Recently, the Spanish Data Protection Agency (AEPD) published a sanctioning resolution against a gym following a complaint by a customer about its use of a fingerprint-based access control system.
More specifically, the complainant indicated that the use of this access control system “is a disproportionate means in the collection of data and that the document for consent to the contribution of his biometric data was not delivered to him”.
According to the company under investigation, “the purpose of the system in the gym is to obtain a numerical template based on algorithms that serves as a personal and non-transferable means to access the gym facilities through the comparison of elaborated patterns by the system based on the fingerprint.” In addition, the company states that customers’ fingerprints are not stored, but are only used to generate a template for each customer:
“A numerical template is generated through complex mathematical algorithms using the information of some points of the fingerprint. In no case can the fingerprint be retrieved through the information of these stored templates. In addition to this, the physical characteristics of the fingerprint cannot be deduced from the template.”
“Any time that the capture of this fingerprint does not require capturing the digital fingerprint of the individual, but it is only a pattern or template, which despite being non-transferable, cannot be used for any other use.”
However, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings for the alleged violation of Article 4.1 of the Spanish Organic Law on the Protection of Personal Data (LOPD), classified as a serious infringement in Article 44.3.c) of the same law. Remember that the LOPD remains in force on every point where it does not contradict the GDPR.
LOPD. Article 4. Quality of the data.
- Personal data may be collected for processing, and undergo such processing, only if they are adequate, relevant and not excessive in relation to the scope and the specified, explicit and legitimate purposes for which they were obtained.
Higher future sanctions
After analysing this case we can draw some interesting conclusions that we need to keep in mind:
- The sanction imposed in this case is very lenient, only 1500 euros, because it is the first since the new regulation was approved. However, we must stay alert, since the sanctions that follow will be higher, as the “jurisprudence” in this sector has warned and established.
- It is also important to highlight the number of companies that use fingerprint readers (for customers or employees), almost none of which are compliant with the LOPD and the GDPR.
- The key lies in the proportionality of the measure and in how it is justified in the Record of Processing Activities.
- It is necessary to base the processing on legitimate interest, especially for attendance control in human resources, but also for controlling the facilities: stronger access controls that prevent people entering the establishment without paying, and more efficient business management.