KamR Stockholm - Case No. 5888-20

From GDPRhub
KamR Stockholm - Case No. 5888-20
Courts logo1.png
Court: KamR Stockholm (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 5 GDPR
Article 9 GDPR
Article 9(1) GDPR
Article 9(2) GDPR
Article 35 GDPR
Article 36 GDPR
Decided: 01.03.2021
Published:
Parties:
National Case Number/Name: Case No. 5888-20
European Case Law Identifier:
Appeal from: IMY (Sweden)
Case No. 5888-20
Appeal to: Not appealed
Original Language(s): Swedish Swedish
Original Source: Datainspektionen (in Swedish) IMY (in Swedish)
Initial Contributor: Natalie

The Court of Appeal in Stockholm upheld a decision of the Swedish DPA (IMY) to fine a school €20,000 (SEK 200,000) for using facial recognition technology to register student attendance.

English Summary

Facts

The Swedish DPA carried out an investigation of the Upper Secondary School Board in Skellefteåmunicipality and its pilot project at a high school that used facial recognition to record student attendance.

The cameras installed with this technology use biometric personal data to uniquely identify natural persons. Such biometric personal data qualifies as particularly sensitive personal data (under Article 9 GDPR) concerning children. According to Article 9(1), the processing of such data shall be prohibited. The prohibition does not apply if the data subject consents to the processing of personal data for a specific purpose (Article 9 (2). For a consent to be valid, it must have been given voluntarily.

Following an initial decision by the Swedish DPA, holding that the Board had violated the GDPR, the Upper Secondary School Board contended that students and their guardians provided valid consent to use of the facial recognition technology and appealed to the Court of Appeal.

Following the appeal, the Court of Appeal in Stockholm upheld the decision of the Swedish DPA. The Upper Secondary School Board appealed the decision to the administrative court but the administrative court dismissed the appeal, finally rendering the decision of the Swedish DPA final.

Holding

The Swedish DPA (IMY) held that the use of facial recognition technology to register student attendance is in violation with Articles 5, 9, 35 and 36 GDPR. It explained that students cannot provide meaningful consent to such data processing because of their dependence on school services. While there is a legal basis for administering the attendance of students at school, there is no legal basis to perform the task through the processing of sensitive data. The technology amounts to an intrusion of student integrity and is thus disproportionate to the task of measuring attendance. Furthermore, the DPA considered that the risk assessment reported by the Upper Secondary School Board did not meet the requirements of Article 35 GDPR; the Board should have consulted with the DPA before implementing the technology, and because it failed to do so, it also violated Article 36 GDPR.

On the issue of consent, the DPA and the Court of Appeal elaborated that recitals 42 and 43 of the Data Protection Regulation state that consent should not be considered voluntary if the data subject has no genuine or free opportunity to refuse or withdraw their consent. In order to ensure that consent is given voluntarily, consent should therefore not be a valid legal basis for the processing of personal data if there is significant inequality between the data subject and the controller. This applies in particular if the person responsible for personal data is a public authority and it is therefore unlikely that the consent has been given voluntarily in the circumstances. In this case, there is a clear inequality between students and the data controller. The consent can therefore not be considered voluntary and thus does not constitute a legal basis for the treatment of personal data.

On the issue of proportionality, the Court of Appeal explained that Article 5 GDPR only allows for personal data to be collected for specific, explicit and justified purposes. In addition, personal data processed must be adequate, relevant and not too extensive in relation to the purposes for which they are treated. The facial recognition technology was used in the student’s everyday environment, leading to a major infringement in student integrity. Attendance checks are possible in a less privacy-infringing manner. Therefore, attendance checks through facial recognition had been too extensive and disproportionate to the purpose.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

                                               Decision Diary No. 1 (20)
                                               2019-08-20 DI-2019-2221







                                               Skellefteå Municipality, Upper Secondary School Board






               Supervision according to the EU Data Protection Regulation


               2016/679 - face recognition for

               attendance control of students


               Content

               The Data Inspectorate's decision ………………………………………………………………… ..2
               Report on the supervisory matter …………………………………………………………. 2

               Grounds for the decision ………………………………………………………………………… ..4
                  Personal data responsibility ………………………………………………………………… 4

                  Experimental project ……………………………………………………………………………… .4
                  Legal basis for the processing of personal data (Article 6) 4 .4
                    Consent as a legal basis ……………………………………………………. 4

                    The treatment is necessary to perform a task of general
                    Interest …………………………………………………………………………………… ..6

                  Sensitive personal data (Article 9) …………………………………………… ... 7
                  Basic principles for the processing of personal data

                  (Article 5) ……………………………………………………………………………………… ..11
                  Impact assessment and prior consultation (Articles 35, 36) ………… 13
                  Permission according to the Camera Surveillance Act ……………………………………… ..15

                  Risk that the regulations will be violated if planned
                  treatment …………………………………………………………………………………… 16

               Choice of intervention ……………………………………………………………………………… ..16
                  Penalty fee ……………………………………………………………………………… 17

                    Determination of the amount of the penalty ………………………… .... 18
                  Warning ………………………………………………………………………………………… ..19

               How to appeal verk ..20










Postal address: Box 8114, 104 20 Stockholm E-mail: datainspektionen@datainspektionen.se
Website: www.datainspektionen.se Phone: 08-657 61 00Datainspektionen DI-2019-2221 2 (20)







                   The Data Inspectorate's decision

                   The Data Inspectorate states that the upper secondary school board in Skellefteå municipality

                   by using face recognition via camera for presence control of
                   students have processed personal data in violation of
                                                               1
                       Article 5 of the Data Protection Regulation by dealing with pupils
                           personal data on a brought personal integrity more intrusive

                           way and included more personal data than what is necessary for
                           the stated purpose (attendance check),

                       Article 9 by processing sensitive personal data

                           (biometric data) without having a valid treatment
                           exceptions to the prohibition on processing sensitive personal data and

                       Articles 35 and 36 by failing to comply with the requirements
                           impact assessment and not having submitted one

                           prior consultation with the Data Inspectorate.

                                                                                          2
                   The Data Inspectorate decides on the basis of ch. Section 2 of the Data Protection Act and
                   Articles 58 (2) and 83 of the Data Protection Ordinance that the Upper Secondary School Board in

                   Skellefteå municipality must pay an administrative sanction fee of 200,000
                   kronor.



                   The Data Inspectorate states that the Upper Secondary School Board in Skellefteå municipality
                   likely to infringe Articles 5 and 9 with the continued use of

                   face recognition for presence control.


                   The Data Inspectorate decides to give the Upper Secondary School Board in Skellefteå
                   municipality a warning under Article 58 (2) (a) of the Data Protection Regulation.




                   Report on the supervisory matter

                   Through data in the media, the Data Inspectorate has been made aware that
                   The upper secondary school board in Skellefteå municipality (hereinafter the upper secondary school board) in one

                   pilot project at Anderstorps gymnasium in Skellefteå has been used




                   1 REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016

                   on the protection of individuals with regard to the processing of personal data and on that
                   free movement of such data and repealing Directive 95/46 / EC (General
                   Data Protection Regulation).
                   2 The Act (2018: 218) with supplementary provisions to the EU Data Protection RegulationData Inspectorate DI-2019-2221 3 (20)






                  facial recognition to register students' attendance in a class during a few

                  weeks.


                  The purpose of the supervision has been to review the upper secondary school board's
                  processing of personal data through facial recognition for

                  presence control has been in accordance with the data protection rules.


                  The Data Inspectorate has reviewed personal data processing as
                  the upper secondary school board has implemented in the current project and also taken

                  position on any future treatments. The Data Inspectorate has within
                  in the context of this supervision has not made any assessment regarding safety or

                  the duty to provide information in connection with the treatments in question.

                  The review has revealed that the upper secondary school board during three weeks has

                  processed personal data through face recognition to check
                  the presence of 22 high school students and the high school board considered

                  in the future process personal data through the use of face recognition
                  for attendance control. The purpose has been to in a simpler and more efficient way

                  register attendance at high school lessons. To register attendance at
                  a traditional way tarenligtgymnasienämnden 10 minutes per lesson and

                  using face recognition technology for presence control it would
                  according to the board save 17,280 hours per year at the current school.


                  The Upper Secondary School Board has stated that the facial recognition has been implemented

                  in that the students have been filmed by a camera approaching a classroom.
                  Images from the camera surveillance have been compared with pre-registered ones

                  pictures of each participant's face. The information that has been registered is
                  biometric data in the form of face images and first and last names. The information

                  has been stored in a local computer without internet connection stored in one
                  lockers. Express approvals have been obtained from guardians and

                  it has been possible to waive the registration of personal data with
                  biometric data.


                  The supervisory case began with a supervisory letter on 19 February 2019. Answer to
                  The supervisory letter was received on 15 March 2019, supplementing the annexes

                  April 2, 2019. Later additions from the high school board came in on the 16th
                  August and 19 August 2019. Data Inspectorate DI-2019-2221 4 (20)







                  Justification of decision


                  Personal data responsibility
                  The Upper Secondary School Board has stated that the board is responsible for personal data

                  personal data processing that has taken place within the framework of the pre-project with
                  face recognition for attendance control at Anderstorps gymnasium in

                  Skellefteå municipality. The Data Inspectorate shares this view.


                  Experimental project
                  The current personal data processing has taken place within the framework provided

                  pilot project. The Data Inspectorate states that the Data Protection Ordinance
                  does not contain any exceptions for pilot or pilot activities.

                  The requirements of the regulation therefore need to be met in order to implement such
                  type operations.


                  Legal basis for the processing of personal data (Article 6)

                  Article 6 of the Data Protection Regulation states that processing is only lawful

                  if one of the conditions specified in the article is met.

                  Consent as a legal basis

                  The Upper Secondary School Board has in a statement that came in to the Data Inspectorate on
                  March 15, 2019 p. a. stated consent has been given to the treatment that has

                  occurred within the framework of attendance management.


                  The upper secondary school committee's statement states, among other things: a. the following.

                        “Ie. the students' guardians receive information about the project's purpose and
                        which personal data processing will take place and may give its

                        express and voluntary approval for the processing of personal data.
                        Students who do not want to participate do not need to participate, attendance is checked then

                        according to previous routines. Students also receive information that they reach as
                        preferably can withdraw their approval for the processing of personal data.

                        (p. 6). ”


                  Article 6 (1) of the Data Protection Regulation states

                  personal data processing is legal if the data subject has left
                  consent to the processing of his personal data in one or more specific ways

                  purpose.Datainspektionen DI-2019-2221 5 (20)








                   Consent of the data subject is defined in Article 4 (11) of the Data Protection Regulation
                   such as any kind of voluntary, specific, informed and unambiguous expression of will,

                   by which the data subject, either by a statement or by a
                   unequivocal affirmative action, accepts the processing of personal data concerning

                   him or her.


                   Recital 43 of the Data Protection Regulation further states the following.


                         “To ensure that consent is given voluntarily, it should not constitute

                         valid legal basis for the processing of personal data in a specific case
                         where there is significant inequality between the data subject and the data subject

                         personal data controller, especially if the personal data controller is one
                         public authority and it is therefore unlikely that the consent has

                         provided voluntarily in all circumstances such as this particular
                         situation includes. "


                   This means that the assessment of whether a consent has been given is not only voluntary

                   shall take place on the basis of the freedom of choice that prevails, but also the relationship that
                   exists between the data subject and the data controller.

                   The space provided for voluntary consent in the public sector is therefore
                   limited. Within the school area, it is clear that the student is in a position of dependence

                   to the school in terms of grades, study grants, education and thus the opportunity to
                   future work or further studies. In addition, often the question of children.


                   The Education Data Inquiry made the assessment that it is still possible to

                   secure personal data processing use consent also in
                   the relationship between a childminder and a preschool and a student

                   guardian or the student himself depending on age and a school. An example
                   on close consent could provide a suitable basis for

                   personal data processing is prior to photography the students in order to create
                   electronic school catalogs or photography to document

                   activities in preschool and school, not least for the purpose of being able to account for
                   the one for childminders. (SOU 2017: 49 EU Data Protection Regulation

                   and the field of education p. 137)

                   Attendance control is regulated by public law

                   school activities and the reporting of attendance are of significant importance to the Data Inspectorate DI-2019-2221 6 (20)






                   eleven. This treatment is therefore not comparable to it

                   personal data processing that can take place to administer school photography.
                   During attendance checks, the student is in such a position of dependence that it prevails

                   significant inequality. The Data Inspectorate therefore does not consider consent
                   may constitute a legal basis for the processing of personal data such as this

                   supervision includes.


                   The treatment is necessary to perform a task of general interest
                   The Upper Secondary School Board has also stated that the legal basis led

                   personal data processing that has taken place within the framework of the pre-project with
                   facial recognition is the Public Administration Act's requirement for efficient case management,

                   the Education Act's requirements for measures in the event of absence and the obligation for
                   high schools night report invalid absence to Central
                   the Student Aid Board (CSN).


                   According to Article 6 (1) (e) of the Data Protection Regulation, processing is lawful if it is

                   necessary to perform a task of general interest or as part of it
                   exercise of personal data controllers' authority.


                   Article 6 (2) of the Data Protection Regulation states, inter alia, that

                   States may maintain or introduce more specific provisions to adapt
                   the application of the provisions of the Data Protection Regulation in order to comply

                   points in the same article. According to Article 6 (3), the task shall be of general interest
                   in accordance with Article 6.1 evara determined in accordance with Union or national law

                   Right.


                   According to ch. Section 16, first paragraph of the Education Act (2010: 800) requires a pupil in
                   the upper secondary school participates in the activities that are arranged to provide the intended

                   the education, if the student does not have a valid reason for not attending.


                   If a student in upper secondary school is absent from that activity without a valid reason
                   arranged to carry out the intended education, the principal shall ensure that
                   student guardians are informed on the same day that the student has been

                   absent. If there are special reasons, student guardians do not need to
                   be informed on the same day (Chapter 15, Section 16, second paragraph of the Education Act).


                   The personal data processing that usually takes place to administer students'

                   attendance at school is necessary due to the task of the principals
                   according to ch. 15 Section 16 of the Education Act and thus constitutes a task of general interestData Inspectorate DI-2019-2221 7 (20)






                   pursuant to Article 6.1 (e) of the Data Protection Regulation. In some parts it can also

                   there is a legal obligation under Article 6 (1) (c) of the Data Protection Regulation.


                   According to the preparatory work for the Data Protection Act (Bill 2017/18: 105 New Data Protection Act p.
                   51) however, the requirements for supplementary national regulation are increasing

                   regarding precision and predictability when it comes to the question of a more tangible
                   infringement. It is also stated that the intrusion is significant and entails

                   monitoring or mapping of the individual's personal circumstances is required
                   in addition, special legal support according to ch. 6 and 20 §§ form of government.


                   The Data Inspectorate can state that there is a legal basis for this

                   administer students' attendance at school, but that there is no explicit
                   legal support to perform the task through the treatment of sensitive
                   personal data or in another more privacy-infringing way.



                   Sensitive personal data (Article 9)
                   The facial recognition that has been rancid in the present case has meant that

                   Attendance control has been rendered by biometric personal data about children
                   have been treated to uniquely identify these.


                   According to Article 9 (1) of the Data Protection Regulation, the processing of

                   biometric personal data to uniquely identify a natural person a
                   processing of specific categories of personal data (so-called sensitive)
                   personal data). The starting point is that it is forbidden to process such

                   tasks. In order to process sensitive personal data, this is required
                   exemption from Article 9 (2) of the Data Protection Regulation.


                   As stated above, the high school board has given its consent from

                   the guardians have been harmed in connection with the current treatments
                   supervision refers to.


                   According to Article 9 (2) (a) of the Data Protection Regulation, the processing of sensitive data

                   personal data permitted if the data subject has expressly provided
                   consent to the processing of this personal data provided or more

                   specific purposes, except in the case of Union law or the national law of the Member States
                   law provides that the prohibition in paragraph 1 may not be lifted by the data subject.


                   As previously reported, there is generally a significant inequality

                   relationship between the upper secondary school board and the students and attendance control isDatainspektionen DI-2019-2221 8 (20)







                   unilateral control measure where this inequality prevails. Consent can therefore not,
                   as previously stated, is considered to be provided voluntarily within the framework of

                   school activities. Consent is therefore not possible to apply as an exception
                   from the prohibition to process sensitive personal data in the case in question.


                   The Upper Secondary School Board also invokes the rules of the Administrative Procedure Act

                   efficient case management and the school law's rules on handling absence.


                   Article 9 (2) (g) of the Data Protection Regulation follows the prohibition on processing
                   sensitive personal data if the processing is necessary out of consideration

                   in the public interest, on the basis of Union law or
                   national law of the Member States, which shall be proportionate to it

                   pursued the purpose, be compatible with the essential content of the right to
                   data protection and contain provisions on appropriate and specific measures for

                   to ensure the data subject's fundamental rights and interests.


                   National supplementary provisions apply except except important
                   public interest has i.a. a. introduced in ch. § 3 of the Data Protection Act.3

                   According to ch. Section 3, first paragraph 2 of the Data Protection Act appears sensitive
                   personal data may be processed on the basis of Article 9 (2) (g) of the

                   Regulation if necessary in the interests of the public interest
                   and the processing is necessary for the handling of a case.


                   In the preparatory work (Bill 2017/18: 105 New Data Protection Act) it is stated, among other things. a. the following.



                          “The Government's view, however, is that in most cases the concept of case

                          is relatively clear (see Bill 2016/17: 180 pp. 23–25 and p. 286).
                          The term is used as a delimitation for the Public Administration Act

                          scope and should, in the Government's view, also be used




                   3
                    Individual school principals' processing of sensitive personal data has
                   regulated in Chapter 26 a. Section 4 of the Education Act (2010: 800), which corresponds to Chapter 3 § 3

                   the Data Protection Act. As this supervision refers to the municipal school and it is missing
                   sector-specific provisions regarding the treatment of sensitive

                   personal data in this type of school activity ch. 3 Section 3 of the Data Protection Act
                   applicable.Data Inspectorate DI-2019-2221 9 (20)






                         here. The provision should therefore be applicable in the handling of a

                         matter. (p. 87) ”


                   Furthermore, the following is stated in the preparatory work for the Public Administration Act

                   (Bill 2016/17: 180 A modern and legally secure administration - new administrative law).


                         The term processing includes all measures taken by an authority

                         takes from the time a case is initiated until it is closed. The expression
                         case is not defined in the law. Characteristic of what constitutes a

                         case, however, is that it is regularly concluded by a statement from
                         authority that is intended to have actual effects on a

                         recipient in the individual case. A case is closed by a decision of
                         some kind. In assessing the question of whether an authority

                         position is to be regarded as a decision in this sense it is
                         the purpose and content of the statement that determines the nature of the statement, not its

                         external form (p. 286). "


                   The Data Inspectorate states that the attendance check is in full swing
                   facial recognition does not constitute a case handling without question

                   about an actual action. The provision in ch. Section 3, first paragraph 2
                   The Data Protection Act is therefore not applicable to personal data processing

                   which the upper secondary school board has carried out in connection with face recognition
                   attendance control of students.


                   Of ch. 3 Section 3, first paragraph 1 of the Data Protection Act appears sensitive

                   personal data may be processed by an authority if the data has been provided
                   to the authority and the processing is required by law. Regarding this

                   provision appears, among other things. a. following the preparatory work (prop.2017 / 18: 105 New
                   data protection law).



                         “The provision clarifies that it is permissible for authorities to perform
                         such processing of sensitive personal data as is required in

                         the activities of the authorities as a direct consequence of, above all
                         the provisions of the Public Access and Secrecy Act and the Administrative Procedure Act

                         on how public documents are to be handled, for example through requirements for
                         record keeping and obligation to receive e-mail. Treatment of sensitive Data Inspectorate DI-2019-2221 1 0 (20)






                         personal data on the basis of this paragraph may only be made about the data

                         has been submitted to the authority. (p. 194) ”


                   The Data Inspectorate states that ch. Section 3, first paragraph 1 of the Data Protection Act

                   not relevant to the current processing of personal data.


                   According to ch. Section 3, first paragraph 3 of the Data Protection Act also applies to authorities in other respects
                   case process sensitive personal data if the processing is necessary with

                   consideration of an important public interest and does not imply undue infringement of
                   the data subject's privacy.


                   In the preparatory work (Bill 2017/18: 105 New Data Protection Act) it is stated, among other things. a. the following.



                         "The provision is not intended to be applied casually in it
                         ongoing operations. It is required that the data controller, in it

                         individual case, make an assessment of whether the treatment involves one
                         undue invasion of the data subject's privacy. If
                         the treatment would involve such an infringement, it must not take place in accordance with

                         this provision. To determine if the intrusion is improper must
                         the authority to make a proportionality assessment where the need to

                         carry out the processing is weighted against the data subjects' interest in
                         the treatment does not take place. The assessment of the data subjects' interest in

                         the treatment does not take place should be based on the interest of privacy protection that
                         the registrants typically have. The person responsible for personal data must

                         thus not making an assessment in relation to each individual concerned. At
                         the assessment of the intrusion on the individual's personal integrity shall be important

                         added to i.a. the sensitivity of the data, the nature of the processing, the
                         attitude the data subjects can be assumed to have to the treatment, the spread

                         the information may be obtained and the risk of further processing for others
                         purpose than the collection purpose. This means e.g. that the provision

                         can not be used as a basis for creating privacy-sensitive
                         compilations of sensitive personal data. (p. 194) ”.



                   Attendance management is a comprehensive and central task in the school system and
                   skerslentrian-wise in that running business. The Data Inspectorate

                   assesses therefore that ch. § 3 first paragraph 3 of the Data Protection Act can not
                   applied to the personal data processing that takes place for attendance management.
                   The provision can thus not be applied to the personal data processingData Inspectorate DI-2019-2221 1 1 (20)






                  which the upper secondary school board has carried out. In addition, the Data Inspectorate considers that they

                  the current personal data processing has entailed undue intrusion into
                  the privacy of the registered as the high school board through camera surveillance in

                  students' everyday environment has processed sensitive personal data concerning
                  children who are dependent on

                  the upper secondary school board the purpose of attendance management.


                  Against this background, the Data Inspectorate finds that the national
                  supplementary provisions concerning the exemption in 9.2 g i

                  the Data Protection Ordinance on important public interest which has been introduced in ch. 3
                  § first paragraph of the Data Protection Act does not apply to them

                  personal data processing covered by this supervision.

                  In addition, it appears from ch. Section 3, second paragraph, of the Data Protection Act

                  prohibited from performing applications that take place on the basis of ch. § 3 first paragraph in
                  purpose of obtaining a selection of personal data on sensitive personal data.

                  Since the purpose of facial recognition is to identify students, can
                  The Data Inspectorate states that the attendance check presupposes searches

                  based on sensitive personal data. The latter mentioned meant current
                  the treatments covered by this supervision have also been in breach of 3

                  Cape. Section 3, second paragraph, of the Data Protection Act.


                  In summary, the Data Inspectorate considers that the exemption in 9.2 g in
                  the Data Protection Regulation does not apply to the current processing of

                  personal data. Because what has emerged in the case is not either
                  provided for any of the other exceptions in Article 9 (2) (i)

                  the Data Protection Ordinance may become relevant, the Data Inspectorate considers that
                  The upper secondary school board has lacked the conditions to process biometrics

                  personal data to uniquely identify students for attendance management such as
                  has been. These personal data processing has thus taken place in violation of

                  Article 9 of the Data Protection Regulation.


                  Basic principles for the processing of personal data (Article 5)
                  It can be stated that the personal data controller according to Article 5 (2)

                  The Data Protection Regulation is responsible for compliance with the Regulation and shall
                  demonstrate compliance with the basic principles.


                  Article 5 of the Data Protection Regulation states, among other things: a. that the personal data shall

                  collected for special, explicitly stated and justified purposes and notDatainspektionen DI-2019-2221 1 2 (20)






                   later treated in a way that is compatible with these purposes

                   (purpose limitation). In addition, personal data must be processed
                   adequate, relevant and not comprehensive in relation to the purposes for which

                   which they are processed (data minimization). For recital 39, personal data followed
                   may be treated only if the purpose of the treatment cannot be achieved in one

                   satisfactorily with other methods.


                   On the question, the high school board has made the proportionality assessment
                   regarding the current personal data processing, the board has provided

                   the following answer in the sitting statement that was received on March 15, 2019.


                         “It is important to have a secure identification to know who the students are

                         present and meet the requirements contained in the Education Act for action then
                         students have high absenteeism. The method of face recognition is assessed

                         needed to know for sure that attendance is being recorded correctly.
                         Face recognition is also a clear increase in quality compared to
                         the previous manual handling which on inspection proved to have deficiencies

                         in such a way that it is not always correct. Of the various alternative methods
                         tested, facial recognition was judged to be the best method

                         meets the requirements both from the legislation and from the purpose of the project. "


                   The Data Inspectorate has previously established the personal data processing

                   which this supervision covers has involved the treatment of sensitive
                   personal data concerning children who are dependent on i

                   relation to the upper secondary school board and that these treatments have taken place
                   through camera surveillance in the students' everyday environment. The Data Inspectorate

                   assessed these treatments - even if it is a question of relatively few
                   students and a relatively limited period of time - has meant a lot

                   invasion of student integrity.


                   The Upper Secondary School Board has stated that the purpose of these treatments has been used
                   attendance control. Attendance checks can be done in other ways that are smaller

                   privacy violators. The Data Inspectorate considers this to be the case
                   the method, to use face recognition via camera for presence control, has

                   has been comprehensive and implemented in order to promote personal integrity
                   intervening manner and thereby been disproportionate to
                   the purpose. The Upper Secondary School Board's proceedings have thus been carried out in combat

                   with Article 5 of the Data Protection Ordinance.Data Inspectorate DI-2019-2221 1 3 (20)






                   Impact assessment and prior consultation (Articles 35, 36)

                   According to Article 35, a data controller shall make an assessment of a
                   planned processing consequences of the protection of personal data, in particular

                   whether a treatment is to be carried out with new technology and taking into account its nature,
                   scope, context and purpose are likely to lead to a high risk of

                   the rights and freedoms of natural persons.


                   On the question of whether the upper secondary school board has made an impact assessment according to
                   Article 35 the start of the current project has the high school board in its

                   response received on March 15, 2019 referred to a risk assessment performed.
                   The following is the assessment made.



                         “Face recognition is admittedly biometric data and according to
                         the Data Protection Regulation sensitive personal data which requires special

                         decision to be dealt with. However, the information is not classified either
                         if they are sensitive. The students' guardians also give their consent

                         the processing of personal data and there is legal support for
                         the treatment both in the Public Administration Act and in the Education Act. The handling

                         described by the provider for handling the sensitive data
                         such as that there is no mains connection of the equipment that handles
                         information that only authorized personnel have access to

                         personal data that only the target group is handled, that those who
                         registered gives his consent and that the data will be deleted after

                         the test period means that the handling is judged to be within the framework of
                         the Data Protection Regulation. Overall, no special is required

                         risk assessment to handle sensitive personal data without it
                         needed is that the upper secondary school board approves in its register list

                         the handling of biometric data and also the entry of a
                         reason to use the data. Head of Administration for

                         the upper secondary school office has a delegation to make decisions on approval of
                         handling of personal data and also sensitive personal data. (p. 4) ”.



                   In its response, the Board referred to the appendix “Skellefteå municipality -
                   The classroom of the future ”. The appendix (p. 5) states that an advantage of

                   facial recognition is that it is easy to mass register a large group
                   such as a class. The disadvantages are that it is technically advanced

                   solution that requires relatively many images of each individual and that the cameraData Inspectorate DI-2019-2221 1 4 (20)






                  must have a clear view of all students present and that any headgear / shawl

                  may cause identification to fail.


                  Article 35 (7) of the Data Protection Regulation states that at least the following shall:
                  included in an impact assessment. A systematic description of it

                  planned treatment and the purposes of the treatment, an assessment of the need
                  of and the proportionality of the treatment in relation to the purposes, a

                  assessment of the risks posed by data subjects' rights and freedoms referred to in
                  paragraph 1, and the measures planned to address the risks, including:

                  safeguards, security measures and procedures to ensure the protection of
                  personal data and to ensure compliance with this Regulation, taking into account

                  to the rights and entitlements of data subjects and other persons concerned
                  interests.


                  The Data Inspectorate states that the upper secondary school board has made one
                  risk assessment. In the risk assessment, it has been concluded that the legal aid

                  one refers to and the security the treatment is covered by made no one
                  special risk assessment needs to be made sensitive

                  personal data.


                  According to the Swedish Data Inspectorate's assessment, the current treatments are harsh
                  included a number of factors that suggest an impact assessment according to

                  Article 35 would have been completed before the start of the proceedings. The treatments have
                  happened with camera surveillance which is systematic surveillance and they have

                  included sensitive personal data about children in an environment where they are in
                  dependency. Face recognition is also a new technology. Requirements for one

                  impact assessment under Article 35 may therefore be based on those assessments
                  which preceded the current use.


                  The Data Inspectorate assesses the risk assessment of the upper secondary school board

                  reported to the defendant the assessment of the risks involved
                  registered rights and freedoms as well as an account of
                  the proportionality of the treatment in relation to its purposes why the requirements

                  in Article 35 cannot be considered fulfilled.


                  According to Article 36 of the Data Protection Regulation, a personal data controller shall:
                  consult with the regulatory authority on an impact assessment

                  data protection under Article 35 shows that the processing would lead to a high risk
                  if there is no personal data controller to take measures to reduce the risk. Data Inspectorate DI-2019-2221 1 5 (20)








                  Based on what has emerged in the case, the high school board did not
                  submitted a prior consultation to the Data Inspectorate. The inspection

                  assesses that there have been a number of factors that have made it high
                  risk differentiates rights and freedoms with the treatments. For example

                  These treatments include new technologies that relate to sensitive personal data
                  concerning children who are dependent on the upper secondary school board

                  and that these treatments have been rendered through camera surveillance in the students'
                  everyday environment. Because the risk assessment the upper secondary school board has submitted

                  In the absence of an assessment of current risks, the rights of data subjects were recorded
                  freedoms with the treatments, the high school board could not show either

                  that the high risk under Article 36 has been reduced. The Data Inspectorate states
                  because the current treatments should have caused one
                  prior consultation with the Data Inspectorate in accordance with Article 36 before processing

                  initiated. The treatments were also carried out in breach of Article 36.


                  Permit according to the Camera Surveillance Act

                  The Camera Surveillance Act contains national regulations concerning cameras
                  monitoring which according to § 1 supplementary data protection ordinance. Of § 2

                  The Camera Surveillance Act states that the purpose of the law is to meet the need
                  of camera surveillance for legitimate purposes and to protect natural persons

                  counter-intrusion into the privacy of such security.

                  The definition of camera surveillance in section 3 of the Camera Surveillance Act entails

                  among other things, the question of equipment being used on such
                  ways that involve permanent or regular repeated personal surveillance.


                  According to section 7 of the Camera Surveillance Act, a permit is required for camera surveillance of a

                  place to which the public has access, if the surveillance is to be conducted by one
                  authority.


                  The Data Inspectorate states that this has been a question of a persistent and regular issue

                  repeated personal surveillance used by the local high school board
                  camera surveillance with technology for face recognition in connection with its

                  attendance control projects during the three-week period.


                  The Upper Secondary School Board is an authority and must therefore have a starting point
                  permission to camera-monitor a place to which the public has access. The question is

                  then if the public is considered to have access to the place that the upper secondary school boardData Inspectorate DI-2019-2221 1 6 (20)






                  camera surveillance through the use of face recognition technology in

                  in connection with attendance registration of students. In practice, the concept emerged
                  "Place to the public access" shall be interpreted white (see Supreme

                  the decision of the Administrative Court RÅ 2000 ref. 52).


                  In general, a school product is placed in a place to which the public does not have access,
                  however, there are certain areas of school where the public is considered to have

                  access. Examples of such areas are the main entrances and corridors
                  leads to the principal's office. The investigation revealed the students

                  were registered using face recognition each time they entered one
                  classroom. A classroom is not to be considered a place for the general public

                  access.

                  Against the background of what has emerged about whether the place for surveillance assesses

                  The Data Inspectorate that it is not a question of a place for the general public
                  access. There is thus no requirement to apply for a permit. To

                  The camera surveillance is unlicensed, however, does not necessarily mean that it
                  permitted surveillance. If camera surveillance includes

                  personal data processing, the data protection rules must be followed, e.g. the obligation to
                  clearly inform about the camera surveillance.


                  Risk that the regulations will be violated during planned further treatment

                  Based on what has emerged in the case, the high school board has considered
                  to re-process personal data through face recognition in the future

                  for attendance control avelever. The Data Inspectorate has found that
                  the upper secondary school board's proceedings have been in breach of Articles 5 and 9

                  the Data Protection Regulation. The Data Inspectorate finds that
                  the upper secondary school board risks violating the said regulations even at

                  planned treatments.



                  Choice of intervention

                  Article 58 of the Data Protection Regulation lists all the powers

                  The Data Inspectorate has. According to Article 58 (2), the Data Inspectorate has a number
                  corrective powers, e.g. a. warnings, reprimands or restrictions

                  of treatment.Datainspektionen DI-2019-2221 1 7 (20)






                   Pursuant to Article 58 (2) (i) of the Data Protection Regulation

                   the supervisory authority shall impose administrative penalty fees in accordance with
                   with Article 83. According to Article 83 (2), administrative penalty fees,

                   depending on the circumstances of the individual case, is imposed in addition to or in
                   instead, the measures referred to in Article 58 (2) (a) to (h) and (j)

                   Article 83 (2) (n) which factors shall be taken into account in administrative decisions
                   penalty fees in general shall be imposed and in determining

                   the size of the fee.


                   Instead, sanction fees may in certain cases according to recital 148 to
                   data protection regulation a reprimand is instead issued penalty fees

                   if it is a question of a minor infringement. However, consideration must be given
                   circumstances such as the nature, severity and
                   duration.


                   For authorities may, in accordance with Article 83 (7), national supplementary

                   provisions are introduced regarding administrative penalty fees. Of ch. 6 § 2
                   The Data Protection Act states that the supervisory authority may charge a penalty fee

                   by an authority in respect of infringements referred to in Article 83 (4), 83 (5) and 83 (6) of
                   the Data Protection Regulation. In that case, Article 83 (1), (2) and (3) of the Regulation shall apply

                   apply.


                   Penalty fee
                   The Data Inspectorate has assessed the upper secondary school board in the cases in question

                   the processing of personal data has infringed Article 5, Article 9, Article 35
                   and Article 36 of the Data Protection Regulation. These articles are covered by article

                   83.4 and 83.5 and in the event of a violation of these, the supervisory authority shall
                   consider imposing an administrative penalty fee in addition to, or instead of,

                   other corrective measures.


                   In the light of eight personal data processing such supervision
                   has involved the processing of sensitive personal data concerning children

                   who is in a dependent relationship with the upper secondary school board and that
                   these treatments are rancid through camera surveillance in students' everyday lives

                   environment, is not the issue of a minor infringement. There is thus no reason
                   to replace the penalty fee with a reprimand.Datainspektionen DI-2019-2221 1 8 (20)






                   No other corrective action is relevant for that treatment either

                   as happened. The Upper Secondary School Board shall thus be charged with administrative
                   penalty fees.


                   Determination of the amount of the sanction

                   Pursuant to Article 83 (1) of the Data Protection Regulation, any regulatory authority
                   ensure that the imposition of administrative penalty fees in each individual

                   case effective, proportionate and dissuasive.


                   The administrative penalty fee may not exceed Article 83 (3)
                   the amount for the most serious infringement if it is a question of an other

                   data processing or interconnected data processing.

                   For authorities applicable according to ch. 6 § 2 second paragraph of the Data Protection Act that

                   the penalty fees shall be set at a maximum of SEK 5,000,000
                   infringements referred to in Article 83 (4) of the Data Protection Regulation and up to

                   SEK 10,000,000 in the case of infringements referred to in Article 83 (5) and (6).
                   Violations of Articles 5 and 9 are covered by the higher penalty fee

                   under Article 83 (5), while infringements of Articles 35 and 36 are covered by it
                   lower the maximum amount according to Article 83.4. In this case, the question is the same

                   data processing why the amount may not exceed SEK 10 million.


                   Article 83. 2 of the Data Protection Regulation sets out all the factors that should
                   taken into account when determining the size of the penalty fee. In the assessment of

                   the size of the penalty fee shall include a. Article 83 (2) (a) is taken into account
                   (nature, severity and duration of the infringement), b (intent or

                   negligence), g (categories of personal data), h (how the violation came about
                   The Data Inspectorate's knowledge) and k (other aggravating or mitigating

                   factor for example direct or indirect financial gain)
                   the Data Protection Regulation.


                   In the Data Inspectorate's assessment of the penalty fee, account has been taken of the fact that
                   there have been infringements concerning several articles of the Data Protection Regulation,

                   infringement of Articles 5 and 9 has been deemed more serious and
                   covered by the higher penalty fee. Furthermore, it has been taken into account that

                   the violation has sensitive personal data, concerning children who have been harmed
                   in a position of dependence in relation to the upper secondary school board. The treatments have

                   has taken place in order to streamline operations, the treatment has thus taken place
                   intentionally. These circumstances are aggravating. Data Inspectorate DI-2019-2221 1 9 (20)








                  Account has also been taken of the fact that the treatment has taken place
                  The Data Inspectorate's knowledge via information in the media.


                  As mitigating circumstances, it is taken into account that the treatment has been ongoing during

                  a limited period of three weeks and only included 22 students.


                  The Data Inspectorate decides on the basis of an overall assessment that
                  The upper secondary school board in Skellefteå municipality must pay the administrative fee

                  penalty fee of SEK 200,000.


                  Warning
                  According to Article 58 (2) (a), the Data Inspectorate has the authority to issue warnings to

                  a personal data controller or personal data assistant that planned
                  treatment is likely to violate the provisions of this

                  Regulation.


                  The upper secondary school board in Skellefteå municipality has arranged for them to continue
                  use face recognition for attendance control avelever. These

                  treatments will in a corresponding manner violate the provisions of
                  the Data Protection Regulation. Due to the risk of future infringements in

                  in connection with the planned treatments, a warning is now given in accordance with
                  Article 58 (2) (a) of the Data Protection Regulation.





                  This decision was made by Director General Lena Lindgren Schelin after
                  presentation by lawyers Ranja Bunni and Jenny Bård. At the final

                  the proceedings are the chief lawyer Hans-Olof Lindblom and the unit managers
                  Katarina Tullstedt and Charlotte Waller Dahlberg and the lawyer Jeanette Bladh

                  Gustafson participated.


                  Lena Lindgren Schelin, 2019-08-20 (This is an electronic signature)


                  Appendices
                  Appendix 1 - How to pay penalty fee


                  Copy for knowledge of:
                  Data protection representative for the upper secondary school board in Skellefteå KommunDatainspektionen DI-2019-2221 2 0 (20)







                  How to appeal

                  If you want to appeal the decision, you must write to the Data Inspectorate. Enter i
                  the letter which decision you are appealing and the change you are requesting.

                  The appeal must have been received by the Data Inspectorate no later than three weeks from
                  on the day the decision was announced. If the appeal has been received in due time

                  The Data Inspectorate further sends this to the Administrative Court in Stockholm
                  examination.


                  You can e-mail the appeal to the Data Inspectorate if it does not contain
                  any privacy-sensitive personal data or data that may be covered by

                  secrecy. The authority's contact details appear on the first page of the decision.