Back to News
23-11-2023

Facial recognition as a system for monitoring the working day

A photograph taken by the employer of an employee may be used as a facial recognition control system for checking in and out of his or her workplace, where there has been no express consent to do so.

The case

An employee who signs the consent for the use of image rights for promotional or advertising purposes of the company (website, social networks, campaigns, magazines, etc.), and for this purpose a photograph is taken of him/her, which the company uses to record his/her entry and exit at the workplace.

He complains that he has not been informed about this and has not given his consent to it:

  • That the company did not carry out the required biometric data impact assessment;
  • That there is a disproportion between the sensitivity of the information collected and the practical need for it, and that the company was not offered other options on how to enrol (e.g. by card).

The complaint was first lodged with the AEPD (*), which sanctioned the company with a financial penalty and ordered it to temporarily or definitively limit the processing of the facial recognition system for the purpose of employment monitoring until it had a valid data protection impact assessment of the processing, which took into account the risks to the rights and freedoms of the employees.

The employee also brought a special action for judicial protection of rights, invoking an infringement of the right to privacy and to one’s own image; a right that may be subject to protection when the employer’s power of surveillance and control is involved. The court reasons that if the person concerned is not aware of the processing of images for facial recognition purposes, he or she cannot give informed consent. The use of a biometric system raises the question of the proportionality of each category of data processed. It must be analysed whether the system is essential to meet the identified need; the likelihood that the system will be effective in meeting that need according to the specific characteristics of the biometric technology to be used; whether the resulting loss of privacy is proportionate to the expected benefits; and whether a less privacy-intrusive means would achieve the desired end.

It is understood to have been violated since the worker did not give his express consent for his image to be used for clocking in, the company did not give him other options for carrying out the aforementioned control (the possibility of clocking in with a card), and the obligatory data protection impact assessment was not carried out.

We must not forget that the use of the image of workers to carry out the control of the working day by means of a biometric registration system requires prior information and the express consent of the workers. If this is not the case, their right to privacy and to their own image will be violated.

If you have any doubts regarding this issue, please do not hesitate to contact us by telephone at Isabel Torre Carazo or by email at itc@btsasociados.com, we will be delighted to help you.

AEPD(*) Agencia Española de Protección de Datos