The labour court has issued a ruling that provides criteria for determining whether employers may introduce fingerprint-based systems for recording working time.

Electronic time recording is becoming increasingly important against the background of the European Court of Justice's 2019 decision requiring employers to introduce an objective, reliable and accessible system for recording the daily working time performed by each employee. Digital time recording using fingerprints is of particular interest to employers. The primary aims of a fingerprint-based system are to prevent employees from 'stamping' for colleagues and to prevent working time fraud. The Arbeitsgericht (labour court) in Berlin has recently ruled on the legality of this type of working time recording system under data protection law and provided employers with criteria to be considered in the legal assessment of such systems.

What happened?

In the case before the court, the employer had introduced a new time recording system in which employees were to log on and off using a fingerprint. First, so-called 'minutiae' (individual, non-inheritable fingerprint characteristics) were extracted from the employee's fingerprint using a special algorithm. The minutiae were then stored in the time recording terminal and used to compare the fingerprints of the employees when logging on and off. However, the fingerprint itself was not stored. After the plaintiff employee refused to use the time recording system, the employer issued two warnings.

Permissibility under data protection law

The labour court decided that the employer must remove the warning notices from the employee's personnel file, as time recording by fingerprint in the specific case was not in conformity with data protection law. Because the data processing could not be based either on the consent of the employee or (in the absence of a works council) on a works agreement, the court based its legal review on the relevant provisions of the EU General Data Protection Regulation and the German Federal Data Protection Act. Under these provisions, the minutiae data record involves biometric data and special categories of personal data, which may only be processed in exceptional cases if it is necessary for the performance of the employment relationship.

Criteria for determining necessity

When examining whether this processing was 'necessary' under the law, the court relied on the principle that the more intensively the personal rights of employees are encroached upon, the more serious the concrete purpose underlying the data processing must be. Since the introduction of the fingerprint system was a considerable interference with the employees' rights, there must be special circumstances justifying an overriding interest of the employer.

In weighing the interests, the labour court stated that the employer must have a special reason for this type of control. A special reason could exist if:

  • significant misuse has been made of a previous 'manual' system;
  • there is a risk of significant misuse if another type of time recording system is introduced; or
  • the plaintiff employee had attracted negative attention in the past by misrepresentation regarding his working hours.

Because the employer did not sufficiently prove the existence of such special circumstances in this case, the employee's claim was granted.

Conclusion

The permissibility under data protection law of introducing a time recording system using fingerprints must always be carefully examined in relation to each individual case. The following general rule applies: the more time recording abuse has been practiced in the employer's workplace in the past and the more susceptible other systems appear to be to abuse, the sooner a fingerprint-based system may be introduced.

Employers with works councils also have the advantage that they can achieve 'consent' (a separate basis for processing under data protection law) by means of a works agreement. The works council has a right of codetermination regarding the introduction of a fingerprint system. On the other hand, under data protection law employee consent is a relatively weak legal basis. Employees may revoke their consent at any time, with the consequence that data processing based on such consent becomes impermissible. An employer's claim of consent may also be open to attack in view of the rule in data protection law that the consent must be truly voluntary. 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.