KamR Stockholm - Case No. 5888-20
| KamR Stockholm - Case No. 5888-20 | |
|---|---|
| Court: | KamR Stockholm (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 5 GDPR, Article 9 GDPR, Article 9(1) GDPR, Article 9(2) GDPR, Article 35 GDPR, Article 36 GDPR |
| Decided: | 01.03.2021 |
| Published: | |
| Parties: | |
| National Case Number/Name: | Case No. 5888-20 |
| European Case Law Identifier: | |
| Appeal from: | IMY (Sweden) Case No. 5888-20 |
| Appeal to: | Not appealed |
| Original Language(s): | Swedish |
| Original Source: | Datainspektionen (in Swedish), IMY (in Swedish) |
| Initial Contributor: | Natalie |
The Court of Appeal in Stockholm upheld a decision of the Swedish DPA (IMY) to fine a school €20,000 (SEK 200,000) for using facial recognition technology to register student attendance.
English Summary
Facts
The Swedish DPA carried out an investigation of the Upper Secondary School Board in Skellefteå municipality and its pilot project at a high school that used facial recognition to record student attendance.
The cameras installed with this technology use biometric personal data to uniquely identify natural persons. Such biometric personal data qualifies as particularly sensitive personal data (under Article 9 GDPR) concerning children. According to Article 9(1), the processing of such data shall be prohibited. The prohibition does not apply if the data subject consents to the processing of personal data for a specific purpose (Article 9(2)). For consent to be valid, it must have been given voluntarily.
Following an initial decision by the Swedish DPA, holding that the Board had violated the GDPR, the Upper Secondary School Board contended that students and their guardians provided valid consent to the use of the facial recognition technology and appealed to the Court of Appeal.
Following the appeal, the Court of Appeal in Stockholm upheld the decision of the Swedish DPA. The Upper Secondary School Board appealed the decision to the administrative court, but the administrative court dismissed the appeal, thereby rendering the decision of the Swedish DPA final.
Holding
The Swedish DPA (IMY) held that the use of facial recognition technology to register student attendance is in violation of Articles 5, 9, 35 and 36 GDPR. It explained that students cannot provide meaningful consent to such data processing because of their dependence on school services. While there is a legal basis for administering the attendance of students at school, there is no legal basis to perform the task through the processing of sensitive data. The technology amounts to an intrusion into student integrity and is thus disproportionate to the task of measuring attendance. Furthermore, the DPA considered that the risk assessment reported by the Upper Secondary School Board did not meet the requirements of Article 35 GDPR; the Board should have consulted with the DPA before implementing the technology, and because it failed to do so, it also violated Article 36 GDPR.
On the issue of consent, the DPA and the Court of Appeal elaborated that recitals 42 and 43 of the Data Protection Regulation state that consent should not be considered voluntary if the data subject has no genuine or free opportunity to refuse or withdraw their consent. In order to ensure that consent is given voluntarily, consent should therefore not be a valid legal basis for the processing of personal data if there is significant inequality between the data subject and the controller. This applies in particular if the controller is a public authority and it is therefore unlikely that the consent has been given voluntarily in the circumstances. In this case, there is a clear inequality between students and the data controller. The consent can therefore not be considered voluntary and thus does not constitute a legal basis for the processing of personal data.
On the issue of proportionality, the Court of Appeal explained that Article 5 GDPR only allows personal data to be collected for specific, explicit and justified purposes. In addition, personal data processed must be adequate, relevant and not too extensive in relation to the purposes for which they are processed. The facial recognition technology was used in the students' everyday environment, leading to a major infringement of student integrity. Attendance checks are possible in a less privacy-infringing manner. Therefore, attendance checks through facial recognition had been too extensive and disproportionate to the purpose.
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
Decision, 2019-08-20, Diary No. DI-2019-2221
Skellefteå Municipality, Upper Secondary School Board
Postal address: Box 8114, 104 20 Stockholm. E-mail: datainspektionen@datainspektionen.se. Website: www.datainspektionen.se. Phone: 08-657 61 00
Supervision according to the EU Data Protection Regulation 2016/679 - face recognition for attendance control of students
Content: The Data Inspectorate's decision; Report on the supervisory matter; Grounds for the decision; Personal data responsibility; Experimental project; Legal basis for the processing of personal data (Article 6); Consent as a legal basis; The processing is necessary to perform a task of general interest; Sensitive personal data (Article 9); Basic principles for the processing of personal data (Article 5); Impact assessment and prior consultation (Articles 35, 36); Permission according to the Camera Surveillance Act; Risk that the regulations will be violated if planned treatment; Choice of intervention; Penalty fee; Determination of the amount of the penalty; Warning; How to appeal.
The Data Inspectorate's decision
The Data Inspectorate states that the Upper Secondary School Board in Skellefteå municipality, by using face recognition via camera for attendance control of students, has processed personal data in violation of the Data Protection Regulation [1]: Article 5, by processing pupils' personal data in a way that is more intrusive on personal integrity, and that includes more personal data, than is necessary for the stated purpose (attendance check); Article 9, by processing sensitive personal data (biometric data) without having a valid exception to the prohibition on processing sensitive personal data; and Articles 35 and 36, by failing to comply with the requirements for an impact assessment and not having submitted a prior consultation to the Data Inspectorate.
The Data Inspectorate decides, on the basis of ch. Section 2 of the Data Protection Act [2] and Articles 58 (2) and 83 of the Data Protection Regulation, that the Upper Secondary School Board in Skellefteå municipality must pay an administrative sanction fee of 200,000 kronor.
The Data Inspectorate states that the Upper Secondary School Board in Skellefteå municipality is likely to infringe Articles 5 and 9 through the continued use of face recognition for attendance control. The Data Inspectorate decides to give the Upper Secondary School Board in Skellefteå municipality a warning under Article 58 (2) (a) of the Data Protection Regulation.
Report on the supervisory matter
Through information in the media, the Data Inspectorate has been made aware that the Upper Secondary School Board in Skellefteå municipality (hereinafter the Upper Secondary School Board), in a pilot project at Anderstorps gymnasium in Skellefteå, has used facial recognition to register students' attendance in a class during a few weeks.
The purpose of the supervision has been to review whether the Upper Secondary School Board's processing of personal data through facial recognition for attendance control has been in accordance with the data protection rules. The Data Inspectorate has reviewed the personal data processing that the Upper Secondary School Board has carried out in the current project and has also taken a position on any future processing. Within the context of this supervision, the Data Inspectorate has not made any assessment regarding security or the duty to provide information in connection with the processing in question.
The review has revealed that the Upper Secondary School Board has, during three weeks, processed personal data through face recognition to check the attendance of 22 high school students, and that the Board is considering processing personal data in the future through the use of face recognition for attendance control. The purpose has been to register attendance at high school lessons in a simpler and more efficient way.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[2] The Act (2018:218) with supplementary provisions to the EU Data Protection Regulation.
Registering attendance in the traditional way takes, according to the Upper Secondary School Board, 10 minutes per lesson, and using face recognition technology for attendance control would, according to the Board, save 17,280 hours per year at the school in question.
The Upper Secondary School Board has stated that the facial recognition has been carried out in that the students have been filmed by a camera when approaching a classroom. Images from the camera surveillance have been compared with pre-registered pictures of each participant's face. The information that has been registered is biometric data in the form of face images, and first and last names. The information has been stored on a local computer without an internet connection, kept in a locker. Express approvals have been obtained from guardians, and it has been possible to decline the registration of personal data with biometric data.
The supervisory case began with a supervisory letter on 19 February 2019. The answer to the supervisory letter was received on 15 March 2019, with supplementary annexes on April 2, 2019. Later additions from the Upper Secondary School Board came in on 16 August and 19 August 2019.
Justification of decision
Personal data responsibility
The Upper Secondary School Board has stated that the Board is responsible, as personal data controller, for the personal data processing that has taken place within the framework of the pre-project with face recognition for attendance control at Anderstorps gymnasium in Skellefteå municipality. The Data Inspectorate shares this view.
Experimental project
The current personal data processing has taken place within the framework of a pilot project. The Data Inspectorate states that the Data Protection Regulation does not contain any exceptions for pilot or experimental activities. The requirements of the Regulation therefore need to be met in order to carry out that type of activity.
Legal basis for the processing of personal data (Article 6)
Article 6 of the Data Protection Regulation states that processing is only lawful if one of the conditions specified in the article is met.
Consent as a legal basis
The Upper Secondary School Board has, in a statement that came in to the Data Inspectorate on March 15, 2019, stated among other things that consent has been given to the processing that has occurred within the framework of attendance management. The Upper Secondary School Board's statement says, among other things, the following.
“That is, the students' guardians receive information about the project's purpose and about which personal data processing will take place, and may give their express and voluntary approval for the processing of personal data. Students who do not want to participate do not need to participate; attendance is then checked according to previous routines. Students also receive information that they can withdraw their approval for the processing of personal data at any time. (p. 6)”
Article 6 (1) of the Data Protection Regulation states that personal data processing is lawful if the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
Consent of the data subject is defined in Article 4 (11) of the Data Protection Regulation as any kind of voluntary, specific, informed and unambiguous expression of will by which the data subject, either by a statement or by an unequivocal affirmative action, accepts the processing of personal data concerning him or her.
Recital 43 of the Data Protection Regulation further states the following.
“To ensure that consent is given voluntarily, it should not constitute a valid legal basis for the processing of personal data in a specific case where there is significant inequality between the data subject and the personal data controller, especially if the personal data controller is a public authority and it is therefore unlikely that the consent has been given voluntarily in all the circumstances of that particular situation.”
This means that the assessment of whether consent has been given voluntarily shall be made not only on the basis of the freedom of choice that prevails, but also on the basis of the relationship that exists between the data subject and the data controller. The space provided for voluntary consent in the public sector is therefore limited. Within the school area, it is clear that the student is in a position of dependence on the school in terms of grades, study grants, education and thus the opportunity for future work or further studies. In addition, it is often a question of children.
The Education Data Inquiry made the assessment that it is still possible, for certain personal data processing, to use consent also in the relationship between a childminder and a preschool, and between a student's guardian or the student himself or herself, depending on age, and a school. An example of when consent could provide a suitable basis for personal data processing is the photographing of students in order to create electronic school catalogs, or photography to document activities in preschool and school, not least for the purpose of being able to report on them to childminders (SOU 2017:49, EU Data Protection Regulation and the field of education, p. 137).
Attendance control is regulated by public law for school activities, and the reporting of attendance is of significant importance to the student. This processing is therefore not comparable to the personal data processing that can take place to administer school photography.
During attendance checks, the student is in such a position of dependence that significant inequality prevails. The Data Inspectorate therefore does not consider that consent can constitute a legal basis for the personal data processing that this supervision covers.
The processing is necessary to perform a task of general interest
The Upper Secondary School Board has also stated that the legal basis for the personal data processing that has taken place within the framework of the pre-project with facial recognition is the Public Administration Act's requirement for efficient case management, the Education Act's requirements for measures in the event of absence, and the obligation for high schools to report invalid absence to the Central Student Aid Board (CSN).
According to Article 6 (1) (e) of the Data Protection Regulation, processing is lawful if it is necessary to perform a task of general interest or as part of the exercise of the personal data controller's authority.
Article 6 (2) of the Data Protection Regulation states, inter alia, that Member States may maintain or introduce more specific provisions to adapt the application of the provisions of the Data Protection Regulation in order to comply with points in the same article.
According to Article 6 (3), the task of general interest referred to in Article 6 (1) (e) shall be determined in accordance with Union law or national law.
According to ch. Section 16, first paragraph, of the Education Act (2010:800), a pupil in upper secondary school shall participate in the activities that are arranged to provide the intended education, unless the student has a valid reason for not attending.
If a student in upper secondary school is, without a valid reason, absent from the activity arranged to provide the intended education, the principal shall ensure that the student's guardians are informed on the same day that the student has been absent.
If there are special reasons, the student's guardians do not need to be informed on the same day (Chapter 15, Section 16, second paragraph of the Education Act).
The personal data processing that usually takes place to administer students' attendance at school is necessary due to the task of the principals according to ch. 15 Section 16 of the Education Act and thus constitutes a task of general interest pursuant to Article 6 (1) (e) of the Data Protection Regulation. In some parts there may also be a legal obligation under Article 6 (1) (c) of the Data Protection Regulation.
However, according to the preparatory work for the Data Protection Act (Bill 2017/18:105 New Data Protection Act, p. 51), the requirements on the supplementary national regulation increase as regards precision and predictability when it is a question of a more tangible infringement. It is also stated that, if the intrusion is significant and entails monitoring or mapping of the individual's personal circumstances, special legal support is additionally required according to ch. 6 and 20 §§ of the Instrument of Government.
The Data Inspectorate can state that there is a legal basis for administering students' attendance at school, but that there is no explicit legal support for performing the task through the processing of sensitive personal data or in another more privacy-infringing way.
Sensitive personal data (Article 9)
The facial recognition that has been used in the present case has meant that attendance control has been carried out by processing biometric personal data about children in order to uniquely identify them.
According to Article 9 (1) of the Data Protection Regulation, the processing of biometric personal data to uniquely identify a natural person is a processing of special categories of personal data (so-called sensitive personal data). The starting point is that it is forbidden to process such data.
In order to process sensitive personal data, an exception under Article 9 (2) of the Data Protection Regulation is required.
As stated above, the Upper Secondary School Board has stated that consent from the guardians has been obtained in connection with the processing that this supervision refers to.
According to Article 9 (2) (a) of the Data Protection Regulation, the processing of sensitive personal data is permitted if the data subject has expressly given consent to the processing of this personal data for one or more specific purposes, except where Union law or the national law of the Member States provides that the prohibition in paragraph 1 may not be lifted by the data subject.
As previously reported, there is generally a significant inequality in the relationship between the Upper Secondary School Board and the students, and attendance control is a unilateral control measure where this inequality prevails. Consent can therefore not, as previously stated, be considered to be given voluntarily within the framework of school activities. Consent is therefore not possible to apply as an exception from the prohibition on processing sensitive personal data in the case in question.
The Upper Secondary School Board also invokes the Administrative Procedure Act's rules on efficient case management and the Education Act's rules on handling absence.
It follows from Article 9 (2) (g) of the Data Protection Regulation that the prohibition on processing sensitive personal data does not apply if the processing is necessary in consideration of the public interest, on the basis of Union law or the national law of the Member States, which shall be proportionate to the purpose pursued, be compatible with the essential content of the right to data protection and contain provisions on appropriate and specific measures to ensure the data subject's fundamental rights and interests.
National supplementary provisions concerning the exception for important public interest have, among other things, been
introduced in ch. § 3 of the Data Protection Act [3]. According to ch. Section 3, first paragraph 2, of the Data Protection Act, sensitive personal data may be processed on the basis of Article 9 (2) (g) of the Regulation if necessary in the interests of the public interest and the processing is necessary for the handling of a case.
In the preparatory work (Bill 2017/18:105 New Data Protection Act) it is stated, among other things, the following.
“The Government's view, however, is that in most cases the concept of case is relatively clear (see Bill 2016/17:180 pp. 23–25 and p. 286). The term is used as a delimitation of the Public Administration Act's scope and should, in the Government's view, also be used here. The provision should therefore be applicable in the handling of a matter. (p. 87)”
[3] Individual school principals' processing of sensitive personal data is regulated in Chapter 26 a, Section 4 of the Education Act (2010:800), which corresponds to Chapter 3, § 3 of the Data Protection Act. As this supervision refers to the municipal school, and sector-specific provisions regarding the processing of sensitive personal data in this type of school activity are lacking, ch. 3 Section 3 of the Data Protection Act is applicable.
Furthermore, the following is stated in the preparatory work for the Public Administration Act (Bill 2016/17:180 A modern and legally secure administration - new administrative law).
“The term processing includes all measures that an authority takes from the time a case is initiated until it is closed. The expression case is not defined in the law. Characteristic of what constitutes a case, however, is that it is regularly concluded by a statement from the authority that is intended to have actual effects on a recipient in the individual case. A case is closed by a decision of some kind.
In assessing the question of whether an authority's position is to be regarded as a decision in this sense, it is the purpose and content of the statement that determine the nature of the statement, not its external form (p. 286).”
The Data Inspectorate states that attendance control through facial recognition does not constitute the handling of a case, but is a question of an actual action. The provision in ch. Section 3, first paragraph 2, of the Data Protection Act is therefore not applicable to the personal data processing which the Upper Secondary School Board has carried out in connection with face recognition for attendance control of students.
It appears from ch. 3 Section 3, first paragraph 1, of the Data Protection Act that sensitive personal data may be processed by an authority if the data has been provided to the authority and the processing is required by law.
Regarding this provision, the preparatory work (Bill 2017/18:105 New Data Protection Act) states, among other things, the following.
“The provision clarifies that it is permissible for authorities to perform such processing of sensitive personal data as is required in the activities of the authorities as a direct consequence of, above all, the provisions of the Public Access and Secrecy Act and the Administrative Procedure Act on how public documents are to be handled, for example through requirements for record keeping and the obligation to receive e-mail. Processing of sensitive personal data on the basis of this paragraph may only take place if the data has been submitted to the authority. (p. 194)”
The Data Inspectorate states that ch. Section 3, first paragraph 1, of the Data Protection Act is not relevant to the current processing of personal data.
According to ch.
Section 3, first paragraph 3, of the Data Protection Act, authorities may also in other cases process sensitive personal data if the processing is necessary in consideration of an important public interest and does not imply undue infringement of the data subject's privacy.
In the preparatory work (Bill 2017/18:105 New Data Protection Act) it is stated, among other things, the following.
“The provision is not intended to be applied routinely in the ongoing operations. It is required that the data controller, in the individual case, makes an assessment of whether the processing involves an undue invasion of the data subject's privacy. If the processing would involve such an infringement, it must not take place on the basis of this provision. To determine whether the intrusion is undue, the authority must make a proportionality assessment in which the need to carry out the processing is weighed against the data subjects' interest in the processing not taking place. The assessment of the data subjects' interest in the processing not taking place should be based on the interest in privacy protection that data subjects typically have. The personal data controller thus does not have to make an assessment in relation to each individual concerned. In the assessment of the intrusion on the individual's personal integrity, importance shall be attached to, among other things, the sensitivity of the data, the nature of the processing, the attitude the data subjects can be assumed to have to the processing, the spread the information may get and the risk of further processing for purposes other than the purpose of collection. This means, for example, that the provision cannot be used as a basis for creating privacy-sensitive compilations of sensitive personal data. (p. 194)”
Attendance management is a comprehensive and central task in the school system and takes place routinely in the ongoing operations. The Data Inspectorate therefore assesses that ch.
§ 3 first paragraph 3 of the Data Protection Act cannot be applied to the personal data processing that takes place for attendance management. The provision can thus not be applied to the personal data processing which the Upper Secondary School Board has carried out. In addition, the Data Inspectorate considers that the current personal data processing has entailed undue intrusion into the privacy of the data subjects, as the Upper Secondary School Board, through camera surveillance in the students' everyday environment, has processed sensitive personal data concerning children who are in a position of dependence on the Upper Secondary School Board, for the purpose of attendance management.
Against this background, the Data Inspectorate finds that the national supplementary provisions concerning the exception in Article 9 (2) (g) of the Data Protection Regulation for important public interest, which have been introduced in ch. 3 § first paragraph of the Data Protection Act, do not apply to the personal data processing covered by this supervision.
In addition, it appears from ch. Section 3, second paragraph, of the Data Protection Act that it is prohibited, in processing that takes place on the basis of ch. § 3 first paragraph, to perform searches for the purpose of obtaining a selection of personal data based on sensitive personal data.
Since the purpose of facial recognition is to identify students, the Data Inspectorate can state that the attendance check presupposes searches based on sensitive personal data. This means that the processing covered by this supervision has also been in breach of ch. 3 Section 3, second paragraph, of the Data Protection Act.
In summary, the Data Inspectorate considers that the exception in Article 9 (2) (g) of the Data Protection Regulation does not apply to the current processing of personal data.
Because what has emerged in the case also does not provide support for any of the other exceptions in Article 9 (2) of the Data Protection Regulation being relevant, the Data Inspectorate considers that the Upper Secondary School Board has lacked the conditions to process biometric personal data to uniquely identify students for attendance management as has been done. This personal data processing has thus taken place in violation of Article 9 of the Data Protection Regulation.
Basic principles for the processing of personal data (Article 5)
It can be stated that the personal data controller, according to Article 5 (2) of the Data Protection Regulation, is responsible for compliance with the Regulation and shall demonstrate compliance with the basic principles.
Article 5 of the Data Protection Regulation states, among other things, that personal data shall be collected for specific, explicitly stated and justified purposes and not later be processed in a way that is incompatible with these purposes (purpose limitation). In addition, the personal data processed must be adequate, relevant and not too extensive in relation to the purposes for which they are processed (data minimization).
It follows from recital 39 that personal data may be processed only if the purpose of the processing cannot be achieved in a satisfactory manner with other methods.
On the question of whether the Upper Secondary School Board has made a proportionality assessment regarding the current personal data processing, the Board has provided the following answer in its statement that was received on March 15, 2019.
“It is important to have a secure identification in order to know which students are present and to meet the requirements contained in the Education Act for action when students have high absenteeism. The method of face recognition is assessed as needed in order to know for sure that attendance is being recorded correctly.
Face recognition is also a clear increase in quality compared to the previous manual handling, which on inspection proved to have deficiencies such that it is not always correct. Of the various alternative methods tested, facial recognition was judged to be the method that best meets the requirements both of the legislation and of the purpose of the project.”
The Data Inspectorate has previously established that the personal data processing which this supervision covers has involved the processing of sensitive personal data concerning children who are in a position of dependence in relation to the Upper Secondary School Board, and that this processing has taken place through camera surveillance in the students' everyday environment. The Data Inspectorate assesses that this processing, even if it is a question of relatively few students and a relatively limited period of time, has meant a major invasion of student integrity.
The Upper Secondary School Board has stated that the purpose of this processing has been attendance control. Attendance checks can be done in other ways that are less privacy-infringing. The Data Inspectorate considers that the method, using face recognition via camera for attendance control, has been too extensive and carried out in a manner too intrusive on personal integrity, and has thereby been disproportionate to the purpose. The Upper Secondary School Board's processing has thus been carried out in conflict with Article 5 of the Data Protection Regulation.
Impact assessment and prior consultation (Articles 35, 36)
According to Article 35, a data controller shall make an assessment of the consequences of a planned processing for the protection of personal data, in particular if the processing is to be carried out with new technology and, taking into account its nature, scope, context and purpose, is likely to lead to a high risk to the rights and freedoms of natural persons.
On the question of whether the upper secondary school board made an impact assessment according to Article 35 before the start of the project in question, the board referred, in its response received on March 15, 2019, to a risk assessment it had performed. The following is the assessment made.
“Face recognition is admittedly biometric data and, according to the Data Protection Regulation, sensitive personal data which requires a special decision in order to be handled. However, the information is not classified, even if it is sensitive. The students' guardians also give their consent to the processing of personal data, and there is legal support for the processing both in the Public Administration Act and in the Education Act. The handling described by the provider for the sensitive data, such as that the equipment handling the information has no network connection, that only authorized personnel have access to the personal data, that only the target group is handled, that those who are registered give their consent and that the data will be deleted after the test period, means that the handling is judged to be within the framework of the Data Protection Regulation. Overall, no special risk assessment is required to handle sensitive personal data; what is needed is that the upper secondary school board approves in its register list the handling of biometric data and also enters a reason for using the data. The Head of Administration for the upper secondary school office has delegated authority to make decisions on approval of the handling of personal data, including sensitive personal data. (p. 4)”
In its response, the board referred to the appendix “Skellefteå municipality - The classroom of the future”. The appendix (p. 5) states that an advantage of facial recognition is that it is easy to mass register a large group such as a class.
The disadvantages are that it is a technically advanced solution that requires relatively many images of each individual, that the camera must have a clear view of all students present, and that any headgear or shawl may cause identification to fail.
Article 35(7) of the Data Protection Regulation states that at least the following shall be included in an impact assessment: a systematic description of the planned processing and the purposes of the processing; an assessment of the need for and the proportionality of the processing in relation to the purposes; an assessment of the risks to data subjects' rights and freedoms referred to in paragraph 1; and the measures planned to address the risks, including safeguards, security measures and procedures to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.
The Data Inspectorate notes that the upper secondary school board has made a risk assessment. The risk assessment concluded that, given the legal support referred to and the security surrounding the processing, no special risk assessment needed to be made for the sensitive personal data.
In the Data Inspectorate's assessment, the processing in question has involved a number of factors indicating that an impact assessment according to Article 35 should have been carried out before the processing started. The processing has taken place through camera surveillance, which is systematic surveillance, and it has included sensitive personal data about children in an environment where they are in a position of dependence. Face recognition is also a new technology. The requirements for an impact assessment under Article 35 can therefore be applied to the assessments that preceded the use in question.
The Data Inspectorate assesses that the risk assessment reported by the upper secondary school board lacks an assessment of the risks to data subjects' rights and freedoms as well as an account of the proportionality of the processing in relation to its purposes, which is why the requirements in Article 35 cannot be considered fulfilled.
According to Article 36 of the Data Protection Regulation, a controller shall consult the supervisory authority if a data protection impact assessment under Article 35 shows that the processing would lead to a high risk unless the controller takes measures to reduce the risk.
Based on what has emerged in the case, the upper secondary school board did not submit a prior consultation to the Data Inspectorate. The Data Inspectorate assesses that a number of factors indicate a high risk to individuals' rights and freedoms from the processing. For example, the processing involves new technology applied to sensitive personal data concerning children who are in a position of dependence on the upper secondary school board, and the processing has taken place through camera surveillance in the students' everyday environment. Because the risk assessment that the upper secondary school board submitted lacks an assessment of the risks in question to data subjects' rights and freedoms from the processing, the board has also been unable to show that the high risk under Article 36 has been reduced.
The Data Inspectorate therefore finds that the processing in question should have prompted a prior consultation with the Data Inspectorate in accordance with Article 36 before the processing was initiated. The processing was thus also carried out in breach of Article 36.
Permit according to the Camera Surveillance Act
The Camera Surveillance Act contains national provisions on camera surveillance which, according to § 1, supplement the Data Protection Regulation.
Section 2 of the Camera Surveillance Act states that the purpose of the Act is to meet the need for camera surveillance for legitimate purposes and to protect natural persons against intrusion into their privacy from such surveillance.
The definition of camera surveillance in section 3 of the Camera Surveillance Act means, among other things, that it must be a matter of equipment used in a way that involves permanent or regularly repeated surveillance of persons.
According to section 7 of the Camera Surveillance Act, a permit is required for camera surveillance of a place to which the public has access, if the surveillance is to be conducted by an authority.
The Data Inspectorate notes that this has been a matter of permanent and regularly repeated surveillance of persons, since the upper secondary school board used camera surveillance with face recognition technology in connection with its attendance control project during the three-week period.
The upper secondary school board is an authority and must therefore, as a starting point, have a permit to camera-monitor a place to which the public has access. The question is then whether the public is considered to have access to the place that the upper secondary school board monitored by camera through the use of face recognition technology in connection with attendance registration of students.
It follows from case law that the concept of "place to which the public has access" shall be interpreted broadly (see the Supreme Administrative Court's decision RÅ 2000 ref. 52).
In general, a school is a place to which the public does not have access; however, there are certain areas of a school where the public is considered to have access. Examples of such areas are main entrances and corridors leading to the principal's office. The investigation revealed that the students were registered using face recognition each time they entered a classroom.
A classroom is not to be considered a place to which the public has access. Against the background of what has emerged about the place of surveillance, the Data Inspectorate assesses that it is not a question of a place to which the public has access. There is thus no requirement to apply for a permit.
That the camera surveillance does not require a permit does not, however, necessarily mean that the surveillance is permitted. If camera surveillance includes personal data processing, the data protection rules must be followed, e.g. the obligation to clearly inform about the camera surveillance.
Risk that the rules will be violated in planned further processing
Based on what has emerged in the case, the upper secondary school board has considered processing personal data through face recognition again in the future for attendance control of students.
The Data Inspectorate has found that the upper secondary school board's conduct has been in breach of Articles 5 and 9 of the Data Protection Regulation. The Data Inspectorate finds that the upper secondary school board risks violating these provisions in the planned processing as well.
Choice of intervention
Article 58 of the Data Protection Regulation lists all the powers the Data Inspectorate has. According to Article 58(2), the Data Inspectorate has a number of corrective powers, including warnings, reprimands or restrictions on processing.
Pursuant to Article 58(2)(i) of the Data Protection Regulation, the supervisory authority shall impose administrative penalty fees in accordance with Article 83. According to Article 83(2), administrative penalty fees shall, depending on the circumstances of the individual case, be imposed in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j). Article 83(2) sets out which factors shall be taken into account when deciding whether administrative penalty fees are to be imposed at all and when determining the size of the fee.
Instead of penalty fees, a reprimand may in certain cases be issued according to recital 148 of the Data Protection Regulation if it is a question of a minor infringement. However, consideration must be given to circumstances such as the nature, severity and duration of the infringement.
For authorities, national supplementary provisions regarding administrative penalty fees may be introduced in accordance with Article 83(7). Ch. 6 § 2 of the Data Protection Act states that the supervisory authority may charge a penalty fee from an authority in respect of infringements referred to in Article 83(4), 83(5) and 83(6) of the Data Protection Regulation. In that case, Article 83(1), (2) and (3) of the Regulation shall apply.
Penalty fee
The Data Inspectorate has assessed that the upper secondary school board, in the personal data processing in question, has infringed Article 5, Article 9, Article 35 and Article 36 of the Data Protection Regulation. These articles are covered by Article 83(4) and 83(5), and in the event of a violation of these, the supervisory authority shall consider imposing an administrative penalty fee in addition to, or instead of, other corrective measures.
In light of the fact that the personal data processing covered by this supervision has involved the processing of sensitive personal data concerning children who are in a dependent relationship with the upper secondary school board, and that this processing has taken place through camera surveillance in the students' everyday environment, it is not a question of a minor infringement. There is thus no reason to replace the penalty fee with a reprimand.
Nor is any other corrective measure relevant for the processing that has taken place. The upper secondary school board shall thus be charged an administrative penalty fee.
Determination of the amount of the sanction
Pursuant to Article 83(1) of the Data Protection Regulation, each supervisory authority shall ensure that the imposition of administrative penalty fees is in each individual case effective, proportionate and dissuasive. Under Article 83(3), the administrative penalty fee may not exceed the amount for the most serious infringement if it is a question of the same data processing or of interconnected data processing.
For authorities, ch. 6 § 2 second paragraph of the Data Protection Act provides that the penalty fees shall be set at a maximum of SEK 5,000,000 for infringements referred to in Article 83(4) of the Data Protection Regulation and at a maximum of SEK 10,000,000 for infringements referred to in Article 83(5) and (6). Violations of Articles 5 and 9 are covered by the higher penalty fee under Article 83(5), while infringements of Articles 35 and 36 are covered by the lower maximum amount according to Article 83(4). In this case, it is a question of the same data processing, which is why the amount may not exceed SEK 10 million.
Article 83(2) of the Data Protection Regulation sets out all the factors that shall be taken into account when determining the size of the penalty fee. In assessing the size of the penalty fee, account shall be taken of, among other things, Article 83(2)(a) (nature, severity and duration of the infringement), (b) (intent or negligence), (g) (categories of personal data), (h) (how the infringement came to the Data Inspectorate's knowledge) and (k) (other aggravating or mitigating factors, for example direct or indirect financial gain) of the Data Protection Regulation.
In the Data Inspectorate's assessment of the penalty fee, account has been taken of the fact that there have been infringements of several articles of the Data Protection Regulation, where the infringement of Articles 5 and 9 is deemed more serious and is covered by the higher penalty fee.
Furthermore, it has been taken into account that the violation has concerned sensitive personal data about children who have been in a position of dependence in relation to the upper secondary school board. The processing has taken place in order to streamline operations; the processing has thus taken place intentionally. These circumstances are aggravating.
Account has also been taken of the fact that the processing came to the Data Inspectorate's knowledge via information in the media.
As mitigating circumstances, it is taken into account that the processing was ongoing during a limited period of three weeks and only included 22 students.
The Data Inspectorate decides, on the basis of an overall assessment, that the upper secondary school board in Skellefteå municipality must pay an administrative penalty fee of SEK 200,000.
Warning
According to Article 58(2)(a), the Data Inspectorate has the authority to issue warnings to a controller or processor that planned processing is likely to violate the provisions of this Regulation.
The upper secondary school board in Skellefteå municipality has planned to continue using face recognition for attendance control of students. This processing will in a corresponding manner violate the provisions of the Data Protection Regulation. Due to the risk of future infringements in connection with the planned processing, a warning is now given in accordance with Article 58(2)(a) of the Data Protection Regulation.
This decision was made by Director General Lena Lindgren Schelin after presentation by lawyers Ranja Bunni and Jenny Bård. Chief lawyer Hans-Olof Lindblom, unit managers Katarina Tullstedt and Charlotte Waller Dahlberg, and lawyer Jeanette Bladh Gustafson also participated in the final proceedings.
Lena Lindgren Schelin, 2019-08-20 (This is an electronic signature)
Appendices
Appendix 1 - How to pay penalty fee
Copy for knowledge of: Data protection representative for the upper secondary school board in Skellefteå Kommun
How to appeal
If you want to appeal the decision, you must write to the Data Inspectorate. State in the letter which decision you are appealing and the change you are requesting. The appeal must have been received by the Data Inspectorate no later than three weeks from the day the decision was announced. If the appeal has been received in due time, the Data Inspectorate forwards it to the Administrative Court in Stockholm for examination.
You can e-mail the appeal to the Data Inspectorate if it does not contain any privacy-sensitive personal data or data that may be covered by secrecy. The authority's contact details appear on the first page of the decision.