CTC Externalización, S.L. – €360,000 Fine (Spain, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 14 February 2022, a data subject filed a complaint with the Spanish DPA (AEPD) against their employer, CTC Externalización, S.L. (the controller), which collected fingerprint data from employees to implement a sign-in system.
In its defense brief, the controller stated that the fingerprint scanner was an authentication system, not an identification system. As such, it claimed that fingerprints were not stored; instead, the fingerprint reader generated a numeric identifier that matched the fingerprint. The numeric identifier, not the fingerprint, was then stored in an encrypted system that compared the generated numeric identifiers. The fingerprint was allegedly erased immediately. As a result, the controller claimed that it was impossible to reproduce the fingerprint from the numeric identifier. The controller also noted that it provided a disclosure in the employee portal concerning the data processing.
The AEPD concluded that the controller violated Articles 13, 32, and 35 GDPR and imposed a fine of €360,000.
First, the AEPD noted that the processing disclosure made available in the employee portal violated Article 13(2)(d) and (e) GDPR because it was inaccurate, overly general and insufficiently informative. The clause concerning processing only mentioned that a fingerprint sign-in system was being implemented; it provided no information about the collection, processing or storage of fingerprint data. The clause referred generally to a number of processing activities and purposes and invoked contract as a legal basis for all of them. In assessing the disclosure's adequacy, the AEPD took note of the controller's amendments to the disclosure. The controller's updates referred specifically to the fingerprint processing and cited legal obligations under national law as the legal basis for this processing. They also articulated a different data retention period, further indicating the inaccuracy of the original disclosure. Finally, at no point did the controller
Related Enforcement Actions (0)
No other enforcement actions found for CTC Externalización, S.L. in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date: 12 February 2024
Authority: Agencia Española de Protección de Datos
Fine Amount: €360,000
GDPRhub ID: gdprhub-7777
Cite as: Cookie Fines. CTC Externalización, S.L. - Spain (2024). Retrieved from cookiefines.eu