easy GDPR - we make compliance with GDPR easy

D124.2941 (2022-0.360.359), Processing of biometric data using palm vein scanners; video surveillance in the workplace.

27/01/2023 by Jakob Guggenberger

The complainant, as a former employee of the respondent, considered his right to confidentiality violated because the respondent processed his biometric data using a palm vein scanner and recorded him with video surveillance cameras.

The respondent operates a restaurant in Vienna. It uses a palm vein scanner there, which uses infrared light to measure the vein pattern of a palm held in front of the scanner. The palm vein scanner is used to allow the respondent’s employees to view their employment contract documents and to check and sign off on their monthly work time records.

Furthermore, the respondent operates 29 video surveillance cameras at this location. Two of them also cover areas of the kitchen, where the complainant worked mainly as a cook.

The data protection authority partially upheld the complaint, finding that the respondent had violated the complainant’s right to confidentiality by unlawfully processing his biometric personal data and recording him with two cameras in the kitchen.

The respondent based the processing of biometric data, which qualifies as special category data within the meaning of Art. 9 GDPR, on the exception under Art. 9 par. 2 lit. a GDPR (consent).

However, the data protection authority held that the consent obtained was not granted in compliance with the law.

The employment contract already stated that the complainant had given his “express consent to the introduction and use of a system based on biometric palm scanning for the provision of signatures for company documents in the company” for the entire period of the existing employment relationship.

The data protection authority came to the conclusion that the consent subsequently given at the palm vein scanner terminal could not have been given voluntarily by the complainant and that the associated data processing was unlawful.

The complaint was also upheld with regard to two video surveillance cameras installed in the kitchen, since in the opinion of the data protection authority the complainant’s confidentiality interests outweighed the respondent’s interests in investigating and preventing any thefts and burglaries and damage during delivery/disposal.

In doing so, the data protection authority emphasized that image processing in the context of employment is a particularly intensive interference with private rights. It was not apparent why, in order to protect the stated objectives, the kitchen work areas where the complainant was mainly present to perform his work had to be covered by video cameras.

It would be possible, for example, to install cameras in individual rooms containing valuable goods and to direct them towards escape and disposal routes in order to achieve the purposes stated by the respondent.

The respondent was prohibited from operating the two video surveillance cameras and was also ordered to appropriately label its video surveillance system in accordance with Article 13 of the GDPR.

Source: DSB Austria
