French data protection authority (“CNIL”) rules that a biometric control system of employees’ working time is forbidden
A company had implemented a biometric control system (fingerprints recognition) which purpose was to monitor employee’s working time.
Although French law allows an employer to monitor its employees activity, a monitoring system must, to be valid, meet the following requirements:
- Transparency: the employee’s reps’ and the employees themselves shall be informed of its existence.
- Justification: the monitoring system must be justified by a legitimate interest (ensuring the security and safety, improving of the customer satisfaction for instance).
- Proportionality: the monitoring system shall not be excessive. Proportionality is assessed in relation to fundamental freedoms, including the right to privacy.
In this case, the CNIL considered that this monitoring system was disproportionate, and sentenced the company to a 10,000 euros fine (due to the persisting infringements of the company despite several warnings).
According to new GDPR regulation, biometric data is sensible data which processing is forbidden, except in very specific cases, such as control of access to highly sensitives and secured places of work.
Vanessa Stepanian / Tilia Bopp