Are employers allowed to process employees' biometric data, such as fingerprints, for the purpose of time and attendance tracking?
Processing of biometric data, such as a fingerprint or a biometric pattern (capturing of main characteristics of a fingerprint image and their preservation in a database for the purpose of comparing the biometric pattern and an actual fingerprint, as a means of unique identification, regardless of the fact that such pattern cannot be reproduced to create an image of the fingerprint) is not allowed.
Namely, there is no disputing that an employer has the right and duty to control its employees' time and attendance, which is borne out by the text of the Labour Law (Official Gazette of RS, Nos. 24/2005, 61/2005 and 54/2009) and the Labour Records Law (Official Gazette of FRY, No. 46/96 and Official Gazette of RS, Nos. 101/2005 – other law and 36/2009 – other law), which provides for the specific data an employer is required to keep in its Employee Records (Article 5) and its Salary Records (Article 24). In order to process any employee data other than those specifically required by the Labour Records Law, an employer will need to obtain the data subject's consent in accordance with Articles 10 and 15 of the Law on Personal Data Protection. However, even if employees have consented to the collecting of biometric data (through fingerprint scanning), such processing would still be unlawful. Namely, according to Article 8, item 7 of the Law on Personal Data Protection, data can be processed only if the number or type of the data processed is proportionate taking into account the purpose of processing. In other words, data can be collected and processed only if they are strictly necessary for achieving the intended purpose of processing. This means it is necessary to examine on a case-by-case basis for each type of data whether the processing of any specific data is strictly necessary for achieving the intended purpose of processing. In other words, is it actually necessary to scan employees' fingerprints for the purpose of time and attendance tracking or can the same purpose be achieved by other, less intrusive means?
The Serbian legal order does not include any overarching and systemic piece of legislation that would regulate the processing of biometric data as a type of personal data. However, as data protection is guaranteed by Article 42 of the Constitution of the Republic of Serbia as a specific human right, the interpretation and protection of this right need to take into account the relevant applicable international standards of human rights. According to Article 18, paragraph 3 of the Serbian Constitution, provisions governing human and minority rights are interpreted to the benefit of promoting values of a democratic society, according to the applicable international standards of human and minority rights, as well as the practice of international institutions which supervise their implementation. The provision of Article 5 of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, which was incorporated in the national legislation by the Law on Ratification of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Official Gazette of FRY – International Agreements, No. 1/92 and Official Gazette of Serbia and Montenegro – International Agreements, No. 11/2005 – other law), provides that personal data undergoing automatic processing must be:
(a) obtained and processed fairly and lawfully,
(b) stored for specified and legitimate purposes and not used in a way incompatible with those purposes,
(c) adequate, relevant and not excessive in relation to the purposes for which they are stored,
(d) accurate and, where necessary, kept up to date,
(e) preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored.
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data is a cornerstone of the acquis communautaire: it governs the processing of personal data and protects the fundamental rights and freedoms of individuals, including in particular the right to privacy as a fundamental human right. A relevant international body that has addressed the issue of biometric data and introduced certain standards and guidelines in this field is the Article 29 Working Party, established under Article 29 of the said Directive 95/46/EC of 24 October 1995, the powers of which are set out in Article 30 of that Directive. This body acts in an advisory capacity and is autonomous in its work. According to the Working Document on Biometrics adopted by the Article 29 Working Party on 1 August 2003, biometric data can be used only if they are adequate, relevant and not excessive.
The purpose for which biometric data can be used and processed must be clearly stated and a test has to be made in order to determine the proportionality and lawfulness of any such processing, taking into account the risk posed by such processing for the protection of individuals' fundamental rights and freedoms. One question that merits special consideration is whether the intended purpose of processing can be achieved by less intrusive means. This implies a strict assessment of proportionality of the processed data. Centralised storage of biometric data also increases the risk of using the biometric data as a key for cross-referencing different databases, which may result in detailed profiles of individuals' habits, both in public and private sectors. Therefore, the use of biometric data is considered necessary only in cases where this is needed for the purpose of the data controller's operations (which should be assessed on a case-by-case basis, depending on the employer's activity), for the purpose of protecting personal data or trade secrets, personal safety etc.
Introducing biometrics for the sole purpose of time and attendance tracking is excessive and disproportionate and constitutes an unnecessary invasion of privacy, since the purpose of such processing can be achieved by other means, e.g. by better organisation of the staff, by appointing a person to keep track of the arrival and departure of employees etc., while the potential damage that may result from any abuse of such data outweighs by far any benefits the data controller may obtain.