In certain cases, the employer may explicitly require employees to use this method.
Fingerprints are particularly protected
Fingerprints are biometric data. Biometric data directly tells us something about a person’s body. For this reason, they are particularly protected. Their processing is only permitted under strict conditions. This is what the General Data Protection Regulation (GDPR) orders for biometric data if they are suitable „for the unique identification of a natural person.“
It fits with the employer’s duty of care.
This also applies in the workplace. There is nothing surprising about this. Labor law recognizes the employer’s duty of care. It expresses that the personal concerns of employees are important in everyday working life. It creates a protected framework in which the employee performs his or her work.
The details are regulated by the BDSG
Sometimes proper work performance is only possible if the employee’s data is processed in the process. The German Federal Data Protection Act (BDSG) makes a number of provisions in this regard. Such supplementary national regulations are expressly made possible by the GDPR for working life.
Two-stage legal examination for fingerprints
The BDSG provides for a two-stage consideration. This can be illustrated very well using the example of fingerprints:
- Stage 1: First, it must be established that the scanning of fingerprints is necessary so that the employee can properly perform his or her work.
- Step 2: Then it must be examined whether, in a specific individual case, the employee’s interests worthy of protection nevertheless take precedence. If this is the case, scanning would be necessary in itself, but would still not be permissible.
In normal cases, a fingerprint scan is overkill
In normal office life, it is not necessary to secure access to a computer by scanning a fingerprint. Provided that the „usual office data“ such as data from orders and deliveries is processed, this would simply be overkill. Of course, such data also needs protection against unauthorized access. But the usual means, such as passwords and locking the screen when no input has been made for some time, are sufficient for this.
Making everyday office life more inconvenient
Fingerprint scanning is not required for such situations. Thus, the requirements of Level 1 are lacking, and the employer may not provide for such scans in these cases. This applies even if the employees concerned would actually be quite happy to do so. For them, it would often be more convenient to place their thumb on a scanner instead of entering a password, which they may also have to change regularly. A company agreement on the subject could help. Data protection authorities, on the other hand, view employee consent with skepticism.
Fingerprint scanning is required in special cases
Sometimes the use of fingerprint scans is necessary. This is especially true in security-sensitive areas. One example is work on technical developments that are later to be filed for patent. Another example is the execution of orders that are subject to government secrecy regulations. This occurs, for example, with suppliers to the German armed forces. Such cases meet the requirements of level 1.
Interests worthy of protection are almost never opposed
The examination of level 2 only very rarely shows that interests of employees worthy of protection are nevertheless to be regarded as having priority. It goes without saying that the employee will, in his own interest, pay strict attention to who has access to the scan data, for example. Otherwise, the protection he is seeking with their help would immediately be undermined.
Protective measures always need an overall concept!
The use of fingerprint scans is usually not sufficient as the only protective measure. Above all, the automatic locking of the screen when no input has been made for some time is additionally necessary. And one very banal safeguard should also never be forgotten: Nowadays, a PC is so small that it can easily fit in a pocket. It is therefore necessary to protect it against being taken away by a „thief“. Each individual
security measure is only as good as the overall concept to which it belongs!