Fine issued for misuse of fingerprints.

The logic of this huge enforcement action was simple, biometric data was collected disproportionate to need.

Employees of a company had to have their fingerprints scanned for attendance and time registration. After investigation, the Dutch Data Protection Authority concluded that the company should not have processed employee fingerprints. The company cannot rely on an exception ground for the processing of special personal data. The company will be fined 725,000 euros for this.

Humans were at put risk because privacy wasn’t being properly minded. Attendance and time authentication were not reasonable use-cases, as they have effective ID options that do not need collection of biometrics.

Exception for collection would be made if fingerprints were an appropriate control mechanism, such as in a system protecting the user’s data by verifying them by something they are.