Newsletter September 2019

Biometric Data processing. 

To be legally compliant with data protection law, an employer must have a  “lawful basis” or justifiable reason to process an employee’s personal data.  

Ordinarily, under the GDPR, these reasons could include:  

a) employee consent;  

b) where the processing is necessary for the performance of 

a contract to which the data subject has agreed to;  
c) for compliance with an employer’s legal obligation;  
d) where the processing is necessary to protect to protect 

an individual’s vital interests; 

e) where the processing is necessary in the public 

f) where the processing is necessary for the 
purposes of legitimate interests pursued by the 


Biometric data used to uniquely identify individuals is considered a ‘special category’ of personal data under the 
GDPR. Processing of special categories of personal data is prohibited unless additional legal bases apply. Therefore, in  addition to having one of the above legal bases for processing, the employer must ALSO have one of the following 
legal bases: 

g) explicit consent;  

h) where the processing is necessary for the 

performance of specific rights or obligations in 
employment/social security/social protection law 
or a collective agreement;  

i) where the processing is necessary to protect to 
protect an individual’s vital interests where the 
data subject is physically or legally incapable of 
giving consent;  

j) where the processing is carried out by a non-profit 
body in certain circumstances; 


Explicit consent (i.e stated consent, or 

consent signified by some positive 

action such as ticking a box, not just consent which 

may be inferred from circumstances) given by the data  subject to process their biometric data is one of these  additional legal bases, however employee consent is 
often not considered true consent due the 
asymmetrical nature of the employer/employee 
relationship.  Readers will also note from the list at g)- n) above that ‘Legitimate interests’ are not available 

as a legal basis to process biometric data.  

k) where the processing related to personal data 
made public by the data subject themselves;  

l) where the processing is necessary for the 
establishment, exercise or defence of legal claims; 

m) where the processing is necessary for reasons of 
substantial public interest; 

n) where the processing is necessary in some limited 
other circumstances as set out in Article 9 of the 

Considering these stricter consent obligations under  the GDPR and the Article 29 Working Party guidance  (the Article 29 group is now effectively the European  Data Protection Board, the overseeing body of the 

GDPR), an employer who is processing biometric data  of employees used to uniquely identify individuals 
should seek alternative bases to explicit consent or 
‘legitimate interests’ to process its employees’ 
biometric data. Unless an employer can make an 
argument that it is processing biometric data under a  collective agreement, or is doing so in the public 
interest, no other alternative basis is currently 

In our opinion, employees should be offered 
alternatives to biometric clock in systems used to  uniquely identify individuals. This is based on a pre- existing pre-GDPR decision from the Irish Data 

Protection Commission to that effect, which has now  been reinforced by a recent Swedish decision in which  a school was fined 200,000 Krona (about €19,000) for  processing biometric data. data-protection-authority-issues-first-fine-for-

One potential solution is to use biometric data for 
non-identification purposes. Biometric data which is 
used to authorise entry without identifying an 
individual, but only identifying the fact that they are 
one of a class of people who are entitled to entry or 
access is not ‘biometric data for the purpose of 
uniquely identifying a natural person’ and is therefore  not Special Category Data and therefore only subject  the less onerous legal bases in the list at a)-f) above.

When is a Data Protection Impact Assessment (‘DPIA’) required in Ireland? 

Following the EDPB’s Opinion, the Irish Data Protection Commission (DPC) has published a non-exhaustive list of 
processing activities which require a DPIA to be carried out. The list encompasses both national and cross-border 
data processing operations. It should be read in conjunction with Article 35 of the GDPR and the Article 29 Working  Group Guidelines  

The DPC has determined that a DPIA will be mandatory for the following types of processing operations: 

1. Use of personal data on a large-scale for a 
purpose(s) other than that for which it was 

initially collected (a compatibility test must also 
be carried out pursuant to Article 6(4) GDPR). 

2. Profiling vulnerable persons including children to 
target marketing or online services at such 

3. Use of profiling or algorithmic means or special 
category data as an element to determine access 

to services or that results in legal or similarly 
significant effects; 

4. Systematically monitoring, tracking or observing 
individuals’ location or behaviour. 

5. Profiling individuals on a large-scale. 

6. Processing biometric data to uniquely identify an 

individual or enable the identification or 
authentication of an individual in combination 
with any of the other criteria set out in the WP29 
DPIA Guidelines. 

7. Processing genetic data in combination with any 
of the other criteria set out in WP29 DPIA 

8.    Indirectly sourcing personal data where GDPR 
transparency requirements are not being met, 
including when relying on exemptions based on 

impossibility or disproportionate effort. 

9. Combining, linking or cross-referencing separate 

datasets where such linking significantly 
contributes to or is used for profiling or 
behavioural analysis of individuals, particularly 
where the data sets are combined from different 
sources where processing was/is carried out for 
different purposes or by different controllers. 

10. Large scale processing of personal data where the 
Data Protection Act 2018 requires “suitable and 
specific measures” to be taken in order to 
safeguard the fundamental rights and freedoms 

of individuals. 

You will see that biometric data processing is at number 6. In our opinion that DPIA should conclude that you should  offer an alternative to its employees. There is no requirement that such alternative be more convenient for the 

Brexit : this advice from August is worth repeating.  

Are you an Irish company that transfers personal data to the UK?   

Reserved: This Photo by Unknown Author is licensed  under CC BY-SA  The proposed withdrawal agreement would have preserved the status quo in data  protection terms, at least until the end of the transition period in December 2020.  However, if the U.K. leaves the EU without a deal, the implications for 

international data flows and privacy compliance generally will be severe.  Without  additional actions, UK based processing of EU personal data will be illegal. 

How to ascertain ways you might be transferring data to a UK-based company 

• Are you outsourcing your HR, IT or Payroll function 
to a UK based organisation?  

• Are you using a UK based marketing company to 
send marketing communications to your customer 


• Is your pension scheme based in the UK? 

• Are you using a UK based company to analyse data 
on visitors to your website?  

In a ‘No Deal’ Brexit scenario you will need to put extra 
measures in place to legally transfer this data.  EU based 
data controllers are not permitted to transfer personal data  outside the EU/EEA unless those standards are maintained.  In a “no-deal” Brexit scenario, the UK will no longer be 

a member of the EU; instead, it will become a ‘Third 
Country’.  It will have to look for an Adequacy Ruling 

like Japan in time. This means that transfer of personal 

data from Ireland to the UK will be treated in the same 

way as transfers of personal data to countries like 

Australia or India etc. 

What this means in practice is that, in order to comply 

with GDPR rules, an Irish company intending to 

transfer personal data to the UK will need to put in 

place specific safeguards to protect the data in the 

context of its transfer and subsequent processing. 

Recent Cases from around the world 

• Are you storing or processing data in the UK on a 
server or in the cloud? 

• Are you using web-based tools provided by or via 
UK resources? 

This can be done in a number of different ways, 
depending on the circumstances in which the data is 
to be transferred. One such way is the use of 
“Standard Contractual Clauses” or “SCCs”  or” Model 
Clause Agreements “and this is likely to be relevant to  most Irish businesses that transfer personal data to 
the UK.  

The Model Clause Agreements consist of standard or  template sets of contractual terms and conditions that  the Irish-based controller and the UK-based recipient  both sign up to. The basic idea is that each of the 
parties to the contract gives contractually binding 
commitments to protect personal data in the context  of its transfer from the EU/EEA to the Third Country. 
Importantly, the data subject is also given certain 
specific rights under the SCCs even though he or she is  not party to the relevant contract.

Recently the data protection authority of North Rhine – Westphalia in Germany 
has brought the matter into sharp focus into an investigation into the car industry. 

It pointed at the following: – 

1. Vehicle data can be considered personal data if it can be linked to the 
customer’s name, or to a vehicle identification number; 

2. Data processing by a garage necessary for repair, service and maintenance including data transmission to the 
manufacturer is legitimate where that is necessary for the purpose of fulfilling a contract to which the data 
subject is party, but even in such circumstances the exact nature of the processing must be made clear to the 
data subject.  The recommendation was that this be done at the time of the order, in an addendum to order 

3. The data protection authority was more sceptical of transmission of personal data to manufacturers.  In 
particular, it formed the view that the garages and manufacturers were possibly both joint controllers of the 

personal data; 

It seems that the automotive industry is now becoming a focus for data protection, and that the data protection  
commission here will be aware of this German investigation, as there is a regular formal coordination process 
between all of the data protection authorities in the EU.  We can expect that the DPC will be considering launching its  own investigation, now that a large proportion of the work involved has already been done in Germany. 

Department of Social Protection, the DPC has directed  that the department cease processing applications for 

Breaking news in Ireland 

We explained in our August Newsletter that the State  has been told it must delete data held on 3.2 million 
citizens, which was gathered as part of the roll-out of  the Public Services Card, as there is no lawful basis for  retaining it. 

In a report on its investigation into the card, the Data  Protection Commission found there was no legal 
reason to make individuals obtain the card in order to  access State services such as renewing a driving 
licence or applying for a college grant. 

While the card will still be sought from people 
accessing some services directly administered by the 

cards needed for such functions. matters-pertaining-public-services-card 

The Minister has now said she is going to challenge  any outcome arising from the findings. The report is  below:

It seems that the government is waiting for the DPC to  issue a prosecution or fine, before reacting, so we will  have to await any such prosecution or fine and the 
inevitable Appeal/Judicial Review.  

Polish DPA imposes €645,000 fine for insufficient organisational and technical safeguards which led to personal  data of 2.2 million data subjects being breached. 

In the decision imposing the fine, the Polish DPA concluded that the company by  failing to comply with the required technical means of data protection, had 
breached, inter alia, the principle of confidentiality, as set out in Article 5 (1)(f) of  the GDPR. Therefore, there had been unauthorised access to and obtaining of 
customers’ data. The authority considered that unsuccessful measures for the 
authentication of data access were put in place. The company had implemented  additional technical security measures after the breach. 

The investigation revealed that the infringement occurred also because of ineffective monitoring of potential risks. and-technical_en 

Google wins landmark right to be forgotten case 

The Court of Justice of European Union on 24 September 2019 has agreed with the earlier decision of the Advocate 
General (on 10 January 2019) in its ruling on this landmark case and found that the “Right to be Forgotten” as applied  to Google search results only applies within the EU. Therefore, only domain names corresponding to EU Member 
States may be dereferenced TOGETHER WITH geo-blocking preventing all access to that partially dereferenced 
material from within the EU.  

This case was decided on jurisdictional grounds. It can just about be distinguished from Article 3.2 which does confer  extra-territorial jurisdiction, as that extra-territorial jurisdiction is only in the context of the sale of goods or services,  or of the monitoring of the behaviour of data subjects. 

It does make the Right to be Forgotten of only very limited use, as the information can now be accessed by technical  means or simply by accessing the information from outside the EU. 

ECJ Decision 24 September 2019 sf?text=&docid=218105&pageIndex=0&doclang=EN &mode=req&dir=&occ=first&part=1&cid=1162593 

Advocate General’s Decision 10 January 2019 sf?docid=209688&mode=req&pageIndex=1&dir=&o cc=first&part=1&text=&doclang=EN&cid=1162593