The processing of employees’ biometric data carried out by a public administrative authority for the purpose of verifying their attendance declared unlawful by the Italian Supervisory Authority.
The Italian Supervisory Authority (“Garante”) imposed a fine of € 30.000 on a public administrative authority (“PA”) for unlawful processing of its employees’ biometric data, due to the use of an attendance monitoring system based on fingerprints. By matching the employee’s fingerprint with the one associated with his/her badge, the system was able to prove the effective attendance of employees at the workplace.
In its decision, the Garante underlined that the processing concerned lacked a legal basis, as required by art. 6 of the GDPR. In particular, the Garante recalled that the processing of biometric data in the field of employment is allowed only “in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject” (Art. 9.2 b) and, in replying to the PA’s defense arguments, stated that:
- the processing activities in question could not be based (i) on consent, due to the fact that – in accordance with the EDPB Guidelines 05/2020 on consent – the imbalance in the employer-employee relationship is generally inconsistent with the conditions required for such a basis, as provided by art. 7 of the GDPR; nor (ii) on the legitimate interests pursued by the controller, given that this latter basis is not included in the conditions listed in art. 9.2 of the GDPR, which are the only ones that can be applied to process special categories of data (including, inter alia, biometric data);
- the PA could not justify the processing by affirming that it was necessary for compliance with Italian law (Law n. 56/2019 against employees’ absenteeism in the public sector). In fact, even if this law – now repealed – authorized public administrative authorities to install biometric monitoring systems for the purpose of verifying the employees’ attendance at the workplace, it imposed as a condition the adoption of specific measures provided by a regulation, which, nevertheless, the Italian Government never adopted. Therefore, the law in question couldn’t be considered a valid basis for such processing;
- the PA couldn’t argue that the processing was necessary for “reasons of substantial public interest” (Art. 9.2 g) of the GDPR) because, once again, the Italian Government never adopted the implementing regulation that Member State law (in particular, Art. 2-sexies of the Italian Personal Data Protection Code) requires as a condition for applying this legal basis.
In conclusion, considering all the above, the Garante (i) declared the unlawfulness of the processing activities concerned, (ii) ordered the erasure of the employees’ collected data, and (iii) imposed on the PA an administrative fine of € 30.000.