CNPD (Portugal) - Deliberação 2021/622

From GDPRhub
Authority: CNPD (Portugal)
Jurisdiction: Portugal
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 6(1)(e) GDPR
Article 6(1)(f) GDPR
Article 22 GDPR
Article 45 GDPR
Article 46 GDPR
Type: Complaint
Outcome: Upheld
Decided: 11.05.2021
Published: 28.05.2021
Fine: None
Parties: n/a
National Case Number/Name: Deliberação/2021/622
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Portuguese
Original Source: CNPD (in PT)
Initial Contributor: n/a

The Portuguese DPA ordered an educational institution to stop using a proctoring app to evaluate students online, as the app infringed the principles of lawfulness, purpose limitation, and data minimisation. The DPA also ordered the institution to instruct the relevant processor to delete all previously stored data.

English Summary


The Portuguese DPA (CNPD) received a complaint against the use of two applications ("Respondus Lockdown Browser" and "Respondus Monitor") that were meant to be used for the online evaluation of students. The applications were used by an unknown party (allegedly an educational institution) and developed by Respondus Inc., an American company. Respondus and the controller had entered into a data processing agreement, which was part of the licensing contract.

Both applications could be integrated with learning platforms. "Respondus Lockdown Browser" is used to block the students' computers so that they cannot access any other application, while "Respondus Monitor" is used to monitor them.

Blocking the computer means that the students could not access any other application or use any of the computer's functions. Only the application was shown, in full screen. "Respondus Monitor", a proctoring application, used the camera and video analysis techniques to monitor students. It also took photos of the students themselves and their IDs, as well as images of their surroundings. It also had a facial detection check system.

Monitoring is carried out every second through three vectors:

  • facial, movement and light detection of the student and their surroundings
  • obtaining information from the device (keyboard activity, mouse activity, hardware modifications) to identify patterns
  • analysis of the students' interaction with the exam, including time counting and answer changing, as well as comparing answers between students

Although the application records video, sound recording is deactivated by default, but it can be activated by the institution. Videos are processed afterwards and put through a facial recognition and detection system to determine whether the student stayed in the same place, whether other persons were around, and whether the same person started and ended the exam.

The application also monitored all the information from the device, including the quality of the internet connection and potential internet failure.

After the event, a report was also sent to the teachers.

Students were obliged to accept the terms and conditions of the application, including terms relating to data protection.

Additionally, Respondus processes data on servers located outside the EEA and uses Amazon Web Services. The transfers are carried out on the basis of the Privacy Shield and/or SCCs.

The following categories of personal data are transferred:

  • authentication data
  • identification data
  • contact data
  • unique identification numbers and course identification
  • pseudonymized identifiers
  • pictures, video and audio
  • educational data
  • IP address

Respondus also processes random data to improve its services, and it is possible for these data to be shared with researchers (including biometric experts).

For this processing, the educational institution relied, as its legal basis, on having a legitimate interest in evaluating the performance of the students in a fair and equal way. According to the DPIA carried out beforehand, the processing was necessary to evaluate students at a distance in the context of the pandemic. The controller concluded that the rights of the students were adequately protected.


The CNPD concluded, in the first place, that the educational institution was undoubtedly a controller, while Respondus was a processor.

Secondly, the DPA remarked that it had issued a recommendation for online education and evaluation in which it established that online evaluation should preferably be carried out via the institutional platform. However, the controller did not provide any explanation of the circumstances or criteria that led it to use the Respondus application.

Additionally, the DPA noted that "Respondus Lockdown Browser" could have been used on its own, and that the purposes for the additional use of "Respondus Monitor" were neither defined nor clear. Therefore, the purpose limitation principle from Article 5(1)(b) GDPR had been infringed. The DPA also added that the fact that the use of the proctoring app, as well as of some of its functionalities, was left to the decision of the departments or processors generated uncertainty with regard to a very intrusive processing of personal data, and could thus lead to discrimination.

Thirdly, the DPA stated that the controller, as a public institution, should not have relied on a legitimate interest but on Article 6(1)(e), as the processing is carried out in order to comply with a task of public interest set by the law. The DPA also said that, even if there were an actual interest in such processing, it would always depend on being able to prove that it could not have been done in any other way. Additionally, if using a legitimate interest as a basis, the controller should have balanced the interests and rights of the students against its own and proved that its own outweighed those of the students, which it did not do.

In addition, the DPA remarked that it was obvious that the controller had not taken into account the whole extent of the intrusion into privacy that the processing entailed, which is clearly shown by the lack of any measures to mitigate its effect. According to the DPA, the controller was processing biometric data, since, apart from the facial recognition and detection systems used, the monitoring of mouse, keyboard and movement activity also constituted processing of biometric patterns.

In particular, the DPA noted that the processing entailed granular monitoring and surveillance that allowed an intensive collection of data, which were used to create a profile of individuals by means of automated processing, and that the controller had failed to carry out any kind of assessment of the adequacy, necessity and proportionality of the processing. In addition, the DPA noted that the parameters and logic of such automated processing were not disclosed, and the profiling was also opaque.

According to the CNPD, the processing is particularly sensitive, so the controller's failure to justify its necessity and proportionality reveals that it was unnecessary and disproportionate, and that it therefore breached the minimization principle from Article 5(1)(c) GDPR.

The DPA also noted that, again, the lack of instructions and criteria given to the professors regarding the interpretation of the reports issued by the system could lead to discrimination, and the data subject could be negatively affected in a legal sense, without any of the possibilities and safeguards that Article 22 GDPR offers. The DPA remarked that the fact that there is human intervention in the process does not suffice to exclude it from being considered automated decision-making.

Fourthly, the DPA discussed the role that Respondus played not only as a processor, since it also processed data for its own purposes when using them to improve its systems, hence being a controller for such processing. The fact that the students were forced to accept the terms and conditions of the application, including the privacy processing, made consent invalid, since it was not freely given. Therefore, Respondus processed data without a valid legal basis, thereby infringing the lawfulness principle from Article 5(1)(a) GDPR.

The DPA also remarked that this was not considered in the DPIA, nor was the existence of interference with the device's communications and the level of intrusion into privacy that this poses.

Additionally, the CNPD addressed the transfer of data to the United States. The DPA concluded that neither the Privacy Shield nor the SCCs used were valid, in light of the Schrems II judgment, as they do not allow an adequate level of data protection. If Respondus had wanted to rely on the SCCs, it should have adopted supplementary measures to guarantee such a level of protection. Therefore, Respondus should not have transferred data to the United States.

The decision was adopted by the DPA through an urgent procedure, since the application had not yet been used as such but was already available for download, which would already imply processing of data. In light of such urgency, the DPA warned the controller that the use of the Respondus applications in the way they were meant to be used would violate Article 5(1)(a), (b) and (c) GDPR, and ordered the controller to stop the processing and to require the processor to delete all the already stored data.


English Machine Translation of the Decision

The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.