Spanish Company Penalized for Inadequate Notification of Biometric Data to Employees

The Spanish Data Protection Agency (AEPD) imposed a fine of €365,000 on CTC Externalización S.L. (CTC) for violating the General Data Protection Regulation (GDPR). The decision was made following a complaint by an employee who claimed that the company demanded fingerprints from staff members to introduce a biometric-based time tracking system, without informing them that this data would be stored in the employee portal.

The AEPD found that CTC failed to properly inform employees about the processing of their biometric data, constituting a breach of Article 13 of the GDPR. Additionally, the authority noted that CTC provided no evidence of rules for deleting fingerprints once they are no longer needed. CTC also failed to implement security measures to protect access to employees’ biometric and identification data, violating Article 32 of the GDPR.

Furthermore, the AEPD emphasized that CTC neither treated the biometric data as a special category of personal data nor considered the risk to employees’ rights and freedoms, thereby failing to fulfill its obligation to conduct a Data Protection Impact Assessment (DPIA) as required by Article 35 of the GDPR.

As a result, the AEPD imposed an administrative fine of €365,000 on CTC and ordered the company to temporarily or permanently limit the processing of data from the fingerprint time control system until a DPIA is conducted. Moreover, CTC was required to demonstrate within six months that it has informed all employees about the data processing, established necessary security measures to prevent unauthorized access, and complied with GDPR provisions.