The complainant, as a former employee of the respondent, considered his right to confidentiality violated because the respondent processed his biometric data using a palm vein scanner and recorded him with video surveillance cameras.
The respondent operates a restaurant in Vienna. She uses a palm vein scanner there, which uses infrared light to measure the palm vein pattern of the hand held in front of the scanner. The handheld vein scanner is used to allow the respondent’s employees to view their employment contract documents and to check and sign off on their monthly work time records.
Furthermore, the respondent operates 29 video surveillance cameras at this location. Two of them also take up areas of the kitchen, where the complainant worked mainly as a cook.
The data protection authority partially upheld the complaint, finding that the respondent had violated the complainant’s right to confidentiality by unlawfully processing his biometric personal data and recording him with two cameras in the kitchen.
The respondent based the processing of biometric data, which qualifies as special category data within the meaning of Art. 9 GDPR, on the exceptional circumstances of the Art. 9 par. 2 lit. a GDPR (Consent).
However, the data protection authority held that the consent obtained was not granted in compliance with the law.
Thus, it was already stated in the employment contract that the complainant had given his “express consent to the introduction and use of a system based on biometric palm scanning for the provision of signatures for company documents in the company” for the entire period of the existing employment relationship.
The data protection authority came to the conclusion that the consent subsequently given at the hand-held vein scanner terminal could not have been given voluntarily by the complainant and that the associated data processing was unlawful.
The complaint was also upheld with regard to two video surveillance cameras installed in the kitchen, since in the opinion of the data protection authority the complainant’s interests in secrecy outweighed the respondent’s interests in clarifying and preventing any thefts and burglaries and damage during delivery/disposal.
In doing so, the data protection authority emphasized that image processing in the context of employment is a particularly intensive interference with private rights. It was not apparent why, in order to protect the stated objectives, the kitchen work areas where the complainant was mainly present to perform his work had to be covered by video cameras.
It would be possible, for example, to install cameras in individual rooms containing valuable goods and to direct them towards escape and disposal routes in order to achieve the purposes stated by the respondent.
The respondent was prohibited from operating the two video surveillance cameras and was also ordered to appropriately label its video surveillance system in accordance with Article 13 of the GDPR.
Source: DSB Austria