Sweden Sweden

School in Skellefteå

18,630 €

GDPR enforcement action by Data Protection Authority of Sweden on 2019-08-20.

Rank · Sector
#134
of 357 in Public Sector and Education
Rank · Sweden
#38
of 46
Rank · All fines
#1,123
of 3,051

Case details

Authority
Data Protection Authority of Sweden
Date
2019-08-20
Controller / Processor
School in Skellefteå
Sector
Public Sector and Education
Quoted Articles
Art. 5 (1) c) GDPR, Art. 9 GDPR, Art. 35 GDPR, Art. 36 GDPR
Type of violation
Insufficient legal basis for data processing

Summary

A school in Skellefteå made a trial to use facial recognition technology. The fine was imposed against the school which had used facial recognition technology to monitor the attendance of students. Even though, in general, data processing for the purpose of monitoring attendance is possible doing so with facial recognition is disproportioned to the goal to monitor attendance. The supervisory authority is of the opinion that biometric data of students was processed which is why Art. 9 GDPR is applicable. Additionally, the authority argued that consent can not be applied since students and their guardians cannot freely decide if they/their children want to be monitored for attendance purposes. When examining if the school board can rely on any of the exemptions listed in Art. 9 (2), the supervisory authority found that this was not the case. The supervisory authority also found that there was a case of a processing activity with high risks since new technology was used to process sensitive personal data concerning children who are in a dependency position to the high school board and due to camera surveillance being used in the students everyday environment. In the view of the authority, the school board was not able to demonstrate compliance with Art. 35 GDPR and that the school board was required to consult the authority in accordance with Art. 36 (1) GDPR.

Open original source Links to the regulator's original publication or another source.

Related fines