Many employers use fingerprint scanners for time tracking and access control. They’re convenient, they prevent time theft, and they seem more secure than ID cards. But under GDPR, storing employee fingerprints is far from straightforward.
Two landmark cases – one from the Netherlands and one from the UK – demonstrate how seriously data protection authorities take workplace biometric processing. Both established that convenience and cost-saving are not valid reasons to collect employee fingerprints.
This article explains when fingerprint data can and cannot be processed in the workplace, what the legal requirements are, and what alternatives exist. While EU and UK GDPR share the same fundamental principles, this article covers both jurisdictions and clarifies where they differ.
Why Fingerprints Are Special Under GDPR
Fingerprints are classified as biometric data under GDPR Article 9 (both EU and UK), which places them in the “special category” of personal data. This category includes genetic data, health information, and data about racial or ethnic origin.
The key characteristic: processing this data is prohibited by default.
As the Dutch Data Protection Authority explained in their enforcement decision: “A fingerprint isn’t like a password – it can’t be replaced. If something goes wrong, the impact on the person concerned can be enormous and cause lifelong problems.”
The UK Information Commissioner’s Office (ICO) emphasises the same point: “The risks of harm in the event of inaccuracies or a security breach are much greater with biometric data – it is more difficult to rectify if inaccurate, and you cannot replace it in the event of a breach.”
This means you can’t simply decide to start scanning employee fingerprints. You need to meet one of the narrow exceptions in Article 9(2), and you must demonstrate that your processing is both necessary and proportionate.
Case Study 1: The Dutch Fingerprint Fine (2020)
In 2017, a Dutch company implemented fingerprint scanners across its operations. The stated purpose was to reduce abuse of their previous time registration system and improve tracking of working hours for 337 employees.
The company believed it had valid grounds for processing fingerprints. It didn’t.
Note on jurisdiction: This case was decided under EU GDPR by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). While UK courts are not bound by EU member state decisions, the case is highly instructive because the legal principles in Article 9 are identical in UK and EU GDPR.
What the Company Got Wrong
They relied on consent, but consent wasn’t freely given
Employees felt the fingerprint scanning was mandatory. When employees refused, they were called into personal meetings with the director. The Dutch DPA found that employees “experienced recording of their fingerprints as an obligation.”
Under GDPR, consent must be freely given. In an employment relationship, there’s an inherent power imbalance. Employees fear consequences if they refuse. This makes genuine consent nearly impossible to obtain.
They couldn’t demonstrate necessity or proportionality
The company argued that fingerprint scanning was necessary for security purposes. The Dutch DPA disagreed.
Article 9(2)(b) permits processing biometric data when it’s “necessary” for authentication or security. But “necessary” has a specific meaning under GDPR: there must be no less intrusive alternative available.
The proportionality test failed completely. ID cards, RFID tags, and PIN codes were all viable alternatives. The company chose fingerprints for convenience and cost reduction, not because biometrics were the only way to achieve their stated purpose.
The Outcome
Initial fine: €725,000
After appeal: €50,000 (reduced due to financial hardship during COVID-19)
More significantly: the company was ordered to stop all fingerprint processing and delete the data.
Case Study 2: UK ICO v Serco Leisure (2024)
In February 2024, the UK Information Commissioner’s Office issued enforcement notices against Serco Leisure, Serco Jersey, and seven associated leisure trusts for unlawfully processing biometric data of more than 2,000 employees at 38 leisure facilities.
Serco used both facial recognition technology and fingerprint scanning for attendance monitoring and payment.
The ICO’s Findings
The ICO found that Serco:
Failed the proportionality test: Serco “failed to show why it was necessary or proportionate to use facial recognition technology and fingerprint scanning when less intrusive means were available such as ID cards or fobs.”
Prioritised business over employee rights: The ICO stated that Serco “did not fully consider the risks, prioritising their business interests over their employees’ privacy.”
Did not offer genuine alternatives: “Employees were not proactively offered an alternative to having their faces and fingers scanned to clock in and out.”
Could not rely on consent: Due to the power imbalance between Serco and its employees, “it was unlikely they would feel able to refuse.”
The Enforcement Action
The ICO issued enforcement notices requiring Serco to:
- Stop all processing of biometric data for monitoring employee attendance
- Destroy, within three months, all biometric data that it is not legally required to retain
Serco had contravened Articles 5(1)(a), 6, and 9 of UK GDPR by failing to establish an appropriate lawful basis for processing special category personal data.
Significance for UK employers: This case represents the ICO’s clear position on workplace biometric processing. It was accompanied by updated guidance specifically on biometric recognition, making the ICO’s expectations explicit.
When Can Employers Process Fingerprints?
GDPR Article 9(2) (both EU and UK) provides limited exceptions to the prohibition. For employers, two are potentially relevant:
Exception 1: Explicit Consent (Article 9(2)(a))
In theory, employees can explicitly consent to fingerprint processing. In practice, this is extremely difficult in an employment context.
The ICO’s position is clear: “Where there is an imbalance of power between you and the person, you should carefully consider whether relying on consent is appropriate.” The ICO specifically notes this is “particularly an issue for public authorities and employers.”
The European Data Protection Board (EDPB) takes the same view: consent in employment relationships is presumed not to be freely given due to the power imbalance.
Both the Dutch DPA (in the case above) and the UK ICO (in Serco) found that employees felt unable to refuse biometric processing without consequences. This makes consent invalid.
ICO guidance: Employers should not rely on consent for biometric processing unless they can demonstrate employees have a genuine choice without detriment.
Exception 2: Employment Obligations (Article 9(2)(b))
Processing is permitted when necessary for carrying out obligations in the field of employment, provided that it is:
- Authorised by EU or member state law, or by a collective agreement under member state law, and
- Accompanied by appropriate safeguards for the fundamental rights of the data subject
Even with legal authorisation, you must demonstrate that biometric processing is necessary and proportionate. This means:
- Less intrusive alternatives don’t meet the security requirement
- The risk you’re addressing genuinely requires biometric authentication
- You’ve conducted a Data Protection Impact Assessment (DPIA)
The High Bar for “Necessary” and “Proportionate”
Both necessity and proportionality must be demonstrated. The ICO states: “‘Necessary’ means that you must not rely on these lawful bases to process data unless your processing is a targeted and proportionate way of achieving your purpose.”
The ICO requires employers to show:
- Less intrusive alternatives don’t work: “If you could achieve your purpose in a less intrusive way, or by processing less information, then you cannot argue that your proposal is necessary.”
- Benefits justify the privacy impact: “Balance the potential impact this processing may have on people against your purpose.”
- Specific security risk exists: Not just general business efficiency or cost savings.
The Dutch DPA set a similar standard: biometric data is only necessary “when buildings and information systems need to be secured in such a way that this cannot be done without using (only) biometrics.”
Examples where biometrics might meet the necessity and proportionality tests:
- Access to high-security facilities (nuclear facilities, defence installations)
- Access to systems containing highly sensitive data where unauthorised access would cause severe harm
- Situations where identity verification is legally mandated at a high assurance level
Examples where biometrics fail the necessity and proportionality tests:
- Preventing employees from clocking in for absent colleagues (both cases above)
- Tracking working hours for payroll (both cases above)
- General office access control
- Reducing administrative costs or increasing convenience
Practical Steps for Employers
If you’re considering fingerprint scanning or already use it, follow these steps:
1. Question Whether You Need Biometrics
Start by asking: what specific security risk am I addressing?
The ICO requires you to: “Describe the purpose and the benefit you expect to get from the processing of biometric data” and “consider whether your proposed processing is a proportionate way to achieve your purpose.”
If the answer is “time theft,” “convenience,” or “cost savings,” biometrics fail the proportionality test. Use ID cards, PIN codes, or proximity badges instead.
If the answer is “unauthorised access to critical systems where less intrusive methods are insufficient,” continue to step 2.
2. Conduct a Data Protection Impact Assessment
Article 35(3)(b) requires a DPIA for large-scale processing of special category data. For biometric systems, a DPIA is mandatory.
Your DPIA should:
- Identify the specific security risk requiring biometric authentication
- Analyse whether less intrusive alternatives would address the risk
- Assess the impact on employee privacy and fundamental rights
- Identify safeguards to minimise privacy intrusion
- Document your necessity and proportionality assessment
3. Provide Genuine Alternatives
Both the ICO and Dutch DPA require that employees have genuine alternatives to biometric processing.
The ICO states: “You must offer a suitable alternative, regardless of whether a power imbalance exists, if you are relying on consent.” Even when relying on other legal bases, the ICO advises offering alternatives to demonstrate proportionality.
The ICO’s guidance on workplace monitoring emphasises: “Workers who choose to use an alternative method should not suffer any disadvantage from doing so.”
Alternative methods might include:
- Supervised access procedures
- Two-factor authentication using non-biometric factors
- PIN codes or proximity cards
- Manual identity verification
4. Implement Technical Safeguards
If you proceed with biometric processing:
- Store only biometric templates, not actual fingerprint images
- Encrypt templates both in transit and at rest
- Implement strict access controls to the biometric database
- Store templates locally on secure devices where possible, rather than centrally
- Establish secure deletion procedures for when employees leave
5. Be Transparent
Employees must be fully informed before any biometric processing begins:
- Why you’re processing fingerprints
- What legal basis you’re relying on
- How long data will be retained
- Their rights, including the right to object
- What alternatives are available
What About Other Biometric Technologies?
The principles established in the Dutch case apply equally to other biometric systems:
Facial recognition: The Article 29 Working Party (predecessor to the EDPB) stated that employers should generally refrain from using facial recognition technologies in workplace video analytics, as this is likely disproportionate.
Iris scanning: Subject to the same Article 9 requirements as fingerprints.
Voice recognition: When used to uniquely identify individuals, this constitutes biometric processing under Article 9.
The consistent message from regulators: biometrics should be a last resort, not a first choice.
Key Takeaways
- Fingerprints are special category data under GDPR Article 9 (EU and UK), and processing is prohibited by default
- Both the Dutch DPA and UK ICO have found that consent is not viable in employment relationships due to power imbalance
- Proportionality is central: Processing is only lawful when it’s a targeted and proportionate way to achieve your purpose
- Necessity must be demonstrated: There must be no less intrusive alternative that could achieve the same security objective
- “Necessary” means required for specific security reasons, not just convenient or cost-effective
- A Data Protection Impact Assessment is mandatory for biometric processing
- Employees must be offered genuine alternatives without disadvantage
- The burden of proof is on employers to demonstrate both necessity and proportionality
EU vs UK GDPR: What’s the Difference?
For biometric data in employment, the legal principles are identical in EU and UK GDPR. Both:
- Classify fingerprints as special category data under Article 9
- Require a valid condition for processing
- Apply the necessity and proportionality tests
- Recognise that consent in employment relationships is problematic
Key difference: UK employers should follow ICO guidance, which is more detailed and recent (March 2024) than most EU member state guidance. The Serco case represents the ICO’s current enforcement position.
EU member state decisions (like the Dutch case) are persuasive but not binding on UK courts. However, the alignment between the Dutch DPA and ICO positions shows regulatory consensus across both jurisdictions.
Both cases demonstrate that data protection authorities take biometric processing in the workplace seriously. Before implementing any biometric system, ask yourself: is this truly necessary and proportionate, or are we using biometrics because we can?
If the honest answer is the latter, stick to less intrusive alternatives. Your employees’ fundamental rights, and your exposure to enforcement action, depend on it.
Further Reading:
UK Guidance and Cases:
- ICO Biometric Recognition Guidance
- ICO Workplace Monitoring Guidance
- ICO Serco Leisure Enforcement Action
EU Guidance and Cases: