


School fined for using student fingerprint readers. Processing of biometric data without a legal basis in violation of the data minimisation principle


In his decision of 18 February 2020 (ZSZZS.440.768.2018), the President of the Personal Data Protection Office imposed an administrative fine of PLN 20,000.00 on a school for processing biometric data (fingerprints) of children who used the school canteen and ordered the facility to remove and cease to collect such data.

The school used a biometric fingerprint reader located at the entrance to the school canteen to verify whether a given student was entitled to a meal. The school had been collecting and processing children's data on the basis of the written consent of their parents or legal guardians since April 2015. In the school year 2019/2020, almost 700 children were subject to this method of verification.

According to the GDPR, “biometric data” means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data. Biometric data are used, among other things, in fingerprint readers, iris recognition technologies, as well as in emotion recognition systems.

In the justification of his decision, the President of the Personal Data Protection Office stated that, given the facts of the case, the processing of biometric data was not necessary to achieve the purpose of confirming the student’s entitlement to a meal in the canteen, and that there were other ways of performing such verification which interfered less with the privacy of the child. This was all the more important because other forms of verifying the child's right to a meal in the school canteen were also available, e.g. by indicating the name and contract number or by means of an electronic card.

The President of the Personal Data Protection Office emphasised that children who did not use this method of verification were forced to go to the back of the line and could enter the canteen only after everyone else. This was considered to be unequal treatment and unjustified differentiation of students based on the way their parents or legal guardians chose to identify them.

The decision also underlines that children merit specific protection with regard to their personal data, in particular when special categories of their data are processed (recital 38 of the GDPR). The legislation specifies the types of data that a school may collect from its students and none of them allows a facility such as a school to process the biometric data of children attending the school.

According to Article 9(1) of the GDPR, the processing of special categories of personal data (including biometric data) is in principle prohibited, and this prohibition is lifted only in specific cases, including where the data subject has given his or her explicit consent to the processing of such personal data, as was the case here. At the same time, however, the data minimisation principle should always be taken into account when processing personal data (Article 5(1)(c) of the GDPR); this principle requires that the processing be adequate, relevant and limited to what is necessary in relation to the purposes for which personal data are processed. In the opinion of the President of the Personal Data Protection Office, it was possible to verify access to the school canteen by means of methods that interfered less with students' privacy. Consequently, the collection of such data was excessive and thus in breach of the GDPR.

In view of the above, the President of the Personal Data Protection Office concluded that the school did not have any legal basis to process biometric data in the form of students' fingerprints. 

Importantly, operating the canteen is also part of the school's statutory tasks, which explains the position of the President of the Personal Data Protection Office. It should be pointed out, however, that the development of new technologies, including access authorisation methods using biometric data, is an important issue in other areas of life as well.

This trend was reflected in the Labour Code, as the legislator explicitly allowed processing of special categories of data, including biometric data. According to Article 221b of the Labour Code, the consent of a job candidate or an employee can be the basis for the processing of special categories of personal data by the employer, but only if such data are transferred at the initiative of the job candidate or the employee. Therefore, the employer generally may not require its employee to use a method such as a fingerprint reader to monitor the employee's working time. On the other hand, the processing of biometric data is permitted if the provision of such data is necessary to control access to particularly important information the disclosure of which could expose the employer to damage, or to control access to premises requiring special protection. This could be the case, for example, for banks or museums.

The refusal or withdrawal of consent to the processing of specific data cannot be the basis for any unfavourable treatment of a job candidate or an employee and in no case can lead to any adverse consequences for them. In addition, only persons with written authorisation from their employer may be allowed to process personal biometric data.

As can be seen, issues related to the processing of employees’ biometric data have been noticed by the legislator, and thus the rules of their processing have been regulated in Polish law, albeit fragmentarily. The development of technologies and the resultant technical advances are encouraging entities such as schools to take advantage of the opportunities arising from the processing of biometric data. However, as long as the Polish legislation is not properly adjusted, the processing of biometric data will involve a high risk of being challenged by the Polish supervisory authority. The implementation of solutions involving the processing of biometric data always has to be checked for lawfulness.

CONTACT


Grzegorz Gęborek

Attorney at Law

+48 32 330 12 00
