Can employers require employees to clock in and out using facial recognition or other similar methods? - JINAN AREA OF JOINTIDE LAW FIRM_Legal Counseling_Legal Services - 众成清泰(济南)律师事务所

Perspective | Can employers require employees to clock in and out using facial recognition or other similar methods?


Published: 2025-06-30

My company requires employees to clock in and out using facial recognition, which involves registering iris and facial recognition features. Some employees have raised concerns about the security of their facial information, as it is already linked to numerous accounts and bank cards. They worry about potential data breaches upon leaving the company and are therefore reluctant to use facial recognition for attendance. Does the company have the right to mandate facial recognition for attendance?

Issue


 

My company requires employees to clock in and out using facial recognition, requiring employees to register iris and facial recognition features, etc. Some employees have raised concerns that facial information is personal information, and many accounts and bank cards have already been linked to facial recognition information. What if their facial information is leaked after they leave? Therefore, they are unwilling to accept facial recognition clock-in and attendance. So, does my company have the right to force employees to accept facial recognition clock-in and attendance?


 

Points of Dispute


 

If employees disagree, can the employer force employees to use facial recognition for attendance?


 

Lawyer's Analysis


 

With the development of technology, more and more employers are using high-tech methods for employee attendance management, and facial recognition clock-in has become a common method. As employees' awareness of personal information protection deepens, some employees have raised objections to this attendance method. Because iris and facial recognition features are typical biometric information, such attendance practices carry certain legal risks.


 

I. What constitutes personal information?


 

First, we need to clarify what constitutes personal information. Article 4 of the "People's Republic of China Personal Information Protection Law" stipulates that "Personal information is various information recorded in electronic or other forms related to identified or identifiable natural persons, excluding anonymized information. The processing of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, and deletion of personal information."


 

II. How can employers lawfully process the employee personal information collected for attendance management?


 

According to Article 13 of the "People's Republic of China Personal Information Protection Law": Personal information processors may process personal information only under one of the following circumstances: (1) Obtaining the individual's consent; (2) Necessary for the establishment or performance of a contract in which the individual is a party, or necessary for the implementation of human resource management in accordance with legally formulated labor regulations and legally signed collective contracts; (3) Necessary for the performance of statutory duties or legal obligations; (4) Necessary for responding to public health emergencies, or in emergencies to protect the life, health, and property safety of natural persons; (5) For public interest, implementing news reporting, public opinion supervision, etc., processing personal information within a reasonable scope; (6) In accordance with this Law, processing personal information that is self-disclosed or otherwise legally disclosed within a reasonable scope; (7) Other circumstances stipulated by laws and administrative regulations. In accordance with other relevant provisions of this Law, the processing of personal information shall obtain the individual's consent, but if there are circumstances stipulated in the second to seventh items of the preceding paragraph, it is not necessary to obtain the individual's consent.


 

According to Article 4 of the "Supreme People's Court's Provisions on the Application of Law in Handling Civil Cases Related to the Use of Facial Recognition Technology to Process Personal Information": If any of the following circumstances exist, the people's court will not support the defense of the information processor on the grounds that the consent of the natural person or his guardian has been obtained: (1) The information processor requires the natural person to agree to the processing of his facial information before providing products or services, except where the processing of facial information is necessary for providing the products or services; (2) The information processor requires the natural person to agree to the processing of his facial information by bundling it with other authorizations; (3) Other circumstances that force or indirectly force natural persons to agree to the processing of their facial information.


 

Therefore, according to the above provisions, employers that require employees to clock in and out using facial recognition or similar methods must obtain the employee's explicit consent; if it is "necessary for human resource management" and is stipulated through legal regulations or collective contracts, it can be done without the employee's consent. However, if the employer can provide other clock-in methods such as swiping cards, then collecting employees' iris and facial recognition features solely for attendance purposes, without the employee's consent and without legal regulations or collective contract provisions, may be deemed not "necessary for implementing human resource management". If the company attempts to bundle the authorization of employee personal information, for example by treating employees who do not agree to facial recognition clock-in and attendance as not having clocked in or as absent from work, such bundled authorization is invalid.


 

III. What matters should employers pay attention to when collecting employees' irises, facial recognition features, and other personal information for clock-in and attendance?


 

1. Obtain employees' explicit consent


 

When collecting employees' irises, facial recognition features, and other personal information, employers need to explain to employees the purpose and use of collecting employees' irises and facial recognition features and obtain their written consent. Employers can do this by signing an agreement with employees or having employees issue a written statement of consent and sign it. The written document must state that the employee is aware of the purpose and use of the employer collecting employee personal information and agrees to the employer's use of the above personal information.


 

2. Employers have a duty to ensure the security of employees' personal information


 

Employers need to take necessary measures to ensure the security of the collected employee personal information. Employers can formulate employee personal information protection regulations and publicize them or inform employees of them through democratic procedures. They should also regularly conduct systematic training to enable employees to better understand the basic principles of personal information protection and to enhance the security awareness of the departments responsible for processing employee personal information.


 

At the same time, employers can only process employees' iris and facial recognition information within the specific purpose of attendance, avoiding excessive collection or use of employee personal information. When using employee personal information, employers need to follow the rules of open information processing to ensure that employees clearly understand how their personal information is collected, stored, used, and processed, and how employees can exercise their rights, such as inquiring, correcting, and deleting personal information. In addition, employers should regularly audit and conduct compliance checks on personal information processing activities to ensure that all processing activities comply with relevant laws and regulations, and promptly identify and correct any violations.


 

Article 51 of the "Personal Information Protection Law" stipulates: "Personal information processors shall, based on the purpose and method of processing personal information, the type of personal information, the impact on personal rights and interests, and potential security risks, take the following measures to ensure that personal information processing activities comply with the provisions of laws and administrative regulations, and prevent unauthorized access and leakage, alteration, and loss of personal information: (1) Formulate internal management regulations and operating procedures; (2) Implement classified management of personal information; (3) Adopt corresponding encryption, de-identification and other security technical measures; (4) Reasonably determine the operating authority for processing personal information, and regularly conduct security education and training for employees; (5) Formulate and implement contingency plans for personal information security incidents; (6) Other measures stipulated by laws and administrative regulations."


 

3. Seek alternative solutions


 

If employees explicitly refuse to use facial recognition for clock-in and attendance, employers can provide employees with traditional clock-in methods, such as swiping cards and signature attendance, to enable employers to manage employee attendance in multiple ways.


 

Takeaway: When employers use biometric technologies such as facial recognition for attendance tracking, they should fully respect employees' personal information rights and strictly abide by relevant laws and regulations. When collecting employees' iris and facial recognition features, the employer must clearly inform employees of the purpose and obtain their written consent to reduce legal disputes caused by improper handling of employee personal information. At the same time, employers should take necessary security measures, adhere to the principle of minimization, make processes transparent, and conduct regular audits and compliance checks to ensure the legal and compliant handling of employee personal information.



Address: Floor 55-57, Jinan China Resources Center, 11111 Jingshi Road, Lixia District, Jinan City, Shandong Province
