APDCAT (Catalonia) - PS 41/2022

From GDPRhub
APDCAT - PS 41/2022
Authority: APDCAT (Catalonia)
Jurisdiction: Spain
Relevant Law: Article 5(1)(a) GDPR
Article 9 GDPR
Type: Complaint
Outcome: Upheld
Started: 04.11.2021
Fine: 20.000 EUR
Parties: Universitat Oberta de Catalunya
National Case Number/Name: PS 41/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Catalan, Valencian
Original Source: APDCAT (in CA)
Initial Contributor: Bernardo Armentano

The Catalan DPA considered the use of facial recognition systems to prevent fraud in online university examinations to be disproportionate. It imposed the controller a fine of €20,000 for violating Articles 5(1)(a) and 9 GDPR.

English Summary


The Universitat Oberta de Catalunya (the controller) adopted a facial recognition system to verify the identity of students before they took online exams. The system captured the image of the students' faces to compare them with the photos on their identity cards and thus allow them to take the exam. Students who refused to do so were considered as 'absentees'.

One of the students (the data subject) filed a complaint with the Catalan DPA, which launched an investigation. In response, the controller claimed that the data collected was not sensitive data according to Opinion 3/2012 of the Article 29 Working Party. It also argued that the processing of such data was necessary for the performance of the contract (university enrollment) and based on its legitimate interest of preventing academic fraud. During the procedures, the DPA verified that a total of 31,501 students had to use the facial recognition technology in order to be allowed to take the exams.


The DPA highlighted that Article 4(14) GDPR defines biometric data as 'personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data'. This definition excludes the application of Opinion 3/2012 of the Article 29 Working Party, which predates the GDPR and is therefore outdated. In the DPA's view, this is a special category of data under Article 9(1) GDPR and, as such, could only be processed for identification or authentication purposes in exceptional situations. However, the controller did not substantiate any of the exceptions provided for by Article 9(2). Moreover, as no genuine alternative was offered to students, any consent obtained from them was invalid. While acknowledging that facial recognition technology could be an effective means of preventing academic fraud, the DPA stated that there were other less intrusive and equally effective measures available to prevent fraud. For this reason, its implementation was considered disproportionate. On such grounds, the DPA found a violation of Articles 5(1)(a) and 9 GDPR and imposed a fine €20,000.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Catalan, Valencian original. Please refer to the Catalan, Valencian original for more details.