Are you sure? An employee number identifies a person, but is not personal identification for the purpose of this case.
If the hash is all that is transmitted, then it would not be personal information, just a confirmation the employee has clocked in at work. That information though, that they are attending work, could be construed as personal information that Kronos would be party to without her permission.
PS, ok DougS, if the fingerprint is hashed *and* salted, then theoretically reconstruction can be "impossible"? Most hash functions may have some "collisions", that would make reconstruction rather impossible, even if you know the algorithm (theoretically different inputs can give different outputs, brute forcing gives you these, not the actual real input, as IRL the chances of 2 fingerprints being identically hashed is an acceptable risk, as not filling the search space as a brute force attack will).