Use of biometric data in labor control: AEPD criteria
The use of fingerprint and facial recognition in the workplace has been analyzed by the Spanish Data Protection Agency (AEPD). Its recent guide concludes that these systems, considered biometric data processing, present high risks for the rights of workers and that their legal legitimacy is very limited.
AEPD limits the use of biometrics in the workplace
The General Data Protection Regulation (GDPR) establishes that biometric data is a special category of personal data. The AEPD points out that its processing cannot be based on the employee's consent, because there is a clear imbalance in the employment relationship. In addition, it insists that less intrusive alternative measures (such as cards or digital clocking systems) should always be prioritized.
Alternatives and recommended security measures
Although exceptions are contemplated, the AEPD stresses that the use of biometrics could be justified only exceptionally and under a strict analysis of necessity and proportionality. If biometrics are implemented, companies should:
- Conduct a data protection impact assessment prior to use.
- Implement advanced security measures (encryption, template revocation, protection by design).
- Guarantee the right to human intervention in automated decisions affecting the worker.
Download the report on the use of biometric data
Access our complete analysis of the AEPD guide and find out what implications the use of fingerprint and facial recognition has for your organization in time recording and access control.
This report will help you:
- Understand the AEPD criteria.
- Identify the legal risks of biometrics.
- Know less intrusive alternatives.
- Prepare your company to comply with the GDPR.

Conclusion
The AEPD concludes that, in most cases, the processing of biometric data is neither necessary nor proportionate for time recording or access control. Companies should opt for less invasive alternative systems to comply with regulations and protect the rights of their workers.


