The Dutch Data Protection Authority fined an unnamed company for unlawfully using fingerprint scans of its employees for its attendance and timekeeping records. The DPA stated that “A fingerprint cannot be replaced, unlike a password. If something goes wrong, the impact can be huge and have a lifelong negative effect on the person concerned.”

https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/boetebesluit_vingerafdrukken_personeel.pdf