidays and sick leaves. The Dutch DPA acknowledged that an organization may have an interest in using fingerprint scanning for these purposes. However, given the purpose of the processing and taking into account the business activities of the organization, the Dutch DPA concluded that the interest did not justify the processing and it was not necessary to introduce these access controls for achieving the purpose.

The Dutch DPA also argued that employers cannot use consent as a legal basis for the use of biometric systems for the purpose of controlling access to premises, applications and work tools. The GDPR requires consent to be freely given, specific, informed and unambiguous. Due to the imbalanced relationship between employer and employee, consent is generally considered not freely given. Therefore, employers (in light of the imbalanced relationship), in most cases, cannot rely on consent as a legal basis for the processing of data of employees.

FRANCE

In France, the use of biometric data is explicitly provided for by the Law "Informatique et Libertés" (Loi Informatique et Libertés of 6 January 1978). The French data protection authority ("CNIL") has published a "Model Regulation" (Délibération n°2019-001 of 10 January 2019) which specifies the ob-ligations of organisations or companies wishing to equip themselves with biometric systems for the purpose of controlling access to premises, applications and work tools. This Model Regulation aims to complete or clarify certain general obligations arising from the GDPR.

More specifically, the Model Regulation requires each organization or company to justify to the CNIL any use of biometric systems. In order to justify the deployment of such systems, the employer must identify a specific context that requires a high degree of security, and prove that no "less intrusive" means exists to that end. If the use of biometric data is justified according to the CNIL, the consent of the employee concerned is not required.

GERMANY

According to the German Federal Data Protection Act (20 November 2019) an employer may only use biometric systems in the workplace if the employee has given its consent or where this is necessary to exercise rights or comply with legal obligations derived from labor law, social security and social protection law, and the data subject has no overriding legitimate interest in not processing the data.

A recent court ruling in Germany (Higher Regional Labour Court Decision of 4 June 2020) has considered the tracking of time and attendance of employees through the use of a fingerprint-based system to be illegal, unless if exceptional circumstances make it necessary. The court ruled that less intrusive means existed in order to record working time of employees.

If the employees have elected a works council, such technical devices able to monitor the behavior or performance of the employees can only be implemented and used by the employer after undergoing the co-determination process.

Conclusion

Unlike its neighboring countries, Belgium has still to provide clarity as to the appropriate legal basis for the processing of biometric data in the workplace. However, although Germany, France and The Netherlands have adopted rules or guidance on this matter, the possibility to use biometric systems on the workplace remains subject to a case-by-case assessment.

For an employer in Belgium, it can be argued that the implementation of biometric systems for authentication purposes only does not fall under the prohibition to process biometric data under the GDPR. Hence, the employer in Belgium which would only use a biometric system for authentication purposes only would not be subject to the protective rules for biometric data processing but only to the general requirements of the GDPR. In any case, the performance of a DPIA is, also highly recommended.

Disclaimer – The views expressed in this article are the personal views of the authors and are purely informative in nature.