Yesterday, the Swedish Data Protection Authority imposed its first administrative fine under the GDPR. During a trial period, a school in northern Sweden used facial recognition technology through camera surveillance to track students’ attendance.
The processing of personal data included biometric data, i.e. a special category of personal data. Special categories of personal data must not be processed unless specific circumstances apply. The students had consented to the processing, but because of the students’ dependency in relation to the school and attendance control, the Data Protection Authority held that consent is not a valid legal basis. It also found that no other legal basis applied.
Moreover, the Data Protection Authority stated that the facial recognition surveillance was too extensive and intrusive, and therefore disproportionate to the purpose of the processing. Lastly, neither an impact assessment nor a prior consultation with a supervisory authority had been carried out beforehand.
Due to circumstances such as the limited time period of the processing and the small number of data subjects, the fine was set at SEK 200 000.
The decision can be found under the link below:
Time Advokatbyrå continuously provides advice within the field of data protection. If you would like to know more about this decision or need assistance with data protection legislation, please reach out to Alexander Berger, head of Data Privacy.