Information for the interested party on data protection

5.95. Access control by fingerprint recognition

Description of the activity

Processing of data of AEAT employees, including collaborators and external companies for time control and billing. 

Maintaining security at the AEAT headquarters by controlling access to buildings that the AEAT shares with other personnel.


Management of employees assigned to the AEAT, in order to be able to carry out actions to control compliance with the obligations of the personnel in its service.

To guarantee the safety of people, goods and facilities.


Regarding the time and billing control of staff at the service of the AEAT, article 6 of Regulation 2016/679 (EU), relating to the legality of processing, in section 1, letter b) states that “The processing will be lawful if at least one of the following conditions is met: (…) b) the processing is necessary for the execution of a contract to which the interested party is a party or for the application at the request of the interested party of pre-contractual measures (…)”.

Under this provision, data processing is lawful and does not require consent when the data processing is carried out for the fulfillment of contractual relations of an employment nature.

This provision would also cover the processing of data of public employees, even if their relationship is not contractual in the strict sense.

In both cases, the AEAT processes the fingerprint referred to in the EU Regulation, in its article 9, as “special categories of data”.

Thus, Article 9.1 of the aforementioned Regulation states that “The processing of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data intended to uniquely identify a natural person, data relating to health or data relating to a natural person's sex life or sexual orientation is prohibited”.

However, in section 2, a series of exceptions are established in which such data may be processed. Specifically, letter b) of this section 2 states the following: “Section 1 shall not apply when one of the following circumstances occurs: (…) b) the processing is necessary for the fulfillment of obligations and the exercise of specific rights of the data controller or the interested party in the field of labor law and social security and protection (…)”.

Regarding ensuring security in the access control to buildings by personnel performing their duties in AEAT buildings, Article 32 “Security guards and their specialty” of Law 5/2014 on Private Security, establishes that:

“1. Security guards will perform the following functions:

a) To exercise surveillance and protection of property, establishments, places and events, both private and public, as well as the protection of persons who may be present therein, carrying out the necessary checks, searches and precautions to fulfil its mission.

b) Carry out identity checks, checks on personal items, packages, merchandise or vehicles, including the interior of these, at the entrance or inside buildings or properties where they provide services, without, under any circumstances, being able to retain personal documentation, but they may prevent access to said buildings or properties. Refusal to show identification or to allow the inspection of personal items, packages, merchandise or the vehicle will empower them to prevent access to individuals or to order them to abandon the building or property that is the object of their protection.”

According to this, and in accordance with the provisions of article 6.1.f of the Regulation, the consent of the interested parties is not necessary, since article 51 of Law 4/2014 recognizes the right to "provide themselves with private security measures aimed at the protection of persons and property and ensuring the normal development of their personal or business activities." 

Interested parties

  • Personnel serving the AEAT and any other employee, public or private, who performs their duties in AEAT buildings.


  • DNI, Name and Surname
  • Biometric data (fingerprint details, from which the fingerprint cannot be reconstructed)


  • Collection
  • Record
  • Storage
  • Structuring
  • Modification
  • Update
  • Copy
  • Analysis
  • Enquiry
  • Extraction
  • Promotion
  • Interconnection
  • Limitation
  • Suppression
  • Destruction
  • Other 


Not anticipated.

International transfers

Not foreseen


Does not apply.

Technical/organizational measures

All data processed has been evaluated through a risk analysis, obtaining the list of technical and organizational measures to be applied. These measures have been applied in accordance with the approved adaptation plan.

The following points are worth noting:

  • During the fingerprint registration process, only a few details or traces are saved that allow comparison with the employee's fingerprint at the time of access control. At no time is the complete fingerprint recorded and from these details it is impossible to reproduce the original image of the fingerprint.
  • These details are stored encrypted so that they can only be read on the equipment that is part of the access control solution implemented by the Tax Agency.
  • An Impact Assessment has been carried out in accordance with the terms of art. 35 of the GDPR, which has been provided to the Spanish Data Protection Agency.
