AEPD Sanctions Cartonajes Bañeres S.A. for GDPR Violations
Source: PS 00361-2023
The Spanish Data Protection Agency (AEPD) has imposed a €220,000 fine on Cartonajes Bañeres S.A., a company specializing in carton packaging manufacturing, for serious GDPR violations related to the use of facial recognition systems to manage employee work schedules.
Facts:
· Biometric Use (2016-2023):
The company imposed a facial recognition system on employees to record their check-in and check-out times, without providing alternatives (e.g., badge or card).
· Access Rights:
An employee who left the company in September 2022 exercised their right of access to obtain information about their personal data.
- Violations: Partial and delayed response, breaching Articles 12 and 15 of the GDPR.
Main Violations Identified:
1. Failure to Conduct a Data Protection Impact Assessment (DPIA):
- The facial recognition system, classified as a high-risk processing activity, required a DPIA under Article 35 of the GDPR.
- No documentation demonstrating this assessment was provided.
2. Transparency Obligation and Right of Access:
- The company failed to respond fully and in a timely manner to an employee's access request.
3. Imposition of Biometrics Without Alternatives:
- Employees had no other means to register their work hours, so any consent was invalid because it could not be freely given.
Defense of the Company:
- Cartonajes Bañeres argued that biometric data was transformed into mathematical hashes, with no image storage.
- However, the AEPD determined this measure was insufficient to mitigate risks and comply with legal requirements.
AEPD Sanctions:
- €200,000: For failure to conduct a DPIA.
- €20,000: For inappropriate management of access rights.
Corrective Actions:
- The biometric system was replaced with a badge-based system in May 2023, following the company’s acquisition by a new group.
- The AEPD emphasized the need to comply with GDPR requirements for biometric data processing.