Húsasmiðjan – Violation Found (Iceland, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Icelandic DPA found that Húsasmiðjan's use of a fingerprint scanner for employee attendance was not lawful. The company didn't provide an alternative to using fingerprints, making consent not freely given. This case emphasizes the need for companies to offer alternatives when collecting sensitive data like biometrics.
What happened
Húsasmiðjan used a fingerprint scanner for employee attendance without offering an alternative, making the consent invalid.
Who was affected
Employees of Húsasmiðjan who were required to use their fingerprints for logging in and out.
What the authority found
The Icelandic DPA ruled that the use of biometric data was not lawful due to the lack of freely given consent and no alternative options.
Why this matters
This decision stresses the importance of offering alternatives to employees when collecting sensitive data, ensuring consent is truly voluntary. Companies should review their practices around biometric data to avoid similar issues.
GDPR Articles Cited
The lawyer of the company acting as data controller, Húsasmiðjan, contacted the Icelandic DPA (Persónuvernd) regarding the installation of a fingerprint scanner system for the company's employees. The controller informed the DPA that it was using the system and asked for the DPA's opinion on the legality of the processing operation.
The company had used the fingerprint scanner system to log employees in and out of the company's payroll system. When an employee arrived at work, they had to scan their fingerprint, which created a number sequence with a timestamp that was linked to other information on the employee. The image of the fingerprint itself was not stored and could not be retrieved from the number sequence stored in the system. In this respect, the number sequence works similarly to an employee's ID number, and is not personally identifiable except when the system performs the identity verification. Furthermore, encryption (256-bit AES) was also used to make it difficult to reverse the process and identify individuals through the raw fingerprint image.
Did the data controller lawfully process the biometric data of its employees for the purpose of logging the employees in and out of the company's payroll system?
The Icelandic DPA held that the processing of biometric data by Húsasmiðjan was not lawful. In its reasoning on using consent as a legal basis, the DPA also referred to Recitals 42 and 43 and pointed towards the power imbalance inherent in the nature of most employment relationships. This difference in position between employer and employee would mean that the consent is not freely given, especially considering that in this particular case the employees were not informed of any other option for logging in to the workplace that did not involve the use of their biometric information. It was therefore unclear what the consequences would be for an employee if they refused to provide their fingerprint data. Since th
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Húsasmiðjan in IS
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. Húsasmiðjan - Iceland (2020). Retrieved from cookiefines.eu