On 21 June 2021, the State Data Protection Inspectorate (SDPI) imposed a fine of 20 thousand EUR on the sports club VS FITNESS, UAB, for violations of the General Data Protection Regulation (GDPR) regarding the processing of biometric data.
The SDPI investigated whether the processing of fingerprints of the clients and employees of the sports club was carried out lawfully and whether the sports club had properly implemented the obligations related to the processing of such personal data.
Fingerprints are personal data classified as biometric data, and the rules governing their processing are stricter than those for other personal data.
The sports club based the processing of biometric data on consent that formally complied with the requirements of the GDPR. However, the SDPI's investigation established that, even though the formal requirements of the GDPR were met, i.e. the consent of the data subjects had been obtained, the sports club had not provided the conditions necessary for such consent to be valid.
Regarding the processing of fingerprints of employees
The SDPI expressed their opinion on the processing of fingerprints of employees and stated that, although it was based on the employee’s consent, the subordinate relationship between the employee and the employer essentially meant that such consent could not be regarded as voluntary.
The European Data Protection Board has emphasized more than once that consent as a basis for the processing of personal data in the relationship between an employee and an employer must be avoided, because it does not guarantee that the requirements for valid consent are met.
Regarding the processing of fingerprints of clients
The SDPI established that the company processed the fingerprints of its clients on the basis of the clients' consent. However, as the clients were not offered an alternative way to enter the sports club, the SDPI found that such consent to the use of fingerprints was not voluntary and did not meet the other requirements for valid consent.
One of the conditions for consent is its voluntary nature, which essentially means that the client must be given an alternative. In the absence of alternative options, the client is considered to have had no choice but to consent to the processing of biometric personal data.
Regarding other circumstances identified by the SDPI
When investigating the processing of biometric personal data, the SDPI also pointed out that the lawfulness of such processing is not secured merely by properly establishing the basis for data processing, i.e. consent. In this case, the sports club also had to carry out a data protection impact assessment (DPIA) before processing such personal data and to properly inform both clients and employees about the processing of their personal data.
What can we learn?
- The processing of biometric data requires a proper assessment of the legal basis for processing such personal data and, where the basis is consent, the consent must comply with the conditions set for it (it must be voluntary, specific, informed, unambiguous, verifiable and revocable);
- When processing biometric personal data, the data subjects must also be given an alternative means of identification that does not involve the processing of biometric data;
- Consent as the legal basis for the processing of personal data in the relationship between an employee and an employer should be avoided because of the employee's subordination to the employer;
- When collecting any biometric data, the company or organization must carry out a data protection impact assessment to identify potential risks and to put in place measures to reduce or eliminate those risks.
For more information or advice on data protection, please consult the specialists of ECOVIS ProventusLaw.
Prepared by Brigida Bacienė, Certified Data Protection Expert (CIPP/E) of ECOVIS ProventusLaw, and Andrius Karmonas, Associate of ECOVIS ProventusLaw