05 09 2018
The Spanish Data Protection Agency (AEPD) recently published a sanctioning resolution against a gym, following a customer's complaint about its use of a fingerprint-based access control system.
More specifically, the complainant stated that the use of this access control system “is a disproportionate means in the collection of data and that the document for consent to the contribution of his biometric data was not delivered to him”.
According to the company named in the complaint, “the purpose of the system in the gym is to obtain a numerical template based on algorithms that serves as a personal and non-transferable means to access the gym facilities through the comparison of elaborated patterns by the system based on the fingerprint.” In addition, the company asserts that customers' fingerprints are not stored, but are used to generate a template for each customer:
“A numerical template is generated through complex mathematical algorithms using the information of some points of the fingerprint. In no case can the fingerprint be retrieved through the information of these stored templates. In addition to this, the physical characteristics of the fingerprint cannot be deduced from the template”
“Any time that the capture of this fingerprint does not require capturing the digital fingerprint of the individual, but it is only a pattern or template, which despite being non-transferable, cannot be used for any other use”
However, the Director of the Spanish Data Protection Agency agreed to initiate the sanctioning procedure for the alleged violation of Article 4.1 of the Spanish Organic Law on the Protection of Personal Data (LOPD), classified as serious in Article 44.3.c) of the same law. Recall that the LOPD remains in force on all points where it does not contradict the GDPR.
LOPD. Article 4. Quality of the data.
After analyzing this case we can draw some interesting conclusions with which we have to: