APDCAT (Catalonia) - PS 49/2019: Difference between revisions
No edit summary |
No edit summary |
||
Line 64: | Line 64: | ||
The school asked for the explicit consent of the parents of the students. In case a parent would not consent, the attendance data would be gathered manually, instead of via this system. | The school asked for the explicit consent of the parents of the students. In case a parent would not consent, the attendance data would be gathered manually, instead of via this system. | ||
The system was provided by a third party, the processor, with which they had not subscribed a processing agreement. | The system was provided by a third party, the processor, with which they had not subscribed a processing agreement. Also, the school could not prove that they had properly fulfilled the parents' right to be informed. | ||
Additionally, the school stopped using this system when the APDCAT launched their investigation. | Additionally, the school stopped using this system when the APDCAT launched their investigation. | ||
Line 72: | Line 72: | ||
===Holding=== | ===Holding=== | ||
The APDCAT held that | |||
==Comment== | ==Comment== |
Revision as of 10:18, 30 March 2021
APDCAT - PS 49/2019 | |
---|---|
Authority: | APDCAT (Catalonia) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(a) GDPR Article 9 GDPR Article 13 GDPR Article 28 GDPR |
Type: | Investigation |
Outcome: | Violation found |
Started: | |
Decided: | |
Published: | 02.03.2020 |
Fine: | None |
Parties: | Institut Enric Borràs de Badalona |
National Case Number/Name: | PS 49/2019 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Catalan |
Original Source: | APDCAT decision (in CA) |
Initial Contributor: | n/a |
The Catalan DPA (APDCAT) warned a public school for using biometric data (fingerprint and facial recognition system) to control the attendance of the students.
English Summary
Facts
A public school in Badalona installed a system for controlling the students attendance that used biometric data, including collection of fingerprints and facial recognition.
This system gathered the facial vectors of the 1st year of secondary education (it was only used with this grade), with an addition of the fingerprint data for twins, given that they have identical faces but different fingerprints.
The school asked for the explicit consent of the parents of the students. In case a parent would not consent, the attendance data would be gathered manually, instead of via this system.
The system was provided by a third party, the processor, with which they had not subscribed a processing agreement. Also, the school could not prove that they had properly fulfilled the parents' right to be informed.
Additionally, the school stopped using this system when the APDCAT launched their investigation.
Dispute
Can a school use biometric data to control the attendance of the students? Are they allowed to contract with a processor to do this?
Holding
The APDCAT held that
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.
PS 49/2019 Carrer Rosselló, 214, esc. A, 1r 1a 08008 Barcelona File identification Resolution of the sanctioning procedure no. PS 49/2019, referring to the Institut Enric Borràs de Badalona, dependent on the Department of Education. Background 1. On 02/10/2019 the Inspection Area of the Catalan Data Protection Authority had knowledge that, on 19/09/2019, the media Business Insider had published the following news regarding the Institut Enric Borràs in Badalona (hereinafter, the institute): Catalan Institute is using facial recognition to control class attendance, something for which has been fined 19,000 euros by a Swedish school. " 2. The Authority opened a prior information phase (IP No. 262/2019), in accordance with provides for Article 7 of Decree 278/1993, of 9 November, on the sanctioning procedure applicable to the areas of competence of the Generalitat, and article 55.2 of Law 39/2015, of 1 October, of the common administrative procedure of public administrations (henceforth hereinafter, LPAC), to determine whether the facts were likely to motivate the initiation of a sanctioning procedure, the identification of the person or persons who may be responsible and the relevant circumstances that concurred. 3. In this information phase, on 08/10/2019, the Authority carried out an act inspection at the institute’s premises to verify certain aspects related to the student facial recognition system. In that face-to-face inspection, the representatives of the institute and the Department of Education stated, among others, the Next: - That the facial recognition system was installed from the 2011-2012 academic year. - That the purpose pursued was to reduce absenteeism, by controlling the attendance of students, as well as informing families immediately in case of absence. - That the facial recognition system was only applied to 1st year ESO students. In in relation to students in other courses, the control of attendance was done manually by of teachers. - That the system was suspended until the Authority ruled. This course was not available initiated the control of the assistance by means of facial recognition. In the application you manage attendance control began to load data from various students (goes suspended before loading the entire list of students), but were not captured vectors of his face. - That the system allowed the unambiguous identification of people. The only problem is identified two twins, but that goes away Page 1 of 12 PS 49/2019 08008 Barcelona, 214, esc. A, 1r 1a resolve by verifying your identity through your fingerprint (All other students did not have to identify themselves through the fingerprint). - At the beginning of the course, the student stood in front of one of the terminals, which collected the vectors of his face making various movements. In turn, these vectors were associated to the student’s code (it was a random but unique code for each student) and the phone number of legal representatives. - That in order to control their attendance, the student had to approach the terminal through which his identity was recognized. - That when it was detected that a student had not attended high school, before generating the notice (SMS), it was checked if his family had warned him that he would not attend. Otherwise, the the person managing the attendance control application activated the option to send the SMS to their guardians. In the event that the family later contacts the institute, indicating that the student had gone there, it was checked if he had attended in person (he was going to look for the student in the class). - That to the students of 1st of ESO, besides the control of assistance by means of recognition facial, his class attendance was also monitored by passing list. - That the data necessary to allow facial recognition were only preserved during the 1st ESO course. In June, at the end of the course, the data was deleted. - That this treatment was based on the consent of the legal representatives of the students. - That in the event that the legal representative of a student does not give consent or the later withdrawn, that student’s attendance would be verified manually. Cap the person had refused to give consent, nor had he withdrawn it. - That with regard to the rest of the students of the institute, whose presence was not controlled by facial recognition, the family was notified by telephone if they did not attend high school. The same would be true if the consent of the parties was not obtained legal representatives of a 1st year ESO student. This warning was not immediate as in the case of the SMS sent to students subject to facial recognition. - That the right to information became effective in the letter of educational commitment of the institute. In this letter did not enable the possibility of legal representatives of minors could express their refusal to process biometric data for purposes of control of their children’s attendance through facial recognition. - That the company installing the facial recognition system carried out the maintenance of this system and intervened at the beginning of the course to load the data of the students (associate the student’s code with the name). - That no contract had been signed with the said company in charge of the processing. - That this system made it possible to achieve the goal of reducing absenteeism. - That another system is being evaluated for the next academic year to control attendance without facial recognition. - That there is a predisposition to act in accordance with the provisions of the regulations on the protection of data. Page 2 of 12 PS 49/2019 Carrer Rosselló, 214, esc. A, 1r 1a 08008 Barcelona Also, on the same date, the inspection staff of the Authority verified, between others: - That in the lobby of the institute (ground floor) there were 2 terminals installed to allow the control of attendance through facial recognition. In turn, it was found that in the corridors on the 1st floor there were also 2 more terminals, one of which also allowed the fingerprint recognition. - That the application that allowed to manage the time control system was “School Access Attendance Control ”, which was installed on a computer located in the secretariat from the high school. It was verified that, in the system there was the data referring to the name and surnames of several students, the group (class), the user ID and the mobile of their tutor. It was found that the students were listed as absent and all are part of 1st ESO. On the other hand, it is verified that in order to access said application it was necessary to authenticate using password. Finally, the inspection staff collected the following documentation, which was handed over by the representatives of the inspected entity: - Copy of the letter of commitment signed by 2 legal representatives of 1st ESO students (1 for the 2018-2019 academic year and the other 1 for 2019-2020). - Copy of the image rights authorization form signed by 2 legal representatives (1 corresponding to the 2018-2019 academic year and the other 1 corresponding to 2019-2020). - Copy of the technical specifications of the access control by means of systems biometrics for facial recognition and two budgets. - Various documentation relating to facial recognition terminals. 4. On 11/29/2019, the director of the Catalan Data Protection Authority agreed initiate disciplinary proceedings against the institute, in the first instance, for an alleged infringement provided for in Article 83.5.a), in relation to Articles 5.1.a) and 9; second, by a presumption infringement provided for in Article 83.5.b), in relation to Article 13; and, thirdly, by a presumption infringement provided for in Article 83.4.a), in relation to Article 28; all of them of the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27/4, relative to the protection of the people with regard to the processing of personal data and the free movement of such data (in forward, RGPD). This initiation agreement was notified to the imputed entity on 12/12/2019. 5. On 12/20/2019, the institute made allegations in the initiation agreement. 6. On 06/02/2020, the person instructing this procedure made a proposal resolution, which proposed that the director of the Catalan Protection Authority of The Institut Enric Borràs in Badalona was warned of the data as responsible, in the first place, for a infringement provided for in Article 83.5.a) in relation to Articles 5.1.a) and 9; secondly, of a Page 3 of 12 PS 49/2019 Carrer Rosselló, 214, esc. A, 1r 1a 08008 Barcelona infringement provided for in Article 83.5.b) in relation to Article 13; and third, an infringement provided for in Article 83.4.a) in relation to Article 28 all of them of the RGPD. This proposal of resolution was notified on 06/02/2020 and a period of 10 days was granted to formulate allegations. 7. The deadline has been exceeded and no allegations have been made. Proven facts Of all the actions carried out in this procedure, the following are considered accredited facts detailed below. 1. The Enric Borràs Institute in Badalona processed biometric data to control attendance at educational center for 1st year ESO students. To this end, in the 2011-2012 academic year he installed a facial recognition system to control attendance at the school of 1st ESO students. And, in relation to two student people who were twins, also monitored their attendance by fingerprint, attended to that the facial recognition system did not guarantee its unambiguous identification. This system controls attendance by facial recognition or fingerprinting fingerprint remained active until the end of the 2018-2019 academic year. On 08/10/2019, the staff Authority inspector verified that this system was no longer used for monitoring attendance by 1st year ESO students (who were listed as absent). 2. In relation to the control of the attendance of the students of 1st of ESO by means of his facial recognition or fingerprinting, the institute has not proven that the right has been enforced of information to the representatives of the students of 1st of ESO during the course 2018-2019. 3. In 2011, the institute commissioned the installation of this system for monitoring the attendance of 1st year ESO students at the company Xip Solucions, SL; as well as its maintenance. He maintenance of this system meant that, at the beginning of each course, its staff company would upload student data to the system. This order was not formalized in a contract or other legal act written with the content required by Article 28.3 of the RGPD, and this was admitted by the person representing the institute in the act of face-to-face inspection carried out on 08/10/2019. Fundamentals of law 1. The provisions of the LPAC and Article 15 of Decree 278/1993, in accordance with the provisions of DT 2a of Law 32/2010, of 1 October, of the Page 4 of 12 PS 49/2019 Carrer Rosselló, 214, esc. A, 1r 1a 08008 Barcelona Catalan Data Protection. In accordance with articles 5 and 8 of Law 32/2010, the resolution of the sanctioning procedure corresponds to the director of the Catalan Authority of Data Protection. 2. The accused entity has not made any allegations in the motion for a resolution, but it does to do in the initiation agreement. In this regard, it is considered appropriate to repeat the following below relevant to the instructor's reasoned response to these allegations. 2.1. About the news. In its written allegations against the initiation agreement, the accused entity stated than the figures published in the media on the cost of installing the facial recognition system were not accurate; that easy recognition system goes contribute to the improvement of absenteeism; that there was “no intentional misuse of the data of the students"; and that it had already been agreed to make an educational platform change to manage assistance. In advance, it should be made clear that the institute did not question in its writing of allegations before the initiation agreement nor the facts imputed, nor its qualification legal. That said, in terms of the cost of implementation or maintenance, this was a circumstance irrelevant for the purposes of determining the alleged facts and their legal classification. In relation to the lack of intentionality invoked by the institute, as stated by the person instructor in the motion for a resolution, it is necessary to point out that the infringing rates imputed in the present sanctioning procedure, do not require that the element of the intentionality. Regarding the improvement of absenteeism, it is not discussed here whether the recognition system facial (and fingerprint) could help achieve this goal, but this could be achieved in through other less intrusive means for the rights of 1st year ESO students, than not involve the processing of special categories of data (such as biometric data). Proof of the above is that with respect to other students, their attendance was controlled by from teachers in high school or the classroom; as well as the presence in the classroom of the students of 1st of ESO it was also verified by the teacher passing list (the controversial system verified the presence of students in high school, but not in the classroom). It should be noted that the Authority has already ruled on CNS opinion 63/2018, in the sense of considering that the “principle of minimization is not manifested only in opting for alternatives that are not involve the processing of personal data, or to carry out the processing of data in a manner that the minimum necessary data be used, but it must also entail that if possible achieve a certain purpose without having to process data from special categories, this Page 5 of 12 PS 49/2019 Carrer Rosselló, 214, esc. A, 1r 1a 08008 Barcelona option must prevail over other options that do involve the treatment of such types of data. ” Apart from the above, in the present case the treatment was not based on any of the exceptions set out in Article 9.2 of the RGPD, which must apply when dealing with special categories of data, as in the present case. Lastly, the decision to change the educational platform to manage the attendance of the students, would come to corroborate that in the present case the treatment of was not necessary special categories of data to control the attendance of students in the 1st year of ESO. 2.2. About the actions taken. The accused entity then reported in its written allegations before the agreement of initiation that the implementation of the system in this course was immediately suspended root of news published in the media; that the terminals had been dismantled and the whole installation; as well as the secretarial computer equipment was also disabled. In this sense, as stated by the instructor in the motion for a resolution, all the measures that the institute reported having implemented as a result of the face-to-face inspection carried out on 08/10/2019 by the inspection staff of the Authority, must lead to it happening unnecessary to require any corrective action to correct the effects of the infringements imputed, as will be set forth below. Also noteworthy is the good disposition of the institute to comply with the regulations on data protection, suspending the facial / fingerprint recognition system as soon as possible a piece of news was made public that questioned its suitability for the data protection regime; as well as when following the intervention of the Authority in the framework of the information phase, it has decided dismantle said system. On the other hand, in its written allegations before the initiation agreement, the institute also indicated that no family has "formally commented on the use of the recognition." In this point, suffice it to say that this circumstance would not allow to consider that the treatment of special categories of data was lawful (Article 9 RGPD). 3. In relation to the facts described in point 1 of the section on proven facts, both relating to facial recognition as well as fingerprint recognition, violate the principles of lawfulness (articles 5.1.a and 9 RGPD). Article 5.1.a) of the RGPD regulates the principle of lawfulness determining that the data will be “processed in a lawful manner (...) ”. Page 6 of 12 PS 49/2019 Carrer Rosselló, 214, esc. A, 1r 1a 08008 Barcelona For its part, Article 9.2 of the RGPD, concerning the treatment of special categories of provides that the prohibition of its treatment does not apply if one of the following circumstances: “A) the interested party gave his explicit consent for the treatment of such personal data for one or more of the purposes specified, except when the Union or Member State law provides that the prohibition referred to in paragraph 1 may not be raised by the person concerned; b) the treatment is necessary for the fulfillment of obligations and the exercise specific rights of the controller or the data subject in the field of labor law and social security and protection, to the extent that as authorized by the law of the Union of the Member States or a collective agreement under the law of the Member States which establish adequate guarantees of respect for fundamental rights and the interests of the interested party; (c) the treatment is necessary to protect the vital interests of the person concerned or another natural person, in the event that the interested party is not trained, physical or legally, to give their consent; (d) the processing is carried out, within the scope of its lawful activities and with the due guarantees, by a foundation, an association or any other non - profit organization, whose purpose is political, philosophical, religious or provided that the treatment relates exclusively to members current or former members of such bodies or persons who maintain contacts with them in relation to their purposes and provided that personal data do not communicate outside them without the consent of the interested parties; e) the processing refers to personal data that the interested party has made manifestly public; (f) treatment is necessary for the formulation, exercise or defense of claims or when the courts act in the exercise of their judicial function; (g) treatment is necessary for reasons of essential public interest, above the basis of Union or Member State law, which must be proportional to the objective pursued, to respect in essence the right to data protection and establish appropriate and specific measures for protect the interests and fundamental rights of the person concerned; h) treatment is necessary for the purposes of preventive or occupational medicine, assessment of the worker's work capacity, medical diagnosis, provision of health or social care or treatment, or management of the health and social care systems and services, on the basis of law of the Union or of the Member States or under a contract with a healthcare professional and without prejudice to the conditions and guarantees contemplated in section 3; (i) the treatment is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border threats Page 7 of 12 PS 49/2019 Carrer Rosselló, 214, esc. A, 1r 1a 08008 Barcelona for health, or to ensure high levels of quality and safety of the health care and medicines or health products, on the basis of Union or Member State law laying down measures appropriate and specific measures to protect the rights and freedoms of the person concerned, in particular professional secrecy, j) the processing is necessary for archival purposes in the public interest, purposes of scientific or historical research or statistical purposes, in accordance with the Article 89 (1) on the basis of Union or State law members, which must be proportionate to the aim pursued, respect in what the right to data protection and to establish appropriate measures and to protect the fundamental interests and rights of the interested. ” As indicated by the instructor, during the processing of this procedure has been duly accredited the conduct described in point 1 of the section on proven facts (referring to facial recognition and fingerprint recognition), which is constitutive of a infringement provided for in Article 83.5.a) in relation to Articles 5.1.a) and 9; both of the RGPD. Article 83.5.a) of the RGPD, classifies as an infraction, the violation of the “basic principles of including the conditions for consent under Articles 5, 6, 7 and 9 ”, including the lawfulness of the processing of special categories of data (articles 5.1.a and 9 RGPD). For its part, this conduct has also been listed as a very serious violation of the article 72.1.e) of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), as follows: “E) The processing of personal data in the categories referred to in the article 9 of Regulation (EU) 2016/679, without any of the circumstances which provide for the aforementioned precept and Article 9 of this Organic Law. ” 4. With regard to the fact described in point 2 of the section on proven facts, regarding the violation of the right information, reference should be made to Article 13 of the RGPD, which provides that: “1. When personal data relating to him are obtained from an interested party, the responsible for the treatment, at the time they are obtained, you provide all the information below: (a) the identity and contact details of the person responsible and, where applicable, of his / her manager; representative; (b) the contact details of the data protection officer, if any; c) the purposes of the processing for which the personal data are intended and the basis legal status of treatment; Page 8 of 12 PS 49/2019 Carrer Rosselló, 214, esc. A, 1r 1a 08008 Barcelona (d) where the treatment is based on Article 6 (1) (f), the legitimate interests of the controller or a third party; (e) the recipients or categories of recipients of the personal data, in your case; f) where applicable, the intention of the controller to transfer personal data to a third country or international organization and the existence or absence of a Commission adjustment decision, or, in the case of transfers referred to in Articles 46 or 47 or the second subparagraph of Article 49 (1), reference to the appropriate or appropriate guarantees and the means to obtain them a copy of these or the fact that they have been lent. 2.In addition to the information referred to in paragraph 1, the head of the processing will facilitate the interested party, at the time the data are obtained personal information, the following information necessary to ensure treatment of Fair and transparent data: a) the period during which the personal data will be kept or, if not possible, the criteria used to determine this deadline; b) the existence of the right to request access to the controller personal data relating to the data subject, and its rectification or deletion, or the limitation of their treatment, or to oppose the treatment, as well as the right to data portability; (c) where the treatment is based on Article 6 (1) (a), or Article 9 (2) (a), the existence of the right to withdraw the consent at any time, without affecting the lawfulness of the treatment based on prior consent for withdrawal; d) the right to lodge a complaint with a supervisory authority; e) whether the communication of personal data is a legal or contractual requirement, or a necessary requirement to sign a contract, and whether the interested party is obliged to provide personal data and is informed of the possible consequences that it does not provide such data; f) the existence of automated decisions, including profiling, a referred to in Article 22 (1) and (4) and, at least in such cases, significant information on the logic applied, as well as the importance and the expected consequences of such treatment for the data subject. (...) ” In accordance with what has been stated, as indicated by the instructor, the fact contained in point 2 of the section on proven facts constitutes the infringement provided for in article 83.5.b) of the RGPD, which classifies as such the violation of “the rights of the interested parties under the articles 12 to 22 ”, among which is the right of information of the interested person contemplated in Article 13 of the RGPD. In turn, this conduct has also been listed as a very serious infraction in Article 72.1.h) of the LOPDGDD, as follows: Page 9 of 12 PS 49/2019 Carrer Rosselló, 214, esc. A, 1r 1a 08008 Barcelona “H) The omission of the duty to inform the affected party about the treatment of theirs personal data in accordance with the provisions of Articles 13 and 14 of the Regulation (EU) 016/679 and 12 of this Organic Law. " 5. With regard to the fact described in point 3 of the section on proven facts, regarding the lack of contract in charge of the treatment, it is necessary to go to article 28.3 of the RGPD, which provides the Next: “3. The treatment by the manager will be governed by a contract or other legal act in accordance with Union or Member State law, which links to in charge of the person in charge and establish the object, the duration, the nature and purpose of the processing, the type of personal data and categories of stakeholders, and the obligations and rights of the person responsible. Said contract o legal act shall stipulate, in particular, that the person in charge: a) will process personal data only following instructions documented by the responsible party, including with regard to transfers of personal data to a third country or an international organization, unless is required to do so under Union or Member State law to be applied to the manager; in such a case, the person in charge will inform the person in charge of that legal requirement prior to treatment, unless such right prohibits it by important reasons of public interest; (b) ensure that persons authorized to process personal data are have committed to or are subject to confidentiality obligation of confidentiality of a statutory nature; (c) take all necessary measures in accordance with Article 32; (d) respect the conditions set out in paragraphs 2 and 4 for recourse to another in charge of treatment; e) assist the person in charge, taking into account the nature of the treatment, through appropriate technical and organizational measures, whenever possible, for that it can fulfill its obligation to respond to requests that have as their object the exercise of the rights of interested parties established in Chapter III; f) help the person in charge to ensure compliance with the obligations set out in Articles 32 to 36, taking into account the nature of the treatment and information available to the manager; g) at the choice of the person responsible, will delete or return all personal data once the provision of treatment services is completed, and will eliminate them existing copies unless data retention is required under Union or Member State law; h) make available to the person in charge all the information necessary for demonstrate compliance with the obligations set forth herein article, as well as to allow and contribute to the performance of audits, Page 10 of 12 PS 49/2019 Carrer Rosselló, 214, esc. A, 1r 1a 08008 Barcelona including inspections, by the manager or another authorized auditor by said person in charge. In relation to the provisions of letter h) of the first paragraph, the manager he shall immediately inform the person responsible if, in his opinion, an instruction infringes this Regulation or other protection provisions data of the Union or of the Member States. " In accordance with what has been stated, as indicated by the instructor, the fact contained in point 3 of the section on proven facts constitutes the infringement provided for in article 83.4.a) of the RGPD, which typifies as such, the violation of “the obligations of the person in charge and the person in charge according to of articles 8, 11, 25 to 39, 42 and 43 ”, among which is the one provided for in article 28 RGPD. In turn, this conduct has also been listed as a serious violation of Article 73.k) of the LOPDGDD, as follows: “K) To entrust the processing of data to a third party without prior formalization of a contract or other legal act written with the content required by the article 28.3 of Regulation (EU) 2016/679. ” 6. Article 77.2 LOPDGDD provides that, in the case of offenses committed by those responsible or managers listed in art. 77.1 LOPDGDD, the competent data protection authority: "(...) he must issue a resolution sanctioning them with a reprimand. The resolution shall also set out the measures to be taken for it to cease conduct or correct the effects of the offense that has been committed. The decision must be notified to the controller or controller, a the body on which it depends hierarchically, where applicable, and those affected who have the interested party, if any. ” In terms similar to the LOPDGDD, article 21.2 of Law 32/2010, determines the following: “2. In the case of offenses committed in relation to publicly owned files, the director of the Catalan Data Protection Authority must issue a resolution declaring the infringement and setting out the measures to be taken for correct its effects. In addition, it may propose, if necessary, the initiation of actions disciplinary action in accordance with current legislation on the scheme disciplinary action of staff in the service of public administrations. This one resolution must be notified to the person responsible for the file or processing, a the person in charge of the treatment, if applicable, to the body on which they depend and to the affected people, if any ”. In the present case, as stated by the instructor in the motion for a resolution, no it is appropriate to propose no requirement for corrective action to correct the effects of the Page 11 of 12 PS 49/2019 Carrer Rosselló, 214, esc. A, 1r 1a 08008 Barcelona imputed infractions, since the institute has dismantled the facial recognition system and fingerprint. Resolution For all this, I resolve: 1. To admonish the Enric Borràs Institute of Badalona as responsible for three infractions: one infringement provided for in Article 83.5.a) in relation to Articles 5.1.a) and 9; another infraction provided for in Article 83.5.b) in relation to Article 13; and a third violation under the article 83.4.a) in relation to Article 28, all of them of the RGPD. No corrective action is required to correct the effects of the infringement, in accordance with which has been set out in the 6th foundation of law. 2. Notify the institute of this resolution. 3. Communicate the resolution issued to the Catalan Ombudsman, in accordance with the provisions Article 77.5 of the LOPDGDD. 4. Order that this resolution be published on the Authority’s website (apdcat.gencat.cat), of in accordance with Article 17 of Law 32/2010, of 1 October. Against this resolution, which terminates the administrative procedure in accordance with articles 26.2 of the Law 32/2010, of 1 October, of the Catalan Data Protection Authority, and 14.3 of Decree 48/2003, of 20 February, approving the Statute of the Catalan Agency for the Protection of In this case, the accused entity may, on an optional basis, lodge an appeal for reversal the director of the Catalan Data Protection Authority, within one month from the day after its notification, in accordance with the provisions of Article 123 et seq the LPAC. You can also lodge an administrative appeal directly with the courts administrative disputes, within two months from the day after its notification, in accordance with articles 8, 14 and 46 of Law 29/1998, of 13 July, regulating administrative contentious jurisdiction. If the accused entity expresses to the Authority its intention to lodge a contentious appeal administrative against the firm resolution in administrative way, the resolution will be suspended precautionarily in the terms provided for in Article 90.3 of the LPAC. Likewise, the defendant entity may file any other appeal it deems appropriate for defend their interests. The director, Page 12 of 12