Biometric Data processing.
To be legally compliant with data protection law, an employer must have a “lawful basis” or justifiable reason to process an employee’s personal data.
Ordinarily, under the GDPR, these reasons could include:
a) employee consent;
b) where the processing is necessary for the performance of
a contract to which the data subject has agreed to;
c) for compliance with an employer’s legal obligation;
d) where the processing is necessary to protect to protect
an individual’s vital interests;
e) where the processing is necessary in the public
f) where the processing is necessary for the
purposes of legitimate interests pursued by the
Biometric data used to uniquely identify individuals is considered a ‘special category’ of personal data under the
GDPR. Processing of special categories of personal data is prohibited unless additional legal bases apply. Therefore, in addition to having one of the above legal bases for processing, the employer must ALSO have one of the following
g) explicit consent;
h) where the processing is necessary for the
performance of specific rights or obligations in
employment/social security/social protection law
or a collective agreement;
i) where the processing is necessary to protect to
protect an individual’s vital interests where the
data subject is physically or legally incapable of
j) where the processing is carried out by a non-profit
body in certain circumstances;
Explicit consent (i.e stated consent, or
consent signified by some positive
action such as ticking a box, not just consent which
may be inferred from circumstances) given by the data subject to process their biometric data is one of these additional legal bases, however employee consent is
often not considered true consent due the
asymmetrical nature of the employer/employee
relationship. Readers will also note from the list at g)- n) above that ‘Legitimate interests’ are not available
as a legal basis to process biometric data.
k) where the processing related to personal data
made public by the data subject themselves;
l) where the processing is necessary for the
establishment, exercise or defence of legal claims;
m) where the processing is necessary for reasons of
substantial public interest;
n) where the processing is necessary in some limited
other circumstances as set out in Article 9 of the
Considering these stricter consent obligations under the GDPR and the Article 29 Working Party guidance (the Article 29 group is now effectively the European Data Protection Board, the overseeing body of the
GDPR), an employer who is processing biometric data of employees used to uniquely identify individuals
should seek alternative bases to explicit consent or
‘legitimate interests’ to process its employees’
biometric data. Unless an employer can make an
argument that it is processing biometric data under a collective agreement, or is doing so in the public
interest, no other alternative basis is currently
In our opinion, employees should be offered
alternatives to biometric clock in systems used to uniquely identify individuals. This is based on a pre- existing pre-GDPR decision from the Irish Data
Protection Commission to that effect, which has now been reinforced by a recent Swedish decision in which a school was fined 200,000 Krona (about €19,000) for processing biometric data.
One potential solution is to use biometric data for
non-identification purposes. Biometric data which is
used to authorise entry without identifying an
individual, but only identifying the fact that they are
one of a class of people who are entitled to entry or
access is not ‘biometric data for the purpose of
uniquely identifying a natural person’ and is therefore not Special Category Data and therefore only subject the less onerous legal bases in the list at a)-f) above.
When is a Data Protection Impact Assessment (‘DPIA’) required in Ireland?
Following the EDPB’s Opinion, the Irish Data Protection Commission (DPC) has published a non-exhaustive list of
processing activities which require a DPIA to be carried out. The list encompasses both national and cross-border
data processing operations. It should be read in conjunction with Article 35 of the GDPR and the Article 29 Working Group Guidelines
The DPC has determined that a DPIA will be mandatory for the following types of processing operations:
1. Use of personal data on a large-scale for a
purpose(s) other than that for which it was
initially collected (a compatibility test must also
be carried out pursuant to Article 6(4) GDPR).
2. Profiling vulnerable persons including children to
target marketing or online services at such
3. Use of profiling or algorithmic means or special
category data as an element to determine access
to services or that results in legal or similarly
4. Systematically monitoring, tracking or observing
individuals’ location or behaviour.
5. Profiling individuals on a large-scale.
6. Processing biometric data to uniquely identify an
individual or enable the identification or
authentication of an individual in combination
with any of the other criteria set out in the WP29
7. Processing genetic data in combination with any
of the other criteria set out in WP29 DPIA
8. Indirectly sourcing personal data where GDPR
transparency requirements are not being met,
including when relying on exemptions based on
impossibility or disproportionate effort.
9. Combining, linking or cross-referencing separate
datasets where such linking significantly
contributes to or is used for profiling or
behavioural analysis of individuals, particularly
where the data sets are combined from different
sources where processing was/is carried out for
different purposes or by different controllers.
10. Large scale processing of personal data where the
Data Protection Act 2018 requires “suitable and
specific measures” to be taken in order to
safeguard the fundamental rights and freedoms
You will see that biometric data processing is at number 6. In our opinion that DPIA should conclude that you should offer an alternative to its employees. There is no requirement that such alternative be more convenient for the
Brexit : this advice from August is worth repeating.
Are you an Irish company that transfers personal data to the UK?
The proposed withdrawal agreement would have preserved the status quo in data protection terms, at least until the end of the transition period in December 2020. However, if the U.K. leaves the EU without a deal, the implications for
international data flows and privacy compliance generally will be severe. Without additional actions, UK based processing of EU personal data will be illegal.
How to ascertain ways you might be transferring data to a UK-based company
• Are you outsourcing your HR, IT or Payroll function
to a UK based organisation?
• Are you using a UK based marketing company to
send marketing communications to your customer
• Is your pension scheme based in the UK?
• Are you using a UK based company to analyse data
on visitors to your website?
In a ‘No Deal’ Brexit scenario you will need to put extra
measures in place to legally transfer this data. EU based
data controllers are not permitted to transfer personal data outside the EU/EEA unless those standards are maintained. In a “no-deal” Brexit scenario, the UK will no longer be
a member of the EU; instead, it will become a ‘Third
Country’. It will have to look for an Adequacy Ruling
like Japan in time. This means that transfer of personal
data from Ireland to the UK will be treated in the same
way as transfers of personal data to countries like
Australia or India etc.
What this means in practice is that, in order to comply
with GDPR rules, an Irish company intending to
transfer personal data to the UK will need to put in
place specific safeguards to protect the data in the
context of its transfer and subsequent processing.
Recent Cases from around the world
• Are you storing or processing data in the UK on a
server or in the cloud?
• Are you using web-based tools provided by or via
This can be done in a number of different ways,
depending on the circumstances in which the data is
to be transferred. One such way is the use of
“Standard Contractual Clauses” or “SCCs” or” Model
Clause Agreements “and this is likely to be relevant to most Irish businesses that transfer personal data to
The Model Clause Agreements consist of standard or template sets of contractual terms and conditions that the Irish-based controller and the UK-based recipient both sign up to. The basic idea is that each of the
parties to the contract gives contractually binding
commitments to protect personal data in the context of its transfer from the EU/EEA to the Third Country.
Importantly, the data subject is also given certain
specific rights under the SCCs even though he or she is not party to the relevant contract.
Recently the data protection authority of North Rhine – Westphalia in Germany
has brought the matter into sharp focus into an investigation into the car industry.
It pointed at the following: –
1. Vehicle data can be considered personal data if it can be linked to the
customer’s name, or to a vehicle identification number;
2. Data processing by a garage necessary for repair, service and maintenance including data transmission to the
manufacturer is legitimate where that is necessary for the purpose of fulfilling a contract to which the data
subject is party, but even in such circumstances the exact nature of the processing must be made clear to the
data subject. The recommendation was that this be done at the time of the order, in an addendum to order
3. The data protection authority was more sceptical of transmission of personal data to manufacturers. In
particular, it formed the view that the garages and manufacturers were possibly both joint controllers of the
It seems that the automotive industry is now becoming a focus for data protection, and that the data protection
commission here will be aware of this German investigation, as there is a regular formal coordination process
between all of the data protection authorities in the EU. We can expect that the DPC will be considering launching its own investigation, now that a large proportion of the work involved has already been done in Germany.
Department of Social Protection, the DPC has directed that the department cease processing applications for
Breaking news in Ireland
We explained in our August Newsletter that the State has been told it must delete data held on 3.2 million
citizens, which was gathered as part of the roll-out of the Public Services Card, as there is no lawful basis for retaining it.
In a report on its investigation into the card, the Data Protection Commission found there was no legal
reason to make individuals obtain the card in order to access State services such as renewing a driving
licence or applying for a college grant.
While the card will still be sought from people
accessing some services directly administered by the
cards needed for such functions.
The Minister has now said she is going to challenge any outcome arising from the findings. The report is below:
It seems that the government is waiting for the DPC to issue a prosecution or fine, before reacting, so we will have to await any such prosecution or fine and the
inevitable Appeal/Judicial Review.
Polish DPA imposes €645,000 fine for insufficient organisational and technical safeguards which led to personal data of 2.2 million data subjects being breached.
In the decision imposing the fine, the Polish DPA concluded that the company by failing to comply with the required technical means of data protection, had
breached, inter alia, the principle of confidentiality, as set out in Article 5 (1)(f) of the GDPR. Therefore, there had been unauthorised access to and obtaining of
customers’ data. The authority considered that unsuccessful measures for the
authentication of data access were put in place. The company had implemented additional technical security measures after the breach.
The investigation revealed that the infringement occurred also because of ineffective monitoring of potential risks.
Google wins landmark right to be forgotten case
The Court of Justice of European Union on 24 September 2019 has agreed with the earlier decision of the Advocate
General (on 10 January 2019) in its ruling on this landmark case and found that the “Right to be Forgotten” as applied to Google search results only applies within the EU. Therefore, only domain names corresponding to EU Member
States may be dereferenced TOGETHER WITH geo-blocking preventing all access to that partially dereferenced
material from within the EU.
This case was decided on jurisdictional grounds. It can just about be distinguished from Article 3.2 which does confer extra-territorial jurisdiction, as that extra-territorial jurisdiction is only in the context of the sale of goods or services, or of the monitoring of the behaviour of data subjects.
It does make the Right to be Forgotten of only very limited use, as the information can now be accessed by technical means or simply by accessing the information from outside the EU.
ECJ Decision 24 September 2019
Advocate General’s Decision 10 January 2019