Belgian Data Protection Authority fines employer €45,000 for unlawful biometric data processing

18 Sep 2024

The use of biometric data by employers has become increasingly common. However, processing such sensitive data is subject to stringent regulations under the General Data Protection Regulation (GDPR). A recent decision (114/2024) by the Belgian Data Protection Authority (DPA) provides valuable insights into the lawful and unlawful use of biometric data in the workplace. This newsletter explores the key aspects of this decision, focusing on the conditions under which the use of biometric data could be considered lawful.

Case summary 

On September 6, 2024, the DPA imposed a €45,000 fine on an employer for the illicit processing of biometric data following a complaint filed by a former employee. The employer had implemented a system using employees' fingerprints for time tracking purposes, relying on their consent as a legal ground.

General principle

Article 9.1 of the GDPR prohibits the processing of special categories of personal data unless one of the conditions outlined in article 9.2 applies. 

Key takeaways from the decision

  • Special categories of personal data include fingerprints

The DPA confirms that a fingerprint constitutes biometric data within the meaning of Article 4(14) of the GDPR. Since it was used by the employer to identify employees for time tracking, it also constitutes the processing of a special category of personal data within the meaning of Article 9.1 of the GDPR.

  • Processing of special categories of personal data is prohibited in principle 

The DPA further confirms that processing special categories of personal data is prohibited in principle, because this kind of processing creates higher risks for the fundamental rights and freedoms of the data subject.

  • Cumulative application of Articles 6 and 9 of the GDPR

To lawfully process such data, the data controller must establish the existence of both a legal ground under Article 6.1 of the GDPR and an exception to the prohibition under Article 9. This decision aligns with recent CJEU case law (Meta, case C-252/21), confirming the cumulative application of Articles 6 and 9 for the processing of special categories of personal data. The DPA also mentions Opinion 2/2019 of the European Data Protection Board (EDPB) and Opinion 06/2014 of the Article 29 Working Party, which consistently refer to the cumulative application of both Article 6 and Article 9 GDPR in the case of processing of special categories of personal data. Finally, the DPA also refers to Recital 51 GDPR, which indicates that Article 6 must always be applied.

  • Difficulty of relying on consent as a legal ground in an employment context

The DPA emphasised that, in the context of an employer-employee relationship, relying on employees’ consent is only valid in exceptional circumstances where it can be proved that there would be no negative consequences for employees should they refuse to give their consent. In this case, the DPA noted that both the employees’ onboarding documentation and the internal labour agreement highlighted the importance (and obligation) to register their working time, demonstrating the mandatory and non-voluntary nature of the processing activity to which the employee had to submit.

Even though the processing activity was introduced to ease the employee’s time registration (badges were too burdensome) and the labour unions (or the employees themselves) never expressed any concerns, this is still insufficient to show that the consent was valid or freely given.

Additional breaches

The DPA also found a breach of data minimisation principles, noting that less intrusive measures could have sufficed. Additionally, the employer failed to conduct a mandatory data protection impact assessment and did not implement necessary GDPR-compliant measures.

Conclusion

The DPA’s decision underscores that, while the use of biometric data by employers could be lawful, these situations are subject to strict conditions. Employers must carefully consider whether less intrusive methods can achieve their objectives and ensure that any processing of biometric data complies with both Article 6 and Article 9.2 of the GDPR. 

In our view, this decision almost certainly condemns the use of biometric data for time recording or protecting company assets. We imagine that this decision, although justifiable in view of the prohibition of biometric data, will come as a thunderbolt for many companies that use this type of security to protect their critical infrastructure or trade secrets.

Finally, the complaint, brought by an employee a few days before the termination of his/her labour agreement, once again demonstrates that privacy arguments are increasingly being used as leverage and means of pressure in the context of other disputes. Employers should remember that today’s employee could potentially be tomorrow’s complainant.

Are you interested in knowing more about data protection or processing biometric data? Don't hesitate to reach out!

Loïc Delanghe, Peter Decru and Isha Upadhyaya
