CNPD (Portugal) - Deliberação/2021/622

From GDPRhub
Revision as of 11:02, 21 July 2021 by Cvl (talk | contribs)
CNPD (Portugal) - Deliberação/2021/622
Authority: CNPD (Portugal)
Jurisdiction: Portugal
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 6(1)(e) GDPR
Article 6(1)(f) GDPR
Article 22 GDPR
Article 45 GDPR
Article 46 GDPR
Type: Complaint
Outcome: Upheld
Decided: 11.05.2021
Published: 28.05.2021
Fine: None
Parties: n/a
National Case Number/Name: Deliberação/2021/622
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Portuguese
Original Source: CNPD (in PT)
Initial Contributor: n/a

The Portuguese DPA forbid an educational institution from using a proctoring app to evaluate students online due to the infringement of the lawfulness principle, the purpose limitation principle and the data minimization principle. The DPA ordered the controller to stop the processing and to require the processor to delete all the already store data.

English Summary


The Portuguese DPA (CNPD) received a complaint against the use of two applications ("Respondus Lockdown Browser" and "Respondus Monitor"), used for online evaluations to students. Those applications were used by an unknown party (probably an educational institution) and developed by Respondus Inc., an American company. Respondus and the controller had carried out a data processing agreement, that was part of the licensing contract.

Both applications could be integrated with learning platforms. "Respondus Lockdown Browser" is used to block the computer of the students, so they could not access any other application, while "Respondus Monitor" is used to monitor them.

Blocking the computer means that the students could not access any other application nor use any of the functions of the computer. Only the application was shown full-screen. "Respondus Monitor", a proctoring application, used the camera and video analysis techniques in order to monitor students. It also took photos of the students, including themselves and their IDs, and images of the surroundings. It also had a facial detection check system.

Monitoring is carried out every second through three vectors:

  • facial, movement and light detection of the student and their surroundings
  • obtaining information from the device (keyboard activity, mouse activity, hardware modifications) to identify patterns
  • analysis of the students' interaction with the exam, including time counting and answer changing, as well as comparing answers between students

Even if the application records video, sound recording is deactivated by default, although can be activated by the institution. Videos are processed afterwards and put through a facial recognition and detection system to determine if the student stayed in the same place and whether there were other persons around, to detect if the same person started and ended the exam.

The application also monitored all the information from the device, including the quality of the internet connection and potential internet failure.

After the event, a report is sent to the teachers.

Students were obliged to accept the terms and conditions of the application, including terms relating to data protection.

Additionally, Respondus processes data in servers located outside EEA, and that they use Amazon Web Services. The transfers are carried out on the basis of the Privacy Shield and/or SCCs.

The following categories of personal data are transferred:

  • authentication data
  • identification data
  • contact data
  • unique identification numbers and course identification
  • pseudoanonymized identifiers
  • pictures, video and audio
  • educational data
  • IP address

Respondus also process random data for improving their services, being also possible to share them with researchers (including biometric experts).

For this processing, the educational institution relied, as their legal basis, on having a legitimate interest in evaluating the performance of the students in a fair and equal way. In accordance to the DPIA carried out beforehand, the processing was necessary to evaluate students at a distance in the context of the pandemic. The controller concluded that the rights of the students were adequately protected.


The CNPD concluded, in the first place, that the educational institution was undoubtedly a controller, while Respondus was a processor.

Secondly, the DPA remarked that the had issued


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.