AEPD (Spain) - EXP202200367: Difference between revisions

From GDPRhub
(elaborated on the facts, i.e. how the second camera functioned, changed order of sentences around a bit)
Line 65: Line 65:
}}
}}


The Spanish DPA dismissed several claims against the processing activities carried out by a Spanish university that applied video surveillance to students taking exams during the Covid pandemic. The DPA analysed the legal basis and the impact assessment performed by the controller.
The Spanish DPA dismissed several claims against the processing activities carried out by a university that used video surveillance to students taking exams during the Covid pandemic. The DPA analysed the legal basis and the impact assessment performed by the controller.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
''Background:''  
Universidad Internacional de La Rioja (UNIR) (the controller) used facial recognition programmes to confirm the identity of students (data subjects) taking online exams during the Covid-19 pandemic. The processing carried out by the controller involved an IT tool (SMOWL TECH) which must be installed on the data subjects' devices. This app used the front camera to register the data subject's face while taking the exam, but it also captured the computer’s desktop. An additional camera was requested by the controller as a mandatory condition as well as the activation of related software, also installed on the students’ devices. The second camera captured the data subject's work environment, focusing on their hands, body and work screens. A failure to install and use these camera would result in failing the exam.


There are two previous resolutions by the Spanish DPA related to this case: E-08977/2021 and E-05454/2021. The latter also gave rise to the expert opinion 0036/2020. In those proceedings -and opinion-, an analysis by the Spanish DPA was already conducted regarding the use of facial recognition techniques and the installation of software in the students’ computers with surveillance purposes in remote evaluations. Thus, the present case is about a new requirement by the controller (UNIR): the installation of a second camera (in addition to the screen one) to focus on the student’s hands and surroundings.
A Students’ Association, 11 individuals and several other associations submitted a complaint to the Spanish DPA against the controller's prcoessing activities. The complaints regarding the second camera sustained that it was disproportionate since it could also capture third parties. Regarding the software, the consent required is not legal since students who have a high-risk profile for COVID don’t have a choice. Others argue that the controller does not have a legitimate interest in obliging students to install a software on their devices where they keep their agendas, bank apps, private communications, keywords, etc.
 
''Facts:''
 
The present case started due to diverse complaints submitted by the Students’ Association, 11 people and several other associations against a university, Universidad Internacional de La Rioja (UNIR), the controller. Such complaints address some aspects of the processing activities done by the controller to confirm the identity of students who are taking online exams due to COVID.
 
The processing involves an IT tool (SMOWL TECH) which must be installed on their devices. This app uses the front camera to register the student’s face while taking the exam, but it also captures the computer’s desktop. Also, an additional camera was requested as a mandatory condition for whose activation a software is also installed on the students’ devices.
 
The complaints regarding the second camera sustain that it is disproportionated since it can also capture others, and regarding the app, the consent required is not legal since students who have a high-risk profile for COVID don’t have a choice. Others argue that the controller does not have a legitimate interest in obliging students to install a software on their devices where they keep their agendas, bank apps, private communications, keywords, etc.


On the other hand, the controller claimed that none of the cameras uses facial recognition techniques (which was supported with an attestation of Smowltech as evidence), thus, consent is not mandatory as a legal basis but ‘necessity for the performance of a task carried out in the public interest conferred by the national law of Universities (Ley Orgánica de Universidades); no software is installed on the students’ device for the use of the second camera; the software installed -for the frontal camera- do not access data subject personal information unless they access this data by showing them on the screen since the desktop is being recorded, however, the controller has provided this information to the students; the screenshots taken by the tool are activated if the student access a tab not compatible with the exam, then these photos are evaluated by the staff of the university and deleted in case that not fraud is found.  
On the other hand, the controller claimed that none of the cameras uses facial recognition techniques (which was supported with an attestation of Smowltech as evidence), thus, consent is not mandatory as a legal basis but ‘necessity for the performance of a task carried out in the public interest conferred by the national law of Universities (Ley Orgánica de Universidades); no software is installed on the students’ device for the use of the second camera; the software installed -for the frontal camera- do not access data subject personal information unless they access this data by showing them on the screen since the desktop is being recorded, however, the controller has provided this information to the students; the screenshots taken by the tool are activated if the student access a tab not compatible with the exam, then these photos are evaluated by the staff of the university and deleted in case that not fraud is found.  
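Review bot: The rewritten opening of the Facts section states that UNIR "used facial recognition programmes to confirm the identity of students", but the paragraph kept at the end of this hunk records the controller's claim that none of the cameras uses facial recognition techniques, so the summary now asserts as fact something the controller disputes. Suggest attributing the statement to the complainants or describing the tool neutrally as identity verification software. The same new paragraphs also contain the typos "prcoessing activities" and "these camera", and the complaints paragraph shifts from past tense ("sustained that it was disproportionate") to present tense ("the consent required is not legal", "Others argue").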
Line 96: Line 88:


== Comment ==
== Comment ==
There are two previous resolutions by the Spanish DPA related to this case: E-08977/2021 and E-05454/2021. The latter also gave rise to the expert Opinion 0036/2020. In those proceedings and opinion, an analysis by the Spanish DPA was already conducted regarding the use of facial recognition techniques and the installation of software in the students’ computers with surveillance purposes in remote exams. Thus, the present case is about a new requirement by the controller (UNIR): the installation of a second camera (in addition to the screen one) to focus on the student’s hands and surroundings.
In the course of this proceeding, the controller amended the privacy notice provided by the software provider before the installation of the app into the student's devices since it erroneously stated that the legal basis was consent and that biometric data was collected. After the analysis of the evidence, the DPA concluded that it was not the case and decided that no violation was found.
In the course of this proceeding, the controller amended the privacy notice provided by the software provider before the installation of the app into the student's devices since it erroneously stated that the legal basis was consent and that biometric data was collected. After the analysis of the evidence, the DPA concluded that it was not the case and decided that no violation was found.



Revision as of 15:35, 9 January 2023

AEPD - AI-00086-2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 6(1)(e) GDPR
Organic Law of Universities (Ley Orgánica de Universidades)
Type: Complaint
Outcome: Rejected
Started:
Decided:
Published: 28.12.2022
Fine: n/a
Parties: n/a
National Case Number/Name: AI-00086-2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Michelle Ayora

The Spanish DPA dismissed several claims against the processing activities carried out by a university that used video surveillance on students taking exams during the Covid pandemic. The DPA analysed the legal basis and the impact assessment performed by the controller.

English Summary

Facts

Universidad Internacional de La Rioja (UNIR) (the controller) used facial recognition programmes to confirm the identity of students (data subjects) taking online exams during the Covid-19 pandemic. The processing carried out by the controller involved an IT tool (SMOWL TECH) which had to be installed on the data subjects' devices. This app used the front camera to register the data subject's face while taking the exam, but it also captured the computer’s desktop. An additional camera was requested by the controller as a mandatory condition, as well as the activation of related software, also installed on the students’ devices. The second camera captured the data subject's work environment, focusing on their hands, body and work screens. A failure to install and use these cameras would result in failing the exam.

A Students’ Association, 11 individuals and several other associations submitted a complaint to the Spanish DPA against the controller's processing activities. The complaints regarding the second camera argued that it was disproportionate since it could also capture third parties. Regarding the software, they argued that the consent required was not legal since students who have a high-risk profile for COVID don’t have a choice. Others argued that the controller does not have a legitimate interest in obliging students to install software on their devices where they keep their agendas, bank apps, private communications, keywords, etc.

On the other hand, the controller claimed that none of the cameras uses facial recognition techniques (which was supported with an attestation from Smowltech as evidence); thus, consent is not required as a legal basis, the basis instead being ‘necessity for the performance of a task carried out in the public interest’ conferred by the national law of universities (Ley Orgánica de Universidades). It also claimed that no software is installed on the students’ devices for the use of the second camera, and that the software installed for the front camera does not access the data subjects' personal information unless they themselves show it on the screen, since the desktop is being recorded; the controller has provided this information to the students. Screenshots are taken by the tool if the student accesses a tab not compatible with the exam; these are then evaluated by university staff and deleted if no fraud is found. The controller also mentioned that safeguards were applied (proportionality test, assessment of the security provided by the other controller SMOWL, application of privacy by design and by default, risk assessments, DPIAs, and guarantee of the information principle). Moreover, the second camera only records the hands, the body of the data subject (their face is not necessary), and the screen, and no installation of any software is carried out for its activation.

Holding

Regarding the facial recognition claim, the Spanish DPA stated that such techniques are not present in the processing activities in this case, accepting as evidence the certificate signed by Smowl; thus, it is confirmed that the controller does not store biometric data. Furthermore, the DPA stated that it is important to differentiate between the collection of photos and their review by professional staff, and the use of facial recognition techniques, which use biometric software to map features of the face, creating facial prints which can ultimately be compared using specific algorithms to verify the identity of a person.

Secondly, the software installed for the use of the front camera and the desktop does not access data subject personal information unless the student shows it while doing the exam.

Thirdly, there is no installation of software for the activation of the second camera; access to this camera (by the university staff) is done through a URL which first requests permission from the data subject. Also, the photos taken are reviewed manually by the university staff; thus, there is no automated decision-making involved. The risk assessment performed showed that the use of this second camera does not increase the risk to the data subjects' rights and freedoms, and it concluded that its use is necessary and balanced, since there are more benefits or advantages for the general interest than damages for others’ interests and there is no other effective measure to achieve the same purpose. Finally, the DPA considered that the information provided to students was in accordance with the transparency principles.

For the reasons mentioned above, the DPA considered that no violation was observed and dismissed the complaint.

Comment

There are two previous resolutions by the Spanish DPA related to this case: E-08977/2021 and E-05454/2021. The latter also gave rise to the expert Opinion 0036/2020. In those proceedings and opinion, the Spanish DPA had already analysed the use of facial recognition techniques and the installation of software on the students’ computers for surveillance purposes in remote exams. Thus, the present case is about a new requirement by the controller (UNIR): the installation of a second camera (in addition to the screen one) to focus on the student’s hands and surroundings.

In the course of this proceeding, the controller amended the privacy notice provided by the software provider before the installation of the app on the students' devices, since it erroneously stated that the legal basis was consent and that biometric data was collected. After the analysis of the evidence, the DPA concluded that this was not the case and decided that no violation was found.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     File No.: EXP202200367



                  RESOLUTION OF ACTIONS FILE


Of the actions carried out by the Spanish Agency for Data Protection and
based on the following:


                                      FACTS

FIRST: Between December 10, 2021 and March 9, 2022, the Spanish Agency for Data
Protection received the claims sent by the UNIR STUDENTS ASSOCIATION and 11 people
and associations referenced in Annex 0. The claims are directed against the
UNIVERSIDAD INTERNACIONAL DE LA RIOJA with NIF A26430439 (hereinafter, the party
claimed or UNIR). The reasons on which the claim is based are the following:

       Certain aspects of the processing of personal data carried out by UNIR in order
to confirm the identity of the students who are going to take exams online to prevent
the spread of Covid-19. Said processing is carried out using a computer tool that
students must install on their computer, provided by the vendor SMOWL (the tool is
called SMOWLTECH). This application makes use of the front web camera to record
the image of the student while taking their exam, and also captures the actions
they perform on the desktop, with the keyboard and mouse. The tool also
includes the use of facial recognition algorithms to determine whether the
person who had registered for the test and had provided their identification
document was, indeed, the one who was taking it. Under procedure E/08977/2021,
the university assured that it would not make use of the aforementioned facial
recognition algorithms, and would replace them with a manual review process
performed by center staff.

       Although said facial processing was already the subject of past claims filed
with the Agency by some of those affected, the writings received on this occasion
report a novelty introduced by the university for the call corresponding to
February 2022. According to the claimants, the university has incorporated a
mandatory requirement that test takers install a second camera, in addition to the
frontal one that was already being used, and requires that said camera focus on the
student's environment, their two hands, their body and their work screens, so that
it is clearly seen what they are doing. If the student fails to do so, as reported,
they will obtain a score of zero on the exam, which may lead to the loss of
continuous assessment.

       Those affected consider that this practice is not proportionate and is
intrusive, and that it does not respect the rights of students to the protection of
their data or their privacy (or that of family members who are recorded during the
test). Some have quoted or attached this Agency's response to a query on the use
of surveillance technologies of the student's environment ("360º review"), and others attach

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/28








a copy of the resolution of the University of Granada, of May 4, 2020, against
the requirement of the second camera for the evaluation. One of the teachers of
the University has passed on to an affected person the information that it was
ANECA (National Agency for Quality Assessment and Accreditation) that had reportedly
authorized or given its approval to the requirement.


       Some of those affected also question whether consent to such processing of the
data collected in this way is truly free, since students with a risk profile
do not have the option of taking the exam in person. Therefore, consent would not
be a valid legal basis. Others insist that the university also does not have a
legal basis to force its students to install "software" that allows access to their
computers, where their agenda, banking applications, private messages, passwords,
etc. are stored.

       From the detailed analysis of each of the claims received, the following is
worth highlighting:

     - Claim 1 provides the "Student Manual - Exams" prepared by UNIR with the
        instructions for taking the exam online, distributed among the students and
        with details about the operation of the applications to be installed and the
        technical requirements to be met.

     - Complaint 2 provides a piece of news published in the press with the headline
        “The UGR prohibits professors from asking students for two cameras in the
        online exams”
        (https://www.ideal.es/miugr/prohibe-profesores-pedir-chambers-students-20210118122657-nt.html).
        It states that the UGR issued a resolution in May 2020 prohibiting proctoring
        and regulating how to proceed in videoconferences. After consulting this
        resolution it can be deduced that:

            i. The UGR prohibits the use of proctoring tools in non-face-to-face
                evaluation, not allowing the use of biometric techniques or facial
                recognition.
           ii. The identification of the students is carried out through the
                presentation of the DNI or any other valid document.
          iii. Oral tests are recorded to guarantee the right of review, for the
                time strictly necessary.
           iv. Videoconference systems are used for the correct development of
                the test, follow-up and identification of the student body. In this
                case recording is not necessary. It is indicated that the
                videoconference implies a violation of personal privacy or intrusion
                residence, in the well-understood judgment of proportionality that
                guarantees such rights in the face of the public interest needs of
                verification of student learning. The teaching staff must notify the
                student body to organize the development of the test in a way that
                does not interfere with their exclusively domestic environment.


     - Complaint 3 denounces that UNIR is not respecting the resolution of July 27
        on the use of biometric techniques and facial recognition. The intrusion
        involved in demanding the use of a student's own device to activate the
        second surveillance camera is also denounced, on the assumption that this is
        a violation of the student's right to privacy and that the use of this device
        could cause a breach of the personal data stored on the device.

     - In Complaint 4, Complaint 5 and Complaint 6, the complainants denounce the
        invasion of privacy entailed by the use of the second security camera using
        a student's own device, and the recording of the students' home space
        during the entire examination, which violates the right to privacy.


     - In Complaint 7, the following is reported:

            i. That the registration that the student signs at the beginning of the
               course only specifies the following: “students must have a webcam and
               audio to be able to adequately carry out the defenses of end-of-degree
               and end-of-master's projects online", but nothing was ever specified
               about the existence of the second camera and the need to use a second
               device belonging to the students.
           ii. An annex is provided in this claim with the document sent by UNIR to
               students about the recommendations and guidelines to follow for the
               correct completion of the online exams. From the analysis of this
               annex the following is extracted:
                   a) They recommend disabling the antivirus to prevent it from
                       blocking the monitoring program.
                   b) They indicate that the test should be performed in a closed
                       room. The student must be alone in the room. The front camera
                       must focus on the student and, to the extent possible, the
                       access door. The student is the guarantor that there will be no
                       interruptions from other people. In case of alteration of
                       environmental conditions, teachers will assess the impact on
                       the evaluation.
                   c) The monitoring of the desktop, cameras and microphone must be
                       active at all times. Deactivation, disconnection, blurring or
                       significant loss of visibility may trigger an incident or
                       alert. During the exam it is mandatory to:
                            - Have the monitoring of the desktop active at all times.
                            - Keep both cameras active throughout the exam and
                              placed so that the student can be seen and identified.
                   d) The device used as a second camera must have an internet
                       connection and focus on the environment, with the two hands,
                       body and work screen visible. This document includes some
                       example images of what should be picked up by the second
                       camera.
          iii. Another annex is also provided in this claim with a communication
               sent by the rector of UNIR to all students in relation to the
               modalities of conducting examinations. From the analysis of this
               document the following paragraphs are extracted:

                   a) "For the online modality, supervision support systems will be
                       used that have been chosen after ensuring compliance with all
                       the requirements of the GDPR, Law 3/2018, and prior thorough
                       verification of compliance with the AEPD recommendations. All
                       legal documentation that endorses this decision is available
                       to any student:
                            - Analysis of the pronouncements and recommendations of
                               different data protection control authorities.
                            - Judgment of constitutional proportionality.
                            - Impact assessment and risk analysis.
                            - Contractual guarantee of the privacy of the students'
                               data.
                            - Guarantee of the principle of information.”
                   b) “The supervision support system captures images and sound
                       of the student and environment, but does not access any
                       information on their computer equipment, unless it is shown on
                       the screen."
                   c) “Students can choose the modality that best suits their
                       personal and particular situation (face-to-face and online).
                       Both modalities are developed within the respect of the
                       legal and constitutional framework and both guarantee a system
                       of effective and rigorous assessment commensurate with the
                       academic prestige of our institution and that of the titles we
                       issue.”
           iv. An annex is also provided in this claim with the response sent by
                the General Subdirectorate of Promotions and Authorizations to a
                query raised by this same CLAIMANT, with entry registration number
                O00007128e21000XXXX. From the analysis of this answer the following
                paragraph stands out:
                   a) “Likewise and responding to your concern if the
                       surveillance of the student's environment or 360 review of the
                       home in which the test is performed could be disproportionate,
                       given that third parties or
                       showing personal elements outside the objective of the
                       assessment test itself and who could provide information
                       about the privacy of the student or third parties, could be
                       understood as an interference in the privacy of the
                       student and possible residents of the home and, therefore, a
                       risk to the right to privacy and the inviolability of the
                       domicile of the student.

     - Complaint 8, Complaint 9 and Complaint 10 again denounce the mandatory use of
        the second camera for the exams of the February 2022 call, using a personal
        device of the student himself, creating the possibility of access to the
        personal information contained therein.

     - In Complaint 11, the "Association of Students X the defense of the
        Fundamental Rights (HUXIR)” complains:

            i. That UNIR has ignored the warning resolution signed by the director
               of the AEPD on July 27, 2021 in relation to the use of facial
               recognition.
           ii. That the exams being carried out at the time of filing the claim
               were making use of the second camera through an unaudited QR that
               could expose sensitive data such as photos, bank accounts…etc.
          iii. They provide a screenshot of an explanatory tutorial held on
               December 22, 2021, on the exams to be carried out, in which the
               following phrase can be seen in one of the slides shown:
               "The biometric data is eliminated once the minutes are closed and the
               to definitive”.
           iv. An email sent by this association (HUXIR) to the Office of the
               University Ombudsman, requesting that he mediate to urge UNIR
               to suspend the use of the second camera for the calls for
               January and February 2022 since there is no legal framework covered
               by the AEPD.

     - In Complaint 12, a UNIR student denounces the violation of their rights in
        the exams held in the February 2022 call, as violating what is indicated in
        AEPD report 0036/2020 as well as the resolution of file E/05454/2021. The
        student denounces that UNIR has once again carried out biometric control in
        the February 2022 exams.
            i. That, in the registration process for the online examinations, in
               the terms and conditions that the student had to accept (prior to
               registration), the following was indicated verbatim:
               “obtaining through the images and audio of a model
               biometric characteristics of the user to be able to carry out the
               identification and subsequent checks on the identity of the
               user”.
           ii. That during the registration process photographs are taken both of
               the face and of the ID.
          iii. That the legal basis for the processing of personal data, in
               relation to the use of the second camera, is consent, and that it
               cannot be given freely.
           iv. Screenshots of what was previously stated are provided.

     - In the association's claim, HUXIR once again denounces that UNIR ignores the
        resolution of the director of the AEPD of July 2021 by demanding the use of
        a second camera for the exams from January to March, and asks the AEPD to
        intercede on its behalf before UNIR. It is also claimed that on February 2,
        2022, a member of the association exercised the right of access to their
        personal data before the data controller and that, on the date of entry of
        this claim, it had not been answered.

     - Finally, it is also worth highlighting the receipt, on May 13, 2022, of a
        letter sent (...), notifying the AEPD of the situation of legal
        defenselessness in which they found themselves due to the actions undertaken
        by the other association, HUXIR, an association not recognized by UNIR
        students and which, as they indicate, was only supported by about 10
        students. In this letter they declare themselves in favor of UNIR, indicating
        that it has established an evaluation system that guarantees the quality and
        reliability of the test, which has the explicit endorsement of the vast
        majority of student representatives, and therefore greatly benefits all
        students, since it saves time and avoids stay and travel costs. That UNIR
        has informed of the implications of the use of online evaluation, both of
        the facial recognition system, which was finally cancelled, and of the use of
        the double camera. They have responded to all questions that have been
        raised, and have produced documents with questions as well as various
        explanatory conferences on the evaluation system.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5,
on the Protection of Personal Data and guarantee of digital rights (hereinafter
LOPDGDD), said claim was transferred to the party claimed, to proceed with its
analysis and inform this Agency, within a period of one month, of the actions
carried out to adapt to the requirements provided for in the data protection
regulations.

The transfer, which was carried out in accordance with the regulations established
in Law 39/2015, of October 1, on the Common Administrative Procedure of Public
Administrations (hereinafter, LPACAP), was collected on January 31, 2022, as
stated in the acknowledgment of receipt that is in the file.

On February 16, 2022, this Agency received a written response
stating, in summary, the following:


    a) They affirm that neither of the two cameras uses facial recognition
       techniques; they provide a SMOWLTECH certificate that also confirms it.

    b) They state that NO program is installed on the student's device for
       the use of the second camera.

    c) They state that, since facial recognition techniques are not used, it
       is no longer necessary to obtain the student's consent, since this
       legal basis does not apply. The legal basis is the performance of a
       task carried out in the public interest or in the exercise of public
       powers conferred by the Organic Law of Universities. They add that this
       same Agency affirmed, in its report 0036/2020, that this processing was
       covered by article 6.1.e) of the GDPR.

    d) They affirm that the software installed on the equipment never accesses
       personal information of the data subject, unless the student himself
       accesses this data and displays it on the screen while taking the test,
       since the software captures the desktop. However, they indicate that
       UNIR has informed the students about this circumstance. If the student,
       during the test, accesses a window showing information that is not
       compatible with the test being taken, the software takes screenshots
       that are subsequently evaluated by UNIR personnel and, in the event
       that it is not established that the student has carried out fraudulent
       practices, they will be deleted.

    e) The guarantees applied to protect the rights and freedoms of the data
       subjects are:
           a. Carrying out a proportionality assessment.
           b. Ensuring an adequate level of security by the processor, SMOWL.
           c. Guaranteeing privacy by default and by design.
           d. Carrying out the corresponding risk analyses and impact
               assessments.
           e. Guaranteeing the principle of information regarding data
               protection.

    f) They indicate that the impact assessment and risk analysis have already
       been provided in response to the claims in files E/05454/2021 and
       E/08977/2021.

    g) UNIR considers that the online evaluation system implemented does not
       affect the processing of personal data differently, regardless of
       whether the system has an additional device. Specifically, the
       requirements for the use of the double camera are:
           a. The device has an Internet connection and sufficient battery.
           b. It must focus on the environment, with the following visible:
                   i. Both hands and the body of the data subject. The face of
                      the data subject does not have to be captured.
                   ii. The work screen.

       Regarding the statement made in section f) above, after analyzing the
documents relating to the risk analysis and impact assessment, it is verified
that the use of the second camera used by the student's device is not included.

THIRD: On February 24, 2022, in accordance with article 65 of the LOPDGDD, the
claim presented by the claimant party was admitted for processing.

FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out
preliminary investigative actions to clarify the facts in question, by virtue
of the functions assigned to the supervisory authorities in article 57.1 and
the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data
Protection Regulation, hereinafter GDPR), and in accordance with the provisions
of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the
following points:

       The background information recorded in the information systems is as
follows:



    1. In relation to file E/05454/2021, the following actions took place:

           a. After several claims were filed with the AEPD on the use of
               biometric and facial recognition techniques by UNIR, as the
               controller of the personal data processing, on May 14, 2021 the
               controller was notified and responded that the measure used was
               balanced, not only causing no harm to the protection of
               personal data but also certifying that the evaluation tests
               were carried out in optimal conditions. They justified that
               there were no alternative measures that guaranteed the intended
               result with equal effectiveness. They also indicated that an
               impact assessment had been carried out, concluding with a low
               risk for the processing carried out. They claimed that the
               measure was not disproportionate, but suitable, to achieve the
               purpose pursued. All of this without prejudice to the fact
               that, if the AEPD considered the analysis to be erroneous, the
               use of the system under assessment would cease immediately. In
               the response to this transfer, UNIR attached:
                   i. The proportionality assessment
                   ii. The contract with the processor (SMOWLTECH)
                   iii. The impact assessment
                   iv. The security measures of the processor.

           b. However, on June 14, 2021, a new letter was received from UNIR
               providing certification of the deactivation of facial
               recognition for student monitoring.
           c. On July 27, 2021, the Director of the Spanish Data Protection
               Agency issued a resolution with a warning to the respondent
               entity to adopt corrective measures aimed at preventing the
               planned processing from entailing a possible breach of data
               protection law.

    2. In relation to file E/08977/2021, which originates from a claim filed
       with this Agency, it was transferred to UNIR, which then responded by
       providing the following information:

           a. They affirm that UNIR DOES NOT operate an online evaluation
               system based on the use of facial recognition techniques, this
               having been removed and replaced by a manual recognition
               system. A document delivered to ANECA is provided as an annex,
               describing the evaluation system carried out by UNIR, which is
               based on SMOWLTECH software and operates as follows:
                   i. Student registration process: images of the student's
                      face and ID are taken.
                   ii. During the exam, artificial intelligence is applied for
                      the detection of objects, but never of personal data.
                      Images are stored for later manual comparison.
                   iii. Given the alerts issued by the artificial intelligence
                      system, a manual review of the images is performed.

    3. In relation to this file, it is also worth highlighting report
       0036/2020 of this Agency on issues related to the use of facial
       recognition techniques in online assessment tests.

FIFTH: After the receipt of this letter from UNIR, this Agency received new
claims that provided new data for this investigation, and it was then decided
to make a new request for information to the controller, UNIR, on April 27,
2022, in accordance with the following line of investigation:

    a) To know the updated risk analysis including the use of the second
       camera, as well as the pertinent update of the impact assessment.

    b) To know more details about the software that is activated by scanning
       the QR code of the second camera on the student's device.

    c) Clarification on the conditions that the student must accept at the
       time of registration in the SMOWLTECH software, prior to taking the
       exams, since, as evidenced by the content provided in one of the
       claims received, the conditions that the student had to accept
       indicated that the legitimacy was based on the consent of the user and
       that biometric models were made for identity checks; all this was
       evidenced with screenshots attached to the claim received.

       On May 17, 2022, a response to the previous request was received from
UNIR; from its analysis the following is extracted:

    a) They provide the updated risk analysis with the use of the second
       camera, which concludes with a risk classified as ACCEPTABLE, using
       for this the tools of the AEPD (Evalúa-Riesgo RGPD and Gestiona EIPD).
       From this risk analysis, the following is extracted for the present
       investigation:

           i. Special categories of data are not processed.
           ii. They do not apply facial recognition techniques.
           iii. They do not use immature or newly created technologies.
           iv. Consent is not applicable; the legal basis for the processing
               is the public interest under article 6.1.e) of the GDPR, as
               authorized by article 46.3 of the LOU.
           v. The corresponding balancing and proportionality assessment has
               been carried out.
           vi. They affirm that the data subjects are duly informed at the
               time of registration, as well as in the Student Manual. In
               turn, if a third party appears in the images, these will be
               deleted or, where this affects the grades, a record of what
               happened will be drawn up and they will be deleted.
           vii. They state that all evidence collected by the software is
               subject to personal review by qualified personnel. The
               employees sign the corresponding Manual of Functions and
               Obligations and receive specific data protection training to
               avoid breaches of confidentiality.
           viii. The data processing agreement has been correctly formalized,
               and there is a protocol for the selection and contracting of
               processors.


    b) The risk resulting from the impact assessment, updated to include the
       use of the second camera, is LOW. The following is extracted from it
       as relevant for this investigation:
           i. To guarantee privacy by default and by design, as well as the
               principle of proactive responsibility, they affirm that the
               processing will be subject to a process of continuous review
               and a system of constant improvement, carrying out ordinary
               reviews (every academic year for ordinary exam sessions) and
               extraordinary reviews in case of substantial variation in the
               processing of personal data, such as changes in the technology
               applied, new purposes, new data, etc.

    c) In relation to the operation of the QR code on the student's device,
       they indicate that when it is scanned, it leads to a SMOWL URL that
       requests permission to access the camera, without involving the
       installation of any program or software on the student's device. The
       images from this second camera are captured from the web. The flow of
       information is as follows:
           i. The QR code is scanned and the camera is accessed from the URL
               itself.
           ii. Student activity is monitored by sending images periodically.
           iii. At Smowltech the images received are analyzed (automatically)
               to detect possible fraudulent objects in the environment. If
               possible fraud is detected, an alert is raised that must be
               checked manually by a qualified person.
           iv. Decisions are not made automatically and without the manual
               intervention of a qualified person.

    d) They send, attached to the response to the request, an explanatory
       video of the use of the second camera with a complete step-by-step
       description of the whole process.

    e) In relation to the information provided in one of the claims, to which
       several screenshots of the moment of a student's registration in the
       SMOWLTECH application (a prerequisite for taking the exams) were
       attached, and from which one could read:
           i. On the one hand, one of the screens shown indicated that the
               legal basis for the processing of personal data was the
               student's own consent.

                     - Regarding this point, UNIR answers that this
                         information is wrong and should not be displayed on
                         the student's screen, and that, after learning of
                         this fact, "since UNIR contacted SMOWL and requested
                         the elimination of this section, as it is not a
                         faithful reflection of the evaluation process of our
                         students, and suffers from inconsistencies that do
                         not coincide with reality". They attach a SMOWL
                         certificate guaranteeing that this error has been
                         resolved.
           ii. On the other hand, in another of the screenshots a text
               appeared telling the student that biometric models would be
               made for identity checks.
                     - Regarding this other point, UNIR answers that, after
                         becoming aware of this, it requested SMOWL to verify
                         and certify that, as had been indicated at the time,
                         biometric data is not processed. They provide a new
                         SMOWL certificate certifying that such processing is
                         not carried out.


       Regarding the video provided according to section d) above, after its
analysis it is established that no software application is installed on the
student's device.

       Regarding the confirmations given by UNIR in section e) above, and
after analyzing the certificates provided according to points i) and ii), the
veracity and authenticity of the same are confirmed, it being verified that:

    1. The SMOWLTECH software error is corrected, eliminating the section of
       the registration screen where it was indicated textually that "the
       legitimacy for the processing of personal data was based on the
       consent of the user".
    2. Despite the message that was displayed on the screen by mistake, UNIR
       does not perform biometric data processing or use facial recognition
       techniques.

       With respect to the above, it is necessary to differentiate between the
capture of images of the student's face for storage and later manual review
(by qualified personnel), and the use of facial recognition techniques, the
latter being based on the use of biometric software to map facial features and
create facial prints that could later be compared using specific algorithms to
verify the identity of a person.


                           FUNDAMENTALS OF LAW

                                           I

                                     Competence


       In accordance with the functions that article 57.1 a), f) and h) of
Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR)
confers on each supervisory authority and according to the provisions of
articles 47 and 48.1 of Organic Law 3/2018, of December 5, on the Protection of
Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the
Director of the Spanish Data Protection Agency is competent to resolve these
investigative actions.

       Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the
provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory
provisions issued in its development and, insofar as they do not contradict
them, on a subsidiary basis, by the general rules on administrative
procedures."


                                            II

               Processing of special categories of personal data


       Article 9 of the GDPR, which regulates the processing of special
categories of personal data, establishes the following:


       "1. The processing of personal data that reveals ethnic or racial
origin, political opinions, religious or philosophical convictions, or trade
union membership, and the processing of genetic data, biometric data aimed at
uniquely identifying a natural person, data relating to health or data
relating to the sexual life or sexual orientation of a natural person, is
prohibited.


       2. Section 1 shall not apply when one of the following circumstances
occurs:

       a) the data subject gave explicit consent to the processing of said
personal data for one or more of the specified purposes, except where the law
of the Union or of the Member States establishes that the prohibition
mentioned in section 1 cannot be lifted by the data subject;

       b) the processing is necessary for the fulfillment of obligations and
the exercise of specific rights of the controller or of the data subject in
the field of labor law and social security and protection, to the extent that
this is authorized by the law of the Union or of the Member States or by a
collective agreement under the law of the Member States that establishes
adequate guarantees of respect for the fundamental rights and interests of the
data subject;


       c) the processing is necessary to protect vital interests of the data
subject or of another natural person, in the event that the data subject is not
capable, physically or legally, of giving consent;


       d) the processing is carried out, within the scope of its legitimate
activities and with due guarantees, by a foundation, an association or any
other non-profit body whose purpose is political, philosophical, religious or
trade union, provided that the processing refers exclusively to current or
former members of such bodies or to persons who maintain regular contact with
them in relation to their purposes and provided that the personal data is not
communicated outside them without the consent of the data subjects;

       e) the processing refers to personal data that the data subject has
manifestly made public;

       f) the processing is necessary for the formulation, exercise or defense
of claims or when the courts act in the exercise of their judicial function;


       g) the processing is necessary for reasons of essential public interest,
on the basis of Union or Member State law, which must be proportional to the
objective pursued, respect in essence the right to data protection and
establish adequate and specific measures to protect the interests and
fundamental rights of the data subject;


       h) the processing is necessary for preventive or occupational medicine
purposes, evaluation of the worker's work capacity, medical diagnosis,
provision of health or social care or treatment, or management of health and
social care systems and services, on the basis of Union or Member State law or
under a contract with a healthcare professional and without prejudice to the
conditions and guarantees contemplated in section 3;

       i) the processing is necessary for reasons of public interest in the
field of public health, such as protection against serious cross-border threats
to health, or to guarantee high levels of quality and safety of healthcare and
of medicines or medical devices, on the basis of Union or Member State law
establishing appropriate and specific measures to protect the rights and
freedoms of the data subject, in particular professional secrecy;


       j) the processing is necessary for purposes of archiving in the public
interest, purposes of scientific or historical research or statistical
purposes, in accordance with article 89(1), on the basis of Union or Member
State law, which must be proportional to the objective pursued, respect in
essence the right to data protection and establish adequate and specific
measures to protect the interests and fundamental rights of the data subject.

       3. The personal data referred to in section 1 may be processed for the
purposes mentioned in section 2, letter h), when the processing is carried out
by a professional subject to the obligation of professional secrecy, or under
his responsibility, in accordance with the law of the Union or of the Member
States or with the rules established by the competent national bodies, or by
any other person also subject to the obligation of secrecy in accordance with
Union or Member State law or with rules established by competent national
bodies.


       4. Member States may maintain or introduce additional conditions,
including limitations, regarding the processing of genetic data, biometric data
or data relating to health."

                                           III

                            Principles relating to processing


       Letters a) and c) of article 5.1 of the GDPR provide:

       "1. Personal data shall be:
       a) processed lawfully, fairly and in a transparent manner in relation to
the data subject ("lawfulness, fairness and transparency");
       (…)
       c) adequate, relevant and limited to what is necessary in relation to
the purposes for which they are processed ("data minimization");"

       Article 6 of the GDPR, in its section 1, on the lawfulness of
processing, establishes the following:

       "1. Processing will only be lawful if at least one of the following
conditions is fulfilled:
       a) the data subject gave consent to the processing of his personal data
for one or more specific purposes;
       b) the processing is necessary for the performance of a contract to
which the data subject is party or for the application, at the data subject's
request, of pre-contractual measures;
       c) the processing is necessary for compliance with a legal obligation
applicable to the controller;

       d) the processing is necessary to protect vital interests of the data
subject or of another natural person;
       e) the processing is necessary for the performance of a task carried out
in the public interest or in the exercise of public powers vested in the
controller;

       f) the processing is necessary for the satisfaction of legitimate
interests pursued by the controller or by a third party, provided that such
interests are not overridden by the interests or fundamental rights and
freedoms of the data subject that require the protection of personal data, in
particular where the data subject is a child.

       The provisions of letter f) of the first paragraph shall not apply to
processing carried out by public authorities in the exercise of their
functions."

                                            IV
                                  Facts denounced


       The claims state that, during the exams of February 2022, UNIR
established an identification system through an IT tool, which students have to
install, and which uses facial recognition algorithms. In addition, in the
indicated exams, UNIR forced the students to install a second camera that
focused on the student's environment. They understand that the processing
carried out is not proportionate and is highly intrusive since it can even
record the students' relatives. They also consider that consent is not free,
since students with high health risk cannot attend an in-person exam.


       On the use of facial recognition techniques, after verifying the
authenticity of the certificate provided by the SMOWL company, it is verified
that special categories of data are not processed and that facial recognition
techniques are not used.

       After verifying the authenticity of the certificates provided by the
company SMOWL, it is verified that the information that was provided (in error)
in the student registration process in the system has been eliminated,
specifically the erroneous information provided on the legal basis and on the
storage of biometric models. The legal basis of the processing is not consent;
rather, the processing is necessary for the performance of a task carried out
in the public interest or in the exercise of public powers conferred on the
controller, UNIR. It is also verified that UNIR does not store biometric
models.


       Likewise, it has been verified that no software is installed on the
student's device; access to the device's camera is done from a URL that
requests prior permission to access it. This second camera has the sole purpose
of capturing images of the environment and sending them to the processor, and
if possible fraud is detected, an alert is activated that is reviewed manually
by qualified personnel, so that automatic decisions are never made in relation
to the images captured by either of the two cameras.

       With respect to the software installed on the student's computer, its
main purpose is to capture the desktop and make use of the front camera, so no
other personal information stored on the device itself is accessed, unless the
student shows it on the screen while the test is being carried out.

       Prior to the processing, UNIR updated the Impact Assessment to analyze
and include the risks added by the use of the second camera in the evaluation
systems, determining that the use of a second camera does not involve an
additional risk that may further affect the rights and freedoms of those
affected. In it, the corresponding balancing and proportionality assessment was
carried out with respect to the inclusion of the second camera, concluding that
the measure is necessary and balanced because it yields more benefits or
advantages for the general interest than harm to other goods or values in
conflict, there being no other more balanced measure for achieving the purpose
equally effectively.

       Complete information is offered to the student at the time of
registration in the SMOWLTECH application, and prior to taking the tests;
specifically, adequate information is provided about:
           a. The controller and the data protection officer.
           b. Purpose of the processing and applicable legal bases.
           c. Rights of the data subjects.
           d. Retention periods of the information, origin, recipients and
               international transfers.
           e. Data security.

                                          V
                                      Conclusion


       Therefore, based on what is indicated in the previous paragraphs, no
evidence has been found that proves the existence of an infringement within the
jurisdiction of the Spanish Data Protection Agency.

Thus, in accordance with what has been indicated, the Director of the Spanish
Data Protection Agency,


RESOLVES:

FIRST: TO PROCEED TO ARCHIVE the present actions.


SECOND: TO NOTIFY this resolution to the UNIVERSIDAD INTERNACIONAL DE LA RIOJA
with all the annexes, and to each claimant, the resolution and the annex
corresponding to their data.


       In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.

       Against this resolution, which puts an end to the administrative process
as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common
Administrative Procedure of Public Administrations, and in accordance with the
provisions of arts. 112 and 123 of the aforementioned Law 39/2015, of October
1, the interested parties may optionally file an appeal for reversal before the
Director of the Spanish Data Protection Agency within a period of one month
from the day following the notification of this resolution, or directly file a
contentious-administrative appeal before the Contentious-Administrative Chamber
of the National Court, in accordance with the provisions of article 25 and
section 5 of the fourth additional provision of Law 29/1998, of July 13,
regulating the Contentious-Administrative Jurisdiction, within a period of two
months from the day following the notification of this act, as provided for in
article 46.1 of the aforementioned Law.


                                                                                 940-110422
Mar España Martí
Director of the Spanish Data Protection Agency

ANNEX 0

A.A.A. (hereinafter claimant 1).

B.B.B. (hereinafter claimant 2).

C.C.C. (hereinafter claimant 3).

D.D.D. (hereinafter claimant 4).

E.E.E. (hereinafter claimant 5).

F.F.F. and D.D.D. (hereinafter claimants 6).

B.B.B. (hereinafter claimant 7).

G.G.G. (hereinafter claimant 8).

H.H.H. (hereinafter claimant 9).

I.I.I. *** CHARGE.1 (hereinafter claimant 10).

J.J.J. *** CHARGE.2 (hereinafter claimant 11).

ANNEX I

A.A.A. (hereinafter claimant 1).

ANNEX II

B.B.B. (hereinafter claimant 2).

ANNEX III

C.C.C. (hereinafter claimant 3).

ANNEX IV

D.D.D. (hereinafter claimant 4).

ANNEX V

E.E.E. (hereinafter claimant 5).

ANNEX VI

F.F.F. and D.D.D. (hereinafter claimants 6).

ANNEX VII

B.B.B. (hereinafter claimant 7).

ANNEX VIII

G.G.G. (hereinafter claimant 8).

ANNEX IX

H.H.H. (hereinafter claimant 9).

ANNEX X

I.I.I. *** CHARGE.1 (hereinafter claimant 10).

ANNEX XI

J.J.J. *** CHARGE.2 (hereinafter claimant 11).