Fingerprint in violation of the GDPR

In the modern age in which we live, the use of fingerprints as a means of identification is increasingly common, for example unlocking a smartphone with a finger scan. But what about privacy when it no longer takes place in private matters in which there is conscious voluntariness? Can work-related finger recognition be made obligatory in the context of security? Can an organization impose on its employees an obligation to hand over their fingerprints, for example for access to a security system? And how does such an obligation relate to privacy rules?

Fingerprints as special personal data

The question we should ask ourselves here is whether a finger scan qualifies as personal data within the meaning of the General Data Protection Regulation. A fingerprint is biometric personal data that is the result of specific technical processing of a person’s physical, physiological or behavioral characteristics.[1] Biometric data can be regarded as information relating to a natural person, because it is data that, by its nature, provides information about a particular person. Through biometric data, such as a fingerprint, a person can be identified and distinguished from another person. In Article 4 GDPR, this is also explicitly confirmed by the definition provisions.[2]

Is fingerprint identification a violation of privacy?

The Amsterdam Subdistrict Court recently ruled on the admissibility of a finger scan as an identification system based on the level of security.

The shoe store chain Manfield used a finger scan authorization system, which gave employees access to the cash register.

According to Manfield, the use of finger identification was the only way to gain access to the cash register system. It was necessary, among other things, to protect employees’ financial information and personal data. Other methods no longer qualified and were susceptible to fraud. One of the employees of the organization objected to the use of her fingerprint. She regarded this authorization method as a violation of her privacy, referring to Article 9 of the GDPR. According to this article, the processing of biometric data for the purpose of the unique identification of a person is prohibited.

Necessity

This prohibition does not apply where the processing is necessary for authentication or security purposes. Manfield’s business interest was to prevent loss of revenue due to fraudulent personnel. The Subdistrict Court rejected the employer’s appeal. Manfield’s business interests did not make the system ‘necessary for authentication or security purposes’, as stipulated in Section 29 of the GDPR Implementation Act. Of course, Manfield is free to act against fraud, but this may not be done in violation of the provisions of the GDPR. Furthermore, the employer had not provided its company with any other form of security. Insufficient research had been carried out into alternative authorization methods, such as an access pass or a numerical code, whether or not in combination. The employer had not carefully weighed the advantages and disadvantages of different types of security systems and could not sufficiently justify why it preferred a specific finger scan system. Mainly for this reason, the employer did not have the legal right to require its staff to use the fingerprint scanning authorization system on the basis of the GDPR Implementation Act.

If you are interested in introducing a new security system, you will need to assess whether such systems are permitted under the GDPR and the Implementation Act. If you have any questions, please contact the lawyers at Law & More. We will answer your questions and provide you with legal assistance and information.

[1] https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/identificatie/biometrie

[2] ECLI:NL:RBAMS:2019:6005
