🇪🇸 No Facial Recognition System for Work Time Control!

Biometrics & Video Surveillance | 26/03/2025

AEPD Sanctions Cartonajes Bañeres S.A. for GDPR Violations 🇪🇸

Source: PS 00361-2023

The Spanish Data Protection Agency (AEPD) has imposed a €220,000 fine on Cartonajes Bañeres S.A., a company specializing in carton packaging manufacturing, for serious GDPR violations related to the use of facial recognition systems to manage employee work schedules.

🔍 Facts:

  • Biometric Use (2016-2023): The company imposed a facial recognition system on employees to record their check-in and check-out times, without providing alternatives (e.g., badge or card).

  • Access Rights: An employee who left the company in September 2022 exercised their right of access to obtain information about their personal data.

Violations: Partial and delayed response, breaching Articles 12 and 15 of the GDPR.

⚖️ Main Violations Identified:

1️⃣ Failure to Conduct a Data Protection Impact Assessment (DPIA):

  • The facial recognition system, classified as a high-risk processing activity, required a DPIA under Article 35 of the GDPR.
  • No documentation demonstrating this assessment was provided.

2️⃣ Transparency Obligation and Right of Access:

  • The company failed to respond fully and in a timely manner to an employee's access request.

3️⃣ Imposition of Biometrics Without Alternatives:

  • Employees had no other means to register their work hours, making consent invalid due to lack of freedom.

Defense of the Company:

  • Cartonajes Bañeres argued that biometric data was transformed into mathematical hashes, with no image storage.

However, the AEPD determined this measure was insufficient to mitigate risks and comply with legal requirements.

💸 AEPD Sanctions:

€200,000: For failure to conduct a DPIA.
€20,000: For inappropriate management of access rights.

🛠️ Corrective Actions:

  • The biometric system was replaced with a badge-based system in May 2023, following the company’s acquisition by a new group.
  • The AEPD emphasized the need to comply with GDPR requirements for biometric data processing.