APDCAT (Catalonia) - PS 41/2022: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color= |DPAlogo=Apdcat-logo.png |DPA_Abbrevation=APDCAT |DPA_With_Country=APDCAT (Catalonia) |Case_Number_Name=PS 41/2022 |ECLI=...")
 
m (Fixed link)
 
(7 intermediate revisions by 4 users not shown)
Line 11: Line 11:


|Original_Source_Name_1=APDCAT
|Original_Source_Name_1=APDCAT
|Original_Source_Link_1=https://gdprhub.eu/images/6/66/Resoluci%25C3%25B3n_APDCat_-_UOC.pdf
|Original_Source_Link_1=https://gdprhub.eu/images/6/66/Resolución_APDCat_-_UOC.pdf
|Original_Source_Language_1=Catalan, Valencian
|Original_Source_Language_1=Catalan, Valencian
|Original_Source_Language__Code_1=CA
|Original_Source_Language__Code_1=CA
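Review bot: The new Original_Source_Link_1 value puts a raw "ó" in the URL path where the old value had the double-encoded "%25C3%25B3". The double encoding was the actual defect, since "%25" is itself an encoded "%". Encoding the character once, as "Resoluci%C3%B3n_APDCat_-_UOC.pdf", would keep the link ASCII-only and stable when it is copied into tools that do not handle non-ASCII URLs.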
Line 63: Line 63:
}}
}}


The Spanish DPA considered the use of facial recognition systems to prevent fraud in online university examinations to be disproportionate. It imposed the data controller a fine of €20.000,00 for violating Articles 5(1)(a) and 9 GDPR .
The Catalan DPA considered the use of facial recognition systems to prevent fraud in online university examinations to be disproportionate. It imposed the controller a fine of €20,000 for violating [[Article 5 GDPR#1a|Articles 5(1)(a)]] and [[Article 9 GDPR|9 GDPR]].


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The Universitat Oberta de Catalunya (the data controller) adopted a facial recognition system to verify the identity of students before they took online exams. The system captured the image of the students' faces to compare them with the photos on their identity cards and thus allow them to take the exam. Students who refused to do so were considered as 'absentees'. One of the students (the data subject) filed a complaint with the Catalan DPA, which launched an investigation. In response, the data controller claimed that the data collected was not sensitive data according to Opinion 3/2012 of the Article 29 Working Party. It also argued that the processing of such data was necessary for the performance of the contract (university enrollment) and based on its legitimate interest of preventing academic fraud.  During the procedures, the DPA verified that a total of 31.501 students had to use the facial recognition technology in order to be allowed to take the exams.
The Universitat Oberta de Catalunya (the controller) adopted a facial recognition system to verify the identity of students before they took online exams. The system captured the image of the students' faces to compare them with the photos on their identity cards and thus allow them to take the exam. Students who refused to do so were considered as 'absentees'.  
 
One of the students (the data subject) filed a complaint with the Catalan DPA, which launched an investigation. In response, the controller claimed that the data collected was not sensitive data according to [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp193_en.pdf Opinion 3/2012 of the Article 29 Working Party]. It also argued that the processing of such data was necessary for the performance of the contract (university enrollment) and based on its legitimate interest of preventing academic fraud.  During the procedures, the DPA verified that a total of 31,501 students had to use the facial recognition technology in order to be allowed to take the exams.


=== Holding ===
=== Holding ===
The DPA highlighted that [[Article 4 GDPR#14|Article 4(14) GDPR]] defines biometric data as 'personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data'. This definition excludes the application of Opinion 3/2012 of the Article 29 Working Party, which predates the GDPR and is therefore outdated. In the DPA's view, this is sensitive data under [[Article 9 GDPR#1|Article 9(1) GDPR]] and, as such, could only be processed for identification or authentication purposes in exceptional situations. However, the data controller did not provided any of the exceptions provided for by Article 9(2). Moreover, as no genuine alternative was offered to students, any consent obtained is invalid. While acknowledging that facial recognition technology could be an effective means of preventing academic fraud, the DPA stated that there were other less intrusive and equally effective measures available to prevent fraud. For this reason, its implementation was considered disproportionate. On such grounds, the DPA found a violation of Articles 5(1)(a) and 9 GDPR and imposed a fine €20.000,00.
The DPA highlighted that [[Article 4 GDPR#14|Article 4(14) GDPR]] defines biometric data as 'personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data'. This definition excludes the application of [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp193_en.pdf Opinion 3/2012 of the Article 29 Working Party], which predates the GDPR and is therefore outdated. In the DPA's view, this is a special category of data under [[Article 9 GDPR#1|Article 9(1) GDPR]] and, as such, could only be processed for identification or authentication purposes in exceptional situations. However, the controller did not substantiate any of the exceptions provided for by [[Article 9 GDPR#2|Article 9(2)]]. Moreover, as no genuine alternative was offered to students, any consent obtained from them was invalid. While acknowledging that facial recognition technology could be an effective means of preventing academic fraud, the DPA stated that there were other less intrusive and equally effective measures available to prevent fraud. For this reason, its implementation was considered disproportionate. On such grounds, the DPA found a violation of [[Article 5 GDPR#1a|Articles 5(1)(a)]] and [[Article 9 GDPR|9 GDPR]] and imposed a fine €20,000.


== Comment ==
== Comment ==
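Review bot: The last sentence of the revised Holding paragraph still reads "imposed a fine €20,000", without the "of"; suggest "imposed a fine of €20,000". The revised lead sentence has a similar slip in "imposed the controller a fine", which wants "imposed on the controller a fine". The revised Facts paragraph also keeps the double space before "During the procedures".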

Latest revision as of 14:23, 17 October 2024

APDCAT - PS 41/2022
Authority: APDCAT (Catalonia)
Jurisdiction: Spain
Relevant Law: Article 5(1)(a) GDPR
Article 9 GDPR
Type: Complaint
Outcome: Upheld
Started: 04.11.2021
Decided:
Published:
Fine: 20.000 EUR
Parties: Universitat Oberta de Catalunya
National Case Number/Name: PS 41/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Catalan, Valencian
Original Source: APDCAT (in CA)
Initial Contributor: Bernardo Armentano

The Catalan DPA considered the use of facial recognition systems to prevent fraud in online university examinations to be disproportionate. It imposed on the controller a fine of €20,000 for violating Articles 5(1)(a) and 9 GDPR.

English Summary

Facts

The Universitat Oberta de Catalunya (the controller) adopted a facial recognition system to verify the identity of students before they took online exams. The system captured images of the students' faces and compared them with the photos on their identity cards before allowing the students to take the exam. Students who refused to do so were considered 'absentees'.

One of the students (the data subject) filed a complaint with the Catalan DPA, which launched an investigation. In response, the controller claimed that the data collected was not sensitive data according to Opinion 3/2012 of the Article 29 Working Party. It also argued that the processing of such data was necessary for the performance of the contract (university enrollment) and based on its legitimate interest in preventing academic fraud. During the proceedings, the DPA verified that a total of 31,501 students had to use the facial recognition technology in order to be allowed to take the exams.

Holding

The DPA highlighted that Article 4(14) GDPR defines biometric data as 'personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data'. This definition excludes the application of Opinion 3/2012 of the Article 29 Working Party, which predates the GDPR and is therefore outdated. In the DPA's view, the data at issue is a special category of data under Article 9(1) GDPR and, as such, could only be processed for identification or authentication purposes in exceptional situations. However, the controller did not substantiate any of the exceptions provided for by Article 9(2). Moreover, as no genuine alternative was offered to students, any consent obtained from them was invalid. While acknowledging that facial recognition technology could be an effective means of preventing academic fraud, the DPA stated that there were other less intrusive and equally effective measures available to prevent fraud. For this reason, its implementation was considered disproportionate. On these grounds, the DPA found a violation of Articles 5(1)(a) and 9 GDPR and imposed a fine of €20,000.

English Machine Translation of the Decision

The decision below is a machine translation of the Catalan, Valencian original. Please refer to the Catalan, Valencian original for more details.