APDCAT (Catalonia) - PS 41/2022
| APDCAT - PS 41/2022 | |
|---|---|
 | |
| Authority: | APDCAT (Catalonia) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(a) GDPR Article 9 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 04.11.2021 |
| Decided: | |
| Published: | |
| Fine: | 20.000 EUR |
| Parties: | Universitat Oberta de Catalunya |
| National Case Number/Name: | PS 41/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Catalan, Valencian |
| Original Source: | APDCAT (in CA) |
| Initial Contributor: | Bernardo Armentano |
The Catalan DPA considered the use of facial recognition systems to prevent fraud in online university examinations to be disproportionate. It imposed the data controller a fine of €20,000 for violating Articles 5(1)(a) and 9 GDPR .
English Summary
Facts
The Universitat Oberta de Catalunya (the controller) adopted a facial recognition system to verify the identity of students before they took online exams. The system captured the image of the students' faces to compare them with the photos on their identity cards and thus allow them to take the exam. Students who refused to do so were considered as 'absentees'.
One of the students (the data subject) filed a complaint with the Catalan DPA, which launched an investigation. In response, the controller claimed that the data collected was not sensitive data according to Opinion 3/2012 of the Article 29 Working Party. It also argued that the processing of such data was necessary for the performance of the contract (university enrollment) and based on its legitimate interest of preventing academic fraud. During the procedures, the DPA verified that a total of 31,501 students had to use the facial recognition technology in order to be allowed to take the exams.
Holding
The DPA highlighted that Article 4(14) GDPR defines biometric data as 'personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data'. This definition excludes the application of Opinion 3/2012 of the Article 29 Working Party, which predates the GDPR and is therefore outdated. In the DPA's view, this is a special category of data under Article 9(1) GDPR and, as such, could only be processed for identification or authentication purposes in exceptional situations. However, the controller did not substantiate any of the exceptions provided for by Article 9(2). Moreover, as no genuine alternative was offered to students, any consent obtained from them was invalid. While acknowledging that facial recognition technology could be an effective means of preventing academic fraud, the DPA stated that there were other less intrusive and equally effective measures available to prevent fraud. For this reason, its implementation was considered disproportionate. On such grounds, the DPA found a violation of Articles 5(1)(a) and 9 GDPR and imposed a fine €20,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Catalan, Valencian original. Please refer to the Catalan, Valencian original for more details.
