Sweden’s first GDPR fine
A school in Sweden has been fined 200 000 SEK (approximately 20 000 euros) by the Swedish DPA for using facial recognition technology to monitor the attendance of students in school.
22 students’ participation in class was captured by a camera using facial-recognition software. This trial was conducted to determine if it could be used as a standard procedure to cut down on class time.
The faces and full names of students were captured through biometric data. The data was stored on a local computer without an internet connection, which was kept in a locked cabinet. Consent was gathered from the guardians, and the school gave the participants the option to withdraw consent and stop the trial. However, neither a risk assessment nor prior consultation with the Swedish DPA was carried out.
GDPR was violated in three ways:
- Article 5 (fundamental principles), by processing personal data in a manner more intrusive on personal integrity than necessary for the purpose (attendance)
- Article 9, by processing sensitive personal data (biometric data) without a legal basis
- Articles 35 and 36 by not fulfilling the requirements of data protection impact assessment and prior consultation.
Even though the school maintains it had its students’ consent, the DPA found there was no valid legal basis for this, as there is a clear imbalance between the data subject and the controller.
When it comes to the workplace, the Spanish DPA, the AEPD, rules that the controller can gather biometric data (e.g. fingerprints) for attendance control purposes as long as some principles and requirements are met, mainly purpose limitation and data minimisation, among others.