The Data Protection Authority (“DPA”) responded to Inquiry 02-2025 through pronunciation No. SPDP-2025-0031-O (“Pronunciation”). Through this Pronunciation the DPA addresses the legitimacy and legal basis applicable to the use of biometric data for employee attendance tracking.
In summary, the Pronunciation considers the following:
- The Data Protection Law categorizes biometric data as sensitive and establishes that it can only be processed exceptionally.
- The DPA has analyzed the existing legal bases with relation to the processing of biometric data and has pointed out the following with respect to the most relevant ones:
-
- The DPA has analyzed the existing legal bases with relation to the processing of biometric data and has pointed out the following with respect to the most relevant ones:
- Consent given by the employee cannot be considered valid in this context as the employer-employee relationship involves a power imbalance that prevents truly free consent.
- Using biometric data for attendance tracking is deemed disproportionate, unnecessary, and excessive as the same objective can be achieved using less intrusive methods.
-
- The DPA recommends alternatives such as the use of magnetic cards, manual attendance logs, or computer-based registration, which can verify the IP address at login and logout.
- Employers are required to conduct risk analysis and a data privacy impact assessment for any high-risk data processing, including those that involve the use of biometric data. This ensures that appropriate security measures are implemented to protect individuals’ rights and freedoms.
The DPA´s Pronunciation is not legally binding and does not serve as evidence in legal proceedings.
Rafael Serrano, Partner at CorralRosales
rserrano@corralrosales.com
+593 2 2544144