
📹First GDPR fine in Sweden: facial recognition at school📹

Facial Recognition under GDPR

For the first time, the Swedish Data Protection Authority, Datainspektionen, has issued a fine for violation of the rules introduced by the General Data Protection Regulation (GDPR), against a school that implemented a facial recognition system to monitor students’ attendance in class.

The GDPR, which was transposed into national legislation by the Swedish Data Protection Act (2018:218), introduces special safeguards and obligations for data controllers who process biometric data used for facial recognition, including, for example, the obligation to appoint a Data Protection Officer and to carry out a Data Protection Impact Assessment (Articles 37 and 35).

The sanction

According to the DPA website, a high school in Skellefteå has used a facial recognition system to monitor students’ attendance at lessons. The trial has been going on for three weeks and affected 22 students. The Datainspektionen has examined the use of the system and concluded that the High School Board in Skellefteå has processed sensitive personal data in violation of the GDPR (see art. 9 of the Regulation), and the board was fined 200.000 SEK (approx. 20.000 EURO). The fine is moderate because Skellefteå is a public entity and because it has only been a limited trial. The maximum fine for public entities in Sweden is 10.000.000 SEK.

In its decision, the DPA finds that facial recognition meant camera surveillance of the students in their everyday environment, which was an intrusion on their integrity, and that attendance control could have been done in other, less intrusive, ways.

The high school board has stated that it received the students’ consent to use face recognition for attendance control. However, as explained by Ranja Bunni, a lawyer at the DPA who participated in the review, the high school board cannot use consent in this case because the students are in a position of dependence on the board, and therefore the consent cannot be deemed valid pursuant to the GDPR.

Conclusion

This fine confirms the EU-wide trend of Data Protection Authorities towards biometric data processing; therefore, here is my advice:

  1. prior to implementing a facial recognition system, all the available alternatives shall be considered, adopting a privacy by design and privacy by default approach;
  2. if no alternatives are viable, the data processing shall respect the data minimization principle, collecting as little data as possible and retaining the data for the period of time strictly necessary to pursue the analysis;
  3. when processing biometric data, enhanced security measures shall be adopted to guarantee the safety and protection of such precious information;
  4. prior to seeking data subjects’ consent, you shall consider whether consent is a valid legal basis for processing at all in the specific circumstance.
