Dutch DPA imposes fine on employer processing fingerprints of employees
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) issued a fine of EUR 725,000 for a company unlawfully processing fingerprints of its employees for attendance and time registration purposes.
The Dutch DPA concluded that the company in question did not have appropriate legal basis for processing fingerprints. First of all, the employer was not able to provide prove of having obtained explicit consent of employees.
Secondly, the Dutch DPA concluded that the “necessity” exception can only be relied upon when buildings and information systems need to be secured in such a way that this cannot be done without using (only) biometrics.