function OptanonWrapper() { }
0
BLOG | Regulatory Updates | September 06, 2019

First GDPR Fine in Sweden Over Facial Recognition Use

A high school received the first GDPR fine in Sweden after using facial recognition technology on students.

Eliza Crawford

Product Manager

Post Featured Image

A school in northern Sweden has been fined 200,000 SEK (about $20,000) after experimenting with facial recognition as a system to document student attendance. The Swedish Data Protection Authority (DPA) fined the school for violating three articles under the General Data Protection Regulation (GDPR):

  • Article 5(1)(C): The use of facial recognition was intrusive in monitoring the attendance of students which lays down the ‘data minimization’ principle.
  • Article 9: Facial recognition data comprises ‘special categories of data’, which may only be processed to a legal basis. Processing facial recognition data is allowed with the data subject’s explicit consent. The school argued that all the students and their parents had given consent. However, the Swedish regulator held that the permission given by students was not a voluntarily given and freely chosen because of the school’s powerful position.
  • Article 35: Under this article, there is a requirement to conduct a documented Data Protection Impact Assessment (DPIA) before processing data that entails elevated data protection risks, such as facial recognition monitoring.

This is the first time the country has been fined for violating the digital privacy violation. The facial recognition pilot had been going on for three weeks last fall and involved 22 students.

Ranja Bunni, a lawyer at the Swedish DPA who helped with the review of this violation, said that consent isn’t a valid legal argument since the students depend on the high school board. The agency pointed out in its release that there are alternatives to checking student attendance that aren’t as intimately invasive as a facial recognition system.

While the Swedish DPA’s ruling is not big compared to other GDPR fines, it’s a clear marker that GDPR enforcement is picking up around the globe. The Sweden High School case indicates the extent of GDPR is not just limited to giant corporations such as British Airways, but also smaller public and private entities.

Visit here to learn how CookiePro helps comply with the GDPR.

Tags:
eu privacy gdpr Privacy law

Related Resources

Cookie Banner Examples

Cookie Banner Gallery: GDPR, CCPA, CNIL, and TCF 2.0 Examples

Jun 22, 2022
Capture and Share Consent Across Domains and Devices

How to Capture and Share Consent Across Domains and Devices

Jun 21, 2022
Google Play Data Safety

Google Play Data Safety Requirements: What Are They & How To Prepare

May 03, 2022

You Might Also Like

knowledge

10 Steps to Complete Google Data Safety...

View Resource
knowledge

Google Play Data Safety vs. Apple Nutrition...

View Resource
Datasheet

6 Step Checklist to Complete Google Play’s...

View Resource
Webinar | 45 minutes

Google Play Data Safety: What it Means...

View Resource
Onetrust All Rights Reserved
.grecaptcha-badge { visibility: hidden; }