SPAIN Trends and Developments Contributed by: Agustín Puente Escobar and Natalia González Vera, Broseta Abogados
attendance monitoring using biometric systems in accordance with the GDPR” – whether for working or non-working purposes – and identi - fies the measures that must be adopted for the processing to be considered compliant with the GDPR and other applicable rules. The Guide indicates as a first consideration that “the different products available on the market for the collection of biometric data that record such data with a precision, detail or frequency that is well above the needs of a specific pro - cessing violate the principle of minimisation”. The Guide considers it necessary that the solu - tion chosen for the processing of data is respect - ful of this principle and is configured in such a way as to avoid the collection of biometric data where it is unnecessary. Likewise, the Guide – following the EDPB cri - teria – provides that biometric data processing always involves special categories of personal data, regardless of whether the data is used for identify the data subject within a specific uni - verse (1:N comparison) or only to authenticate them (1:1 comparison). It thus revises its previ - ous stance that only identification processing falls into this category. Sections V and VI of the Guide analyse the pos - sible legal grounds for the processing, focusing on the possibility that the processing may be based on the exceptions set out in Article 9(2) (a) and (b) of the GDPR – ie, that: • the data subject has given their explicit con - sent to the processing, which is not prohib - ited by domestic law; and • “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social
security and social protection law in so far as it is authorised by EU or member state law or a collective agreement pursuant to member state law providing for appropriate safeguards for the fundamental rights and the interests of the data subject”. The Guide does not analyse the possible legal basis of the public interest, on which it had already ruled in the past. Regarding the applicability of Article 9(2)(b), the AEPD indicates that processing will only be possible when a regulation with the force of law or a collective agreement incorporates a suffi - ciently specific authorisation indicating that the processing is necessary for the fulfilment of the purposes that justify it, justifying that need and establishing the measures that must be adopted for the processing to be lawful. On the other hand, with regard to the excep - tion contained in Article 9(2)(a) of the GDPR and after ruling out its applicability in the workplace as a result of the “imbalance of power” existing in labour relations, the Guide applies the princi - ples of freedom of consent and the necessity of processing to reach a conclusion that de facto prohibits the processing of biometric data based on the consent of the data subject. The Guide’s reasoning is summarised as follows: given that biometric data processing is more intrusive than other data processing that does not involve spe - cial categories of data and that, in order for the processing of biometric data to be based on the consent of the data subject, the existence of an alternative means that enables the same purpose and does not entail such processing is necessary (as, otherwise, the consent would not be free), the logical consequence will be that the processing of biometric data is not necessary – in the sense of being essential to achieve the aim
403 CHAMBERS.COM
Powered by FlippingBook