AEPD (Spain) - EXP202200367: Difference between revisions
m (added legal basis) |
m (Ar moved page AEPD (Spain) - AI-00086-2022 to AEPD (Spain) - EXP202200367) |
||
(One intermediate revision by one other user not shown) | |||
Line 65: | Line 65: | ||
}} | }} | ||
The Spanish DPA dismissed several complaints against a university regarding the use of laptop cameras to verify the identity of students during online exams. The DPA | The Spanish DPA dismissed several complaints against a university regarding the use of laptop cameras to verify the identity of students during online exams. The DPA took into account the legal basis, the risk assessments performed by the controller and the information provided to data subjects. | ||
== English Summary == | == English Summary == | ||
Line 74: | Line 74: | ||
A Students’ Association, 11 individuals and several other associations submitted complaints to the Spanish DPA against the controller's prcoessing activities. The complaints regarding the second camera sustained that it was disproportionate since it could also capture third parties. Regarding the software, the consent required was not valid because students who had a high-risk profile for Covid-19 did not have a choice. Others argued that the controller did not have a legitimate interest in obliging data subjects to install a software on their devices where they keep their agendas, bank apps, private communications, keywords, etc. | A Students’ Association, 11 individuals and several other associations submitted complaints to the Spanish DPA against the controller's prcoessing activities. The complaints regarding the second camera sustained that it was disproportionate since it could also capture third parties. Regarding the software, the consent required was not valid because students who had a high-risk profile for Covid-19 did not have a choice. Others argued that the controller did not have a legitimate interest in obliging data subjects to install a software on their devices where they keep their agendas, bank apps, private communications, keywords, etc. | ||
The controller claimed that none of the cameras used facial recognition techniques (which was supported with an attestation of the processor as evidence). Thus, consent was not mandatory as a legal basis but ‘necessity for the performance of a task carried out in the public interest conferred by the national law of Universities (Ley Orgánica de Universidades). | The controller claimed that none of the cameras used facial recognition techniques (which was supported with an attestation of the processor as evidence). Thus, consent was not mandatory as a legal basis but ‘necessity for the performance of a task carried out in the public interest conferred by the national law of Universities (Ley Orgánica de Universidades). The controller denied that any software was installed for the use of the second camera on the data subject's devices. Furthermore, the software installed for the frontal camera did not access data subjects' personal information unless they showed the data on their screen when the desktop was recorded. However, the controller provided data subjects with the information that screenshots taken by the tool were taken if the data subject accessed a tab not compatible with the exam. These screenshots were evaluated by the controller and deleted in case that no fraud was found. The controller also applied a variety of technical and organisational measures: a proportionality test, assessment of the security provided by the processor, implementation of the principles of privacy by design and default, risk assessments, and DPIAs. | ||
=== Holding === | === Holding === | ||
Firstly, the Spanish DPA recalled that facial recognition systems use biometric data, which constitutes sensitive personal data under [[Article 9 GDPR|Article 9(1) GDPR]]. However, the DPA held that, in the present case, no sensitive data | Firstly, the Spanish DPA recalled that facial recognition systems use biometric data, which constitutes sensitive personal data under [[Article 9 GDPR|Article 9(1) GDPR]]. However, the DPA held that, in the present case, no sensitive data had been processed by the controller. The DPA accepted as evidence the certificate signed by the processor, confirming that the controller did not process biometric data. Furthermore, the DPA stated that it was important to differentiate between the collection of desktop screenshots or their review by professional staff and the use of facial recognition techniques which use biometric software to verify the identity of a person. The DPA agreed that the legal basis for verification of identity during exams was not consent but rather the processing was necessary for the performance of a task carried out in the public interest ([[Article 6 GDPR|Article 6(1)(e) GDPR]]), in this case university education. | ||
Secondly, the DPA confirmed that the software installed for the use of the front camera and the desktop does did not access data subject's personal data unless the data subject's manifestly showed it during an exam. | Secondly, the DPA confirmed that the software installed for the use of the front camera and the desktop does did not access data subject's personal data unless the data subject's manifestly showed it during an exam. | ||
Line 85: | Line 85: | ||
Additionally, the desktop screenshots were reviewed manually by the university staff, thus, with no automated decision-making involved. Furthermore, the risk assessment performed by the controller showed that the use of the second camera did not increase the risk to the data subjects' rights and freedoms and there was no other effective measure to achieve the same purpose. Finally, the DPA considered that the information provided to data subjects was complete and in accordance with the transparency principle of [[Article 5 GDPR|Article 5(1)(a) GDPR]]. | Additionally, the desktop screenshots were reviewed manually by the university staff, thus, with no automated decision-making involved. Furthermore, the risk assessment performed by the controller showed that the use of the second camera did not increase the risk to the data subjects' rights and freedoms and there was no other effective measure to achieve the same purpose. Finally, the DPA considered that the information provided to data subjects was complete and in accordance with the transparency principle of [[Article 5 GDPR|Article 5(1)(a) GDPR]]. | ||
In conclusion, the DPA held that no violation | In conclusion, the DPA held that no violation had occurred in the present case and dismissed the complaints. | ||
== Comment == | == Comment == |
Latest revision as of 10:35, 13 December 2023
AEPD - AI-00086-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(c) GDPR Article 6(1)(e) GDPR Organic Law of Universities (Ley Orgánica de Universidades) |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | |
Published: | 28.12.2022 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | AI-00086-2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Michelle Ayora |
The Spanish DPA dismissed several complaints against a university regarding the use of laptop cameras to verify the identity of students during online exams. The DPA took into account the legal basis, the risk assessments performed by the controller and the information provided to data subjects.
English Summary
Facts
Universidad Internacional de La Rioja (the controller) allegedly used facial recognition programmes to confirm the identity of students (data subjects) taking online exams during the Covid-19 pandemic. The controller used an IT tool from Smowl Tech (the processor) which had to be installed on the data subjects' devices. This app used the front camera to register the data subject's face while taking the exam, but it also captured the computer’s desktop. An additional camera had ot be installed on the students’ devices, as a mandatory condition to sit an exam. The second camera captured the data subject's work environment, focusing on their hands, body and work screens. A failure to install and use these cameras would result in failing the exam.
A Students’ Association, 11 individuals and several other associations submitted complaints to the Spanish DPA against the controller's prcoessing activities. The complaints regarding the second camera sustained that it was disproportionate since it could also capture third parties. Regarding the software, the consent required was not valid because students who had a high-risk profile for Covid-19 did not have a choice. Others argued that the controller did not have a legitimate interest in obliging data subjects to install a software on their devices where they keep their agendas, bank apps, private communications, keywords, etc.
The controller claimed that none of the cameras used facial recognition techniques (which was supported with an attestation of the processor as evidence). Thus, consent was not mandatory as a legal basis but ‘necessity for the performance of a task carried out in the public interest conferred by the national law of Universities (Ley Orgánica de Universidades). The controller denied that any software was installed for the use of the second camera on the data subject's devices. Furthermore, the software installed for the frontal camera did not access data subjects' personal information unless they showed the data on their screen when the desktop was recorded. However, the controller provided data subjects with the information that screenshots taken by the tool were taken if the data subject accessed a tab not compatible with the exam. These screenshots were evaluated by the controller and deleted in case that no fraud was found. The controller also applied a variety of technical and organisational measures: a proportionality test, assessment of the security provided by the processor, implementation of the principles of privacy by design and default, risk assessments, and DPIAs.
Holding
Firstly, the Spanish DPA recalled that facial recognition systems use biometric data, which constitutes sensitive personal data under Article 9(1) GDPR. However, the DPA held that, in the present case, no sensitive data had been processed by the controller. The DPA accepted as evidence the certificate signed by the processor, confirming that the controller did not process biometric data. Furthermore, the DPA stated that it was important to differentiate between the collection of desktop screenshots or their review by professional staff and the use of facial recognition techniques which use biometric software to verify the identity of a person. The DPA agreed that the legal basis for verification of identity during exams was not consent but rather the processing was necessary for the performance of a task carried out in the public interest (Article 6(1)(e) GDPR), in this case university education.
Secondly, the DPA confirmed that the software installed for the use of the front camera and the desktop does did not access data subject's personal data unless the data subject's manifestly showed it during an exam.
Thirdly, the DPA also confirmed that there was no installation of software for the activation of the second camera. Rather, access to this camera by the controller happened through an URL which requested permission from the data subject first.
Additionally, the desktop screenshots were reviewed manually by the university staff, thus, with no automated decision-making involved. Furthermore, the risk assessment performed by the controller showed that the use of the second camera did not increase the risk to the data subjects' rights and freedoms and there was no other effective measure to achieve the same purpose. Finally, the DPA considered that the information provided to data subjects was complete and in accordance with the transparency principle of Article 5(1)(a) GDPR.
In conclusion, the DPA held that no violation had occurred in the present case and dismissed the complaints.
Comment
There are two previous resolutions by the Spanish DPA related to this case: E-08977/2021 and E-05454/2021. The latter also gave rise to the expert Opinion 0036/2020. In those proceedings and opinion, an analysis by the Spanish DPA was already conducted regarding the use of facial recognition techniques and the installation of software in the students’ computers with surveillance purposes in remote exams. Thus, the present case is about a new measure required by the controller: the installation of a second camera (in addition to the screen one) to focus on the student’s hands and surroundings.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/28 File No.: EXP202200367 RESOLUTION OF ACTIONS FILE Of the actions carried out by the Spanish Agency for Data Protection and based on the following: FACTS FIRST: Between December 10, 2021 and March 9, 2022, the received at the Spanish Agency for Data Protection, the claims sent by the UNIR STUDENTS ASSOCIATION and 11 people and associations referenced in Annex 0. The claims are directed against the UNIVERSITY INTERNACIONAL DE LA RIOJA with NIF A26430439 (hereinafter, the party claimed or JOIN). The reasons on which the claim is based are the following: Certain aspects of the processing of personal data that lead to out UNIR, in order to confirm the identity of the students who are going to carry out exams online to prevent the spread of Covid-19. Saying The treatment is carried out using a computer tool that students must installed on your computer, provided by the SMOWL vendor (the tool is called SMOWLTECH). This application makes use of the front web camera to record the image of the student while taking their exam, and also captures the actions they performed at the desk, with the keyboard and mouse. the tool too includes the use of facial recognition algorithms to determine if the person who had registered for the test and had provided their document identification was, indeed, the one who was doing it. under the procedure E/08977/2021, the university assured that it would not make use of the aforementioned facial recognition algorithms, and would replace them with a manual review process performed by center staff. Although, said facial treatment was already the subject of past claims, filed with the Agency by some of those affected, in the writings received in On this occasion, a novelty presented by the university for the call corresponding to February 2022. According to the claimants, the has incorporated a mandatory requirement that test takers install a second camera, in addition to the frontal one that was already being used, forcing Said camera focuses on the student's environment, and his two hands, his body and its work screens, so that it is clearly seen what is doing. Failure to do so, and as reported, the student will obtain the zero score on the exam, which may lead to the loss of the evaluation keep going. Those affected consider that this practice is not proportionate and intrusive, and does not respect the rights of students to the protection of their data or their privacy (or that of family members who are recorded during the test). some have quoted or attached this Agency's response to a query on the use of surveillance technologies of the student's environment ("360º review"), and others attach C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/28 copy of the resolution of the University of Granada, of May 4, 2020, against of the requirement of the second chamber for the evaluation. One of the teachers of the University has transmitted to an affected person the information that it would have been the ANECA (National Agency for Quality Assessment and Accreditation) which would have authorized or given its approval to the requirement. Some affected also question that consent to such treatment The data collected in this way is truly free, since students with a risk profile They do not have the option of taking the exam in person. Therefore, the consent would not be a valid legal basis for consent. Others insist that the The university also does not have a legal basis to force its students to install "software" that allows access to their computers, where their agenda, banking applications, private messages, passwords, etc. From the detailed analysis of each of the claims received, it is worth stand out: Claim 1 provides the "Student Manual - Exams" prepared by UNIR with the instructions to be able to take the exam online, distributed among the students and with details about the operation of the applications to be installed and the technical requirements to be met. Complaint 2 provides a piece of news published in the press with the headline “The UGR prohibits professors from asking students for two cameras in the online exams” (https://www.ideal.es/miugr/prohibe-profesores-pedir- chambers-students-20210118122657-nt.html). It states that the UGR issued a resolution in May 2020 prohibiting proctoring and regulating as proceed in videoconferences. After consulting this resolution it can be deduced that: Yo. The UGR prohibits the use of proctoring tools in the evaluation not face-to-face, not allowing the use of biometric techniques or face recognition. ii. The identification of the students is carried out through the exhibition of the DNI or any other valid document. iii. Oral tests are recorded to guarantee the right of review for the time strictly necessary. iv. Videoconference systems are used for the correct development of the test, follow-up and identification of the student body. In this case recording is not necessary. It is indicated that the videoconference implies a violation of personal privacy or intrusion residence, in the well-understood judgment of proportionality that guarantees such rights in the face of the public interest needs of verification of student learning. The teaching staff must notify the student body to organize the development of the test way that does not interfere with your exclusively domestic environment. Complaint 3 denounces that UNIR is not respecting the resolution of July 27 on the use of biometric techniques and facial recognition, the existing intrusion is also denounced by demanding the use of a student's own device to activate the second camera surveillance, assuming this is a violation of the right to privacy of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/28 use of this device could cause a data breach breach personal data stored on device. In Complaint 4, Complaint 5 and Complaint 6, the denounces the invasion of privacy that the use of the second security camera using a student's own device, and the recording of the home space of the students during all the time of the examination, violating this the right to privacy. In Complaint 7, the following is reported: Yo. That in the registration that the student signs at the beginning of the course only the following is specified: “students must have a webcam and audio to be able to adequately carry out the defenses end-of-degree and end-of-master's projects online", but it was never specifies nothing about the existence of the second chamber and the need to use a second device belonging to the students. ii. An annex is provided in this claim with the document sent by UNIR to students about the recommendations and guidelines to follow for the correct completion of the online exams, the analysis of this annex is extracted: a) They recommend disabling the antivirus to prevent it from being blocked the monitoring program. b) Indicate that the test should be performed in a closed instance. The student must be alone in the room. The front camera must focus on the student and the access door to the extent possible. The student is the guarantor that there will be no interruptions from other people. In case of alteration of environmental conditions, teachers will assess the impact on the evaluation. c) At all times the monitoring of the desk, cameras and microphone. The deactivation, disconnection or blurring or loss of significant visibility may trigger an incident or alert. during the exam it is mandatory: Have at all times active the monitoring of the desk. Keep both cameras active throughout the exam and placed so that the student can be seen and identified. d) The device used as a second camera must have internet connection and focus the environment, being visible the two hands, body and work screen. are contributed in this document some images example of what should be pick up by the second camera. iii. Another annex is also provided in this claim with a communication sent by the rector of UNIR to all students in relation to the modalities of conducting examinations, of the Analysis of this document extracts the following paragraphs: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/28 a) "For the online modality, support systems will be used for supervision who have been elected after ensuring compliance of all the requirements of the GDPR, Law 3/2018, and prior thorough verification of compliance with the AEPD recommendations. All legal documentation that endorses this decision is available to any student: Analysis of the pronouncements and recommendations of different protection control authorities of data. Judgment of constitutional proportionality. Impact assessment and risk analysis. Contractual guarantee of the privacy of the data of the students. Guarantee of the principle of information.” b) “The supervision support system captures images and sound of the student and environment, but does not access any information of your computer equipment, unless it is shown in the screen." c) “Students can choose the modality that best suits them. adapt to your personal and particular situation (face-to-face and online). Both modalities are developed within the respect of the legal and constitutional framework and both guarantee a system of effective and rigorous assessment commensurate with academic prestige of our institution and that of the titles we issue.” iv. An annex is also provided in this claim with the response sent by the General Subdirectorate of Promotions and Authorizations to a query raised by this same CLAIMANT, and with entry registration number O00007128e21000XXXX. From the analysis The following paragraph stands out from this answer: a) “Likewise and responding to your concern if the surveillance of the student's environment or 360 review of the home in which the test is performed could be disproportionate, given that third parties or showing personal elements outside the objective of the own assessment test and who could provide information about the privacy of the student or third parties, could understood as an interference in the privacy of the student and possible residents of the home and, therefore, a risk to the right to privacy and the inviolability of the domicile of the student. In Complaint 8, Complaint 9 and Complaint 10, it is repeated denounce the mandatory use of the second camera for exams of the February 2022 call, using a personal device of the student himself, causing the possibility of access to information personnel contained therein. In Complaint 11, the "Association of Students X the defense of the Fundamental Rights (HUXIR)” complaint: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/28 Yo. That the UNIR has ignored the warning resolution signed by the director of the AEPD on July 27, 2021 in relation to with the use of facial recognition. ii. That the exams that were being carried out at the time of putting the claim they were making use of the second camera through of an unaudited QR and that could expose sensitive data such as photos, bank accounts…etc. iii. They provide a screenshot of an explanatory tutorial that was carried out held on December 22, 2021, on the exams to be carried out and in the that the following phrase can be seen in one of the slides shown: "The biometric data is eliminated once the minutes are closed and the to definitive”. iv. An email sent by this association (HUXIR) to the Office of the University Ombudsman, requesting that he mediate to urge UNIR to suspend the use of the second chamber for calls for January and February 2022 since there is no legal framework covered by the AEPD. In Complaint 12, a UNIR student denounces the violation of their rights in the exams held in the call for February 2022 when violating what is indicated in the AEPD report 0036/2020 as well as well as the resolution of file E/05454/2021. Denounces that the UNIR has once again carried out biometric control in the February exams 2022. Yo. That, in the registration process for the examinations online, in the terms and conditions that the student had to accept (in prior to registration), the following was indicated verbatim: “obtaining through the images and audio of a model biometric characteristics of the user to be able to carry out the identification and subsequent checks on the identity of the user”. ii. That during the registration process photographs are taken both of the face like ID. iii. That the legal basis for the processing of personal data, in relation to the use of the second chamber, is based on the consent and that it cannot be given freely. iv. Provide screenshots of what was previously stated. In that of the association, HUXIR once again denounces that UNIR ignores of the resolution of the director of the AEPD of July 2021 when demanding the use of a second chamber for the exams from January to March, and ask the AEPD to intercede on his behalf before UNIR. It is also claimed that on February 2, 2022, it was exercised by a member of the association, the rights of access to your personal data before the responsible for treatment and that on the date of entry of this claim had not been answered. Finally, it is also worth highlighting the receipt, on May 13, 2022, of a letter sent (...), notifying the AEPD of the situation of defenselessness legal entity in which they were due to the actions undertaken by the other C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/28 HUXIR association, Association not recognized by UNIR students and that as they indicate, it was only supported by about 10 students. at this writing manifest themselves in favor of UNIR indicating that it has established a evaluation system that guarantees the quality and reliability of the test, which has the explicit endorsement of the vast majority of representatives students, and therefore greatly benefits all students, since it saves time and avoids stay and travel costs. That UNIR has informed of the implications of the use of the online evaluation, both of the facial recognition system, which finally was cancelled, as well as the use of the double camera. They have responded to all questions that have been raised, have produced documents with questions as well as various explanatory conferences on the evaluation system. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in forward LOPDGDD), said claim was transferred to the party claimed/ALIAS, to proceed with its analysis and inform this Agency in the period of one month, of the actions carried out to adapt to the requirements provided for in the data protection regulations. The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of October 1, of the Common Administrative Procedure of the Administrations Public (hereinafter, LPACAP), was collected on January 31, 2022, as It appears in the acknowledgment of receipt that is in the file. On February 16, 2022, this Agency received a written response stating, in summary, the following: a) They affirm that neither of the two chambers uses recognition techniques facial, they provide a SMOWLTECH certificate that also confirms it. b) They state that NO program is installed on the student's device to the use of the second camera. c) They state that by not using facial recognition techniques it is no longer It is necessary to obtain the consent of the student since this base does not apply of legitimation. The basis of legitimation is the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred by the Organic Law of Universities. That this same Agency affirmed, in its report 0036/2020, that this treatment was covered by article 6.1.e) of the GDPR. d) They affirm that the software installed on the equipment never accesses information personal information of the interested party, unless the student himself accesses this data displaying them on the screen while performing the test, since the software capture the desktop. However, they indicate that UNIR has informed the students about this circumstance. If the student, during the test, You access a window where information that is not compatible with the test you perform, the software takes screenshots that C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/28 They are subsequently evaluated by UNIR personnel, and in the event that they do not certifies that the student has carried out fraudulent practices, they will be eliminated. e) The guarantees applied to protect the rights and freedoms of interested are: a. Realization of proportionality trial. b. Ensure an adequate level of security by the person in charge of SMOWL treatment. c. Guarantee privacy by default and by design. d. Carrying out the corresponding risk analyzes and evaluations of impact. and. Guarantee the principle of information regarding the protection of data. f) Indicate that the impact assessment and risk analysis have already been provided in response to the claim in file E/05454/2021 and E/08977/2021. g) UNIR considers that the online evaluation system implemented does not affect differently from the processing of personal data, with regardless of whether the system has an additional device. In Specifically, the requirements for the use of the double chamber imply: a. The device has an Internet connection and has sufficient battery. b. It must focus on the environment, being visible: Yo. The two hands and body of the person concerned. You don't have to get the face of the person concerned. ii. The work screen. Regarding the statement made in section f) above, after analyzing documents relating to risk analysis and impact assessment, are check that the use of the second camera used by the customer is not included student device. THIRD: On February 24, 2022, in accordance with article 65 of the LOPDGDD, the claim presented by the claimant party was admitted for processing. FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in matter, by virtue of the functions assigned to the control authorities in the article 57.1 and the powers granted in article 58.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following extremes: The antecedents that appear in the information systems are the following: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/28 1. In relation to file E/05454/2021, the following took place performances: a. After several claims presented in the AEPD on the use of biometric and facial recognition techniques by UNIR, such as responsible for processing personal data, on May 14 of 2021, this person in charge is notified who answers saying that the The measure used was weighted, not only not causing harm to the protection of personal data but certifying that the evaluation tests were carried out in optimal conditions. They justified that there were no alternative measures that guaranteed the result pursued with equal effectiveness. They also indicated that there was carried out impact evaluation, concluding this with a low risk about the treatments carried out. They claimed that the measure was not disproportionate, but ideal, to achieve the purpose pursued. All of this without prejudice to the fact that, if the AEPD considered that the erroneous in the analysis, the use of the system will cease immediately valuation object. In the response to this transfer, UNIR attached: Yo. The trial of proportionality ii. The contract with the treatment manager (SMOWLTECH) iii. Impact Evaluation iv. The security measures of the person in charge of treatment. b. However, on June 14, 2021, a new letter was received by UNIR providing certification of deactivation of facial recognition for student monitoring. c. On July 27, 2021, the director of the Spanish Agency for Data Protection dictates resolution with a warning to the entity claimed to adopt corrective measures aimed at prevent the planned treatment from implying a possible breach of data protection law. 2. In relation to file E/08977/2021, which originates from a claim presented in this Agency, it is transferred to the UNIR that Then answer by providing the following information: a. They affirm that UNIR DOES NOT carry out an online evaluation system based on the use of facial recognition techniques, having been is removed and replaced by a manual recognition system. A document delivered to ANECA is provided as an annex where the describes the evaluation system carried out by UNIR, which is based on SMOWLTECH software and following the following pattern of functioning: Yo. Student registration process, images of the face are taken of the student and ID. ii. During the exam, artificial intelligence is applied for the object detection, but never personal data. Are Images are stored for later manual comparison. iii. Given the alerts issued by the artificial intelligence system, Manual review of the images is performed. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/28 3. In relation to this file, it is also worth highlighting the report 0036/2020 of this Agency on issues related to the use of techniques of Facial recognition in online assessment tests. FIFTH: After the receipt of this letter by UNIR, it is received in this Agency new claims that provided new data to this investigation, deciding then to make a new request for information to the UNIR controller, on April 27, 2022, in accordance with the following line of research: a) Know the updated risk analysis including the use of the second camera, as well as the pertinent update of the evaluation of impact. b) Know more details about the software that is activated by scanning the QR code of the second camera on the student's device. c) Clarification on the conditions that the student must accept in the moment of registration of the SMOWLTECH software, prior to the realization of exams. Since, as evidenced by the content provided in one of the claims received, among the conditions that the student had to accept were indicated that the legitimacy was based on the consent of the user and that biometric models were made for identity checks, all this was accredited with screenshots attached to the claim received. On May 17, 2022, a response to the previous request was received by part of UNIR, from its analysis the following is extracted: a) They provide the updated risk analysis with the use of the second chamber, concluding the same with a risk classified as ACCEPTABLE, following for this the tools of the AEPD (Evalua-Risk RGPD and Manage EIPD). From this risk analysis, the following is extracted for the present investigation: Yo. Special categories of data are not processed. ii. They do not apply facial recognition technique. iii. They do not use immature or newly created technologies. iv. Consent is not applicable, the basis that legitimizes the processing is in the public interest arising from article 6.1.e) of the GDPR, authorized by article 46.3 of the LOU. v. The corresponding weighting judgment has been carried out and proportionality. saw. They affirm that the interested parties are duly informed at the time registration, as well as in the Student Manual. In turn, if in the images appear to be a third party, they will be deleted or, In the case that affects the qualifications, a record will be drawn up of what happened and will be removed. vii. They claim that all evidence collected by the software is subject to personal review by qualified personnel. The employees sign the corresponding Manual of Functions and C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/28 Obligations, as well as receive specific training in matters of data protection to avoid breaches of confidentiality. viii. We have proceeded to the correct formalization of the commission contract of treatment, having a protocol for the selection and recruitment of treatment managers. b) The risk resulting from the impact assessment, updated including the use of the second chamber, is LOW. From it is extracted as relevant data for this research: Yo. To guarantee privacy by default and by design, as well as the principle of active responsibility, affirm that the treatment will be subject to a continuous review process and improvement system constant, carrying out ordinary revisions (every year academic for ordinary calls), and revisions extraordinary in case of substantial variation in the treatment of personal data, such as changes in applied technology, new purposes, new data…etc. c) In relation to the operation of the QR code on the student's device, indicate that when it is scanned, it is referred to a SMOWL URL that requests permission to access the camera, without involving the installation of any programs or software on the student's device. the capture of Images of this second camera is made from the web. The flow of information is as follows: Yo. QR is scanned and the camera is accessed from the URL itself. ii. Student activity is monitored by sending images periodic. iii. In Smowltech the images are analyzed (automatically) received to detect possible fraudulent objects in the environment. In If possible fraud is detected, an alert is raised that must be checked manually by a qualified person. iv. Decisions are not made automatically and without the manual intervention of a qualified person. d) They send, attached to the response to the request, an explanatory video of the use of the second camera with a complete step by step description of everything the process. e) In relation to the information provided in one of the claims, where attached several screenshots of the moment of registration of a student in the SMOWLTECH application (prerequisite for the completion of the exams), and from which one could read: Yo. On the one hand, one of the screens shown indicated that the legitimacy for the processing of personal data was based with the student's own consent. - Regarding this point, UNIR answers that this information is wrong and should not be displayed on the screen of the student, and that, after learning of this fact, "since UNIR contacted SMOWL and requested the elimination of this section, as it is not a faithful reflection of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/28 evaluation process of our students, and suffers from inconsistencies that do not coincide with reality”. attached SMOWL certificate where they guarantee that they have proceeded to solve this error. ii. On the other hand, in another of the screenshots a text appeared where the student was told that biometric models would be made for identity checks - Regarding this other point, UNIR answers that after having knowledge of this, SMOWL has been requested to verification and certification that, as indicated in its At the moment, biometric data is not processed. They provide a new SMOWL certificate certifying that they are not perform such treatments. Regarding the video provided according to section d) above, after its analysis there is evidence that there is no software application installation on the user's device student. Regarding the confirmations given by UNIR in section e) above, and after analyzing the certificates provided according to points i) and ii), the veracity and authenticity of the same, being verified that: 1. The SMOWLTECH software error is corrected, eliminating the section of the registration screen where it was indicated textually that "the legitimacy for the processing of personal data was based on the consent of the individual Username". 2. Despite the message that was displayed on the screen by mistake, JOIN does not perform biometric data processing or facial recognition techniques. With respect to the above, it is necessary to differentiate between the capture of images of the student's face for storage and later manual review (by qualified personnel), and the use of facial recognition techniques, based on these latest in the use of biometric software to map facial features and create facial prints that could later be compared using algorithms specific to verify the identity of a person. FUNDAMENTALS OF LAW Yo Competence In accordance with the functions that article 57.1 a), f) and h) of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) conferred on each control authority and according to the provisions of articles 47 and 48.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), is competent to resolve these investigative actions the Director of the Spanish Agency for Data Protection. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/28 Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with character subsidiary, by the general rules on administrative procedures." II Processing of special categories of personal data Article 9 of the GDPR, which regulates the treatment of special categories of personal data, establishes the following: "1. The processing of personal data that reveals the origin ethnic or racial opinion, political opinions, religious or philosophical convictions, or union affiliation, and the processing of genetic data, biometric data aimed at uniquely identify a natural person, data relating to health or data relating to the sexual life or sexual orientation of a natural person. 2. Section 1 shall not apply when one of the following conditions occurs: following circumstances: a) the interested party gave his explicit consent for the treatment of said personal data for one or more of the specified purposes, except where the Law of the Union or of the Member States establishes that the prohibition mentioned in section 1 cannot be lifted by the interested party; b) the treatment is necessary for the fulfillment of obligations and the exercise of specific rights of the data controller or the data subject the field of labor law and social security and protection, to the extent that that is authorized by the law of the Union or of the Member States or an agreement group under the law of the Member States that establishes guarantees measures of respect for the fundamental rights and interests of the interested; c) the processing is necessary to protect vital interests of the data subject or of another natural person, in the event that the interested party is not capable, physically or legally, to give consent; d) the treatment is carried out, within the scope of its legitimate activities and with due guarantees, by a foundation, an association or any other body non-profit, whose purpose is political, philosophical, religious or trade union, always that the treatment refers exclusively to current or former members of such bodies or persons who maintain regular contact with them in in relation to its purposes and as long as the personal data is not communicated outside of them without the consent of the interested parties; e) the treatment refers to personal data that the interested party has made manifestly public; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/28 f) the treatment is necessary for the formulation, exercise or defense of claims or when the courts act in the exercise of their judicial function; g) the processing is necessary for reasons of essential public interest, especially the basis of Union or Member State law, which must be proportional to the objective pursued, essentially respecting the right to protection of data and establish adequate and specific measures to protect the interests and fundamental rights of the interested party; h) the treatment is necessary for preventive or occupational medicine purposes, evaluation of the worker's work capacity, medical diagnosis, provision of healthcare or social assistance or treatment, or management of systems and services of health and social care, on the basis of Union law or of the Member States or under a contract with a healthcare professional and without prejudice to the conditions and guarantees contemplated in section 3; i) the processing is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border threats to health, or to guarantee high levels of quality and safety of care health and medicines or health products, on the basis of the Law of of the Union or of the Member States establishing appropriate and specific measures to protect the rights and freedoms of the interested party, in particular the secrecy professional; j) the processing is necessary for purposes of archiving in the public interest, purposes of scientific or historical research or statistical purposes, in accordance with article 89(1), on the basis of Union or Member State law, which must be proportional to the objective pursued, essentially respect the right to data protection and establish adequate and specific measures to protect the interests and fundamental rights of the interested party. 3. The personal data referred to in section 1 may be processed at the purposes mentioned in section 2, letter h), when their treatment is carried out by a professional subject to the obligation of professional secrecy, or under his responsibility, of accordance with the law of the Union or of the Member States or with the rules established by the competent national bodies, or by any other person also subject to the obligation of secrecy in accordance with Union law or Member States or rules laid down by national bodies competent. 4. Member States may maintain or introduce conditions additional information, including limitations, regarding the processing of genetic data, biometric data or data relating to health." II Principles relating to treatment Letter a) and c) of article 5.1 of the GDPR advocates: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/28 "1. Personal data will be: a) treated in a lawful, loyal and transparent manner in relation to the interested party ("lawfulness, loyalty and transparency"); (…) c) adequate, pertinent and limited to what is necessary in relation to the purposes for those who are processed ("data minimization");" Article 6 of the GDPR, in its section 1, referring to the legality of the treatment sets the following: "one. Processing will only be lawful if at least one of the following is fulfilled conditions: a) the interested party gave his consent for the processing of his data personal for one or more specific purposes; b) the processing is necessary for the performance of a contract in which the interested party or for the application at the request of this of measures pre-contractual; c) the processing is necessary for compliance with a legal obligation applicable to the data controller; d) the processing is necessary to protect vital interests of the data subject or of another physical person; e) the treatment is necessary for the fulfillment of a mission carried out in public interest or in the exercise of public powers vested in the person responsible for the treatment; f) the processing is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that such interests do not outweigh the interests or rights and freedoms of the interested party that require the protection of personal data, in particularly when the interested party is a child. The provisions of letter f) of the first paragraph shall not apply to the treatment carried out by public authorities in the exercise of their functions.” IV. Facts denounced The claims are specified in that, during the exams of the month of February February 2022, UNIR established an identification system through a tool computer hardware, which students have to install, and uses recognition algorithms face lie. Since, in the indicated exams, the UNIR forced the students to insti- cut a second camera that focused on the student's environment. They understand that the treatment performed is not proportionate and is highly intrusive since it can lead to bar even to the relatives of the students. They also consider that consent does not It is free since students with high health risk cannot attend an exam face-to-face On the use of facial recognition techniques, after verifying authenticity of the certificate provided by the SMOWL company, it is verified that special categories of data are not processed and techniques of face recognition. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/28 After verifying the authenticity of the certificates provided by the company SMOWL, it is verified that the information that was provided has been eliminated (for error) in the student registration process in the system, specifically the information error provided on the basis of legitimation and on the storage of models biometric. The basis of legitimacy of the treatment is not consent, but rather it is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller, the UNIR It is also verified that UNIR does not store biometric models. Likewise, it has been verified that no software is installed on the user's device. student, access to the device's camera is done from a URL that requests prior permission to access it. This second chamber has as its only purpose of capturing images of the environment and sending them to the person in charge of treatment, and in If possible fraud is detected, an alert is activated that is reviewed manually by qualified personnel, so that automatic decisions are never made in relation to the images captured by either of the two cameras. With respect to software installed on the student's computer, the principal The goal of this is to capture the desktop and make use of the front camera, so it doesn't no other personal information stored on the device itself is accessed, unless the student shows it on the screen while the test is being carried out. Prior to treatment, UNIR updated the Impact Assessment to analyze and include the risks added by the use of the second camera in the evaluation systems, determining that the use of a second camera does not involves an additional risk that may further affect the rights and freedoms of those affected. In it, the corresponding judgment of weighting and proportionality with respect to the inclusion of the second chamber, concluding that the measure is necessary and weighted because it derives from it more benefits or advantages for the general interest that damages other goods or values in conflict, there being no other more weighted measure for the achievement of the purpose equally effectively. Complete information is offered to the student at the time of registration in the SMOWLTECH application, and prior to carrying out the tests, in concrete, adequate information is transmitted about: a. Responsible for treatment and delegate of data protection. b. Purpose of the treatment and applicable legitimation bases. c. Rights of the interested parties. d. Periods of conservation of the information, origin, recipients and on international transfers. and. About data security. V Conclution C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/28 Therefore, based on what is indicated in the previous paragraphs, no found evidence that proves the existence of infringement in the field jurisdiction of the Spanish Data Protection Agency. Thus, in accordance with what has been indicated, by the Director of the Spanish Agency for Data Protection, HE REMEMBERS: FIRST: PROCEED TO THE ARCHIVE of the present actions. SECOND: NOTIFY this resolution to the INTERNATIONAL UNIVERSITY DE LA RIOJA with all the annexes, and to each claimant, the resolution and the annex corresponding to your data. In accordance with the provisions of article 50 of the LOPDGDD, the This Resolution will be made public once the interested parties have been notified. Against this resolution, which puts an end to the administrative process as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Procedure Common Administrative Board of Public Administrations, and in accordance with the established in the arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, the Interested parties may optionally file an appeal for reversal before the Director of the Spanish Agency for Data Protection within a period of one month from count from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. 940-110422 Mar Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/28 ANNEX 0 A.A.A. (hereinafter claimant 1). B.B.B. (hereinafter claimant 2). C.C.C. (hereinafter claimant 3). D.D.D. (hereinafter claimant 4). E.E.E. (hereinafter claimant 5). F.F.F. and D.D.D. (hereinafter claimants 6). B.B.B. (hereinafter claimant 7). G.G.G. (hereinafter claimant 8). H.H.H. (hereinafter claimant 9). I.I.I. *** CHARGE.1 (hereinafter claimant 10). J.J.J. *** CHARGE.2 (hereinafter claimant 11). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/28 ANNEX I A.A.A. (hereinafter claimant 1). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 19/28 ANNEX II B.B.B. (hereinafter claimant 2). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 20/28 ANNEX III C.C.C. (hereinafter claimant 3). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 21/28 ANNEX IV D.D.D. (hereinafter claimant 4). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 22/28 ANNEX V E.E.E. (hereinafter claimant 5). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 23/28 ANNEX VI F.F.F. and D.D.D. (hereinafter claimants 6). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 24/28 ANNEX VII B.B.B. (hereinafter claimant 7). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 25/28 ANNEX VIII G.G.G. (hereinafter claimant 8). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 26/28 ANNEX IX H.H.H. (hereinafter claimant 9). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 27/28 ANNEX X I.I.I. *** CHARGE.1 (hereinafter claimant 10). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 28/28 ANNEX XI J.J.J. *** CHARGE.2 (hereinafter claimant 11). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es