In December 2015 representatives of the National Supervisory Authority for Personal Data Processing carried out an ex officio investigation at the City Hall of Timişoara.
As result of this control the following were ascertained:
1. Failure to notify and malevolent notification, provided by article 31. of Law no. 677/2001, namely failure to submit a notification as the Timisoara City Hall, event though it has started since 2009 to use an electronic record of working hours for its employees based on biometric data, hadn’t also submitted a notification before starting this processing of employees’ biometric data in accordance with the obligations provided by article 22 paragraph (1) of Law no. 677/2001 and article 1 paragraph (1) letter a) and article 2 of the Decision no. 11/2009 issued by NSAPDP’s president;
2. The illegal processing of personal data, provided by article 32 of Law no. 677/2001, as Timisoara City Hall hadn’t informed the data subjects in accordance with the provisions of article 12 paragraph (1) of Law no. 677/2001, for the data processed in order to ensure a record of working hours on the basis of fingerprint data;
3. The illegal processing of personal data, provided by article 32 of Law no. 677/2001, as Timisoara City Hall has processed employee biometric data excessively by comparison with the purpose of the processing (ensuring a record of working hours) even though less intrusive means could have been used to achieve the same purpose and therefore the provisions of article 4 paragraph (1) letter c) of Law no. 677/2001 have been infringed;
4. Failure to comply with the obligations referring to confidentiality and applying security measures, provided by article 33 of Law no. 677/2001, as Timisoara City Hall hadn’t adopted sufficient measures to ensure the confidentiality and security of the processed data (biometric data) in accordance with the provisions of articles 19 and 20 of Law no. 677/2001.
For the ascertained issues, the following sanctions were imposed:
A fine of 2000 lei for the offence provided by article 31 of Law no. 677/2001, on the basis of article 35 of Law no. 677/2001;
A fine of 3000 lei for the offence provided by article 32 of Law no. 677/2001, in conjunction with article 12 of Law no. 677/2001;
A fine of 6000 lei for the offence provided by article 32 of Law no. 677/2001, in conjunction with article 4 paragraph (1) letter c) of Law no. 677/2001;
A fine of 7000 lei for the offence provided by article 33 of Law no. 677/2001.
Thus, the supervisory authority sanctioned the City Hall of Timisoara with a fine of 18.000 RON.
In this context, we underline that the courts of law have constantly confirmed the Supervisory Authority’s approach namely that the processing of employees’ personal data (fingerprints) cannot be done unless a thorough analysis of the necessity and proportionality of such measures is carried out and the employer must identify alternate solutions which have less of an impact on the employees’ private lives.
In relation to this specific issue, the jurisprudence of the European Court of Human Rights referring to article 8 of the Convention on the protection of human rights and fundamental liberties (the right to the protection of private and family life), the European court has stated that the protection granted by this article would be diminished in an inacceptable way if the use of modern scientific techniques is allowed at any cost and without a just balance between the benefits of an extensive use of such techniques and the important interests referring to the private life (Case S. and M. Marper vs. the UK).
The Legal and Communication Dept.
8th December 2015