Press "Enter" to skip to content

ADN Files Biometric Data Complaint

The ADN – National Democratic Alternative party has filed a formal complaint with the Ombudsman and submitted a complaint to the National Data Protection Commission (CNPD) over SESARAM’s decision to introduce a mandatory attendance control system based on facial recognition and the use of employee identification cards from July onwards.

In a statement, the ADN argues that the measure is illegal and violates rights guaranteed by the Constitution of the Portuguese Republic, namely the right to privacy and the protection of personal data, enshrined in Articles 26 and 35. According to the party, the measure also contravenes the General Data Protection Regulation (GDPR), which classifies biometric data as a special category of personal data whose processing is prohibited except under strictly defined circumstances and with a clear legal basis.

According to Miguel Pita, the matter becomes even more serious given that SESARAM was the target of a devastating cyberattack in August 2023, which resulted in the loss of user data and the suspension of consultations, surgeries and examinations. In light of this incident, the ADN considers it “irresponsible and unacceptable” that the same institution now intends to collect and store the biometric data of hundreds of healthcare professionals without publicly verified guarantees regarding cybersecurity.

In its complaint to the Ombudsman, the party requests that a recommendation be issued calling for the immediate suspension of the biometric system and intervention by the Regional Government of Madeira. In its submission to the CNPD, the ADN raises concerns over the possible absence of a Data Protection Impact Assessment, which is legally required for this type of processing, and calls for an urgent investigation into the legality of the measure.

The party also argues that the simultaneous use of facial biometrics and employee identification cards violates the principle of data minimisation, as there are less intrusive and equally effective means of recording attendance. Requiring facial recognition from employees who already possess staff identification cards represents, in the ADN’s view, an unnecessary duplication without legitimate justification.

In addition to the alleged constitutional and GDPR infringements, the party warns that the measure may also breach Article 18 of the Labour Code, which requires employers to obtain the prior opinion of the workers’ committee before initiating any processing of biometric data. Failure to do so may constitute a serious administrative offence.

“It is not acceptable that an institution which lost all its data in a cyberattack now wants to store the biometric data of each of its employees,” said Miguel Pita. “This is not modernisation; it is recklessness with sensitive data that people have the right to see protected.”

The ADN also states that it is closely monitoring the situation and is supporting any SESARAM employees who wish to submit individual complaints to the CNPD as data subjects in relation to their own biometric information.

The situation regarding SESARAM is a complex example of the tension between operational modernisation and the stringent data protection requirements established by European and Portuguese law.

The ADN party’s formal complaint highlights several core issues that form the backbone of EU data protection debates regarding biometrics in the workplace.

Key Legal and Ethical Considerations

When organisations, particularly public institutions, consider implementing biometric systems for attendance or access control, they must navigate a high threshold of compliance:

  • Special Category Data: Under the General Data Protection Regulation (GDPR), biometric data is classified as “special category” (sensitive) data. Processing it is generally prohibited unless a strict exception applies.
  • The Power Imbalance: In an employment context, data protection authorities (including the Portuguese Comissão Nacional de Proteção de Dados – CNPD) are often skeptical of “consent” as a legal basis. Because of the inherent power imbalance between employer and employee, consent is frequently not considered “freely given” if the employee fears negative consequences for refusing.
  • Data Minimization and Proportionality: This is central to the ADN’s argument. The GDPR requires that data processing be proportionate to the goal. If a less intrusive method, such as a physical ID card, a PIN, or an electronic tag, can achieve the same result (recording attendance), the use of facial recognition is often viewed as excessive and a violation of the principle of data minimisation.
  • Data Protection Impact Assessment (DPIA): For high-risk processing, such as the use of new technologies involving biometric data on a large scale (e.g., all employees of a large healthcare provider), a DPIA is legally mandatory. This assessment must evaluate the risks to employees and the measures taken to mitigate them.
  • Security Concerns: The history of cyberattacks mentioned by the ADN is a significant factor. Under GDPR, the controller must ensure the “security of processing.” If an organisation has a history of compromised data, the regulatory scrutiny regarding its ability to store highly sensitive biometric “templates” safely increases significantly.

General Guidelines for Biometrics in the Workplace

While the CNPD in Portugal has provided frameworks for the use of biometrics, they generally emphasise the following requirements:

  1. Strict Necessity: There must be a clear, documented justification for why traditional, less intrusive methods are insufficient.
  2. Irreversibility: The system should typically store only mathematical “templates” rather than actual images of faces. These templates must be encrypted and technically irreversible, meaning the original biometric image cannot be reconstructed from the stored data.
  3. No Alternative Penalty: Employers must ensure that employees are not penalised or disadvantaged for opting out or requesting an alternative method of identification if a viable one exists.
  4. Prior Consultation: As the ADN noted, Article 18 of the Portuguese Labour Code requires the involvement and opinion of the workers’ committee regarding the introduction of new technologies that may affect employees’ privacy.

The Role of the CNPD and Ombudsman

The ADN has taken the standard procedural route for challenging such measures. The CNPD has the authority to investigate the legality of the processing and can issue fines or order the suspension of a data processing activity if it is found to be in breach of the GDPR or national law. The Ombudsman (Provedor de Justiça) provides an independent channel to review the actions of public institutions like SESARAM from the perspective of fundamental rights and administrative conduct.

Samantha Gannon

info at madeira-weekly.com

Views: 29

Mission News Theme by Compete Themes.
Madeira Weekly