
Browsing by Author "Luoma, Ossi"


  • Luoma, Ossi (2020)
    Over recent years, biometric verification and identification (“biometrics”), the automated identification of a person by physical or physiological characteristics, has become more common also in working life. It is a technology that may pose significant risks to the protection of personal data. The General Data Protection Regulation of the European Union ("GDPR") has a significant impact on the conditions for the use of biometrics in working life by classifying biometric data for identification purposes as specific categories of personal data.

    The research question of the thesis is: "What are the conditions for the use of biometrics at workplace to be acceptable from a data protection legislation perspective?", with a clarifying additional question: “Which of the 9(2) GDPR exemptions is most probable to be applicable for the use of biometrics in workplace context, and with which conditions?” As biometric data for identification purposes belong to special categories of personal data under Article 9 GDPR, they are subject to stricter requirements than the processing of "regular" personal data. To enable the use of biometric identifiers at the workplace at all, one of the exceptions of Article 9(2) must apply. As the use of biometric identification at the workplace is not specifically provided for in labor law in Finland, the only possible exception in a “typical” employment context is the explicit consent of the data subject.

    The use of consent in the context of an employment relationship has its inherent weaknesses due to the employee's subordinate position and should therefore be avoided. However, consent may be used when no other legal basis for processing or exception for the processing of special categories of personal data applies, provided that the conditions for the validity of the consent are met. The most problematic of these conditions in the context of an employment relationship is the voluntary nature of consent. In order for consent to biometric identification to be seen as voluntary, the employer must provide an alternative means of identification so that the employee has an actual opportunity to choose whether or not to consent to the use of biometrics. Another key requirement for valid consent is the provision of sufficient information to the data subject, a requirement which is emphasized in the case of explicit consent. In addition to the validity of consent, the principle of lawfulness, fairness and transparency of processing, as set out in Article 5 GDPR, also requires adequate information to be provided. It is therefore particularly important for the employer to ensure that the employee is adequately informed about the use of biometric identification, including the risks involved, before giving consent.

    When introducing biometrics, the employer should in principle carry out a data protection impact assessment pursuant to Article 35 GDPR, and, as part of this, devise measures to control the risks of processing. In the impact assessment, the employer must assess whether biometric identification is necessary and proportionate, taking into account the details of the specific use case, and based on this, decide whether or not biometric identification is offered. It is noteworthy that, if biometric identification is taken into use, the requirement for the explicit consent of the data subject will ultimately give the employee an opportunity to assess whether he or she considers biometric identification to be necessary and proportionate.

    To manage the risks of biometric identification, the thesis identifies certain actions an employer should take when implementing biometrics. As regards the biometric system, verification rather than identification should be used, also allowing the use of a local storage medium. For storage, local storage should be preferred over centralized databases, and a biometric template should be stored instead of the actual biometric sample. System requirements must be carefully defined, and security experts are to be utilized to design adequate security measures. The model rules of the French Data Protection Supervisor, CNIL, on the use of biometric identifiers at the workplace could serve as guidance.

    However, there is currently some uncertainty in the use of biometric identification in the workplace due to the inherent weakness of the use of consent in the employment context. The situation in the absence of special legislation on biometrics at the workplace is not ideal. It would be desirable for Finland to introduce legislation concerning biometric identification at the workplace, for example in line with the French model. The use of biometrics at the workplace is unlikely to diminish in the future due to the ever-evolving technology. For this reason, it would be important to regulate the subject more precisely, thus making it easier for employers to ensure their compliance. From the perspective of the data subject, it would also be desirable for biometric identifiers in the workplace to be subject to clear provisions that are interpreted uniformly by employers.