Case Study on the Fingerprint Processing in a Workplace under GDPR Article 9 (2, b)

The protection of personal data is the most important legal standard for the use of biometric data. Fingerprints are personal biometric data in accordance with Article 9 (1) of the GDPR. They are also a category of personal data that needs to be processed specifically in order to ensure the right to the protection of personal data and to reduce the risk of its restriction. The problem discussed in this study is fingerprint processing in the workplace. The goal is to provide comparative research about the application of GDPR Article 9 (1) (2, b) by Member States of the European Union: the Netherlands (2019), Germany (2020), and Italy (2021). The case study is limited to the processing of employees' finger characteristics in a workplace for time-attendance detection. European Union law requires employers to establish an objective, reliable and accessible system to measure the length of time each employee works each day (ECJ, Case C 55/18..., para 60); nevertheless, that requirement is not a way forward for the application of GDPR Article 9 (2, b).


Introduction
The General Data Protection Regulation (hereinafter referred to as 'GDPR') (Regulation (EU) 2016/679...) is directly applicable in the Member States of the European Union. Member States should assume that any national measures that could apply throughout the EU contrary to the Lisbon Treaties will be demarcated as contrary to EU law (ECJ, Case 94/77...). Repetition of the text of EU regulations in national law is prohibited unless such repetition is strictly necessary to ensure consistency (ECJ, Case 94/77...). However, in some cases, implementation measures are required by EU regulations themselves to ensure uniform application across the Union (ECJ, Case C-34/73..., 98, para. 10). In implementing the norms of European acts in the legislation of the Member States, an important issue is how the provisions of national laws will diverge. GDPR contains over forty rules (TFEU, Art. 288). National law can specify possible restrictions and limitations for regulating biometric data processing through the use of clauses (Chakarova, 2019). For example, a clause in Article 9 (4) GDPR enables the Member States to introduce additional conditions for special categories of personal data (CJEU Case C-673/17..., and the Opinion of the AG Szpunar, March 21, 2019). In the view of the study, a clause does not call for harmonization measures but for its practical implementation at the national level (Miscenic, Hoffmann, 2020) and for sincere cooperation (TEU, Art 4 (3)). By their legal nature, GDPR's opening clauses are classified as obligatory. On that view, norms concerning biometric data processing give the Member States some way of defining additional legal grounds permitting the processing of such a distinct category and of separately stipulating how the data are sorted out.
The Netherlands, in response to GDPR, adopted the Implementation Act (hereinafter referred to as the 'UAVG') (Uitvoeringswet Algemene Verordening...), launched on May 25, 2018. The former Act, known as Wet Bescherming Persoonsgegevens (hereinafter referred to as the 'Wbp'), has ceased to apply (Wet bescherming persoonsgegevens..., 2012). The Wbp did not contain specific rules for biometrics; therefore, it is challenged that the UAVG, on the one hand, provides a specific national derogation and, on the other, is similar to the provision of Article 9 (2) GDPR. Thus, the inclusion of biometric data processing and an extension of the types of personal data became crucial. The UAVG prohibits the processing of biometrics and lays down national rules on this matter (UAVG, Articles 22, 23). Processing is allowed only if there is a necessity for authentication and security purposes (UAVG, Article 29), such as biometric access systems for computers and buildings.
On May 12, 2017, the German Bundesrat approved the Federal Data Protection Act on the Adaptation and Implementation of GDPR provisions (Datenschutz-Anpassungs-und-Umsetzungsgesetz...), 2 published further on July 5, 2018. It came into force, like GDPR, on May 25, 2018. The former Data Protection Act (Bundesdatenschutzgesetz, 2003), dating from the time of Directive 95/46/EC, ceased to apply. Thus, Germany is the first European country to adopt its national legislation immediately. Germany subjected biometric data processing to several different legal requirements. First, the processing of biometric data is permitted where necessary to achieve a public interest. Second, the processing is allowed without a person's consent for scientific, historical, and statistical research purposes. Third, public and private bodies may process biometrics in preventative or occupational medicine, in employment, under contract, and if the processing is subject to secrecy. Thus, the controller's interests substantially outweigh those of the data subject. Germany also provides a safeguarded technique whereby data can be processed and stored on an identity card at the request of the card applicant.
Italy is distinguished from all EU countries by the existence of the Personal Data Protection Code. 3 Provisions for the Adaptation of the National Legislation (Decreto legislativo of Aug. 10, 2018...) amended the former Code. Italy introduced limitations under which biometric data processing must obey specific safeguards: encryption, pseudonymization, minimization, and selective access. Also, under the Italian Data Protection Authority (hereinafter referred to as the 'IDPA'), biometric data processing is safeguarded for healthcare organizations to diagnose patients and issue medical prescriptions. The novelty is the prohibition of the dissemination of biometric data.

Problem Case December 4, 2019. The Decision of Dutch Data Protection Authority 'Boetebesluit vingerafdrukken personeel'
On July 5, 2018, the Dutch Data Protection Authority (hereinafter referred to as the 'DDPA') launched an investigation into fingerprint processing in the workplace. The investigation was based on information that the company (hereinafter referred to as the 'Company 1') invited employees to have their physiological characteristics collected (DDPA Report 'Examine staff..., 2019).
Based on the testimonies, the purpose of the processing was the unique identification of employees, owing to the need to record the time spent on duties performed in the office. A biometric scanning kit was introduced as a measure against employees' excessive absences from time to time during working hours. Risk mitigation is justified because workers must accomplish tasks while staying in the workplace (DDPA Decision 'Fine decision..., 2019, at 2). Company 1 updated its policy to control employees' arrival and departure times through computerized records of fingerprint processing (DDPA Decision 'Fine decision..., 2019, at 2). Therefore, in the view of Company 1, a unique recognition system is a definitive and accurate method to control workers' onsite duties. Company 1 calculated the actual working time and consequently guaranteed that salary was paid according to the exact hours worked. Moreover, the equipment is beneficial because it offsets the cost of purchasing, losing, and damaging the personal identification cards used formerly. Among other things, fingerprint processing is a solution to the problem of unwanted third parties entering and exiting (DDPA Decision 'Fine decision..., 2019, at 2). Thus, by replacing an outdated system, unique identification is expected to eliminate security risks hereafter.
From the organizational and technical points of view, employees had to register at least two fingerprints in the embedded biometric installation. Once the characteristics were captured, templates with the finger's unique data were preserved as a text file. As a result, Company 1 collected physiological characteristics from the structural information of employees' bodies and achieved the purpose of unique identification in the workplace. Biometric records were enclosed upon the termination of employment. During the employment relationship, including time off and days off, fingerprint patterns were saved and remained locked in the company's biometric database.
The embedded biometric application for fingerprint processing has been in operation since early 2017. The first fingerprint processing took place on January 23, 2017. Nevertheless, employment contracts had no stipulations about fingerprint processing for unique identification purposes. In July 2017, Company 1 informed employees about the necessity and purpose of fingerprint processing through the supplied handbook (DDPA Decision 'Fine decision..., 2019, at 2). Several employees indicated that fingerprint processing was mandatory for payroll applications. Two employees confirmed that they had given verbal consent. Other employees refused to provide their fingers' physiological characteristics, and a talk with the director about this negative feedback followed (DDPA Decision 'Fine decision..., 2019, at 2). On November 8, 2018, fingerprint processing was running at last. On March 18, 2019, some employees' biometric data were still active in the database (DDPA Decision 'Fine decision..., 2019, at 2). After April 16, 2019, Company 1 ceased to store the fingerprint templates and text files of former employees. 4

Case 2. June 4, 2020. LArbG Berlin-Brandenburg 10th Chamber Decision 5
On June 4, 2020, the appeal court, LArbG Berlin-Brandenburg, completed its hearing of the case about the biometric time recording of an employee, based on the plaintiff's lawsuit against the company (hereinafter referred to as the 'Company 2'). The plaintiff has been a radiologist since June 1, 2007, employed as a medical and technical radiology assistant.
From August 1, 2018, the defendant used the ZEUS time-registration system of the company I. GmbH with the IT 8200 FP terminal to record personnel's daily hours on timesheets and to ensure proper accounting of working hours. It enabled a weekly duty roster to be assembled (LArbG Berlin-Brandenburg 10..., 2020, at para 4). The new technique is fingerprint-based biometric identification. On July 27, 2018, all employees were briefed about the innovation, because previously employees had to record working hours on the duty roster manually. Company 2 noted: 'From August 1, 2018, only working hours being determined through emergence timekeeping system are applied. Hours recorded on the duty roster are no longer recognized' (ArbG Berlin 29. Kammer Decision..., p. 2 para 5). Nevertheless, the plaintiff used the manual method for recording working hours. The plaintiff refused to use the disputed time recording system, notably by failing to give consent. Therefore, in August and September of 2018, the plaintiff retained the former record system without any biometric data processing operation. On October 5, 2018, the defendant issued a warning. 6 On March 26, 2019, the warning was repeated. 7 The plaintiff also requested the defendant to remove those written warnings from the personal labor file.
The practice of unique finger identification has increased with the development of new technologies and its embrace by the company (ArbG Berlin 29. Kammer Decision..., p. 4 para 19). Company 2 considers all the contested warnings lawful because biometric data processing refers to GDPR Article 9 (2, b). In its view, the plaintiff's consent to the use of the biometric installation for time recording is not mandatory. The biometric innovation has been introduced to all employees, and each employee shall follow the policy. Besides, the outdated manual timekeeping system posed a risk of unauthorized access to employee information. Alternative recording methods such as ID numbers and electronic chip cards have been halted. As a result, the wrongful calculation of actual time spent cannot subsequently be verified and recorded without errors. Thus, employees' ID card systems are inaccurate because staff can falsely pass cards to colleagues. The defendant referred to the experience of its parent company. For example, various digital time recording systems based on chip cards or transponders had produced negative experiences because registered data could be changed without much effort. Some employees passed chip cards or employee identification numbers to colleagues several times and, as a result, illicitly entered time into the data system (ArbG Berlin 29. Kammer Decision, p. 4 para 19). Also, when the chip card is forgotten or lost, Company 2 cannot document working hours accurately. Company 2 cannot always check actual attendance and declares that biometric technologies are shielded from counterfeiting.
5 Following the ArbG Berlin 29. Kammer Decision of October 16, 2019, the company representative filed an appeal to the LArbG Berlin-Brandenburg 10th Chamber on November 18, 2019.
6 Para 13 of the Kammer Decision of LArbG Berlin-Brandenburg states: 'We request you perform duties using the ZEUS logging system through fingerprint with immediate scanner effect. Suppose you continue to falter in following our instructions. In that case, we will impose further employment law measures, up to job termination'.
7 Para 15-16 of the Kammer Decision of LArbG Berlin-Brandenburg states: 'Despite our written request and warning dated October 5, 2018, unfortunately, we had to reveal that you are not using the ZEUS recording system. A timeclock device is essential for managing hourly and holiday accounts with your duty schedule. We are, therefore, forced to warn once again and for the last time. You have to carry out duties by using the ZEUS timetable. Please carry out duties using the ZEUS with the appropriate fingerprint scanner. If you fail to follow our instructions, we will impose additional measures under the German labor laws. Immediate termination is also possible if the violation continues'.
It is stated that the machine does not pose any risks for the employees because staff only need to provide some parts of the physiological finger characteristics, in contrast to a whole fingerprint. 8 Besides, the processing is managed uniformly through the human resources department. 9 Furthermore, the plaintiff's assignments are performed at high risk; thus, fingerprint processing is necessary not only for accurate time recording but also to eliminate chains of infection (LArbG Berlin-Brandenburg 10. Kammer Decision..., 2020, page 8, paras 43). In this regard, Company 2 retrieved the plaintiff's health data through fingerprint processing (LArbG Berlin-Brandenburg 10. Kammer Decision..., 2020, page 7-8, paras 42). In that way, in the view of Company 2, the interests of both are harmonized.

The company provides its services in 21 municipalities with over 2000 employees. The administration introduced the system of biometric identity verification for decentralized control, triggered in light of Law no. 56/2019 (IDPA, Ordinanza ingiunzione..., 2021, Article 2, Page 2). It confirmed the practice of finger processing in four clinics and territorial wards located in the municipalities. Biometric data processing was performed for different employees because of their 24-hour tasks, which led to considerable complexity in managing duties.
Enna argued that there are no critical violations of norms because the installation uses '…[s]oftware that can capture data and store it in encrypted form on a secure device. All employees have been equipped with the information under Article 13 of the GDPR. Besides, the software offers a data deletion phase' (IDPA, Ordinanza ingiunzione..., 2021). On this account, biometric data processing involves detecting the fingerprint and transforming it into an encrypted string, which is in turn stored on the badge. 'The system compares strings of fingers stored in the badge locally and only within the time necessary for verification and when a comparison is coincident. A processed computed string is automatically deleted; therefore, biometric is no longer stored, and only the serial number of the employee, time, and date of attendance has been seated.' (IDPA, Ordinanza ingiunzione..., 2021) Time detection is performed by using the badge and placing the employee's finger on the device at the same time. Besides, Enna carried out an impact assessment covering the registration, enrollment, acquisition, and recognition phases for the attendance records under the contractual relationship with its employees (IDPA, Ordinanza ingiunzione..., 2021, Article 3 (3.1); General prescriptive provision on biometric..., 2014). Enna informed the staff and the trade union, issuing detailed notes containing generic references to ensure correct and transparent processing (GDPR, Article 13).

Problem Assessment
GDPR covers biometric data as data regulated and obtained through specific technical processes. It also includes the physiological characteristics of an individual, which allow or confirm the unique identification of that individual (GDPR, Article 4 (11)). Article 9 (1) of the GDPR expressly regulates the prohibition of biometric data processing. The processing of personal data consists of 'any operation or set of operations, carried out with or without the aid of automated processes and applied to personal data or sets of personal data, such as collection, registration, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, cancellation or destruction' (GDPR, Article 4 (2)). Biometric data processing is not prohibited if one of the grounds for derogation applies (GDPR, Article 9 (2)). Based on the circumstances of the studied cases, the research takes up exemption 'b' provided in Article 9 (2) of the GDPR. This exception is significant because it calls biometric data processing in the workplace into question.
The companies consider it legitimate to set up fingerprint processing that records working hours. For further discussion, the study relies on the principle of proportionality because the processing of fingerprint data is a subject matter for its application. 10 The application proposed is to be made according to the criteria of that principle. Among them is a balance of the interests and aims pursued. The claim in the three scenarios involved the interest of a company in controlling the time-attendance of employees by fingerprint processing, while the interest of employees is to protect their biometric data. Consequently, it is necessary to establish whether the processing of employees' biometric data is proportional to the need for timekeeping to exercise rights and fulfill obligations. The interests of the employee and the company must be proportionate to each other. By contrast, these interests could be legally set aside when employees' biometric data is processed to disclose or prevent criminal offenses (Directive (EU) 2016/680 of the European Parliament...). The legal basis of the processing must, among other things, pursue an objective of public interest and be proportionate to the legitimate aim pursued. 11 Although the employee's unique identity is affirmed at the access gates, the study believes this particular treatment is under justification because the processing is carried out directly and personally by the interested party in privileges. 12 In this regard, it must be established with confidence whether the aim in the studied cases, unique identification, is justified.
Employers' general commitments call for reliable and accessible systems for calculating the hours worked per day by every staff member. Therefore, companies indicate that such processing is necessary. In the view of the study, the need for the attendance sheet, security, and work management is not pertinent because, for access control, employees would have to gain credentials by enrolling biometric features into a fingerprint system. The DDPA states that fingerprint processing for the time and attendance regime is neither necessary nor proportionate (DDPA Report 'Examine staff..., 2019). In the view of the study, the companies in the three studied cases are correctly pointing out that the employer should not tolerate incorrect entry of working hours to a certain extent. However, due to the explicit prohibition of biometrics processing, companies must be guided by GDPR Article 9 (1) (2). Also, proportionality is applied to the risk level and type of risk for the person whose biometric data is processed.
10 Recommendation CM/REC (2015) of the Committee of Ministers to Member States on the processing of personal data in the context of employment, paragraph 18 (1) 'Biometric data': 'The processing of biometric data should be based on scientifically recognized methods and should be subject to the requirements of strict security and proportionality' (1224 meeting, April 1, 2015).
11 GDPR, Article 6 (3, b); Recommendation on the protection of personal data used for employment purposes, the Consultative Committee of the Convention for the protection of individuals with regard to automatic processing of personal data [ETS No. 108], paragraph 18 'Biometric data': 'The access to such data shall be subject to requirements of security and proportionality' (October 30, 2012).
12 GDPR, Articles 5, 6, 9; IDPA, Ordinanza ingiunzione..., 2021, para 3.3, states the absence of a legal basis for the processing of biometric data to detect attendance.
Company 2 guaranteed control of fingerprint processing, demanding uniform time tracking with a fingerprint scanner through the human resources department. 13 On the other hand, however, Company 2 disclosed the plaintiff's health data due to the risk of infection associated with a specific employee position in a radiological office. After all, he works with sizeable radiological equipment and has access to saline solutions. Therefore, in the view of Company 2, accurate recording is necessary to eliminate chains of infection and protect other employees. In the opinion of the study, health data is included in the special categories of Article 9 (1) of the GDPR and is not subject to processing or disclosure. The system's installation would not replace a broader framework of initiatives for imposing disciplinary sanctions and sanctioning noncompliance with worktime. Thus, the degree of data protection in the company is low. In this respect, there is interference with privacy and a risk posed to it.
The person's interests are at stake against the company's when biometric data processing occurs. There must be appropriate guarantees for the fundamental right to personal biometric data protection. The employer must determine the scope of preventive measures based on an overall risk assessment. The following argument is proposed. The study starts from a synthetic computer description of the obtained biometric characteristic, which only extracts the elements from the biometric sample. In all cases, the biometric apparatus requires a registration phase in which the employee's fingerprint is read precisely to create a biometric model, which in Case 3 is securely stored in the badge given to the person concerned. In the subsequent phases of biometric recognition of the interested party, Enna verifies the identity through the biometrics in the badge, and the model obtained is presented for time detection. Generally, if the comparison operation is successful, it can ascertain the interested party's identity. The function is possible because the employee's registration number is transmitted to the attendance management system, together with the date and time of presence in the workplace. In the view of the study, Enna guarantees the right to data protection because the biometric data is kept in badges with intelligent functionality that the administration entrusts to each interested party (employee), who is in turn the exclusive holder. There must be a high level of individual control over personal biometric data. This demonstrates that the procedures taken, both technical and organizational, complied among other things with the minimization of the data concerned (GDPR, Articles 5 (1, c), 24, 25). However, in any case, the preliminary verification of whether the conditions of lawfulness are met in the processing of employees' biometric data remains open.
Hence, the study thinks that the more such measures are implemented, the more likely it is that the fingerprint processing will pass the proportionality test.
In the view of the study, given the employer-employee relationship, explicit consent cannot be disowned. In this circumstance, parties are obliged to elaborate the definiteness and purpose of the processing carefully under a collective agreement. Therefore, the exception under GDPR Article 9 (2) (a) is not taken in this circumstance. According to the facts of the cases, companies had no documentary proof of will for fingerprint processing. In the first two cases, some employees were confronted with this operation. Likewise, the DDPA investigation revealed refusal, as several employees said that fingerprint scans were mandatory (DDPA Report 'Examine staff..., 2019, at 3). Thus, Company 2 did not take the necessary organizational measures to pursue a collective agreement. Introspection presumes that reconciliation does not depend on the parties' status. For instance, an employer is a person who willy-nilly is engaged in the relationship involved. Although the employer can keep a record of all employees concerned up to date, and these records are made available to the competent authorities (ECJ, Case C 55/18..., para 34), in Case 2 the warnings dated October 5, 2018, and March 26, 2019, have no legal basis and must be removed from the employee's file (LArbG Berlin-Brandenburg 10..., 2020, page 14, para 81). In Case 1, several employees indicated that when they refused to have their fingerprints scanned, a conversation with the director followed.
13 In Case 2, the company used the terminal "IT 8200 FP" with the model of the time-registration system "ZEUS" from a company I. GmbH. With a system for reading an ID card and transponders, such an installation allows identifying a person without processing the plaintiff's fingerprint. Also, the electronic system "ZEUS" of I. GmbH saves the corresponding timesheet even without the biometric data of the claimant, so the system provides alternative methods of E-registration and is not based only on the fingerprint database.
Significantly, applying the principle of proportionality shows an imbalance of interests. Given the dependency in the employer-employee relationship, employees could feel that registering fingerprints is an obligation rather than a request. In the view of the study, the collective agreement is valid when each of the employees states a will in a written declaration. Thus, unique identification in Cases 1 and 2 is not legitimate because a collective agreement was not delivered. That established a breach of GDPR Article 9 (2, b). No derogation can be earned in any case, even with the consent of the employee concerned (ECJ, Case C 55/18..., para 39). In Case 3, no disagreement has been found. Moreover, Enna indicated that employees' unique identification applied Article 2 of Italian law No. 56 of June 19, 2019, in effect from November 4, 2019. Moreover, according to documentary findings, Enna declares that it has been deploying biometric systems consistent with the opinion on a draft Decree issued by the President of the Council of Ministers concerning problems. In the view of the study, those facts comply with the GDPR Article 9 (2, b) criteria about a collective agreement and Member State law authorization.
Turning to the security assertion, the study proposes to examine whether the employer's security interests are legitimate. The company asserts a high security gain that may exceed the employee's interest on particular facts. Employers envisage biometric access control to increase access security. Employers are interested in reserving access to their premises, such as factories, offices, or special facilities, and in giving adequate access to certain facilities only to employees or contractors. In the view of the study, the employer protects designated infrastructures rather than shielding workers. An alternative method, such as the use and verification of an employee's or contractor's number at the entrance to the premises, would, in principle, be sufficient to satisfy security interests. The research thinks it is relevant for real security needs, especially when a company must monitor identity and access to certain facilities and places is permitted only to a limited number of specifically authorized persons who are confirmed in an enhanced manner. According to the case studies, employers have implemented a system that can measure the daily working hours of each employee. The employer must have an objective, reliable and accessible design to measure the daily working time of each employee. In Case 2, the company stated that the primary purpose of operating the ZEUS time roster and the IT 8200 FP terminal is to prevent the wrongful recording of working time. Modern alternative technologies for limiting the maximum working hours and observing daily rest periods are very diverse. They can be a system for recording working hours, records in paper form, computer programs, or electronic displays for recording working hours (LArbG Berlin-Brandenburg 10..., 2020, page 10, para 60).
Handing cards over to colleagues to avoid being recorded as arriving too late or leaving early, which card systems make possible, is likely a violation of the list of duties, has to be deemed a breach of labor law, and cannot be an argument for using Article 9 (2, b) as an exception to Article 9 (1) of the GDPR. Therefore, the reasoning based on data transmission to colleagues and manipulation of the time (pretending to be present while factually absent) is outside the GDPR and is not an unprecedented circumstance that can be an exception. Besides, it can also be viewed as fraudulent worktime and thus constitute a criminal offense. Nevertheless, the processor must assess the fundamental right to personal data protection through a delicate balance that considers the interests of both. The study assumes it in the first two cases. In Case 3, the security reasons were explained by the 'considerable complexity in the management of employees' (IDPA, Ordinanza ingiunzione..., 2021, Article 3 (3.3)), numbering over 2000, and the vastness of the territorial area.
In the view of the study, compared to Case 1 and Case 2, Case 3 demonstrates that a biometric setting is proportional to the actual circumstances of the processing of employees' fingerprints. Enna proves that the processing is protected in an encrypted way. It is not permitted to record encrypted data in a manner that is incomprehensible to the person who is privy to understanding it. In the view of the article, a centralized repository of biometric data is an adequate security measure where the storage of samples should be sidestepped. Data storage should be carried out without explicit reference to the individual or other types of personal data, e.g., name. But Company 1 and Company 2 demonstrate the opposite. At this point, the study deems it appropriate to provide additional protection, such as using a pseudo-name or code-name. The study argues that, in any case, biometric data must be handled under human control, considering human dignity (Explanatory memorandum to Recommendation Committee of Ministers No. R. (89) 2..., provision 43, 45) and privacy (Explanatory memorandum to Recommendation Committee of Ministers No. R. (89) 2..., provision 70). Regardless of that, Enna shows compliant operational biometric usage because the new attendance detection system operates with a biometric sensor while keeping data storage only on the personal card, which is held only by the employee. In other words, data has been saved only on portable devices equipped with cryptographic capabilities and used in badges entrusted to each staff member (IDPA, Ordinanza ingiunzione..., 2021, Article 3(3.2)).
Moreover, based on GDPR Article 5 (1, a), the study considers that the processing appears to have been carried out in violation of transparency; as indicated above, the case facts do not fully represent the processing carried out. Thus, none of the companies has demonstrated that employees have been sufficiently informed about fingerprinting.
As a result, according to Case 1, on December 4, 2019, DDPA imposed a fine of 725,000 EUR for violation of Article 9 (2, b) from May 25, 2018, to April 16, 2019. [14] In Case 2, the Berlin-Brandenburg Regional Court held that an employer could not rely on Article 9 (2, b) to install a time-tracking system that uses employees' fingerprints. The Appeal court states that utilizing a biometric system in a workplace is not proportional. GDPR Article 9 (1) is understood as banning the processing of biometrics for either time management or control of attendance in the workplace. [15] In Case 3, the IDPA imposed a EUR 30.000 fine against Enna, a local public health body, for using a biometric attendance detection system for employees.
Thus, specific legislation for the use of biometric applications is limited. In this context, the possible distorted use of the tools for detecting the everyday presence in a workplace and the decisions of employees assessed to the relative treatment are nonproportionate (Provision no. 357 of September 15, 2016...). However, the research disagrees with the fine in Case 3 and maintains that Enna was compliant, which leads to an independent research position. Given the number of employees affected (2000 in service), a biometric detection system is necessary on a case-by-case basis and could not be generalized as illegal in the Enna case for most of the working time control in medical or surgical practice. Also, taking into account specific characteristics of the biometric system, the system does not memorize biometric data; the data resides on the badge and is read only at the time of stamping. The registration phase ('enrollment') is carried out using a personal computer and an optical sensor connected through an interface entirely inside the device. The fingerprint detected on the registration site is immediately transformed by the sensor into a string of encrypted bits and sent to the personal computer that records it in a template of the unique identification medium (smart card with a microchip).

[14] The DDPA Decision is also according to GDPR Article 58 (2) and Article 83 (5). Those provisions are set out in the Netherlands' UAVG Article 14 (3). Moreover, Company 1 is officially enlisted in the Commercial Register of the Chamber of Commerce and Industry, whose number is also concealed.

[15] The appeal is admissible but not substantiated. The Regional Labour Court (LArbG Berlin-Brandenburg 10. Kammer) followed the Decision of Berlin Labour Court (ArbG Berlin 29 Kammer).
Thus, when the employee presents a finger for processing, an image is stored only for the time necessary for processing, that is, for obtaining the representative finger string (the template) from the characteristics of the imprint. It is impossible to get the fingerprint image starting from the bit string (template) stored on the smartcard. [16] Moreover, the described system for the detection of biometric data, in its inactive state, falls within the scope of application of the regulations set forth regarding the protection of personal data, to the extent that the company intends to acquire the information in the enrollment phase deducible from the employees' fingerprints, by storing them on the badge entrusted to the staff. A worker has an opportunity to press 'agree' to enter; at this stage, there is no memorization and even less transmission of images of the fingerprint or the template, apart from temporary local storage on the device concerned, which is for the sole purpose of recognition, while the biometric data remain confined to the sensor and are deleted at the end of the process. Thus, Enna safeguarded the processing and mitigated the risk of privacy interference (European data protection supervisor guidelines..., December 19, 2019).

Conclusion
The processing of personal data relating to the detection of attendance and working hours is attributable to the purposes pursued by entities under a regulatory framework that provides specific obligations to control consequent responsibilities of the competent functions of administrations within the scope of institutional tasks assigned to them by labor law promoting disciplinary actions. Regarding the use of biometric technologies to detect attendance, it is noted that the legitimate purpose ascertained for compliance with working hours utilizing objective and automated forms of controls (and in some cases to guarantee exceptional levels of security) must, in any case, be carried out in full compliance with the regulation on the protection of personal data. Because the right to personal data protection is not absolute, the study concerns compliance with the principles of necessity and proportionality. The research requires that other physical and logistic safety systems, devices, and measures are considered to ensure a timely and reliable verification for workplace control without biometric data processing. Biometric data are personal data directly, univocally, and in a tendential way stable over time, connected to the individual and denote the profound relationship between the person's body, behavior, and identity, and their use for the specific purpose of recording attendance in service, which the company intends to pursue, is not proportional to the needs of the company under data protection legislation. The employer is always required to seek the less invasive means by choosing, if possible, a nonbiometric procedure.
Regarding the protection of personal data, it is noted that detailed elements provided by the data controller concerning repeated and concrete episodes of violation of office duties by employees and the well-founded fear of the perpetration of abuses, compliance with the working hours by the employees, together with the possible benefits deriving to the community from the effective unique detection of presence in service, make the examined cases peculiar. For the same assessment, those aspects are relevant to guiding the company's choice towards the described attendance detection system and deemed to the toponymy and the extension of the area because it does not allow easy control of the presence of the workers and observance of working hours. In this context, we must consider proportionality concerning the purposes pursued and the need for the continuous availability of biometrics for service reasons to move frequently from one department to another. The conduct of companies intends to prevent the situation when an unfaithful employee goes to mark in place of a set of colluding colleagues, absent at work. The companies had documented reasons for ineffective alternative automated tools and the difficulties encountered in carrying out the correct execution of the services to employees. In these cases, the daily verification of the presence of the personnel assigned for the sanctioning regime is not compliant in Cases 1 and 2.
When an employer processes an employee's biometrics, it becomes the legal basis for the processing based on the conditions of the performance of the contract (GDPR, Article 6 (1, b)), the legal obligation to process biometrics and the agreement implication to make the processing valid. However, a company must process personal data to carry out its tasks in various situations, even if a legal obligation or agreement cannot justify the processing. In the light of the circumstances described in Case 3 and the system configuration of methods of using biometric data processing, in the view of the study, Enna complied with the exception provided under GDPR Article 9 (2, b). The prime necessity to manage a large number of facilitated employees in the institution is justified and combined under technological and organizational safeguards for employees and met processing for a vital interest of adequate healthcare that exceeds Enna's interests and aims to protect workers' physical integrity by giving back processed finger ID saved on the smart-chip card under self-control.
The study also encounters the employer's legitimate interest in ensuring the security of its premises and information systems, enabling access to information and information systems, and managing the office space (European Data Protection Supervisor, Opinion..., May 15, 2014). This employer is justified in the processing measure since personal data is required for access control (European Data Protection Supervisor, Opinion..., May 15, 2014). As regards the condition for processing, consent (GDPR, Article 6 (1, a)) has rarely been considered appropriate in an employment relationship; therefore, the employee's interest is subordinate to the employer. Public or private owners could start processing except for their close and stable relationship with the individual and identity (IDPA, Ordinanza ingiunzione..., 2021, Article 3, at 3.3). Therefore, the legal basis for processing cannot be under the agreement in all cases, as collecting a biometric identifier is contested to see a justifiable condition for an employment contract (European Data Protection Supervisor, Opinion..., April 7, 2008). However, processing can comply with the employer's statutory obligation for biometric identification (European Data Protection Supervisor, Opinion..., April 7, 2008). In this regard, the employer's legitimate interest remains the most appropriate legal basis for the proceedings concerning biometric identification. The legitimate interest provided does not apply if 'the employee's interests require personal data protection or fundamental rights and freedoms override such benefits' (GDPR, Article 6 (1) (f)). Therefore, legitimate interest as a legal basis for processing requires a so-called balancing test, which weighs the legitimate interests of the controller (employer) and the fundamental rights and freedoms of the data subject (employee) (European data protection supervisor guidelines..., December 19, 2019).
The proportionality test is the stumbling block; it is necessary to weigh whether the processing interferes disproportionately with the rights and freedoms for the employee's benefit. A balance of interests involved could have been the most appropriate treatment for using biometric identifiers in the employment relationship. Therefore, a legitimate interest as a basis for treatment will ultimately necessarily apply, especially where processing is not expressly permitted by specific legislation like in studied cases.
Companies referred to a particular security need, permitting biometric data processing in that way. This criterion, however, is applied in a rather willful way. Companies may rely on this higher security interest to protect persons under received authorization. In the view of the research, the DPA of a particular country may grant approval for using biometric characteristics, particularly fingerprints, to secure access to places. For example, the Dutch DPA states that it is legitimate to collect data to maintain order and safety. [17] However, this general rule, in principle, requires specific legislation on biometric identification in an employment relationship under the GDPR exception of Article 9 (2, b). It is a known fact that GDPR allows the Member States to adopt additional biometric rules in the context of employment. [18] Some of the provisions, such as Article 88 of the GDPR, are no exception for the further broader interpretation. Hence, the scope of a specific regulation adopted in Member States is limited (LArbG Berlin-Brandenburg 10..., 2020, page 11, para 62). The criterion for processing biometric data in the employment context is not different from the general rule. Thus, no deviation or modification is permitted in the national law of Member States. The derogation is not applicable because there is no particular legislation on biometric identification in employment activities in the studied countries. [19] In the study's view, installing biometric systems in a workplace should not abuse employee data protection. Since the deployment of a biometric system is usually carried out for all employees, it cannot limit its use to only a limited number of data subjects. Employers cannot impose restrictions on worker rights. [20] Moreover, the EU law does not require employers to create a system to measure the length of the working day worked by each employee every day (ECJ, Case C 55/18...).
Therefore, there is no legal basis in the means of GDPR Article 9 (2, b) for employees' biometric data in the workplace.