Expert Advice Community


Lawful grounds for processing employee biometric data

Guest user Created:   Sep 12, 2018 Last commented:   Sep 12, 2018

I am struggling with selecting and documenting a lawful basis for a special category of data that we capture. Your advice/input would be greatly appreciated. We have a clock in / clock out system that uses fingerprint recognition. This is linked to the payroll system. This system has been in operation for years so was introduced before GDPR. As this is biometric data and is classified as special data it needs a lawful basis for processing under article 6 and article 9 (2). However the more I read about biometrics in the workplace the more of a grey area it seems to be. The lawful basis for capturing special data (Article 9 (2)) seems difficult to pinpoint to biometrics in the workplace. Consent does not seem to be an option as employees have the right to object and would need an alternative method to fingerprint log in. Another lawful basis would need to be selected but I do not see the other options covering this. Perhaps 9 (2) (b) suits the best "obligations and to exercise your rights or our rights under employment law, social security and social protection law;" but again I am unsure. Any assistance/clarity you could give on this would be of great help.

Expert
Andrei Hanganu Sep 12, 2018

Answer:

Unfortunately there is nothing, as far as I know, under employment law to justify the use of biometrics for clock in/clock out systems. This means that legal obligation cannot be used as a lawful ground for processing. Consent is out of the question as well because consent obtained from employees may be considered as not being freely given.

This leaves you with legitimate interest. This lawful ground for processing can only be used if your interest overrides the individual's right. In this case a legitimate interest assessment would need to be performed. In your specific case you would basically need to prove that there is no other less intrusive way to monitor the time employees come in and leave work than the use of fingerprints.

Guest
harkin81 Sep 12, 2018

Sorry Andrei, one follow-up question. I was looking into Legitimate Interest Assessment (LIA) and found the following on the ICO website "As your LIA determines if the legitimate interests basis applies, you must perform it before you start processing the data. You cannot start processing the data then retrospectively try and apply legitimate interests. Your processing is unlawful without a lawful basis, and this will lead to inevitable breaches of transparency and accountability requirements." We have had the fingerprint recognition clock in/out for a few years now. Well before GDPR laws. Can we still do a LIA even though we have already captured and stored employees' fingerprints? New employees' details can be added at any time, so would this still cover us doing the LIA?

Expert
Andrei Hanganu Sep 13, 2018

1. Yes, doing LIA should not be a huge issue especially since this may be closely linked with the GDPR provisions. Just make sure that besides the LIA you would need to amend your Employees Privacy Notice to reflect the processing of biometric data for the purpose of time management.

2. As long as you use the same biometrics for the new employees, it should be fine to add new employees' details at any time. If you would change to face recognition or iris scan, then the LIA would need to be performed again and your Employee Privacy Notice would need to be updated as well.

Guest
mvanh Sep 28, 2018

What if one of our employees doesn't want to sign the Employee Privacy Notice?

Expert
Andrei Hanganu Sep 28, 2018

There is no need for the employees to sign the Privacy Notices, it is enough for you to send an email with the Privacy Notice enclosed or provide a link to the Privacy Notice. It would also be advisable for you to publish the Privacy Notice on your intranet page to be available to all employees.
