Persónuvernd (Iceland) - 2020112830: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Iceland |DPA-BG-Color= |DPAlogo=LogoIS.png |DPA_Abbrevation=Persónuvernd (Iceland) |DPA_With_Country=Persónuvernd (Iceland) |Case_Number_Nam...")
 
No edit summary
 
(2 intermediate revisions by the same user not shown)
Line 55: Line 55:
}}
}}


The Icelandic DPA reprimanded a university for not providing students adequate information regarding the processing of their personal data when remotely monitoring exams taken at home on Zoom calls due to COVID19, in violation of [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]] and [[Article 32 GDPR|Article 32 GDPR]].
The Icelandic DPA reprimanded a university for not providing students adequate information regarding the processing of their personal data when remotely monitoring exams taken at home via Zoom due to the COVID19 pandemic, in violation of [[Article 5 GDPR#1f|Articles 5(1)(f)]] and [[Article 32 GDPR|32 GDPR]].


== English Summary ==
== English Summary ==
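Review bot: The revised summary sentence still names Articles 5(1)(f) and 32 GDPR as the provisions violated, which does not match the Holding further down this same diff. There the DPA found the security measures appropriate under Article 32 and held the processing unlawful under Article 5(1)(a) because the information required by Article 13 was not provided. Suggest citing Article 5(1)(a) and Article 13 GDPR in this sentence so the lead agrees with the holding it summarises.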
Line 61: Line 61:
=== Facts ===
=== Facts ===
A student filed a complaint with the Icelandic DPA (Persónuvernd) against Reykjavík University regarding the online monitoring of an examination which was taken at home on Zoom due to the COVID19 pandemic. The student claimed that it had been forced to consent to the online monitoring, and that their objection to the monitoring had not been taken into account, that they had not received sufficient information regarding the processing and security of their personal data in this context (including if other students could record the session), and that it was possible that personal data related to their spouse’s remote health care consultation could have been filtered into the audio recordings.
A student filed a complaint with the Icelandic DPA (Persónuvernd) against Reykjavík University regarding the online monitoring of an examination which was taken at home on Zoom due to the COVID19 pandemic. The student claimed that it had been forced to consent to the online monitoring, and that their objection to the monitoring had not been taken into account, that they had not received sufficient information regarding the processing and security of their personal data in this context (including if other students could record the session), and that it was possible that personal data related to their spouse’s remote health care consultation could have been filtered into the audio recordings.
The University, in their defense, stated that they had a legitimate interest to monitor the examination in order to ensure its integrity, and that the student had been given the option to take the exam in person, but that this option was declined. The University also clarified that the option for attendees to record the session was disables, and that audio-recordings only took place during the beginning of the session during the attendance roll call, and that afterwards during the actual exam, only video recordings were made, and students were told to turn off their microphones.
 
The university, in their defense, stated that they had a legitimate interest to monitor the examination in order to ensure its integrity, and that the student had been given the option to take the exam in person, but that this option was declined. The University also clarified that the option for attendees to record the session was disables, and that audio-recordings only took place during the beginning of the session during the attendance roll call, and that afterwards during the actual exam, only video recordings were made, and students were told to turn off their microphones.


=== Holding ===
=== Holding ===
The Icelandic DPA dismissed the student’s claim regarding the alleged forced consent to the online monitoring of the exam and the disregard for their objection, confirming that the student had indeed been given the option of taking the examination in person at the campus. Furthermore, it explained that in any case, consent could not be a valid legal basis for this processing, since it could not be freely given in this context due to the nature of the relationship between the University and the student. However, it confirmed the University’s position with regard to its legitimate interest in monitoring the examination, and hence held that the processing was lawful under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]].
The Icelandic DPA dismissed the student’s claim regarding the alleged forced consent to the online monitoring of the exam and the disregard for their objection, confirming that the student had indeed been given the option of taking the examination in person at the campus. Furthermore, it explained that in any case, consent could not be a valid legal basis for this processing, since it could not be freely given in this context due to the nature of the relationship between the University and the student. However, it confirmed the university’s position with regard to its legitimate interest in monitoring the examination, and hence held that the processing was lawful under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]].
 
Regarding the student’s claim related to the potential exposure of their spouse’s medical data within the recordings, the DPA held that the complaint did not include a power of attorney from the student's spouse, and therefore only claims related to the student’s own personal data would be considered. Additionally, the DPA noted that in any case, due to the fact that audio recordings only took place during the roll call at the beginning of the Zoom session, and not throughout the examination itself, it was unlikely that their spouse’s medical data were captured in the recordings.  
Regarding the student’s claim related to the potential exposure of their spouse’s medical data within the recordings, the DPA held that the complaint did not include a power of attorney from the student's spouse, and therefore only claims related to the student’s own personal data would be considered. Additionally, the DPA noted that in any case, due to the fact that audio recordings only took place during the roll call at the beginning of the Zoom session, and not throughout the examination itself, it was unlikely that their spouse’s medical data were captured in the recordings.  
As to the security of the personal data, the DPA held that the University had implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk in the processing under [[Article 32 GDPR|Article 32 GDPR]]. The DPA took into account, inter alia, that a GDPR compliant processing agreement existed for the hosting of Zoom calls, which included restricted access to system administrators with strong passwords, that meeting data streams were encrypted, that the option for other attendees to record sessions was disabled, that recordings were deleted after 30 days, and that access to these recordings were only available to the heads of departments on the grounds of a reasonable suspicion that cheating occurred in an examination.
 
However, the DPA found that the University had not fulfilled its responsibility to properly inform the students subjected to the online monitoring as to the legal basis, purposes, security measures and their data protection rights related to this processing. Therefore, the DPA held that this processing was unlawful under [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] since it was not carried out in a transparent form, without providing the students the information required under [[Article 13 GDPR|Article 13 GDPR]]. Therefore, it issued a reprimand against the University on this point, and ordered them to adequately comply with this obligation in the future.
As to the security of the personal data, the DPA held that the university had implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk in the processing under [[Article 32 GDPR]]. The DPA took into account, inter alia, that a GDPR compliant processing agreement existed for the hosting of Zoom calls (which included restricted access to system administrators with strong passwords), that meeting data streams were encrypted, that the option for other attendees to record sessions was disabled, that recordings were deleted after 30 days, and that access to these recordings were only available to the heads of departments on the grounds of a reasonable suspicion that cheating occurred in an examination.
 
However, the DPA found that the university had not fulfilled its responsibility to properly inform the students subjected to the online monitoring as to the legal basis, purposes, security measures, and the student's data protection rights related to this processing. Therefore, the DPA held that this processing was unlawful under [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] since it was not carried out in a transparent form, without providing the students the information required under [[Article 13 GDPR]]. Therefore, it issued a reprimand against the university on this point, and ordered them to adequately comply with this obligation in the future.


== Comment ==
== Comment ==
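Review bot: The revised university-defence paragraph in Facts keeps the typo "was disables" ("the option for attendees to record the session was disables"); it should read "was disabled". In the same hunk the Article 32 paragraph keeps "access to these recordings were only available", where the subject "access" needs "was", and Facts still refers to the student as "it" ("claimed that it had been forced") while using "their" elsewhere. The change from "University" to "university" is also applied only partly: "The University also clarified" and "between the University and the student" remain capitalised.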

Latest revision as of 17:26, 6 April 2022

Persónuvernd (Iceland) - 2020112830
Authority: Persónuvernd (Iceland)
Jurisdiction: Iceland
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(f) GDPR
Article 13 GDPR
Article 32 GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 12.11.2020
Decided: 08.03.2022
Published: 16.03.2022
Fine: None
Parties: Reykjavík University
National Case Number/Name: 2020112830
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Icelandic
Original Source: Persónuvernd (in IS)
Initial Contributor: Cesar Manso-Sayao

The Icelandic DPA reprimanded a university for not providing students adequate information regarding the processing of their personal data when remotely monitoring exams taken at home via Zoom due to the COVID19 pandemic, in violation of Articles 5(1)(f) and 32 GDPR.

English Summary

Facts

A student filed a complaint with the Icelandic DPA (Persónuvernd) against Reykjavík University regarding the online monitoring of an examination which was taken at home on Zoom due to the COVID19 pandemic. The student claimed that they had been forced to consent to the online monitoring, that their objection to the monitoring had not been taken into account, that they had not received sufficient information regarding the processing and security of their personal data in this context (including whether other students could record the session), and that it was possible that personal data related to their spouse’s remote health care consultation could have been filtered into the audio recordings.

The university, in its defense, stated that it had a legitimate interest in monitoring the examination in order to ensure its integrity, and that the student had been given the option to take the exam in person, but that this option was declined. The university also clarified that the option for attendees to record the session was disabled, and that audio recordings only took place at the beginning of the session, during the attendance roll call; afterwards, during the actual exam, only video recordings were made, and students were told to turn off their microphones.

Holding

The Icelandic DPA dismissed the student’s claim regarding the alleged forced consent to the online monitoring of the exam and the disregard for their objection, confirming that the student had indeed been given the option of taking the examination in person at the campus. Furthermore, it explained that in any case, consent could not be a valid legal basis for this processing, since it could not be freely given in this context due to the nature of the relationship between the university and the student. However, it confirmed the university’s position with regard to its legitimate interest in monitoring the examination, and hence held that the processing was lawful under Article 6(1)(f) GDPR.

Regarding the student’s claim related to the potential exposure of their spouse’s medical data within the recordings, the DPA held that the complaint did not include a power of attorney from the student's spouse, and therefore only claims related to the student’s own personal data would be considered. Additionally, the DPA noted that in any case, due to the fact that audio recordings only took place during the roll call at the beginning of the Zoom session, and not throughout the examination itself, it was unlikely that their spouse’s medical data were captured in the recordings.

As to the security of the personal data, the DPA held that the university had implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk in the processing under Article 32 GDPR. The DPA took into account, inter alia, that a GDPR-compliant processing agreement existed for the hosting of Zoom calls (which included restricted access to system administrators with strong passwords), that meeting data streams were encrypted, that the option for other attendees to record sessions was disabled, that recordings were deleted after 30 days, and that access to these recordings was only available to the heads of departments on the grounds of a reasonable suspicion that cheating occurred in an examination.

However, the DPA found that the university had not fulfilled its responsibility to properly inform the students subjected to the online monitoring as to the legal basis, purposes, security measures, and the student's data protection rights related to this processing. The DPA therefore held that this processing was unlawful under Article 5(1)(a) GDPR, since it was not carried out in a transparent manner: the students were not provided the information required under Article 13 GDPR. It issued a reprimand against the university on this point, and ordered it to adequately comply with this obligation in the future.


English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Solutions

Electronic transcripts of Reykjavík University exams are not in accordance with the law

Case no. 2020112830

3/16/2022

The Data Protection Authority ruled in a case where a complaint was made about the electronic passing of an examination at the complainant's home.

First, it was complained that the complainant's spouse's sensitive personal information might have found its way into the university's recordings. This part of the complaint was dismissed as it did not follow the authority of the complainant's spouse. In addition, audio recordings were made only at the census at the beginning of the exam period.

Secondly, it was complained that prior to the processing, the university had received forced student approval, a lack of security of personal information and insufficient instruction due to the monitoring.

Thirdly, it was complained that the complainant's objections to the processing had not been taken into account.

The Data Protection Authority came to the conclusion that there was an adequate processing permit for the processing, which was based on the school's legitimate interests prior to the monitoring. Also that Reykjavík University had taken adequate measures due to the complainant's objections when he invited the complainant to take the examination in question in the university's study.

The Data Protection Authority also considered that the school had taken adequate measures to ensure the security of the personal information collected during the recording.

On the other hand, the Data Protection Authority came to the conclusion that Reykjavík University had not fulfilled its responsibility to inform and educate students who were subject to the monitoring in a satisfactory manner about their rights due to it. Therefore, the processing was not in accordance with the law and the school was required to provide its students with adequate instruction on the processing of personal information that may take place in connection with electronic transfer in exams.

Ruling

On March 8, 2022, the Data Protection Authority issued a ruling in case no. 2020112830:

I. Procedure
1. Outline of case

On 12 November 2020, the Data Protection Authority received a complaint from [A] (hereinafter the complainant) about the audio and video recording of Reykjavík University (RU) during the examination period at his home.

More specifically, the complaint was that RU had carried out electronic monitoring with the complainant during the examination period at his home with the teleconferencing equipment Zoom, thereby making it possible for other examiners to have a parallel recording of his personal information and possibly his wife's sensitive personal information.

There were also complaints about forced consent for the processing, lack of security of the personal information processed and insufficient training due to the monitoring. It was also complained that the complainant's objections to the processing had not been taken into account.

The complaint was accompanied by a document entitled "Instructions for students in electronic translation".

By letter dated 16 June 2021, RU was notified of the complaint and given an opportunity to comment on it. Response letter, dated 15 July this year, the Data Protection Authority received a copy of the complainant's processing file and e-mail communication with RU employees, among other privacy representatives of the university. By letter dated 19 August 2021, the complainant was given an opportunity to comment on RU's explanations. On October 7, the complainant's objections were received. At 13 p.m. received the complainant's e-mail together with a screenshot of RU's announcement regarding the upcoming exams. On January 24, 2022, the Data Protection Authority requested further explanations from RU regarding six specified issues. RU's reply was received on 8 February, together with an assessment of the impact on privacy (MÁP) due to the monitoring and a document with the content of the notification to students, dated November 5, 2020. On February 9, 2022, the Data Protection Authority requested certain information about education regarding the monitoring in a telephone conversation with RU and the duration of the exam that the complaint concerned, and the school's response was received the same day.

All the above documents have been taken into account in resolving the case, although not all of them are specifically mentioned in the following ruling.

The handling of the case has been delayed due to delays in replies from the complainant and a great deal of work by the Data Protection Authority.

2. The complainant's views

The complainant bases his complaint on the fact that he was forced to accept a video and audio recording of his home during the examination period and had no other choice. The recordings were made in such a way that a number of students were together at a Zoom meeting and it was not possible to ensure that the students did not have parallel recordings in progress. The complainant's spouse had had to seek remote health care at the same time and the complainant had been concerned that her sensitive personal information might be found on RU or fellow students' recordings. Late in the day, the complainant was invited to take the test in the school's study, but due to his spouse's risk factor for Covid-19 and limited information on the arrangements for infection control there, he was unable to accept the facility.

The complainant also relies on the fact that instruction due to RU's electronic translation was unsatisfactory, among other things about processing authorizations on which the school was based and the security of personal information. His objections to the processing had not been taken into account. Finally, the complainant refers to the need to carry out an assessment of the impact on the processing of personal data due to the monitoring before the processing began.

3. RU's views

RU is based on the fact that due to the Covid-19 epidemic and the government's rapid changes to infection control limits, the school's management, in consultation with the heads of the school's education and information technology department and the school's privacy officer, made the decision to use teleconferencing equipment. 2020. After evaluating the possible solutions, RU came to the conclusion to use the program Zoom, which was considered to best meet the school's requirements, but at the same time the students' experience of using that program had weight in the choice.

It was stated in RU's explanations that at the beginning of each examination a census had been taken. While this was taking place, it was requested that the students had turned on the microphone and that a sound recording was made. Other than that, it was only a video recording during exam time. The settings of the program were such that only the host could record the equipment.

Instruction on the arrangements for the electronic passing of examinations was twofold, on the one hand it was done by e-mail sent to students, but on the other hand it was the responsibility of each teacher to explain the arrangement to his students. Students have thus been given clear instructions on how to conduct exams and use the solution, including clear instructions to point the camera at themselves for the purpose of being able to monitor the student during exams. Therefore, RU considered it impossible for other household members or household circumstances to be seen in a photo or sensitive personal information to be included in the recordings. In addition, an e-mail was sent to students on 5 November 2020 where those who did not have the facilities to take exams at home were offered facilities at the school for exams. The complainant had been offered such a remedy but did not accept it.

The purpose of the process was to prevent exam fraud and ensure the quality of studies at RU. There was not enough time to renegotiate all final exams with a view to having them in the form of home exams. RU bases the processing of personal information due to electronic transfer on the legitimate interests of the university, cf. 6. tölul. Article 9 Act no. 90/2018, Coll. also point f of the first paragraph. Article 6 Regulation (EU) 2016/679. The school had a greater interest in ensuring the quality of studies and reliable results of final examinations than the students in that the processing did not take place due to possible inconveniences due to it. Only the necessary personal information has been processed to achieve the purpose. It was not planned to work with sensitive personal information and instructions to students on short audio recording and camera setting should have ensured this.

RU's explanations also state that the security of the personal information has been ensured. It was RU's conclusion following an assessment of the impact on privacy that the use of the solution was in accordance with laws and rules on privacy.

It is stated that RU has used local access to Zoom (e. On-premise) which is operated and hosted by the University of Iceland (UI) in connection with the operation of the Research and University Network in Iceland (RHnet). HÍ / RHnet has again entered into an agreement with NorduNet, a research network for Nordic universities, which has entered into a Master Subscription Agreement with Zoom. The recordings were hosted at UI and only IP numbers and metadata regarding the meeting were hosted in Zoom's cloud solution in Europe on the basis of an agreement between NorduNet and Zoom. A processing agreement has been concluded with the University of Iceland in accordance with the requirements of the Data Protection Act. Internet traffic was SSL-protected and meeting data streams were encrypted. Access restrictions were such that the individual in charge of electronic superstructure and RU's system administrators with administrative access only had access to the Zoom system on behalf of RU and strong passwords were used. Recordings were deleted 30 days after the exam date and no copies were preserved. If the material had only been examined, there would be a reasonable suspicion of cheating in an examination and then the head of department would have one access to the recording.

II. Assumptions and conclusion
1. Delimitation of a case

As stated above, there is a complaint about, among other things, the processing of sensitive personal information of the complainant's spouse, who the complainant believes may have found his way into an audio and / or video recording in the electronic translation of an examination in his home.

As the power of attorney of the complainant's spouse was not submitted with the complaint, it will be considered that the complainant is complaining on his own behalf and the above-mentioned part of the complaint is therefore dismissed. It should also be noted that in the case it is clear that the audio recording was only at the beginning of the examination period during the census and not after it. It is therefore not clear that the personal information of the complainant's spouse was processed in the manner referred to in the complaint.

2. Scope - Responsible

Scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or completely automatic and the processing by other methods than automatic of personal data that are or are to become part of a file.

Electronic monitoring is defined in point 9. Article 3 Act no. 90/2018 as monitoring that is continuous or repeated regularly and involves supervision of individuals with remote-controlled or automatic equipment and takes place in public or in an area that is normally visited by a limited group of people. The term includes monitoring that leads to, should or may lead to the processing of personal data and television monitoring that takes place using television cameras, webcams or other similar equipment, without the collection of images or other actions equivalent to the processing of personal data.

The electronic transcript of the examination in question took place in such a way that each student was supervised throughout the examination period. In view of the above, it is the opinion of the Data Protection Authority that this was an ongoing monitoring that falls under the aforementioned definition of electronic monitoring according to Act no. 90/2018 on personal protection and processing of personal information.

This case concerns audio and video recording during the electronic translation of an examination for two hours and thirty minutes. In this respect and in the light of the above provisions, this case concerns the processing of personal data which falls within the competence of the Data Protection Authority.

The person responsible for the processing of personal information complies with Act no. 90/2018 is named the responsible party. As such, Reykjavík University is considered to be responsible for the processing in question.

2. Legality of processing
2.1. Legal environment

In order for electronic monitoring to be permitted, the conditions of Article 14 must be met. Act no. 90/2018. In the first paragraph. of the provision stipulates that electronic monitoring is always subject to the condition that it is carried out for objective purposes. As has been stated, this is electronic monitoring that leads to the processing of personal information. In order for the processing of such information to be permitted, one of the conditions provided for in Article 9 must be met. Act no. 90/2018 and Article 6. of Regulation (EU) 2016/679, also to be complied with. Such authorization may, for example, be the consent of the person subject to the monitoring, cf. 1. tölul. Article 9 of the Act, but as is the case here, such consent is not possible due to the situation between the guarantor and the complainant, as it could not be considered unforced, cf. definition of the term consent in point 8. Article 3 of the Act. In the light of the facts of the case, it is therefore best to consider whether the processing can be based on point 6. Article 9 Act no. 90/2018, Coll. also point f of the first paragraph. Article 6 Regulation (EU) 2016/679 that the processing is necessary due to legitimate interests that the responsible party or a third party safeguards unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data outweigh.

In general, electronic monitoring must ensure that it is clearly notified, such as by a signal or in another prominent manner, and that the person responsible for it is informed, cf. Paragraph 4 Article 14 Act no. 90/2018.

In addition to the above conditions, the processing of personal data must comply with all the principles of the first paragraph. Article 8 Act no. 90/2018, Coll. Paragraph 1 Article 5 Regulation (EU) 2016/679. Among other things, it stipulates that personal data shall be processed in a lawful, fair and transparent manner towards the data subject (point 1 of the legal provision and point a of the regulatory provision); that they shall be obtained for clearly stated, legitimate and objective purposes and not further processed for other and incompatible purposes (point 2 of the legal provision and point b of the regulatory provision); that they shall be sufficient, relevant and not in excess of what is necessary for the purpose of the processing (point 3 of the legal provision and point c of the regulation provision) and that they shall be processed in such a way as to ensure the appropriate security of personal data (point 6 of the legal provision and point f of the regulatory provision).

2.2. Processing authorizations

As stated above, electronic monitoring must meet the conditions of Article 14. Act no. 90/2018 so that it is considered permissible, among other things that it is carried out for objective purposes. According to RU's explanations, the purpose of the electronic transfer was to prevent exam fraud and to ensure the security and reliability of the results of exam solutions and thus the quality of study at RU. The Data Protection Authority considers that RU's purpose is considered relevant and fulfills the conditions of the first paragraph. the above provision. It is the opinion of the Data Protection Authority that in light of the above-mentioned interests of RU, the processing could have relied on a processing authorization in point 6. Article 9 of the Act and item f of the first paragraph. Article 6 of Regulation (EU) 2016/679, which authorizes processing with reference to legitimate interests, as previously stated.

RU's explanations state that due to the rapid changes in the government's disease control measures, there was no time to change the school's local exams to home exams without a seat. It can be accepted that, as in this case, the electronic translation of exams in students' homes has been necessary in the interests of RU to prevent exam fraud and ensure the reliability of exams and thus the quality of studies in the changed circumstances. Furthermore, it will not be seen that the interests or fundamental rights and freedoms of students who demand the protection of personal data outweighed the interests of the processing. RU's explanations also state that those who did not have facilities at home were offered to take the exams in the school's study. The complainant was offered such a remedy but chose not to accept it.

In light of the above, it is the opinion of the Data Protection Authority that the processing has complied with the first paragraph of Article 14 and that it could have relied on point 6 of Article 9 of Act no. 90/2018, cf. paragraph 1 (f) of Article 6 of Regulation (EU) 2016/679.

2.3.
Data security

According to point 6 of Paragraph 1 of Article 8 of Act no. 90/2018 and item f of the first paragraph of Article 5 of Regulation (EU) 2016/679, personal data shall be processed in such a way as to ensure their security. The assessment of adequate security shall take into account the risk that the processing entails, in particular with regard to unintentional or illegal processing of personal data, or that it is lost, altered, published or accessed without permission, cf. Paragraph 2 of Article 32 of the Regulation.

The security of personal information is discussed in more detail in Section 2 of Chapter IV of the Regulation. According to the first paragraph of Article 32 of the Regulation, cf. Paragraph 1 of Article 27 of Act no. 90/2018, the responsible party and the processing party shall take appropriate technical and organizational measures to ensure adequate security of personal data in relation to the risk, taking into account the latest technology, cost of implementation, nature, scope, context and purpose of processing and the risk, of varying likelihood and severity, for the rights and freedoms of individuals.

RU's description of the security measures for the use of Zoom can be found in section I.3 earlier in the ruling. With reference to what is stated there, it is the opinion of the Data Protection Authority that it cannot be seen that the security of the data in question was considered insufficient so that the processing contravenes the above provisions of Act no. 90/2018 and Regulation (EU) 2016/679.

2.4.
Education, electronic monitoring warnings and principles

One of the principles of the Data Protection Act on the processing of personal data is that care shall be taken to ensure that it is processed in a lawful, fair and transparent manner towards the data subject, cf. point 1 of Paragraph 1 of Article 8 of Act no. 90/2018 and item a of the first paragraph of Article 5 of Regulation (EU) 2016/679. Point 2 of the provision then requires that personal information is obtained for clearly stated, lawful and objective purposes, and point 3 stipulates that personal information shall be sufficient, relevant and not in excess of what is necessary for the purpose of the processing. With reference to all of the above, it is the opinion of the Data Protection Authority that it cannot be seen that the processing has violated the principles of the Act and the Regulation on purpose and proportionality.

In order to assess whether the condition of transparency has been met, it may be necessary to look at provisions on the obligation to provide education, cf. Article 17 of Act no. 90/2018 and Articles 12-14 of Regulation (EU) 2016/679. Article 10 of rules no. 837/2006, on electronic monitoring and processing of personal information generated by electronic monitoring, also discusses education and the obligation to provide information regarding electronic monitoring.

When personal information is obtained from the data subject, through electronic monitoring as in this case, the obligation to provide education according to Article 13 of the Regulation applies. Article 13 of the Regulation states, among other things, that when collecting the personal information, the responsible party shall explain to the data subject the purpose of the planned processing of the personal information and what its legal basis is, cf. paragraph 1 (c) of the provision. When the processing is based on paragraph 1 (f) of Article 6 of the Regulation, the responsible party shall also inform about the legitimate interests of the responsible party or a third party, cf. paragraph 1 (d) of the same provision. The recipients or categories of recipients of the personal information, if any, must also be informed, cf. point e of the provision. It is also stated in the second paragraph of Article 13 of the Regulation that, in addition to the information referred to in paragraph 1, the controller shall, at the time the personal data is collected, provide the data subject with additional information necessary to ensure fair and transparent processing, including the data subject's right of access to his personal data, his right to object to the processing, the right to submit a complaint to the supervisory authority and information on whether an individual is obliged to provide personal information and the possible consequences if he does not provide the information.

It should also be borne in mind that according to point 39 of the preamble to the Regulation, the data subject should be aware when personal data about him is collected, used, examined or processed in another way, and to what extent personal data is or will be processed.

Article 10 of rules no. 837/2006, on electronic monitoring and the handling of personal information generated by electronic monitoring, deals with the obligation to provide information and training. It states, among other things, that the person responsible for electronic monitoring shall provide training to those who are subject to it. It is also stated that the training shall cover the purpose of the monitoring, who has or may have access to the information collected and how long it will be stored. The provision also lists, in eight items, further matters that must be covered.

The complainant's complaint states that, prior to the examination period, he had not received sufficient information on the implementation of monitoring and his rights due to electronic transfer by RU. Among other things, he had received insufficient information on whether monitoring was carried out only in real time (without the collection of images) or whether it was a video recording, how the audio recording was done, whether his fellow students could record the meeting during exam time and how the security of personal information was ensured.

RU's explanations state that instruction to students about electronic transfer took place on the one hand through an instruction sheet that was sent to students by e-mail and on the other hand that teachers informed their students about the arrangement with regard to the information sheet that teachers had received. RU's answers to the Data Protection Authority's question stated that the instructions to students stated that they should only have switched on the microphone while a census was taken at the beginning of the examination. Recording of sound in the exam itself would not have taken place in this way, and therefore the students' ambient sound would not have been able to find its way onto the recordings.

In the case, it is clear that the complainant received a document entitled "Instructions for students in electronic translation". He also requested information on the implementation of the exam and his rights due to the electronic translation by e-mail on 4, 6, 10 and 11 November 2020. RU's answers were received on the 6th, 9th and 10th of the same month, but the school did not respond to the complainant's letter dated the 11th of the same month.

The student guidance document states how students should behave in an electronic setting and what they need to do to take an exam in a meaningful way. These are technical instructions for the implementation and not education for students about their rights due to it. However, the instructions in question state that the meetings are recorded, what the purpose of the monitoring is and that the recordings are deleted within one month from the date of examination. The third section of the instructions states: “Turn on the camera and microphone. It is not permitted to have an artificial background and a filter.” The fifth part of the instructions states: “The seat takes a census. Students must have a photo ID ready and show it on camera when their name is read out”.

The teacher's information document does not contain information about students' rights due to the electronic transfer, nor does it mention that the contents of the document should be disseminated to them. There is also nothing in the case that confirms that the teachers specifically informed the complainant about their rights due to the monitoring.

The aforementioned e-mails from RU's Privacy Officer to the complainant on 6 and 9 November 2020 provide information on the purpose and objectives of the electronic transfer, the legal basis for the processing and the retention period of the data. The right to complain to the Data Protection Authority regarding the processing was also pointed out to the complainant, in addition to which he was invited to a meeting with the rector of the school to review the electronic translation of exams at RU. He was then invited to book a study in the school for examination. The complainant accepted a meeting with the Rector at the end of the exam period but refused to book a study.

From the above, it is clear that RU students were only instructed to have turned on the microphone and not to turn off the microphone after the census. It was not stated that the audio recording would only take place during the census. The instructions do not discuss the configuration of the system that gives the host a single option to record the meeting or the legal authority on which the processing is based. The guidelines do not specify how RU will ensure the security of students' personal information, nor do they discuss students' right to access their personal information. There is also no discussion of students' right to object to the processing or to lodge a complaint with the supervisory authority. There is also no information on whether the student is obliged to provide personal information and the possible consequences if he does not provide the information.

Furthermore, in the above-mentioned answers of the data protection officer, there is no confirmation that the video recording will take place during the exam period in electronic translation. There is also no mention that audio recording lasts only during the census.

Considering the limited information contained in the student guidance document, the teachers' information document and the e-mails of RU's privacy representatives regarding the processing of personal information and students' rights due to electronic examinations, the Data Protection Authority's assessment is that RU has not shown that the school has fulfilled its educational obligation, cf. Article 13 of Regulation (EU) 2016/679, cf. also Article 17 of Act no. 90/2018. For that reason alone, it cannot be seen that RU took care in the processing of the complainant's personal information that it was processed in a lawful, fair and transparent manner towards the data subject, cf. point 1 of Paragraph 1 of Article 8 of Act no. 90/2018 and item a of the first paragraph of Article 5 of Regulation (EU) 2016/679.

2.5.
Objection to the processing of personal information

From the complainant's e-mails to RU on 4, 6, 10 and 11 November 2020, it could be deduced that the complainant objected to the processing of personal information about him. The data subject may object to the processing of personal information about himself when the processing is based on legitimate interests, cf. paragraph 1 (f) of Article 6 of Regulation (EU) 2016/679. The responsible party shall then not process the personal information further unless he can demonstrate important legitimate reasons for the processing that take precedence over the interests, rights and freedoms of the data subject or the establishment, maintenance or defense of legal claims, cf. Article 21 of the Regulation. The responsible party shall also provide the registered person with information on the actions taken in response to such a request, without undue delay and in any case within one month of receipt of the request, in accordance with the third paragraph of Article 12 of the Regulation.

It is known that RU took action following the complainant's errands and offered him another option, which involved taking an examination in the school's study. The complainant declined the offer and chose to take the exam by electronic means at his home.

With reference to the above and the case file in other respects, it is the opinion of the Data Protection Authority that despite the fact that RU did not respond to each of the complainant's complaints, the school, as in this case, responded to the complainant's objections satisfactorily. It will therefore not be considered that RU has violated its obligation according to Article 21 of Act no. 90/2018 and Article 21 of Regulation (EU) 2016/679, cf. also Article 12 of the Regulation.

3.
Summary and instructions

In view of the above, the Data Protection Authority is of the opinion that RU's processing of the complainant's personal information due to the electronic translation of examinations at his home could have been based on point 6 of Article 9 of Act no. 90/2018 and item f of the first paragraph of Article 6 of Regulation (EU) 2016/679, which concern processing of personal data that is necessary due to the legitimate interests of the responsible party or a third party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data outweigh them.

It is also the opinion of the Data Protection Authority that RU has taken adequate measures to ensure the security of personal information collected during the processing in question. RU also responded satisfactorily to the complainant's objections by inviting him to take the examination in the school's study, cf. Article 21 of the Act and Articles 12 and 21 of the Regulation.

On the other hand, it cannot be seen that RU has fulfilled its duty to inform and educate students who were monitored about their rights in a satisfactory manner, cf. Article 13 of Regulation (EU) 2016/679 and Article 17 of Act no. 90/2018. Due to the above-mentioned lack of education, the Data Protection Authority considers that the processing did not comply with the principle of legality, fairness and transparency, cf. point 1 of Paragraph 1 of Article 8 of the Act and point a of the first paragraph of Article 5 of the Regulation.

In accordance with this conclusion, and with reference to point 4 of Article 42 of Act no. 90/2018, it is hereby proposed that Reykjavík University subsequently provide its students with instruction on the processing of their personal information that may take place in connection with electronic transfer in examinations, in accordance with Article 13 of Regulation (EU) 2016/679.

No later than 8 April 2022, Reykjavík University shall send the Data Protection Authority confirmation that these instructions have been complied with, together with a description of the implementation of the instruction and information on its content.

In view of the circumstances of the case, including the pressure that the school community was under at the time the facts of the case took place, as well as the offenses in question, it was not considered that there was reason to place this case in a criminal case, cf. Paragraph 1 of Article 47 of Act no. 90/2018.

Ruling:

Reykjavík University's processing of personal information about [A] due to electronic translation in an examination did not comply with the provisions of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, on the obligation to provide information and transparency.

With reference to point 4 of Article 42 of Act no. 90/2018, it is hereby proposed that Reykjavík University subsequently provide its students with instruction on the processing of their personal information that may take place in connection with electronic transfer in examinations, in accordance with Article 13 of Regulation (EU) 2016/679.

No later than 8 April 2022, Reykjavík University shall send the Data Protection Authority confirmation that these instructions have been complied with, together with a description of the implementation of the instruction and information on its content.

Ólafur Garðarsson

chairman

Björn Geirsson Vilhelmína Haraldsdóttir

Þorvarður Kári Ólafsson