According to a restrictive and partial interpretation offered by the Italian data protection authority (IDPA), the use of a facial recognition device to detect the attendance of employees is unlawful whenever the employee’s attendance may be registered by other, less invasive means.
The strict interpretation offered by the Italian data protection authority excludes the processing of biometric data at the workplace under any circumstance, failing to assess other legal bases. For example, biometric systems could be used to restrict access to sensitive areas and premises where high levels of security need to be ensured.
The facial image – being data that relates to the physical characteristics of a subject, enabling that subject's identification in an unequivocal manner – constitutes biometric data under art. 4(14) of the GDPR. For biometric data to be lawfully processed, the processing must be:
- necessary to fulfil obligations by the employer,
- explicitly authorised by law.
According to IDPA, the processing of biometric data is unlawful because there is no legal provision allowing the use of such data to detect the attendance of employees.
But if, for example, the biometric system is used for the purpose of protecting the health and safety of employees, then Italian law requires the employer to adopt the necessary technical measures and, therefore, the use of a facial recognition device must be considered legitimate. The same applies in the presence of business information covered by secrecy, which under Italian law is subject to appropriate measures that maintain its secrecy, such as biometric devices.
We remain available for any further clarification.