On 23 November 2023, the Spanish Data Protection Agency (AEPD) published Guidelines on the processing of physical presence monitoring using biometric systems, establishing criteria that were much more restrictive than the ones that had been accepted up to that time. It stated that this was to bring the rules into line with European Data Protection Board Guidelines 05/2022.

The AEPD assumes that biometric data fall into a special category and that an assessment must therefore be made regarding whether there is legislation that would authorise their use to monitor working hours or access to offices (which is not currently the case in Spain) or whether the processing of such data is necessary, to the extent that there is no other method that is equally effective and less intrusive (such as cards that can be used by employees). Insofar as other monitoring measures exist, the processing of biometric data is rendered unnecessary, according to the AEPD itself.

The AEPD also says that obtaining express consent from employees is not enough, since there is an imbalance between employer and employee, which would prevent consent from being freely given. Although this decision could be disputed, it is nevertheless the one that the AEPD has adopted with regard to this specific issue. If the Collective Bargaining Agreement that applies to a company specifies the possibility of using biometric data, this could be considered to represent valid consent, though one would also have to analyse the system used, its necessity and its suitability, and the company would therefore have to carry out an exhaustive study (Impact Assessment), which could also be deemed unsuitable by the AEPD because it contradicts the new criteria that have been established.

In short, the new criteria make it very difficult for biometric systems to be used by companies at the present time without the risk of incurring penalties. In any case, we will have to see how the criteria are applied by the AEPD. For the moment, no term has been established to allow companies to adapt to the new criteria, and they are therefore already applicable.