Even if the fingerprint image is not stored, a mathematical template that allows employee identification is considered personal data under GDPR
In a context where more companies are adopting biometric systems for clocking in and access control, the Spanish Agency for Data Protection (AEPD) has issued a reminder that matters both legally and technically: using a fingerprint, even only as a mathematical representation and without storing the actual image, constitutes processing of sensitive biometric personal data under the General Data Protection Regulation (GDPR).
This is outlined in Resolution PS-00432/2023, which analyzes a case involving a company that implemented a fingerprint-based time tracking system without offering any alternative to this technology. The company argued that, since it did not store the fingerprint image but only an “encrypted biometric template”, the GDPR was not infringed. However, the AEPD has been clear: if that template allows the system to confirm that the person presenting a finger is the same person who accessed before, then biometric data is being processed for identification purposes, which triggers the requirements of Article 9 of the GDPR.
Encrypted fingerprint ≠ anonymization: why it still qualifies as biometric data
One of the most relevant aspects of this resolution is its technical-legal explanation of biometric matching. Unlike direct identification (such as reconstructing a fingerprint or face image), this case involves verification or authentication: comparing a current sample with a previously stored template to confirm that it belongs to the same individual.
The AEPD reminds us that Article 4.14 of the GDPR defines biometric data as the result of specific technical processing that allows the unambiguous identification of a person. The system does not need to know “who you are” by name; it is enough that it can establish that “you are the same person as yesterday” for this to count as identification.
This means many access control or attendance solutions claiming anonymity by not storing visual fingerprint images are still subject to data protection requirements. The fact that reconstructing the fingerprint isn’t possible does not exempt them from GDPR compliance if the template can verify a specific individual’s identity.
Obligations for companies using biometric data
In light of this resolution and other binding guidance issued by the AEPD, organizations that use biometric data for clock-in purposes must adhere to the following requirements:
1. Adequate legal basis
Processing biometric data for identification is generally prohibited unless one of the exceptions in Article 9.2 of the GDPR applies. In employment settings, consent is rarely considered valid, as there is a hierarchical relationship that prevents guaranteeing it is freely given.
Therefore, the company must justify the use of biometrics based on legitimate interest, demonstrating that it is necessary, proportionate, and appropriate for the intended purpose.
2. Data Protection Impact Assessment (DPIA)
The AEPD considers conducting a Data Protection Impact Assessment (Article 35 of GDPR) mandatory whenever biometric data is processed for access control, since it is considered high-risk processing.
This analysis should include: purpose, nature of data, risk analysis, technical and organizational measures, and mechanisms for ongoing review.
3. Non-biometric alternatives
The organization must always provide a valid and functional alternative that does not involve processing biometric data. Possible options include RFID cards, PIN codes, or mobile apps. The alternative should offer comparable functionality without imposing a significant burden or disadvantage on the user.
4. Transparency and documentation
Clear, concise, and accessible information must be provided to employees regarding:
- The technology used
- What data is collected
- The purpose of collection
- How data is stored and for how long
- How to exercise rights such as access, rectification, erasure, restriction, portability, and objection (ARSULIPO)
5. Security and data minimization
Technical security measures (encryption, access controls, activity logs) and data minimization are key principles. Only strictly necessary data should be processed, and only for the minimum required duration.
Important precedent for biometric system providers and developers
The PS-00432/2023 resolution also sends a clear message to biometric system developers, integrators, and software managers: simply “not storing the fingerprint image” is not enough to circumvent GDPR requirements. System design must incorporate privacy by design and by default principles from the outset.
In a market where contactless time control solutions proliferate to enhance employee experience, manufacturers must ensure their systems comply with GDPR in all operational modes.
What if the system is cloud-based?
If the provider stores biometric templates on remote servers, it becomes a Data Processor, requiring a contract compliant with GDPR Article 28. Additionally, if data storage or processing occurs outside the European Economic Area, measures for international data transfer must be assessed.
Conclusion: technology does not exempt from legal compliance
In this digital transformation era, using advanced technology must go hand-in-hand with a rigorous respect for fundamental rights. The AEPD has made it clear that biometric data protection isn’t just a formal matter: even if your fingerprint isn’t visible, if it can identify you, it deserves protection.
These resolutions safeguard citizens and provide legal certainty for companies, fostering responsible technological development.
FAQs
What’s the difference between biometric verification and identification?
Verification compares a sample against one stored template to confirm whether you are who you claim to be (1:1). Identification compares a sample against many templates to determine who you are (1:N). Both processes involve biometric data processing if they allow unambiguous identification.
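To make the 1:1 versus 1:N distinction above concrete, and to show why a template that never stores an image still links every clock-in to one enrolled person (the point made earlier about “the same person as yesterday”), here is an added Python example that is not part of the AEPD resolution or of any product discussed. The feature vectors, employee identifiers and distance threshold are constructed for illustration; real systems use minutiae-based templates and vendor-specific matchers.

```python
from math import sqrt

# Constructed toy templates: each enrolled person is a short feature vector.
# No fingerprint image exists anywhere; only these derived values are kept.
ENROLLED = {
    "emp-001": (0.10, 0.82, 0.33, 0.57),
    "emp-002": (0.91, 0.12, 0.44, 0.08),
    "emp-003": (0.48, 0.50, 0.95, 0.21),
}
THRESHOLD = 0.15  # assumed matcher tolerance; anything closer counts as a match


def distance(a, b):
    """Euclidean distance between two template vectors."""
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def verify(claimed_id, sample, store=ENROLLED, threshold=THRESHOLD):
    """1:1 verification: does the live sample match the template of claimed_id?"""
    template = store.get(claimed_id)
    if template is None:
        return False
    return distance(sample, template) <= threshold


def identify(sample, store=ENROLLED, threshold=THRESHOLD):
    """1:N identification: which enrolled record, if any, does the sample match?
    Returns the closest record id within the threshold, or None."""
    best_id, best_d = None, threshold
    for rec_id, template in store.items():
        d = distance(sample, template)
        if d <= best_d:
            best_id, best_d = rec_id, d
    return best_id


def clock_in_log(samples, store=ENROLLED):
    """Simulate a day of clock-ins that stores no image, only match outcomes.
    Each entry still resolves to a single enrolled record: that persistent
    linkage to one individual is what makes the template personal data."""
    return [identify(s, store) for s in samples]
```

Because every successful match resolves to exactly one enrolled record, the log produced by clock_in_log is a record of a specific person's presence, regardless of whether the original fingerprint can be reconstructed.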
Can I refuse to use my fingerprint for clocking in?
Yes. If no valid alternative is offered, your consent may be deemed invalid. The company should provide a non-biometric option without penalties.
What penalties can a company face for non-compliance?
Depending on severity and impact, sanctions can reach up to €20 million or 4% of the total annual turnover, along with corrective measures, warnings, or suspension of processing activities.
Which sectors use biometric data most and are under scrutiny?
Mainly human resources, security, banking, logistics, education, and events. There is also growing concern over facial recognition in public and private spaces.