AEPD (Spain) - EXP202200367: Difference between revisions
m (Ar moved page AEPD (Spain) - AI-00086-2022 to AEPD (Spain) - EXP202200367)
Latest revision as of 10:35, 13 December 2023
AEPD - AI-00086-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(a) GDPR; Article 5(1)(c) GDPR; Article 6(1)(e) GDPR; Organic Law of Universities (Ley Orgánica de Universidades) |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | |
Published: | 28.12.2022 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | AI-00086-2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Michelle Ayora |
The Spanish DPA dismissed several complaints against a university regarding the use of laptop cameras to verify the identity of students during online exams. The DPA took into account the legal basis, the risk assessments performed by the controller and the information provided to data subjects.
English Summary
Facts
Universidad Internacional de La Rioja (the controller) allegedly used facial recognition programmes to confirm the identity of students (data subjects) taking online exams during the Covid-19 pandemic. The controller used an IT tool from Smowl Tech (the processor) which had to be installed on the data subjects' devices. This app used the front camera to record the data subject's face while taking the exam, but it also captured the computer’s desktop. An additional camera had to be installed on the students’ devices, as a mandatory condition to sit an exam. The second camera captured the data subject's work environment, focusing on their hands, body and work screens. A failure to install and use these cameras would result in failing the exam.
A Students’ Association, 11 individuals and several other associations submitted complaints to the Spanish DPA against the controller's processing activities. The complaints regarding the second camera argued that it was disproportionate since it could also capture third parties. Regarding the software, they argued that the consent required was not valid because students who had a high-risk profile for Covid-19 did not have a choice. Others argued that the controller did not have a legitimate interest in obliging data subjects to install software on their devices, where they keep their agendas, bank apps, private communications, passwords, etc.
The controller claimed that none of the cameras used facial recognition techniques (which was supported by an attestation from the processor as evidence). Thus, consent was not required as a legal basis; instead, the legal basis was ‘necessity for the performance of a task carried out in the public interest’ conferred by the national law on universities (Ley Orgánica de Universidades). The controller denied that any software was installed on the data subjects' devices for the use of the second camera. Furthermore, the software installed for the front camera did not access data subjects' personal information unless they showed the data on their screen while the desktop was being recorded. However, the controller informed data subjects that the tool took screenshots if the data subject accessed a tab not compatible with the exam. These screenshots were evaluated by the controller and deleted if no fraud was found. The controller also applied a variety of technical and organisational measures: a proportionality test, assessment of the security provided by the processor, implementation of the principles of privacy by design and default, risk assessments, and DPIAs.
Holding
Firstly, the Spanish DPA recalled that facial recognition systems use biometric data, which constitutes sensitive personal data under Article 9(1) GDPR. However, the DPA held that, in the present case, no sensitive data had been processed by the controller. The DPA accepted as evidence the certificate signed by the processor, confirming that the controller did not process biometric data. Furthermore, the DPA stated that it was important to differentiate between the collection of desktop screenshots or their review by professional staff and the use of facial recognition techniques which use biometric software to verify the identity of a person. The DPA agreed that the legal basis for verification of identity during exams was not consent but rather the processing was necessary for the performance of a task carried out in the public interest (Article 6(1)(e) GDPR), in this case university education.
Secondly, the DPA confirmed that the software installed for the use of the front camera and the desktop did not access the data subject's personal data unless the data subject manifestly showed it during an exam.
Thirdly, the DPA also confirmed that there was no installation of software for the activation of the second camera. Rather, access to this camera by the controller happened through a URL which requested permission from the data subject first.
Additionally, the desktop screenshots were reviewed manually by the university staff, thus, with no automated decision-making involved. Furthermore, the risk assessment performed by the controller showed that the use of the second camera did not increase the risk to the data subjects' rights and freedoms and there was no other effective measure to achieve the same purpose. Finally, the DPA considered that the information provided to data subjects was complete and in accordance with the transparency principle of Article 5(1)(a) GDPR.
In conclusion, the DPA held that no violation had occurred in the present case and dismissed the complaints.
Comment
There are two previous resolutions by the Spanish DPA related to this case: E-08977/2021 and E-05454/2021. The latter also gave rise to the expert Opinion 0036/2020. In those proceedings and that opinion, the Spanish DPA had already analysed the use of facial recognition techniques and the installation of software on students’ computers for surveillance purposes in remote exams. Thus, the present case is about a new measure required by the controller: the installation of a second camera (in addition to the screen one) to focus on the student’s hands and surroundings.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202200367

RESOLUTION TO ARCHIVE THE PROCEEDINGS

Regarding the actions carried out by the Spanish Agency for Data Protection, and based on the following:

FACTS

FIRST: Between December 10, 2021 and March 9, 2022, the Spanish Agency for Data Protection received the claims sent by the UNIR STUDENTS ASSOCIATION and 11 people and associations referenced in Annex 0. The claims are directed against the UNIVERSIDAD INTERNACIONAL DE LA RIOJA with NIF A26430439 (hereinafter, the respondent or UNIR).

The claims are based on the following: certain aspects of the processing of personal data carried out by UNIR in order to confirm the identity of students taking exams online to prevent the spread of Covid-19. This processing is carried out using a software tool that students must install on their computers, provided by the vendor SMOWL (the tool is called SMOWLTECH). This application uses the front web camera to record the image of the student while taking the exam, and also captures the actions they perform on the desktop with the keyboard and mouse. The tool also includes the use of facial recognition algorithms to determine whether the person who had registered for the test and provided their identity document was indeed the one taking it. In proceeding E/08977/2021, the university gave assurances that it would not use the aforementioned facial recognition algorithms and would replace them with a manual review process performed by the institution's staff.

Although this facial processing was already the subject of past claims filed with the Agency by some of those affected, the submissions received on this occasion concern a new measure introduced by the university for the February 2022 exam session.
According to the claimants, the university has introduced a mandatory requirement that test takers install a second camera, in addition to the front one already in use. This camera must be focused on the student's environment, showing both hands, body and work screens, so that what the student is doing can be clearly seen. If they fail to do so, as reported, the student will receive a score of zero on the exam, which may lead to the loss of continuous assessment.

Those affected consider that this practice is disproportionate and intrusive, and does not respect students' rights to data protection or privacy (or those of family members who are recorded during the test). Some have quoted or attached this Agency's response to a query on the use of technologies for surveillance of the student's environment ("360º review"), and others attach a copy of the resolution of the University of Granada of May 4, 2020, against the requirement of a second camera for assessment. One of the university's teachers told an affected person that it was reportedly ANECA (National Agency for Quality Assessment and Accreditation) that authorized or approved the requirement.

Some of those affected also question whether consent to the processing of data collected in this way is truly free, since students with a risk profile do not have the option of taking the exam in person. Therefore, consent would not be a valid legal basis for the processing. Others insist that the university also has no legal basis to force its students to install "software" that allows access to their computers, where they keep their agenda, banking applications, private messages, passwords, etc.

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
From the detailed analysis of each of the claims received, the following is worth highlighting:

Complaint 1 provides the "Student Manual - Exams" prepared by UNIR with the instructions for taking the exam online, distributed among the students and with details about the operation of the applications to be installed and the technical requirements to be met.

Complaint 2 provides a news item published in the press with the headline “The UGR prohibits professors from asking students for two cameras in the online exams” (https://www.ideal.es/miugr/prohibe-profesores-pedir- chambers-students-20210118122657-nt.html). It states that the UGR issued a resolution in May 2020 prohibiting proctoring and regulating how to proceed in videoconferences. From this resolution it can be gathered that:

i. The UGR prohibits the use of proctoring tools in non-face-to-face assessment, and does not allow the use of biometric techniques or facial recognition.
ii. Students are identified by showing their DNI or any other valid document.
iii. Oral tests are recorded to guarantee the right of review, for the time strictly necessary.
iv. Videoconference systems are used for the proper conduct of the test and for the monitoring and identification of students. In this case recording is not necessary. It is indicated that the videoconference implies a violation of personal privacy or intrusion into the home, within the properly understood proportionality assessment that guarantees those rights against the public-interest need to verify student learning. Teaching staff must notify students so that they can organize the test in a way that does not interfere with their strictly domestic environment.
Complaint 3 alleges that UNIR is not respecting the resolution of July 27 on the use of biometric techniques and facial recognition. It also alleges intrusion through the demand to use the student's own device to activate the second surveillance camera, which it considers a violation of the right to privacy, and that the use of this device could cause a breach of the personal data stored on it.

Complaints 4, 5 and 6 allege the invasion of privacy entailed by the use of the second security camera on the student's own device and the recording of students' home space for the entire duration of the exam, in violation of the right to privacy.

In Complaint 7, the following is reported:

i. That the enrolment form the student signs at the beginning of the course specifies only the following: “students must have a webcam and audio to be able to adequately carry out the defenses of end-of-degree and end-of-master's projects online”, but nothing was ever specified about the existence of the second camera and the need to use a second device belonging to the students.
ii. An annex is provided in this claim with the document sent by UNIR to students about the recommendations and guidelines to follow for the correct completion of the online exams; from the analysis of this annex the following is extracted:
a) They recommend disabling the antivirus to prevent it from blocking the monitoring program.
b) They indicate that the test must be taken in a closed room. The student must be alone in the room. The front camera must focus on the student and, as far as possible, the access door. The student is responsible for ensuring there are no interruptions from other people. If environmental conditions change, teachers will assess the impact on the assessment.
c) Monitoring of the desktop, cameras and microphone at all times.
Deactivation, disconnection, blurring or significant loss of visibility may trigger an incident or alert. During the exam it is mandatory to keep desktop monitoring active at all times, and to keep both cameras active throughout the exam and positioned so that the student can be seen and identified.
d) The device used as a second camera must have an internet connection and be focused on the environment, with both hands, body and work screen visible. This document includes some example images of what the second camera should capture.
iii. Another annex is also provided in this claim with a communication sent by the rector of UNIR to all students regarding the modalities for conducting exams; from the analysis of this document the following paragraphs are extracted:
a) “For the online modality, supervision support systems will be used that have been chosen after ensuring compliance with all the requirements of the GDPR and Law 3/2018, and after thorough verification of compliance with the AEPD recommendations. All the legal documentation supporting this decision is available to any student: analysis of the pronouncements and recommendations of different data protection supervisory authorities; constitutional proportionality assessment; impact assessment and risk analysis; contractual guarantee of the privacy of students' data; guarantee of the principle of information.”
b) “The supervision support system captures images and sound of the student and the environment, but does not access any information on their computer equipment unless it is shown on the screen.”
c) “Students can choose the modality that best suits their personal and particular situation (face-to-face and online).
Both modalities respect the legal and constitutional framework, and both guarantee an effective and rigorous assessment system commensurate with the academic prestige of our institution and of the degrees we issue.”
iv. An annex is also provided in this claim with the response sent by the General Subdirectorate of Promotions and Authorizations to a query raised by this same CLAIMANT, with entry registration number O00007128e21000XXXX. From the analysis of this response the following paragraph stands out:
a) “Likewise, in response to your concern as to whether surveillance of the student's environment or a 360 review of the home in which the test is taken could be disproportionate, given that capturing third parties or showing personal items unrelated to the purpose of the assessment test, which could reveal information about the privacy of the student or third parties, could be understood as an interference with the privacy of the student and any other residents of the home and, therefore, a risk to the student's right to privacy and the inviolability of the home.”

Complaints 8, 9 and 10 again allege the mandatory use of the second camera for the exams of the February 2022 session, using the student's own personal device, creating the possibility of access to the personal information it contains.

In Complaint 11, the “Association of Students X the Defense of Fundamental Rights (HUXIR)” alleges:

i. That UNIR has ignored the warning resolution signed by the director of the AEPD on July 27, 2021 in relation to the use of facial recognition.
ii. That the exams being held at the time the claim was filed were using the second camera through an unaudited QR code that could expose sensitive data such as photos, bank accounts, etc.
iii.
They provide a screenshot of an explanatory tutorial held on December 22, 2021, on the exams to be taken, in which the following phrase can be seen on one of the slides shown: “The biometric data is eliminated once the minutes are closed and made definitive”.
iv. An email sent by this association (HUXIR) to the Office of the University Ombudsman, asking it to mediate and urge UNIR to suspend the use of the second camera for the January and February 2022 sessions, since there is no legal framework endorsed by the AEPD.

In Complaint 12, a UNIR student alleges the violation of their rights in the exams held in the February 2022 session, in breach of AEPD report 0036/2020 and the resolution in file E/05454/2021. The student alleges that UNIR once again carried out biometric control in the February 2022 exams.

i. That, in the registration process for the online exams, the terms and conditions that the student had to accept (prior to registration) stated verbatim: “obtaining, through the images and audio, a model of the user's biometric characteristics in order to carry out the identification and subsequent checks on the identity of the user”.
ii. That during the registration process photographs are taken of both the face and the ID.
iii. That the legal basis for the processing of personal data, in relation to the use of the second camera, is consent, and that it cannot be given freely.
iv. Screenshots of the above are provided.

In the association's complaint, HUXIR once again alleges that UNIR is ignoring the resolution of the director of the AEPD of July 2021 by requiring the use of a second camera for the exams from January to March, and asks the AEPD to intercede on its behalf before UNIR.
It is also claimed that on February 2, 2022, a member of the association exercised the right of access to their personal data before the controller, and that as of the date this claim was filed it had not been answered.

Finally, it is also worth highlighting the receipt, on May 13, 2022, of a letter sent (...), notifying the AEPD of the situation of legal defenselessness in which they found themselves due to the actions undertaken by the other association, HUXIR, an association not recognized by UNIR students and which, as they indicate, was supported by only about 10 students. In this letter they express their support for UNIR, indicating that it has established an assessment system that guarantees the quality and reliability of the test, has the explicit endorsement of the vast majority of student representatives, and therefore greatly benefits all students, since it saves time and avoids accommodation and travel costs. They state that UNIR has informed students of the implications of using online assessment, both of the facial recognition system, which was ultimately cancelled, and of the use of the double camera. It has responded to all the questions raised, and has produced documents with questions as well as various explanatory conferences on the assessment system.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the claim was forwarded to the respondent so that it could analyze it and inform this Agency, within one month, of the actions taken to comply with the requirements of the data protection regulations.
The transfer, carried out in accordance with Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was received on January 31, 2022, as shown in the acknowledgment of receipt in the file.

On February 16, 2022, this Agency received a written response stating, in summary, the following:

a) They affirm that neither of the two cameras uses facial recognition techniques; they provide a SMOWLTECH certificate that also confirms this.
b) They state that NO program is installed on the student's device for the use of the second camera.
c) They state that, since facial recognition techniques are not used, it is no longer necessary to obtain the student's consent, because this legal basis does not apply. The legal basis is the performance of a task carried out in the public interest or in the exercise of public powers conferred by the Organic Law of Universities. They note that this same Agency affirmed, in its report 0036/2020, that this processing was covered by article 6.1.e) of the GDPR.
d) They affirm that the software installed on the equipment never accesses the data subject's personal information, unless the student accesses such data and displays it on the screen while taking the test, since the software captures the desktop. However, they indicate that UNIR has informed students of this circumstance. If, during the test, the student accesses a window containing information that is not compatible with the test, the software takes screenshots that are subsequently evaluated by UNIR staff and, if they do not show that the student engaged in fraudulent practices, are deleted.
e) The safeguards applied to protect the rights and freedoms of data subjects are:
a.
Carrying out a proportionality assessment.
b. Ensuring an adequate level of security on the part of the processor, SMOWL.
c. Guaranteeing privacy by default and by design.
d. Carrying out the corresponding risk analyses and impact assessments.
e. Guaranteeing the principle of information regarding data protection.
f) They indicate that the impact assessment and risk analysis were already provided in response to the claims in files E/05454/2021 and E/08977/2021.
g) UNIR considers that the online assessment system implemented does not affect the processing of personal data any differently, regardless of whether the system has an additional device. Specifically, the requirements for the use of the double camera are:
a. The device has an Internet connection and sufficient battery.
b. It must be focused on the environment, with the following visible:
i. Both hands and the body of the data subject. The data subject's face does not have to be captured.
ii. The work screen.

Regarding the statement made in section f) above, after analyzing the documents relating to the risk analysis and impact assessment, it is found that they do not include the use of the second camera on the student's device.

THIRD: On February 24, 2022, in accordance with article 65 of the LOPDGDD, the claim filed by the claimant was admitted for processing.

FOURTH: The General Subdirectorate of Data Inspection carried out preliminary investigative actions to clarify the facts in question, by virtue of the functions assigned to supervisory authorities in article 57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, establishing the following:

The background recorded in the information systems is as follows:

1.
In relation to file E/05454/2021, the following actions took place:
a. After several claims filed with the AEPD about the use of biometric and facial recognition techniques by UNIR, as controller of the personal data, the controller was notified on May 14, 2021 and replied that the measure used had been weighed, not only causing no harm to the protection of personal data but ensuring that the assessment tests were carried out in optimal conditions. They argued that there were no alternative measures that guaranteed the intended result with equal effectiveness. They also indicated that an impact assessment had been carried out, concluding with a low risk for the processing carried out. They claimed that the measure was not disproportionate, but suitable, to achieve the intended purpose. All of this without prejudice to the fact that, if the AEPD considered the analysis to be mistaken, use of the system under assessment would cease immediately. In the response to this transfer, UNIR attached:
i. The proportionality assessment.
ii. The contract with the processor (SMOWLTECH).
iii. The impact assessment.
iv. The processor's security measures.
b. However, on June 14, 2021, a new letter was received from UNIR providing certification of the deactivation of facial recognition for student monitoring.
c. On July 27, 2021, the director of the Spanish Agency for Data Protection issued a resolution with a warning to the respondent entity to adopt corrective measures aimed at preventing the planned processing from entailing a possible breach of data protection law.

2. In relation to file E/08977/2021, which originates from a claim filed with this Agency, the claim was forwarded to UNIR, which replied providing the following information:
a.
They state that UNIR DOES NOT operate an online assessment system based on the use of facial recognition techniques, this having been removed and replaced by a manual recognition system. A document delivered to ANECA is provided as an annex, describing the assessment system used by UNIR, which is based on SMOWLTECH software and operates as follows:
i. Student registration process: images of the student's face and ID are taken.
ii. During the exam, artificial intelligence is applied for the detection of objects, but never of personal data. The images are stored for later manual comparison.
iii. When the artificial intelligence system issues alerts, the images are reviewed manually.

3. In relation to this file, it is also worth highlighting report 0036/2020 of this Agency on issues related to the use of facial recognition techniques in online assessment tests.

FIFTH: After receipt of this letter from UNIR, this Agency received new claims that contributed new data to this investigation, and it was therefore decided to send a new request for information to the controller, UNIR, on April 27, 2022, along the following lines of inquiry:
a) To obtain the updated risk analysis including the use of the second camera, as well as the corresponding update of the impact assessment.
b) To obtain further details about the software that is activated when the QR code for the second camera is scanned on the student's device.
c) Clarification of the conditions that the student must accept when registering in the SMOWLTECH software, before taking exams.
This is because, as shown by the material provided in one of the claims received, the conditions that the student had to accept stated that the legal basis was the user's consent and that biometric models were created for identity checks; all of this was evidenced by screenshots attached to the claim received.

On May 17, 2022, a response to the above request was received from UNIR; the following is drawn from its analysis:
a) They provide the updated risk analysis including the use of the second camera, which concludes with a risk classified as ACCEPTABLE, using the AEPD's tools for this purpose (Evalúa-Riesgo RGPD and Gestiona EIPD). From this risk analysis, the following is drawn for the present investigation:
i. Special categories of data are not processed.
ii. They do not apply facial recognition techniques.
iii. They do not use immature or newly created technologies.
iv. Consent is not applicable; the legal basis for the processing is the public interest under Article 6.1.e) of the GDPR, as authorized by Article 46.3 of the LOU.
v. The corresponding balancing and proportionality assessment has been carried out.
vi. They state that data subjects are duly informed at the time of registration, as well as in the Student Manual. In turn, if a third party appears in the images, the images will be deleted or, where this affects grades, a record of what happened will be drawn up and the images will be deleted.
vii. They state that all evidence collected by the software is subject to personal review by qualified staff. Employees sign the corresponding Manual of Functions and Obligations and receive specific data protection training to avoid breaches of confidentiality.
viii.
The data processing agreement has been properly formalized, and there is a protocol for the selection and engagement of processors.
b) The risk resulting from the impact assessment, updated to include the use of the second camera, is LOW. The following is drawn from it as relevant to this investigation:
i. To guarantee privacy by default and by design, as well as the principle of accountability, they state that the processing will be subject to a process of continuous review and constant improvement, with ordinary reviews (every academic year, for the ordinary exam sessions) and extraordinary reviews in the event of a substantial change in the processing of personal data, such as changes in the technology applied, new purposes, new data, etc.
c) In relation to the operation of the QR code on the student's device, they indicate that scanning it leads to a SMOWL URL that requests permission to access the camera, without involving the installation of any program or software on the student's device. Images from this second camera are captured from the web. The flow of information is as follows:
i. The QR code is scanned and the camera is accessed from the URL itself.
ii. Student activity is monitored by sending images periodically.
iii. At Smowltech the images received are analyzed (automatically) to detect possible fraudulent objects in the surroundings. If possible fraud is detected, an alert is raised that must be checked manually by a qualified person.
iv. Decisions are not made automatically, without the manual intervention of a qualified person.
d) They send, attached to the response to the request, an explanatory video on the use of the second camera, with a complete step-by-step description of the whole process.
e) In relation to the information provided in one of the claims, to which several screenshots were attached showing the moment of a student's registration in the SMOWLTECH application (a prerequisite for taking the exams), and in which the following could be read:
i. On the one hand, one of the screens shown indicated that the legal basis for the processing of personal data was the student's own consent.
- Regarding this point, UNIR answers that this information is wrong and should not be displayed on the student's screen, and that, after learning of this fact, "UNIR contacted SMOWL and requested the removal of this section, as it is not a faithful reflection of the assessment process of our students and suffers from inconsistencies that do not match reality". They attach a SMOWL certificate guaranteeing that this error has been resolved.
ii. On the other hand, in another of the screenshots a text appeared telling the student that biometric models would be created for identity checks.
- Regarding this other point, UNIR answers that, after learning of this, SMOWL was asked to verify and certify that, as indicated at the time, biometric data is not processed. They provide a new SMOWL certificate certifying that no such processing is carried out.

Regarding the video provided under section d) above, its analysis establishes that no software application is installed on the student's device.

Regarding the confirmations given by UNIR in section e) above, and after analyzing the certificates provided under points i) and ii), their veracity and authenticity are confirmed, it being verified that:
1.
The SMOWLTECH software error has been corrected, removing the section of the registration screen that stated verbatim that "the legitimacy for the processing of personal data was based on the User's own consent".
2. Despite the message that was displayed on the screen by mistake, UNIR does not process biometric data or use facial recognition techniques.

With respect to the above, it is necessary to distinguish between capturing images of the student's face for storage and later manual review (by qualified staff), and the use of facial recognition techniques, the latter being based on the use of biometric software to map facial features and create faceprints that could later be compared using specific algorithms to verify a person's identity.

LEGAL GROUNDS

I
Competence

In accordance with the functions that Article 57.1 a), f) and h) of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) confers on each supervisory authority, and pursuant to Articles 47 and 48.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to resolve these investigative actions.

Likewise, Article 63.2 of the LOPDGDD determines that: "The procedures handled by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions issued in its implementation and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II
Processing of special categories of personal data

Article 9 of the GDPR, which regulates the processing of special categories of personal data, establishes the following:

"1.
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
2. Paragraph 1 shall not apply if one of the following circumstances applies:
a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
b) the processing is necessary for carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment and social security and social protection law, in so far as it is authorized by Union or Member State law or by a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
c) the processing is necessary to protect the vital interests of the data subject or of another natural person, where the data subject is physically or legally incapable of giving consent;
d) the processing is carried out, in the course of its legitimate activities and with appropriate safeguards, by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim, on condition that the processing relates solely to the members or former members of the body or to persons who have regular contact with it in connection with its purposes, and that the personal data are not disclosed outside that body without the consent of the data subjects;
e) the processing relates to personal data that the data subject has
made manifestly public;
f) the processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity;
g) the processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law, which must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
h) the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, on the basis of Union or Member State law or pursuant to a contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
i) the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
j) the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with Article 89(1), on the basis of Union or Member State law, which must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
3.
The personal data referred to in paragraph 1 may be processed for the purposes referred to in point h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies, or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.
4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health."

III
Principles relating to processing

Letters a) and c) of Article 5.1 of the GDPR provide:

"1. Personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency");
(…)
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization");"

Article 6 of the GDPR, in its paragraph 1, on the lawfulness of processing, establishes the following:

"1.
Processing shall be lawful only if at least one of the following conditions is met:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) the processing is necessary for the performance of a contract to which the data subject is party or in order to take pre-contractual steps at the data subject's request;
c) the processing is necessary for compliance with a legal obligation to which the controller is subject;
d) the processing is necessary to protect the vital interests of the data subject or of another natural person;
e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The provisions of letter f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks."

IV
Facts reported

The claims state that, during the exams of February 2022, UNIR established an identification system by means of a software tool, which students have to install, and which uses facial recognition algorithms. In addition, in those exams UNIR required students to install a second camera pointed at the student's surroundings. They consider that the processing carried out is not proportionate and is highly intrusive, since it may even record the students' relatives.
They also consider that consent is not freely given, since students at high health risk cannot attend an exam in person.

Regarding the use of facial recognition techniques, after verifying the authenticity of the certificate provided by the company SMOWL, it is verified that special categories of data are not processed and that facial recognition techniques are not used.

After verifying the authenticity of the certificates provided by the company SMOWL, it is verified that the information that was provided (in error) in the student registration process has been removed from the system, specifically the erroneous information on the legal basis and on the storage of biometric models.

The legal basis for the processing is not consent; rather, the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, UNIR. It is also verified that UNIR does not store biometric models.

Likewise, it has been verified that no software is installed on the student's device; access to the device's camera is made from a URL that first requests permission to access it. The sole purpose of this second camera is to capture images of the surroundings and send them to the processor, and if possible fraud is detected, an alert is triggered that is reviewed manually by qualified staff, so that automated decisions are never made in relation to the images captured by either of the two cameras.

With respect to the software installed on the student's computer, its main purpose is to capture the desktop and use the front camera, so no other personal information stored on the device itself is accessed, unless the student displays it on screen during the test.
Prior to the processing, UNIR updated the impact assessment to analyze and include the risks added by the use of the second camera in the assessment systems, determining that the use of a second camera does not involve an additional risk that could further affect the rights and freedoms of those concerned. It includes the corresponding balancing and proportionality assessment regarding the inclusion of the second camera, concluding that the measure is necessary and balanced because it yields more benefits or advantages for the general interest than harm to other conflicting goods or values, there being no other more moderate measure that achieves the purpose with equal effectiveness.

Complete information is offered to the student at the time of registration in the SMOWLTECH application and before the tests are taken; specifically, adequate information is provided about:
a. The controller and the data protection officer.
b. The purpose of the processing and the applicable legal bases.
c. The rights of data subjects.
d. Retention periods, origin, recipients and international transfers.
e. Data security.

V
Conclusion

Therefore, based on the foregoing, no evidence has been found that proves the existence of an infringement within the competence of the Spanish Data Protection Agency.

Thus, in accordance with the above, the Director of the Spanish Data Protection Agency AGREES:

FIRST: TO CLOSE these proceedings.

SECOND: TO NOTIFY this resolution to UNIVERSIDAD INTERNACIONAL DE LA RIOJA with all the annexes, and to each claimant the resolution and the annex corresponding to their data.

In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified.
Against this resolution, which puts an end to the administrative procedure as prescribed by Article 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, and in accordance with Articles 112 and 123 of the aforementioned Law 39/2015, of October 1, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month from the day following notification of this resolution, or directly file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with Article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46.1 of that Law.

940-110422
Mar España Martí
Director of the Spanish Data Protection Agency

ANNEX 0
A.A.A. (hereinafter claimant 1).
B.B.B. (hereinafter claimant 2).
C.C.C. (hereinafter claimant 3).
D.D.D. (hereinafter claimant 4).
E.E.E. (hereinafter claimant 5).
F.F.F. and D.D.D. (hereinafter claimants 6).
B.B.B. (hereinafter claimant 7).
G.G.G. (hereinafter claimant 8).
H.H.H. (hereinafter claimant 9).
I.I.I. *** CHARGE.1 (hereinafter claimant 10).
J.J.J. *** CHARGE.2 (hereinafter claimant 11).

ANNEX I
A.A.A. (hereinafter claimant 1).

ANNEX II
B.B.B. (hereinafter claimant 2).

ANNEX III
C.C.C. (hereinafter claimant 3).

ANNEX IV
D.D.D. (hereinafter claimant 4).

ANNEX V
E.E.E. (hereinafter claimant 5).

ANNEX VI
F.F.F. and D.D.D. (hereinafter claimants 6).

ANNEX VII
B.B.B. (hereinafter claimant 7).

ANNEX VIII
G.G.G. (hereinafter claimant 8).

ANNEX IX
H.H.H. (hereinafter claimant 9).

ANNEX X
I.I.I. *** CHARGE.1 (hereinafter claimant 10).

ANNEX XI
J.J.J. *** CHARGE.2 (hereinafter claimant 11).