APDCAT (Catalonia) - PS 41/2022

From GDPRhub
Revision as of 14:18, 11 April 2023 by 10.90.129.160 (talk)
APDCAT - PS 41/2022
Apdcat-logo.png
Authority: APDCAT (Catalonia)
Jurisdiction: Spain
Relevant Law: Article 5(1)(a) GDPR
Article 9 GDPR
Type: Complaint
Outcome: Upheld
Started: 04.11.2021
Decided:
Published:
Fine: 20.000 EUR
Parties: Universitat Oberta de Catalunya
National Case Number/Name: PS 41/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Catalan, Valencian
Original Source: APDCAT (in CA)
Initial Contributor: Bernardo Armentano

The Spanish DPA considered the use of facial recognition systems to prevent fraud in online university examinations to be disproportionate. It imposed the data controller a fine of €20.000,00 for violating Articles 5(1)(a) and 9 GDPR .

English Summary

Facts

The Universitat Oberta de Catalunya (the data controller) adopted a facial recognition system to verify the identity of students before they took online exams. The system captured the image of the students' faces to compare them with the photos on their identity cards and thus allow them to take the exam. Students who refused to do so were considered as 'absentees'. One of the students (the data subject) filed a complaint with the Catalan DPA, which launched an investigation. In response, the data controller claimed that the data collected was not sensitive data according to Opinion 3/2012 of the Article 29 Working Party. It also argued that the processing of such data was necessary for the performance of the contract (university enrollment) and based on its legitimate interest of preventing academic fraud. During the procedures, the DPA verified that a total of 31.501 students had to use the facial recognition technology in order to be allowed to take the exams.

Holding

The DPA highlighted that Article 4(14) GDPR defines biometric data as 'personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data'. This definition excludes the application of Opinion 3/2012 of the Article 29 Working Party, which predates the GDPR and is therefore outdated. In the DPA's view, this is sensitive data under Article 9(1) GDPR and, as such, could only be processed for identification or authentication purposes in exceptional situations. However, the data controller did not provided any of the exceptions provided for by Article 9(2). Moreover, as no genuine alternative was offered to students, any consent obtained is invalid. While acknowledging that facial recognition technology could be an effective means of preventing academic fraud, the DPA stated that there were other less intrusive and equally effective measures available to prevent fraud. For this reason, its implementation was considered disproportionate. On such grounds, the DPA found a violation of Articles 5(1)(a) and 9 GDPR and imposed a fine €20.000,00.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Catalan, Valencian original. Please refer to the Catalan, Valencian original for more details.