The decision of the Supreme Administrative Court1 dated December 1, 2009 (I OSK 249/09, LEX 553777) is the first ruling which raises the issue of processing biometric information of an employee by the employer in regard to Polish law. It is, therefore, of profound significance and calls for thorough analysis. As a result of advancement in new technologies and means of communications over the past few years, as well as progress in the development of practices of work performance, the provisions of law in force applicable to personal data processing in employment relationships (Article 221 of Labour Code, in particular) have been out of touch with the demands of the contemporary world. The decision of the Supreme Administrative Court (hereinafter referred to as “SAC”) dealt with the relation between the provisions of Labour Code and Personal Data Protection Act, combined with the issue of biometric information and the positions of respective parties in the employment relationship. In its decision of December 1, 2009, SAC ruled on collection of biometric information of employees (employee fingerprints) by employers upon prior written consent of the employees in question. In the case concerned biometric information was being processed for the purpose of working time registration at the workplace. It seems that SAC assumption that an employee who was asked to give consent for processing his personal data (biometric information in this specific case) was in an inconvenient situation was fundamental to the decision on the case in question. Employee is dependent on his employer as an entity to which consent shall be given. Therefore, the employee’s freedom to give consent or not is questionable in principle. SAC concluded that for the aforementioned reasons, the catalogue of data that employer was allowed to require from the employee was limited in the Labour Code. Furthermore, the Supreme Administrative Court stated in the justification for the decision that the practice of invoking the consent given by an employee in order to support extension of the scope of personal data catalogue defined in the Labour Code was in conflict with the principle of appropriateness (proportionality). The Court pointed out that it was the principle of proportionality that represented the essential criterion applicable to biometric information processing. In the presented case the purpose, namely, control over employee working time was deemed inappropriate and failing to justify biometric information processing. It follows from the decision of SAC that employee’s consent to process his biometric information which is given upon employer’s request may be assessed as being involuntary and given in the circumstances of actual lack of freedom to take an independent decision. It seems, in the light of the presented decision, that invoking these prerequisites listed in the Personal Data Protection Act which are other than consent of biometric information holder is a solution possible for validating the processing of biometric information of employees - thus processing it to a more extensive degree than it is allowed based on the Labour Code. A justified purpose of the workplace may be one of such prerequisites, on condition, however, that data processing neither violates employee rights, nor employee freedom. As provided in the justification for the Court decision, for the purpose of assessing specific state of affairs, each time the purpose that data processing is supposed to serve should be investigated in addition to the permissible conditions of personal data processing (as well as personal data collection) that are defined in the Personal Data Protection Act. The prerequisite which legitimizes data processing and the purpose of data processing are interrelated and are decisive in a given situation for the right of data administrator to collect and process biometric information. Presently, it should be pointed out that the statements of Inspector General for Personal Data Protection2 in practice constitute important guidelines for processing biometric information of employees by employers. These guidelines indicate that there actually are situations which justify processing of biometric information of employees. In accordance with Inspector General’s opinion these situations include, for example, the need to protect places in which hazardous materials, explosive materials, radioactive materials, viruses, bacteria, legally protected secrets, industrial secrets or know-how of a company are stored. Biometric information of employees may be processed in such circumstances because of justified interest of the company and safety at the workplace and the Inspector General approves the use of biometric information considering the advisability of processing the said information.
Read full abstract