KamR Stockholm - Case No. 5888-20
KamR Stockholm - Case No. 5888-20 | |
---|---|
Court: | KamR Stockholm (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 5 GDPR Article 9 GDPR Article 9(1) GDPR Article 9(2) GDPR Article 35 GDPR Article 36 GDPR |
Decided: | |
Published: | |
Parties: | |
National Case Number/Name: | Case No. 5888-20 |
European Case Law Identifier: | |
Appeal from: | IMY (Sweden) Case No. 5888-20 |
Appeal to: | Not appealed |
Original Language(s): | Swedish Swedish |
Original Source: | Datainspektionen (in Swedish) IMY (in Swedish) |
Initial Contributor: | Natalie |
The Court of Appeal in Stockholm upheld a decision of the Swedish DPA (IMY) to fine a school €20,000 (SEK 200,000) for using facial recognition technology to register student attendance.
English Summary
Facts
The Swedish DPA carried out an investigation of the Upper Secondary School Board in Skellefteåmunicipality and its pilot project at a high school that used facial recognition to record student attendance.
The cameras installed with this technology use biometric personal data to uniquely identify natural persons. Such biometric personal data qualifies as particularly sensitive personal data (under Article 9 GDPR) concerning children. According to Article 9(1), the processing of such data shall be prohibited. The prohibition does not apply if the data subject consents to the processing of personal data for a specific purpose (Article 9 (2). For a consent to be valid, it must have been given voluntarily.
Following an initial decision by the Swedish DPA, holding that the Board had violated the GDPR, the Upper Secondary School Board contended that students and their guardians provided valid consent to use of the facial recognition technology and appealed to the Court of Appeal.
Following the appeal, the Court of Appeal in Stockholm upheld the decision of the Swedish DPA. The Upper Secondary School Board appealed the decision to the administrative court but the administrative court dismissed the appeal, finally rendering the decision of the Swedish DPA final.
Holding
The Swedish DPA (IMY) held that the use of facial recognition technology to register student attendance is in violation with Articles 5, 9, 35 and 36 GDPR. It explained that students cannot provide meaningful consent to such data processing because of their dependence on school services. While there is a legal basis for administering the attendance of students at school, there is no legal basis to perform the task through the processing of sensitive data. The technology amounts to an intrusion of student integrity and is thus disproportionate to the task of measuring attendance. Furthermore, the DPA considered that the risk assessment reported by the Upper Secondary School Board did not meet the requirements of Article 35 GDPR; the Board should have consulted with the DPA before implementing the technology, and because it failed to do so, it also violated Article 36 GDPR.
On the issue of consent, the DPA and the Court of Appeal elaborated that recitals 42 and 43 of the Data Protection Regulation state that consent should not be considered voluntary if the data subject has no genuine or free opportunity to refuse or withdraw their consent. In order to ensure that consent is given voluntarily, consent should therefore not be a valid legal basis for the processing of personal data if there is significant inequality between the data subject and the controller. This applies in particular if the person responsible for personal data is a public authority and it is therefore unlikely that the consent has been given voluntarily in the circumstances. In this case, there is a clear inequality between students and the data controller. The consent can therefore not be considered voluntary and thus does not constitute a legal basis for the treatment of personal data.
On the issue of proportionality, the Court of Appeal explained that Article 5 GDPR only allows for personal data to be collected for specific, explicit and justified purposes. In addition, personal data processed must be adequate, relevant and not too extensive in relation to the purposes for which they are treated. The facial recognition technology was used in the student’s everyday environment, leading to a major infringement in student integrity. Attendance checks are possible in a less privacy-infringing manner. Therefore, attendance checks through facial recognition had been too extensive and disproportionate to the purpose.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
Decision Diary No. 1 (20) 2019-08-20 DI-2019-2221 Skellefteå Municipality, Upper Secondary School Board Supervision according to the EU Data Protection Regulation 2016/679 - face recognition for attendance control of students Content The Data Inspectorate's decision ………………………………………………………………… ..2 Report on the supervisory matter …………………………………………………………. 2 Grounds for the decision ………………………………………………………………………… ..4 Personal data responsibility ………………………………………………………………… 4 Experimental project ……………………………………………………………………………… .4 Legal basis for the processing of personal data (Article 6) 4 .4 Consent as a legal basis ……………………………………………………. 4 The treatment is necessary to perform a task of general Interest …………………………………………………………………………………… ..6 Sensitive personal data (Article 9) …………………………………………… ... 7 Basic principles for the processing of personal data (Article 5) ……………………………………………………………………………………… ..11 Impact assessment and prior consultation (Articles 35, 36) ………… 13 Permission according to the Camera Surveillance Act ……………………………………… ..15 Risk that the regulations will be violated if planned treatment …………………………………………………………………………………… 16 Choice of intervention ……………………………………………………………………………… ..16 Penalty fee ……………………………………………………………………………… 17 Determination of the amount of the penalty ………………………… .... 18 Warning ………………………………………………………………………………………… ..19 How to appeal verk ..20 Postal address: Box 8114, 104 20 Stockholm E-mail: datainspektionen@datainspektionen.se Website: www.datainspektionen.se Phone: 08-657 61 00Datainspektionen DI-2019-2221 2 (20) The Data Inspectorate's decision The Data Inspectorate states that the upper secondary school board in Skellefteå municipality by using face recognition via camera for presence control of students have processed personal data in violation of 1 Article 5 of the Data Protection Regulation by dealing with pupils personal data on a brought personal integrity more intrusive way and included more personal data than what is necessary for the stated purpose (attendance check), Article 9 by processing sensitive personal data (biometric data) without having a valid treatment exceptions to the prohibition on processing sensitive personal data and Articles 35 and 36 by failing to comply with the requirements impact assessment and not having submitted one prior consultation with the Data Inspectorate. 2 The Data Inspectorate decides on the basis of ch. Section 2 of the Data Protection Act and Articles 58 (2) and 83 of the Data Protection Ordinance that the Upper Secondary School Board in Skellefteå municipality must pay an administrative sanction fee of 200,000 kronor. The Data Inspectorate states that the Upper Secondary School Board in Skellefteå municipality likely to infringe Articles 5 and 9 with the continued use of face recognition for presence control. The Data Inspectorate decides to give the Upper Secondary School Board in Skellefteå municipality a warning under Article 58 (2) (a) of the Data Protection Regulation. Report on the supervisory matter Through data in the media, the Data Inspectorate has been made aware that The upper secondary school board in Skellefteå municipality (hereinafter the upper secondary school board) in one pilot project at Anderstorps gymnasium in Skellefteå has been used 1 REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on that free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation). 2 The Act (2018: 218) with supplementary provisions to the EU Data Protection RegulationData Inspectorate DI-2019-2221 3 (20) facial recognition to register students' attendance in a class during a few weeks. The purpose of the supervision has been to review the upper secondary school board's processing of personal data through facial recognition for presence control has been in accordance with the data protection rules. The Data Inspectorate has reviewed personal data processing as the upper secondary school board has implemented in the current project and also taken position on any future treatments. The Data Inspectorate has within in the context of this supervision has not made any assessment regarding safety or the duty to provide information in connection with the treatments in question. The review has revealed that the upper secondary school board during three weeks has processed personal data through face recognition to check the presence of 22 high school students and the high school board considered in the future process personal data through the use of face recognition for attendance control. The purpose has been to in a simpler and more efficient way register attendance at high school lessons. To register attendance at a traditional way tarenligtgymnasienämnden 10 minutes per lesson and using face recognition technology for presence control it would according to the board save 17,280 hours per year at the current school. The Upper Secondary School Board has stated that the facial recognition has been implemented in that the students have been filmed by a camera approaching a classroom. Images from the camera surveillance have been compared with pre-registered ones pictures of each participant's face. The information that has been registered is biometric data in the form of face images and first and last names. The information has been stored in a local computer without internet connection stored in one lockers. Express approvals have been obtained from guardians and it has been possible to waive the registration of personal data with biometric data. The supervisory case began with a supervisory letter on 19 February 2019. Answer to The supervisory letter was received on 15 March 2019, supplementing the annexes April 2, 2019. Later additions from the high school board came in on the 16th August and 19 August 2019. Data Inspectorate DI-2019-2221 4 (20) Justification of decision Personal data responsibility The Upper Secondary School Board has stated that the board is responsible for personal data personal data processing that has taken place within the framework of the pre-project with face recognition for attendance control at Anderstorps gymnasium in Skellefteå municipality. The Data Inspectorate shares this view. Experimental project The current personal data processing has taken place within the framework provided pilot project. The Data Inspectorate states that the Data Protection Ordinance does not contain any exceptions for pilot or pilot activities. The requirements of the regulation therefore need to be met in order to implement such type operations. Legal basis for the processing of personal data (Article 6) Article 6 of the Data Protection Regulation states that processing is only lawful if one of the conditions specified in the article is met. Consent as a legal basis The Upper Secondary School Board has in a statement that came in to the Data Inspectorate on March 15, 2019 p. a. stated consent has been given to the treatment that has occurred within the framework of attendance management. The upper secondary school committee's statement states, among other things: a. the following. “Ie. the students' guardians receive information about the project's purpose and which personal data processing will take place and may give its express and voluntary approval for the processing of personal data. Students who do not want to participate do not need to participate, attendance is checked then according to previous routines. Students also receive information that they reach as preferably can withdraw their approval for the processing of personal data. (p. 6). ” Article 6 (1) of the Data Protection Regulation states personal data processing is legal if the data subject has left consent to the processing of his personal data in one or more specific ways purpose.Datainspektionen DI-2019-2221 5 (20) Consent of the data subject is defined in Article 4 (11) of the Data Protection Regulation such as any kind of voluntary, specific, informed and unambiguous expression of will, by which the data subject, either by a statement or by a unequivocal affirmative action, accepts the processing of personal data concerning him or her. Recital 43 of the Data Protection Regulation further states the following. “To ensure that consent is given voluntarily, it should not constitute valid legal basis for the processing of personal data in a specific case where there is significant inequality between the data subject and the data subject personal data controller, especially if the personal data controller is one public authority and it is therefore unlikely that the consent has provided voluntarily in all circumstances such as this particular situation includes. " This means that the assessment of whether a consent has been given is not only voluntary shall take place on the basis of the freedom of choice that prevails, but also the relationship that exists between the data subject and the data controller. The space provided for voluntary consent in the public sector is therefore limited. Within the school area, it is clear that the student is in a position of dependence to the school in terms of grades, study grants, education and thus the opportunity to future work or further studies. In addition, often the question of children. The Education Data Inquiry made the assessment that it is still possible to secure personal data processing use consent also in the relationship between a childminder and a preschool and a student guardian or the student himself depending on age and a school. An example on close consent could provide a suitable basis for personal data processing is prior to photography the students in order to create electronic school catalogs or photography to document activities in preschool and school, not least for the purpose of being able to account for the one for childminders. (SOU 2017: 49 EU Data Protection Regulation and the field of education p. 137) Attendance control is regulated by public law school activities and the reporting of attendance are of significant importance to the Data Inspectorate DI-2019-2221 6 (20) eleven. This treatment is therefore not comparable to it personal data processing that can take place to administer school photography. During attendance checks, the student is in such a position of dependence that it prevails significant inequality. The Data Inspectorate therefore does not consider consent may constitute a legal basis for the processing of personal data such as this supervision includes. The treatment is necessary to perform a task of general interest The Upper Secondary School Board has also stated that the legal basis led personal data processing that has taken place within the framework of the pre-project with facial recognition is the Public Administration Act's requirement for efficient case management, the Education Act's requirements for measures in the event of absence and the obligation for high schools night report invalid absence to Central the Student Aid Board (CSN). According to Article 6 (1) (e) of the Data Protection Regulation, processing is lawful if it is necessary to perform a task of general interest or as part of it exercise of personal data controllers' authority. Article 6 (2) of the Data Protection Regulation states, inter alia, that States may maintain or introduce more specific provisions to adapt the application of the provisions of the Data Protection Regulation in order to comply points in the same article. According to Article 6 (3), the task shall be of general interest in accordance with Article 6.1 evara determined in accordance with Union or national law Right. According to ch. Section 16, first paragraph of the Education Act (2010: 800) requires a pupil in the upper secondary school participates in the activities that are arranged to provide the intended the education, if the student does not have a valid reason for not attending. If a student in upper secondary school is absent from that activity without a valid reason arranged to carry out the intended education, the principal shall ensure that student guardians are informed on the same day that the student has been absent. If there are special reasons, student guardians do not need to be informed on the same day (Chapter 15, Section 16, second paragraph of the Education Act). The personal data processing that usually takes place to administer students' attendance at school is necessary due to the task of the principals according to ch. 15 Section 16 of the Education Act and thus constitutes a task of general interestData Inspectorate DI-2019-2221 7 (20) pursuant to Article 6.1 (e) of the Data Protection Regulation. In some parts it can also there is a legal obligation under Article 6 (1) (c) of the Data Protection Regulation. According to the preparatory work for the Data Protection Act (Bill 2017/18: 105 New Data Protection Act p. 51) however, the requirements for supplementary national regulation are increasing regarding precision and predictability when it comes to the question of a more tangible infringement. It is also stated that the intrusion is significant and entails monitoring or mapping of the individual's personal circumstances is required in addition, special legal support according to ch. 6 and 20 §§ form of government. The Data Inspectorate can state that there is a legal basis for this administer students' attendance at school, but that there is no explicit legal support to perform the task through the treatment of sensitive personal data or in another more privacy-infringing way. Sensitive personal data (Article 9) The facial recognition that has been rancid in the present case has meant that Attendance control has been rendered by biometric personal data about children have been treated to uniquely identify these. According to Article 9 (1) of the Data Protection Regulation, the processing of biometric personal data to uniquely identify a natural person a processing of specific categories of personal data (so-called sensitive) personal data). The starting point is that it is forbidden to process such tasks. In order to process sensitive personal data, this is required exemption from Article 9 (2) of the Data Protection Regulation. As stated above, the high school board has given its consent from the guardians have been harmed in connection with the current treatments supervision refers to. According to Article 9 (2) (a) of the Data Protection Regulation, the processing of sensitive data personal data permitted if the data subject has expressly provided consent to the processing of this personal data provided or more specific purposes, except in the case of Union law or the national law of the Member States law provides that the prohibition in paragraph 1 may not be lifted by the data subject. As previously reported, there is generally a significant inequality relationship between the upper secondary school board and the students and attendance control isDatainspektionen DI-2019-2221 8 (20) unilateral control measure where this inequality prevails. Consent can therefore not, as previously stated, is considered to be provided voluntarily within the framework of school activities. Consent is therefore not possible to apply as an exception from the prohibition to process sensitive personal data in the case in question. The Upper Secondary School Board also invokes the rules of the Administrative Procedure Act efficient case management and the school law's rules on handling absence. Article 9 (2) (g) of the Data Protection Regulation follows the prohibition on processing sensitive personal data if the processing is necessary out of consideration in the public interest, on the basis of Union law or national law of the Member States, which shall be proportionate to it pursued the purpose, be compatible with the essential content of the right to data protection and contain provisions on appropriate and specific measures for to ensure the data subject's fundamental rights and interests. National supplementary provisions apply except except important public interest has i.a. a. introduced in ch. § 3 of the Data Protection Act.3 According to ch. Section 3, first paragraph 2 of the Data Protection Act appears sensitive personal data may be processed on the basis of Article 9 (2) (g) of the Regulation if necessary in the interests of the public interest and the processing is necessary for the handling of a case. In the preparatory work (Bill 2017/18: 105 New Data Protection Act) it is stated, among other things. a. the following. “The Government's view, however, is that in most cases the concept of case is relatively clear (see Bill 2016/17: 180 pp. 23–25 and p. 286). The term is used as a delimitation for the Public Administration Act scope and should, in the Government's view, also be used 3 Individual school principals' processing of sensitive personal data has regulated in Chapter 26 a. Section 4 of the Education Act (2010: 800), which corresponds to Chapter 3 § 3 the Data Protection Act. As this supervision refers to the municipal school and it is missing sector-specific provisions regarding the treatment of sensitive personal data in this type of school activity ch. 3 Section 3 of the Data Protection Act applicable.Data Inspectorate DI-2019-2221 9 (20) here. The provision should therefore be applicable in the handling of a matter. (p. 87) ” Furthermore, the following is stated in the preparatory work for the Public Administration Act (Bill 2016/17: 180 A modern and legally secure administration - new administrative law). The term processing includes all measures taken by an authority takes from the time a case is initiated until it is closed. The expression case is not defined in the law. Characteristic of what constitutes a case, however, is that it is regularly concluded by a statement from authority that is intended to have actual effects on a recipient in the individual case. A case is closed by a decision of some kind. In assessing the question of whether an authority position is to be regarded as a decision in this sense it is the purpose and content of the statement that determines the nature of the statement, not its external form (p. 286). " The Data Inspectorate states that the attendance check is in full swing facial recognition does not constitute a case handling without question about an actual action. The provision in ch. Section 3, first paragraph 2 The Data Protection Act is therefore not applicable to personal data processing which the upper secondary school board has carried out in connection with face recognition attendance control of students. Of ch. 3 Section 3, first paragraph 1 of the Data Protection Act appears sensitive personal data may be processed by an authority if the data has been provided to the authority and the processing is required by law. Regarding this provision appears, among other things. a. following the preparatory work (prop.2017 / 18: 105 New data protection law). “The provision clarifies that it is permissible for authorities to perform such processing of sensitive personal data as is required in the activities of the authorities as a direct consequence of, above all the provisions of the Public Access and Secrecy Act and the Administrative Procedure Act on how public documents are to be handled, for example through requirements for record keeping and obligation to receive e-mail. Treatment of sensitive Data Inspectorate DI-2019-2221 1 0 (20) personal data on the basis of this paragraph may only be made about the data has been submitted to the authority. (p. 194) ” The Data Inspectorate states that ch. Section 3, first paragraph 1 of the Data Protection Act not relevant to the current processing of personal data. According to ch. Section 3, first paragraph 3 of the Data Protection Act also applies to authorities in other respects case process sensitive personal data if the processing is necessary with consideration of an important public interest and does not imply undue infringement of the data subject's privacy. In the preparatory work (Bill 2017/18: 105 New Data Protection Act) it is stated, among other things. a. the following. "The provision is not intended to be applied casually in it ongoing operations. It is required that the data controller, in it individual case, make an assessment of whether the treatment involves one undue invasion of the data subject's privacy. If the treatment would involve such an infringement, it must not take place in accordance with this provision. To determine if the intrusion is improper must the authority to make a proportionality assessment where the need to carry out the processing is weighted against the data subjects' interest in the treatment does not take place. The assessment of the data subjects' interest in the treatment does not take place should be based on the interest of privacy protection that the registrants typically have. The person responsible for personal data must thus not making an assessment in relation to each individual concerned. At the assessment of the intrusion on the individual's personal integrity shall be important added to i.a. the sensitivity of the data, the nature of the processing, the attitude the data subjects can be assumed to have to the treatment, the spread the information may be obtained and the risk of further processing for others purpose than the collection purpose. This means e.g. that the provision can not be used as a basis for creating privacy-sensitive compilations of sensitive personal data. (p. 194) ”. Attendance management is a comprehensive and central task in the school system and skerslentrian-wise in that running business. The Data Inspectorate assesses therefore that ch. § 3 first paragraph 3 of the Data Protection Act can not applied to the personal data processing that takes place for attendance management. The provision can thus not be applied to the personal data processingData Inspectorate DI-2019-2221 1 1 (20) which the upper secondary school board has carried out. In addition, the Data Inspectorate considers that they the current personal data processing has entailed undue intrusion into the privacy of the registered as the high school board through camera surveillance in students' everyday environment has processed sensitive personal data concerning children who are dependent on the upper secondary school board the purpose of attendance management. Against this background, the Data Inspectorate finds that the national supplementary provisions concerning the exemption in 9.2 g i the Data Protection Ordinance on important public interest which has been introduced in ch. 3 § first paragraph of the Data Protection Act does not apply to them personal data processing covered by this supervision. In addition, it appears from ch. Section 3, second paragraph, of the Data Protection Act prohibited from performing applications that take place on the basis of ch. § 3 first paragraph in purpose of obtaining a selection of personal data on sensitive personal data. Since the purpose of facial recognition is to identify students, can The Data Inspectorate states that the attendance check presupposes searches based on sensitive personal data. The latter mentioned meant current the treatments covered by this supervision have also been in breach of 3 Cape. Section 3, second paragraph, of the Data Protection Act. In summary, the Data Inspectorate considers that the exemption in 9.2 g in the Data Protection Regulation does not apply to the current processing of personal data. Because what has emerged in the case is not either provided for any of the other exceptions in Article 9 (2) (i) the Data Protection Ordinance may become relevant, the Data Inspectorate considers that The upper secondary school board has lacked the conditions to process biometrics personal data to uniquely identify students for attendance management such as has been. These personal data processing has thus taken place in violation of Article 9 of the Data Protection Regulation. Basic principles for the processing of personal data (Article 5) It can be stated that the personal data controller according to Article 5 (2) The Data Protection Regulation is responsible for compliance with the Regulation and shall demonstrate compliance with the basic principles. Article 5 of the Data Protection Regulation states, among other things: a. that the personal data shall collected for special, explicitly stated and justified purposes and notDatainspektionen DI-2019-2221 1 2 (20) later treated in a way that is compatible with these purposes (purpose limitation). In addition, personal data must be processed adequate, relevant and not comprehensive in relation to the purposes for which which they are processed (data minimization). For recital 39, personal data followed may be treated only if the purpose of the treatment cannot be achieved in one satisfactorily with other methods. On the question, the high school board has made the proportionality assessment regarding the current personal data processing, the board has provided the following answer in the sitting statement that was received on March 15, 2019. “It is important to have a secure identification to know who the students are present and meet the requirements contained in the Education Act for action then students have high absenteeism. The method of face recognition is assessed needed to know for sure that attendance is being recorded correctly. Face recognition is also a clear increase in quality compared to the previous manual handling which on inspection proved to have deficiencies in such a way that it is not always correct. Of the various alternative methods tested, facial recognition was judged to be the best method meets the requirements both from the legislation and from the purpose of the project. " The Data Inspectorate has previously established the personal data processing which this supervision covers has involved the treatment of sensitive personal data concerning children who are dependent on i relation to the upper secondary school board and that these treatments have taken place through camera surveillance in the students' everyday environment. The Data Inspectorate assessed these treatments - even if it is a question of relatively few students and a relatively limited period of time - has meant a lot invasion of student integrity. The Upper Secondary School Board has stated that the purpose of these treatments has been used attendance control. Attendance checks can be done in other ways that are smaller privacy violators. The Data Inspectorate considers this to be the case the method, to use face recognition via camera for presence control, has has been comprehensive and implemented in order to promote personal integrity intervening manner and thereby been disproportionate to the purpose. The Upper Secondary School Board's proceedings have thus been carried out in combat with Article 5 of the Data Protection Ordinance.Data Inspectorate DI-2019-2221 1 3 (20) Impact assessment and prior consultation (Articles 35, 36) According to Article 35, a data controller shall make an assessment of a planned processing consequences of the protection of personal data, in particular whether a treatment is to be carried out with new technology and taking into account its nature, scope, context and purpose are likely to lead to a high risk of the rights and freedoms of natural persons. On the question of whether the upper secondary school board has made an impact assessment according to Article 35 the start of the current project has the high school board in its response received on March 15, 2019 referred to a risk assessment performed. The following is the assessment made. “Face recognition is admittedly biometric data and according to the Data Protection Regulation sensitive personal data which requires special decision to be dealt with. However, the information is not classified either if they are sensitive. The students' guardians also give their consent the processing of personal data and there is legal support for the treatment both in the Public Administration Act and in the Education Act. The handling described by the provider for handling the sensitive data such as that there is no mains connection of the equipment that handles information that only authorized personnel have access to personal data that only the target group is handled, that those who registered gives his consent and that the data will be deleted after the test period means that the handling is judged to be within the framework of the Data Protection Regulation. Overall, no special is required risk assessment to handle sensitive personal data without it needed is that the upper secondary school board approves in its register list the handling of biometric data and also the entry of a reason to use the data. Head of Administration for the upper secondary school office has a delegation to make decisions on approval of handling of personal data and also sensitive personal data. (p. 4) ”. In its response, the Board referred to the appendix “Skellefteå municipality - The classroom of the future ”. The appendix (p. 5) states that an advantage of facial recognition is that it is easy to mass register a large group such as a class. The disadvantages are that it is technically advanced solution that requires relatively many images of each individual and that the cameraData Inspectorate DI-2019-2221 1 4 (20) must have a clear view of all students present and that any headgear / shawl may cause identification to fail. Article 35 (7) of the Data Protection Regulation states that at least the following shall: included in an impact assessment. A systematic description of it planned treatment and the purposes of the treatment, an assessment of the need of and the proportionality of the treatment in relation to the purposes, a assessment of the risks posed by data subjects' rights and freedoms referred to in paragraph 1, and the measures planned to address the risks, including: safeguards, security measures and procedures to ensure the protection of personal data and to ensure compliance with this Regulation, taking into account to the rights and entitlements of data subjects and other persons concerned interests. The Data Inspectorate states that the upper secondary school board has made one risk assessment. In the risk assessment, it has been concluded that the legal aid one refers to and the security the treatment is covered by made no one special risk assessment needs to be made sensitive personal data. According to the Swedish Data Inspectorate's assessment, the current treatments are harsh included a number of factors that suggest an impact assessment according to Article 35 would have been completed before the start of the proceedings. The treatments have happened with camera surveillance which is systematic surveillance and they have included sensitive personal data about children in an environment where they are in dependency. Face recognition is also a new technology. Requirements for one impact assessment under Article 35 may therefore be based on those assessments which preceded the current use. The Data Inspectorate assesses the risk assessment of the upper secondary school board reported to the defendant the assessment of the risks involved registered rights and freedoms as well as an account of the proportionality of the treatment in relation to its purposes why the requirements in Article 35 cannot be considered fulfilled. According to Article 36 of the Data Protection Regulation, a personal data controller shall: consult with the regulatory authority on an impact assessment data protection under Article 35 shows that the processing would lead to a high risk if there is no personal data controller to take measures to reduce the risk. Data Inspectorate DI-2019-2221 1 5 (20) Based on what has emerged in the case, the high school board did not submitted a prior consultation to the Data Inspectorate. The inspection assesses that there have been a number of factors that have made it high risk differentiates rights and freedoms with the treatments. For example These treatments include new technologies that relate to sensitive personal data concerning children who are dependent on the upper secondary school board and that these treatments have been rendered through camera surveillance in the students' everyday environment. Because the risk assessment the upper secondary school board has submitted In the absence of an assessment of current risks, the rights of data subjects were recorded freedoms with the treatments, the high school board could not show either that the high risk under Article 36 has been reduced. The Data Inspectorate states because the current treatments should have caused one prior consultation with the Data Inspectorate in accordance with Article 36 before processing initiated. The treatments were also carried out in breach of Article 36. Permit according to the Camera Surveillance Act The Camera Surveillance Act contains national regulations concerning cameras monitoring which according to § 1 supplementary data protection ordinance. Of § 2 The Camera Surveillance Act states that the purpose of the law is to meet the need of camera surveillance for legitimate purposes and to protect natural persons counter-intrusion into the privacy of such security. The definition of camera surveillance in section 3 of the Camera Surveillance Act entails among other things, the question of equipment being used on such ways that involve permanent or regular repeated personal surveillance. According to section 7 of the Camera Surveillance Act, a permit is required for camera surveillance of a place to which the public has access, if the surveillance is to be conducted by one authority. The Data Inspectorate states that this has been a question of a persistent and regular issue repeated personal surveillance used by the local high school board camera surveillance with technology for face recognition in connection with its attendance control projects during the three-week period. The Upper Secondary School Board is an authority and must therefore have a starting point permission to camera-monitor a place to which the public has access. The question is then if the public is considered to have access to the place that the upper secondary school boardData Inspectorate DI-2019-2221 1 6 (20) camera surveillance through the use of face recognition technology in in connection with attendance registration of students. In practice, the concept emerged "Place to the public access" shall be interpreted white (see Supreme the decision of the Administrative Court RÅ 2000 ref. 52). In general, a school product is placed in a place to which the public does not have access, however, there are certain areas of school where the public is considered to have access. Examples of such areas are the main entrances and corridors leads to the principal's office. The investigation revealed the students were registered using face recognition each time they entered one classroom. A classroom is not to be considered a place for the general public access. Against the background of what has emerged about whether the place for surveillance assesses The Data Inspectorate that it is not a question of a place for the general public access. There is thus no requirement to apply for a permit. To The camera surveillance is unlicensed, however, does not necessarily mean that it permitted surveillance. If camera surveillance includes personal data processing, the data protection rules must be followed, e.g. the obligation to clearly inform about the camera surveillance. Risk that the regulations will be violated during planned further treatment Based on what has emerged in the case, the high school board has considered to re-process personal data through face recognition in the future for attendance control avelever. The Data Inspectorate has found that the upper secondary school board's proceedings have been in breach of Articles 5 and 9 the Data Protection Regulation. The Data Inspectorate finds that the upper secondary school board risks violating the said regulations even at planned treatments. Choice of intervention Article 58 of the Data Protection Regulation lists all the powers The Data Inspectorate has. According to Article 58 (2), the Data Inspectorate has a number corrective powers, e.g. a. warnings, reprimands or restrictions of treatment.Datainspektionen DI-2019-2221 1 7 (20) Pursuant to Article 58 (2) (i) of the Data Protection Regulation the supervisory authority shall impose administrative penalty fees in accordance with with Article 83. According to Article 83 (2), administrative penalty fees, depending on the circumstances of the individual case, is imposed in addition to or in instead, the measures referred to in Article 58 (2) (a) to (h) and (j) Article 83 (2) (n) which factors shall be taken into account in administrative decisions penalty fees in general shall be imposed and in determining the size of the fee. Instead, sanction fees may in certain cases according to recital 148 to data protection regulation a reprimand is instead issued penalty fees if it is a question of a minor infringement. However, consideration must be given circumstances such as the nature, severity and duration. For authorities may, in accordance with Article 83 (7), national supplementary provisions are introduced regarding administrative penalty fees. Of ch. 6 § 2 The Data Protection Act states that the supervisory authority may charge a penalty fee by an authority in respect of infringements referred to in Article 83 (4), 83 (5) and 83 (6) of the Data Protection Regulation. In that case, Article 83 (1), (2) and (3) of the Regulation shall apply apply. Penalty fee The Data Inspectorate has assessed the upper secondary school board in the cases in question the processing of personal data has infringed Article 5, Article 9, Article 35 and Article 36 of the Data Protection Regulation. These articles are covered by article 83.4 and 83.5 and in the event of a violation of these, the supervisory authority shall consider imposing an administrative penalty fee in addition to, or instead of, other corrective measures. In the light of eight personal data processing such supervision has involved the processing of sensitive personal data concerning children who is in a dependent relationship with the upper secondary school board and that these treatments are rancid through camera surveillance in students' everyday lives environment, is not the issue of a minor infringement. There is thus no reason to replace the penalty fee with a reprimand.Datainspektionen DI-2019-2221 1 8 (20) No other corrective action is relevant for that treatment either as happened. The Upper Secondary School Board shall thus be charged with administrative penalty fees. Determination of the amount of the sanction Pursuant to Article 83 (1) of the Data Protection Regulation, any regulatory authority ensure that the imposition of administrative penalty fees in each individual case effective, proportionate and dissuasive. The administrative penalty fee may not exceed Article 83 (3) the amount for the most serious infringement if it is a question of an other data processing or interconnected data processing. For authorities applicable according to ch. 6 § 2 second paragraph of the Data Protection Act that the penalty fees shall be set at a maximum of SEK 5,000,000 infringements referred to in Article 83 (4) of the Data Protection Regulation and up to SEK 10,000,000 in the case of infringements referred to in Article 83 (5) and (6). Violations of Articles 5 and 9 are covered by the higher penalty fee under Article 83 (5), while infringements of Articles 35 and 36 are covered by it lower the maximum amount according to Article 83.4. In this case, the question is the same data processing why the amount may not exceed SEK 10 million. Article 83. 2 of the Data Protection Regulation sets out all the factors that should taken into account when determining the size of the penalty fee. In the assessment of the size of the penalty fee shall include a. Article 83 (2) (a) is taken into account (nature, severity and duration of the infringement), b (intent or negligence), g (categories of personal data), h (how the violation came about The Data Inspectorate's knowledge) and k (other aggravating or mitigating factor for example direct or indirect financial gain) the Data Protection Regulation. In the Data Inspectorate's assessment of the penalty fee, account has been taken of the fact that there have been infringements concerning several articles of the Data Protection Regulation, infringement of Articles 5 and 9 has been deemed more serious and covered by the higher penalty fee. Furthermore, it has been taken into account that the violation has sensitive personal data, concerning children who have been harmed in a position of dependence in relation to the upper secondary school board. The treatments have has taken place in order to streamline operations, the treatment has thus taken place intentionally. These circumstances are aggravating. Data Inspectorate DI-2019-2221 1 9 (20) Account has also been taken of the fact that the treatment has taken place The Data Inspectorate's knowledge via information in the media. As mitigating circumstances, it is taken into account that the treatment has been ongoing during a limited period of three weeks and only included 22 students. The Data Inspectorate decides on the basis of an overall assessment that The upper secondary school board in Skellefteå municipality must pay the administrative fee penalty fee of SEK 200,000. Warning According to Article 58 (2) (a), the Data Inspectorate has the authority to issue warnings to a personal data controller or personal data assistant that planned treatment is likely to violate the provisions of this Regulation. The upper secondary school board in Skellefteå municipality has arranged for them to continue use face recognition for attendance control avelever. These treatments will in a corresponding manner violate the provisions of the Data Protection Regulation. Due to the risk of future infringements in in connection with the planned treatments, a warning is now given in accordance with Article 58 (2) (a) of the Data Protection Regulation. This decision was made by Director General Lena Lindgren Schelin after presentation by lawyers Ranja Bunni and Jenny Bård. At the final the proceedings are the chief lawyer Hans-Olof Lindblom and the unit managers Katarina Tullstedt and Charlotte Waller Dahlberg and the lawyer Jeanette Bladh Gustafson participated. Lena Lindgren Schelin, 2019-08-20 (This is an electronic signature) Appendices Appendix 1 - How to pay penalty fee Copy for knowledge of: Data protection representative for the upper secondary school board in Skellefteå KommunDatainspektionen DI-2019-2221 2 0 (20) How to appeal If you want to appeal the decision, you must write to the Data Inspectorate. Enter i the letter which decision you are appealing and the change you are requesting. The appeal must have been received by the Data Inspectorate no later than three weeks from on the day the decision was announced. If the appeal has been received in due time The Data Inspectorate further sends this to the Administrative Court in Stockholm examination. You can e-mail the appeal to the Data Inspectorate if it does not contain any privacy-sensitive personal data or data that may be covered by secrecy. The authority's contact details appear on the first page of the decision.