🔐 🇫🇷 No Biometrics for Monitoring Employees’ Working Hours! 🇫🇷 🔐

Biometrics & Video Surveillance | 25/03/2025

The CNIL has fined a company €10,000 for illegal use of biometric data.

Context

In 2017, a company was sanctioned for installing a biometric fingerprint recognition system to monitor its employees’ working hours without prior authorization from the CNIL.

👉 The CNIL emphasized that employers can only use biometric data technologies under exceptional circumstances, justified by specific security needs.

📌 Biometric data processing is prohibited when:

  • A badge system is sufficient.
  • It serves only for convenience.
  • The protected locations, applications, or devices are not particularly sensitive.

Violation of Article 9 of the GDPR: Sensitive Data

Processing biometric data for uniquely identifying individuals is prohibited, except under specific legal exceptions.

Case Details:

  • A company had implemented a fingerprint-based clock-in system for its employees.
  • After an inspection, the CNIL issued a formal request to:
    • Stop using the system.
    • Delete all collected biometric data within 3 months.
  • 8 months later, the CNIL found that:
    • The system was still in operation.
    • Biometric data collected over the past 7 years had not been deleted.

Consequences:

💰 Administrative fine: €10,000.

📢 Publication of the decision:

  • On the CNIL website.
  • On Légifrance, to raise awareness among data controllers about their legal obligations under GDPR.