
ITALIAN SUPERVISORY AUTHORITY: the Italian DPA says no to the use of employees’ fingerprints if there is no legislative basis.

The Italian Data Protection Authority has sanctioned a Provincial Health Department (ASP) in Enna for 30.000 euros because it was using an attendance detection system based on employees' biometric data. Following the strengthening of the guarantees required by the Regulation and by the Privacy Code, installing this type of system requires a legislative basis that is proportionate to the aim pursued and that sets out appropriate and specific measures to protect the rights of data subjects.

In the case of the ASP of Enna, the legislative basis relied on was lacking, because the Regulation under Legislation n. 56/2016 (later repealed), which was meant to establish guarantees limiting and regulating the main processing methods, had not been implemented.

The Authority's investigation, started after some press releases, established that the attendance detection system of ASP Enna acquired the fingerprints of more than 2.000 employees, storing them in encrypted form on each employee's badge.

The company verified the identity of the employee by comparing the biometric reference template stored inside the badge with the fingerprint presented at the time of detection, and transmitted the employee's serial number, together with the date and time of the clock-in, to the attendance detection system.

The Authority held, contrary to what the health company had argued, that this amounted to processing of the employees' biometric personal data (both when the badge was issued and when the fingerprint was verified at each clock-in by each employee), in the absence of a suitable legal basis.

Nor can the consent of the employees, relied on by the ASP as a basis for the processing, be regarded as valid in the employment context, a fortiori in the public context, because of the imbalance in the relationship between employee and employer.

In addition, the health facility, although it had informed the staff and the trade unions of the organisational choice made, had not provided all the information on the processing, as required by the European Privacy Regulation.

Considering all the aspects of the case, the Italian Data Protection Authority declared the processing of biometric data unlawful and imposed a fine of 30.000 euros on the hospital. The Italian Data Protection Authority also ordered the deletion of the biometric templates stored in the badges and asked the hospital to announce the steps it intends to take to stop processing employees’ biometric data.

SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DELL’ITALIA – GPDP
