Portal de Murcia


The National Court annuls a fine imposed on a gym in Murcia that uses fingerprints for access to its facilities (22/11/2019)

In July 2018, various media reported a resolution of the Spanish Agency for Data Protection (AEPD) that fined a gym in Murcia 1,500 euros for using fingerprints as the entry and exit method for its users.

The sanction originated with a complainant, a client of the gym, who stated that until February 2017 he accessed the facilities using a bracelet provided by the center itself.

After that date, this authentication method was eliminated and replaced by the users' fingerprints.

With this method of identification and control, the gym member's fingerprint is taken but not stored in full; instead, mathematical algorithms generate a numerical template or pattern from some points of the fingerprint, creating a unique code for each fingerprint.

In addition, the gym itself informs its customers, through the service provision contract, that fingerprint capture is required and of the purpose of that collection.

However, in that resolution the Agency understood that processing fingerprint recognition data to control customer access, without offering an alternative method, uses the data in a disproportionate and excessive manner in relation to the determined scope and purposes, in violation of Article 4.1 LOPD.

Therefore, a financial penalty of €1,500 was imposed.

The National Court, in its judgment SAN 3675/2019 of September 19, 2019, has upheld the contentious-administrative appeal filed by the company and annulled the sanction imposed in the administrative proceedings.

The first ground of appeal, that the algorithm generated by converting the user's fingerprint into a single alphanumeric code should not be considered personal data, is dismissed by the Court, which points out that the applicable pre-GDPR regulations (Directive 95/46 and the now-repealed LOPD) loosely identify the fingerprint as personal biometric data, and that it makes no difference whether the fingerprint sample is taken in full or by "minutiae", since converting the biometric trace into an alphanumeric sequence keeps the user identifiable.

In addition, the Court adds that the system starts every time the member goes to the gym, putting his finger on the digital reader, which leads to the comparison of data with the stored algorithm […] Therefore, from data unique to each member, which is transformed into an algorithm and verified at each entry, data on the member who accesses the gym and that member's identification are made possible.

On the other hand, the Court does accept the plaintiff's ground that processing the fingerprint as a method of controlling access to the gym does not violate Article 4.1 of the now-repealed LOPD, which states that personal data may only be collected for processing, and subjected to such processing, when they are adequate, relevant and not excessive in relation to the scope and the specific, explicit and legitimate purposes for which they were obtained.

With all of the above, the Court understands, first, that the fingerprint is collected and used for the provision of a service, namely access to and use of the gym, and that registration by fingerprint achieves said identification / security […], so that the suitability test is met.

Second, the measure is necessary, since the use of the fingerprint improves the quality of access to the gym by avoiding the fraud that could occur when users exchange wristbands or identification cards.

Finally, the Court understands that the security measures applied during the life of the data are proportional to the use and purposes intended by the data controller, which has guaranteed confidentiality through the mechanism of converting the fingerprint into its algorithm and storing this, not the fingerprint, in the database, seeking to minimize the interference with gym users' right to data protection.

In addition, the appellant company's status as a microenterprise means that the volume of data collected and stored cannot be considered "massive".

Lastly, the judgment implies that establishing an alternative method of controlling biometric data, such as issuing smart cards on which users would hold their own biometric information, cannot be applied to all cases; rather, each specific case would have to be examined to see the circumstances that distinguish it.

EGIDA, the Murcia consulting firm specialized in data protection, notes that this judgment of the National Court must be put in perspective, since it was issued applying the regulations prior to the General Data Protection Regulation; using this mechanism for access to facilities such as a gym could therefore be contrary to current law, since biometric data is now considered special-category data and its processing must be duly justified.

Source: EGIDA
