A company tracked its employees using facial recognition

Using facial recognition technology, he was controlling his employees’ schedules and productivity without their knowledge. A company in Alicante, Spain, first asked workers for a photo that reassured them that the images would only be needed “for website postings, flyers or other support materials,” or later used that photo for their systems rather than surveillance. For the violation of privacy, the Plastic Forte factory was fined, but received a 20% discount on costs after pleading guilty.

The Diary writes that the fine (initially 20,000 euros, then reduced to 12,000 euros) followed a report from the Spanish Data Protection Agency (Aedp) from an employee who requested information about the personal data processed by the company. Although there is an hourly record of the employee’s time at work, the documents provided by the plastic products company do not mention the ownership of biometric data (defined by European legislation as personal data on physical characteristics obtained by a certain method). technical treatment of personnel).

Among the areas of use of artificial intelligence, the technique in which the image of the person’s face is used is one of the more “high-risk” techniques. For this reason, privacy regulators of various EU countries have required it to be used only when more secure options are not available. It’s a principle violated by Plastic Forte, which uses facial recognition to control the working time of its employees without telling them, and has less invasive surveillance systems like timesheet stamping.

The company argued that AEDP is required by law to keep track of working hours, and because that is the “sole purpose” of the biometric data collected, it does not feel obliged to report the use of this technology. Despite this, Plastic Forte nevertheless decided to waive its right to sue, allowing it to be handed a final fine of “only” 12,000 euros, with timely payment.

In the ruling, Aepd stated that the use of facial recognition to control attendance is “a highly intrusive identification system for people’s fundamental freedoms”. Its use is not prohibited, but requires an impact assessment, which should include an analysis of the “necessity and proportionality” of such systems. Aepd reminded that the risks associated with misuse of techniques like this can be varied, starting with redirecting biometric information to less secure “central databases”.

However, if you decide to implement the system, the agency stressed that you should consider the amount of face data collected and try to minimize it. “On the one hand, the size of the template should be large enough to ensure security, and on the other hand, it should not be too large to avoid the risks of biometric data reconstruction,” he wrote.

Plastic Forte is not an isolated case, considering there are several instances where the Spanish privacy agency has had to sanction illegal video or audio recordings. Also this Wednesday, Aepd fined another company for installing a video surveillance system that can transmit audio from a room in real time without informing employees or customers. “Audio recording is a major breach of privacy,” he wrote in the ruling.

Source: Today IT