UODO - ZSZZS.440.768.2018

From GDPRhub
Revision as of 16:08, 9 March 2020 by AL (talk | contribs)
UODO - ZSZZS.440.768.2018
UODO.jpg
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1)(c) GDPR
Article 9(1) GDPR
Article 58(2)(f) GDPR
Article 58(2)(g) GDPR
Article 58(2)(i) GDPR
Article 83(2) GDPR
Article 83(3) GDPR
Article 83(5)(a) GDPR
Article 83(7) GDPR
Type: Investigation
Outcome: Violation found
Decided: 18. 2. 2020
Published: 5. 3. 2020
Fine: 20.000 PLN
Parties: Szkoła Podstawowa nr 2 w Gdańsku (Primary School in Gdańsk)
National Case Number/Name: ZSZZS.440.768.2018
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Polish
Original Source: UODO (in PL)
Initial Contributor: {{{Initial_Contributor}}}

The President of the Personal Data Protection Office of Poland (PUODO) imposed a fine of PLN 20,000 (EUR 4,700) on Primary School in Gdańsk for unlawful processing of children's biometric data when using the school canteen.

English Summary

Facts

Primary school in school Gdańsk processed special categories of personal data (biometric data) of 680 children without a legal basis, whereas in fact it could use other forms of students identification.

Dispute

Holding

Following an ex officio administrative proceedings, the President of the UODO has established that the school is using a biometric reader at the entrance to the school canteen that identifies the children in order to verify the payment of the meal fee.

The proceedings has shown that the school obtains the data and processes them on the basis of the written consent of the parents or legal guardians. The solution has been in place since 1 April 2015. In the school year 2019/2020, 680 pupils use a biometric reader and four pupils - an alternative identification system.

Comment

You can share your comment here!

Further Resources

Fine for processing students’ fingerprints imposed on a school

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

Pursuant to Article 104 § 1 of the Act of 14 June 1960, the Code of Administrative Procedure (Journal of Laws of 2018, item 2096, as amended) and Article 7 (1) and (2), Article 60, Article 102 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2010, No. 153, item 259, as amended), and Article 7 (1) and (2), Article 60, Article 102 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2010, No. 153, item 259, as amended), the following are hereby notified to the Commission of 2019, item 1781) in connection with Article 5 paragraph 1 point c, Article 9 paragraph 1, Article 58 paragraph 2 point f, point g and point i and with Article 83 paragraph 2 and 3, Article 83 paragraph 5 point a, Article 83 paragraph 7 of the Regulation of the European Parliament and of the Council of the EU 2016/679 of 27 April 2016. on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 04.05.2016, p. 1, as amended by OJ L 127, 23.05.2018, p. 2), after conducting administrative proceedings on collection of fingerprints of children for biometric identification purposes when they use the services of a school canteen by the Primary School in Gdańsk, for which the City of Gdańsk is the running authority, President of the Office for Personal Data Protection,

stating that there has been a violation by the Primary School in Gdańsk. for which the City of Gdańsk is the running authority, the provisions of Article 5(1)(c) and Article 9(1) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 2016/679 of 27 April 2016). EU L 119, 04.05.2016, p. 1, as amended by OJ L 127, 23.05.2018, p. 2), which involves processing children's biometric data when they use a school canteen:

- orders the Primary School No. 2 in Gdańsk to delete personal data in the scope of information about characteristic fingerprint points of children using the school canteen services processed into digital form,

-orders the Primary School No. 2 in Gdańsk to stop collecting personal data in the scope of information about characteristic fingerprint points of children using the school canteen services processed into digital form,

-imposes a fine of PLN 20 000.00 (say: twenty thousand zlotys) on Primary School No. 2 in Gdańsk for the infringement found in this decision.

Justification 

The Office for the Protection of Personal Data has obtained information about irregularities in the process of processing personal data of pupils of the Primary School in G., hereinafter referred to as the School, consisting in collecting fingerprints of children using the school canteen services. As a result of the above, proceedings were initiated ex officio on the irregularities in personal data processing by the School.

In the course of the proceedings conducted in this case the President of the Office for Personal Data Protection (hereinafter referred to as the President of the Office for Personal Data Protection) established the following facts:

The School uses a biometric reader named [...] located at the entrance to the school canteen, which identifies children taking meals in the school canteen in order to verify payment of the meal fee for the day. The school obtains the data on the basis of a written consent of the parent (legal guardian).

The school uses a biometric reader from [...] September 2015. In the school year 2018/2019 the School was attended by 1247 students, 603 of whom used the biometric reader and 2 students from an alternative identification system. In the school year 2019/2020, the school was attended by 1121 students, of which 680 were using a biometric reader and 4 students using an alternative identification system.

As the School explained on [...] December 2018. The School does not have any collection that contains images of children's fingerprints. Data related to the fingerprint reader is collected only in the reader itself in the form of a byte sequence. During reading, the reader compares whether there is an appropriate byte sequence, and if so, it sends only the item number to the program. The position number is assigned to a specific child.

Two people have access to the data in the reader: the system administrator and the authorising officer - authorized staff of the School.

According to the School's explanations of [...] December 2018, a parent in a contract for the use of meals in the school canteen has a choice of: giving consent or not giving consent to the use of a fingerprint reader. Parents are informed about this possibility on the school canteen's website.

According to the lunch rules on the school canteen website - students who do not have biometric identification, let everyone pass and wait at the end of the queue (point 3), and when all students with biometric identification enter the canteen, the single entry of students without biometric identification begins (point 9).

According to the School's explanations of [...] December 2018, after the termination of the lunch agreement in the school canteen, the data needed for identification on the fingerprint, i.e. the sequence of bytes stored in the reader is deleted. After deletion, a new archive copy is made on the micro SD card, which is stored in a secured room.

According to the School's explanations of [...] September 2019, in the situation when a parent of a given child does not withdraw his/her consent to use the biometric reader and the child stops using the school canteen services, (without termination of the agreement on the use of lunches in the school canteen) the biometric pattern recorded in the reader is stored until the termination or until the end of the school year. The biometric template stored in the reader and on the SD card remains for the duration of the holiday. If the school canteen lunch agreement is not extended for the new school year, the above data will be deleted by September [...] each year at the latest.

According to the School's explanations of [...] September 2019, after signing the agreement and giving the parent's consent to use the biometric reader, the child is registered in the system of payment and meal registration (SEWiP) by entering his or her name, surname, class and first name, surname, e-mail address, contact phone number of the parent. Then (if the parent has consented) the child's fingerprint pattern is registered in the reader. From that moment on, the pattern is identified by the above mentioned system with a sequential number in the reader. When the reader finds the biometric pattern, corresponding to the fingerprint applied at a given moment, it sends to the system the number which is assigned to the person in the system and then reads the lunch status (paid/unpaid).

In the opinion of the School, no data that would be biometric are recorded in the system.

The SEWiP program (system for recording payments and meals) is installed on the school server. The server is protected against unauthorized access with a password. The server also has antivirus protection with firewall. Access to the server is provided by an authorized employee of the School.

After reviewing all the evidence gathered in the case, the President of the Office of Personal Data Protection weighed the following.

In accordance with Article 9(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (OJ EU.L.2016.119.1), hereinafter referred to as FAMILY, it is prohibited to process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and genetic or biometric data processed to identify unambiguously an individual or data concerning his or her health, sexuality or sexual orientation. In turn, according to Article 4(14) of the FAMILY, biometric data shall mean personal data which result from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual and which enable or confirm the unambiguous identification of that individual, such as facial images or dactyloscopic data.

It is important to underline that children require specific protection of their personal data as they may be less aware of the risks, consequences, safeguards and rights they may have in relation to the processing of personal data (recital 38 of the TYROM). Member States of the European Union have the additional right to clarify national rules relating to the processing of a specific category of personal data (including biometric data) in order to specify the conditions which determine the lawfulness of the processing of these personal data (recital 10 of the PDA). Where the processing of personal data is carried out for the purpose of complying with a legal obligation imposed on the controller, it should be based on Community law or Member State law. It is not required that there is a specific legal provision for each individual processing. It is sufficient that the legal framework is the basis for multiple processing operations under a single legal obligation (to which the controller is subject) or that the processing is necessary for the performance of a task carried out in the public interest (recital 45 of the GDR). It should be underlined that biometric data are by their nature particularly sensitive in the light of fundamental rights and freedoms and therefore need special protection. The context in which they are processed can pose a serious risk to fundamental rights and freedoms and, in principle, such data should not be processed, with the exception of the grounds for legitimising the process in the PCOs. However, Member States' law may include specific data protection provisions adapting the application of the rules of the FDC so that legal obligations can be fulfilled or a task carried out in the public interest or in the exercise of public authority entrusted to the controller. In addition to the specific requirements applicable to such processing, general principles and other provisions of this Regulation should apply, in particular as regards the conditions for the lawfulness of processing (recital 51 of the GDR).

The biometric system identifies those features which are in principle unchanged and often (as in the case of dactyloscopic data) impossible to change. In view of the uniqueness and permanence of biometric data, which are unchangeable over time, the use of biometric data should be carried out with special care and consideration. It should therefore be pointed out that a possible leakage of biometric data will result in a high risk of infringing individuals' rights and freedoms. This is particularly true for children's biometric data, since the decision to make such data available to a child by legal guardians and the possible leakage will not be reversed over time, even after the child has reached the age of majority.

On the basis of the collected evidence, it should be concluded that children whose parents have agreed to identify them and to identify their entitlement to receive a meal (on a given day) by means of a fingerprint are obtained. From this image the controller [...] automatically selects the selected features of the fingerprint and converts them into a digital record (biometric pattern), which it stores in its memory. The position number (from 1 to 3000) is assigned to digital recording after placing a finger in the reader, the system compares it with biometric patterns stored in the reader's memory. Later, it connects the position number with the same number in SEWiP, to which his name, surname, class, right to a meal on a given day and first name, surname, e-mail address, contact phone of a parent are assigned. In the opinion of the President of UODO, students' data obtained by the School, including information on characteristic fingerprint points processed into a digital record, constitute biometric data within the meaning of the aforementioned provision (Article 4 point 14 of the Code of Administrative Procedure) contrary to the explanations provided by the School. As a result of juxtaposing the biometric template registered on the device with a child's finger attached to the biometric reader, as well as other information (including item number, name, surname, class and lunch entitlement), it is possible to identify it.

The processing of a specific category of personal data, to which biometric data belong, is regulated by Article 9(1) of the TYPE, according to which the processing of personal data revealing biometric data for the purpose of unambiguously identifying an individual is prohibited. This paragraph shall not apply, inter alia, if one of the following conditions is met: the data subject has given his or her explicit consent to the processing of the personal data for one or more specific purposes, unless Union law or Member State law provides that the prohibition referred to in paragraph 1 (point (a)) cannot be waived by the data subject. The catalogue mentioned in Article 9(2) TYPE is closed. Each of the grounds for legitimising the processing of personal data is autonomous and independent. This means that, as a rule, these prerequisites are equal, and therefore fulfilling at least one of them constitutes a legitimate processing of personal data. In addition, the processing of personal data must comply with the principles laid down in Article 5(1) of the GDR. These principles include, inter alia, data minimisation (point c). This principle requires that the processing is adequate, relevant and limited to what is necessary for the purposes for which it is processed.

The school has indicated in the complex explanations that the processing of biometric data is based on the voluntary consent of the pupils' parents (legal guardians). According to Article 4(11) TYPE 4(11), 'the data subject's consent' shall mean the freely given, specific, informed and unambiguous indication of his wishes by way of a statement or explicit affirmative action to which the data subject gives his consent to the processing of personal data concerning him. However, the Union legislator states in Recital 43 of the TYPE that, in order to speak of voluntary consent, it should not constitute a valid legal basis for the processing of personal data, in particular in a situation where there is a clear imbalance between the data subject and the controller.

According to Article 106 of the Act of 14 December 2016. Educational Law (Journal of Laws of 2019, item 1148) in order to ensure the proper performance of care tasks, in particular to support the proper development of students, a school may organize a canteen. Therefore, it should be stated that the basis for processing of any children's personal data in connection with the realization of this task of the school could not be the consent, because the basis for processing of children's personal data by the School for this purpose is Article 6(1)(e) of the GCRL, according to which the processing is lawful, inter alia, when the processing is necessary for the performance of a task carried out in the public interest or in the exercise of public authority entrusted to the controller. This means that the School processes the student's personal data on the basis of the law in the performance of its statutory tasks. Therefore, it does not need a separate consent of parents or an adult student to process personal data in connection with these tasks, i.e. the provision of services by the school canteen. While providing this service, the School may only process the student's personal data which are necessary to provide the school canteen services. It should be noted that the provisions of common law indicate the type of data that the School may collect from its students. None of them allows the School to process (collect and collect) biometric data (the processing of which is in principle prohibited in Article 9(1) of the FAMILY) of pupils in order to perform this task. 

In such a situation, the Parent's consent cannot be a ground to legalise the processing of biometric data, as consent is a ground to legalise the processing of personal data only if there are no other grounds for such processing. To consider the fact that the parents of their children's consent as a circumstance legalizing the collection of data other than those indicated by the Polish legislator would constitute a circumvention of these provisions. It is worth emphasizing that according to the rules of issuing lunches placed on the website of the school's canteen, students who do not have biometric identification shall let everyone through and wait at the end of the queue (point 3), and when all students with biometric identification enter the canteen, the single entry of students without biometric identification begins (point 9). The above mentioned rules introduce an unequal treatment of pupils as they clearly promote pupils with biometric identifications.

Therefore, it should be considered that the School had no legal basis to allow the processing of biometric data of children using the school canteen services. Therefore, since the School does not have any of the premises specified in Article 9(2) of the PCOB, such a procedure leads to a violation of Article 9(1) of the PCOB and the principle of data minimisation established in the PCOB, according to which the data controller, in this case the School, should not acquire data beyond the limits of what is necessary to achieve the objectives. It should be noted that the processing of biometric data is not necessary to achieve the purpose of identifying the child's entitlement to receive lunch. This identification can be carried out by the school by other means, less interfering with the privacy of the child using the school canteen. The collected evidence shows that the School enables the use of the school canteen services by means of a fingerprint, electronic card or on the basis of the name and contract number. Therefore, there are alternative forms of identification of a child's entitlement to lunch at the School. It should be emphasized that biometric data can be used, inter alia, for the purposes of personal and industrial security, information protection, verification of suspects and assessment of their participation in crime, issuing identification documents (passports), control of access to specific security spheres - in these cases, these processes can be considered as justified by the subject of protection or the seriousness of the purpose pursued, and the scope of data used is adequate. However, the verification of who intends to use a school canteen and whether he or she is entitled to receive lunch, through the biometric data collected from pupils, is in the view of the authority too intrusive to their privacy, compared to the seriousness of the purpose for which it is to be processed.

Taking into account the above mentioned findings, the President of the Office for the Protection of Personal Data, in exercising his right specified in Article 58(2)(f) and (g) of the FAMILY, orders the School to delete personal data in the scope of information about characteristic fingerprints of fingers of children using the services of a school canteen processed in a digital form and orders to stop collecting personal data in the scope of information about characteristic fingerprints of fingers of children using the services of a school canteen processed in a digital form,

According to Article 58(2)(i) of the GOP, each supervisory authority is entitled to impose, in addition to or instead of the other remedies provided for in Article 58(2) of the GOP, an administrative penalty payment pursuant to Article 83 of the GOP, depending on the circumstances of the specific case. The President of the PPA states that, in the present case, the conditions for imposing an administrative penalty payment on the Administrative School are met.

Pursuant to Article 83(2) of the GOP, administrative fines are imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j) of the GOP. The President of the PPA, when deciding to impose a fine on the Administrative School and when fixing the amount of the fine pursuant to Article 83(2)(a) to (k) of the GOP, took into account the following circumstances of this case:

Biometric data of children were processed without a legal basis, in breach of the principle of minimisation, a situation which lasts from [...] May 2018 to the present. Currently 680 children are involved. The authority has no evidence that data subjects have suffered material damage, but the mere infringement of the principle of minimisation of a specific category of data may already constitute non-financial damage. The action of the School may lead to unjustified differentiation of the situation of pupils using the services of the school canteen (nature, gravity and duration of the breach);

The infringement found in this case is of considerable gravity and seriousness as it concerns the processing of special categories of data and is the data of children. The processing takes place without a legal basis and infringes the basic principle of minimisation with regard to the processing of personal data (Article 5(1)(c) of the FYROM). The infringement found continues until now (nature, gravity and duration of the infringement);

The school took an informed decision, motivated by the desire to efficiently identify the children who were eating in the school canteen in order to verify the payment of the meal fee for the day in question, which means that it must be attributed to the intentional conduct that violated Articles 5(1)(c) and 9(1) of the PCO (intentional or unintentional nature of the violation);

The controller has not taken action to minimise the potential for non-pecuniary harm because it has not qualified its action as unlawful (actions taken by the controller to minimise harm to data subjects);

The infringement found is not related to the implementation and quality of the organisational and technical measures applied by the School - under Articles 25 and 32 of the GCU - and therefore there is no need to determine the degree of the School's responsibility in this context (the degree of responsibility of the controller, including technical and organisational measures);

It has not been established that the School has previously committed a breach of the rules of the FAMILY, which would be significant for this proceeding (any relevant previous breaches by the administrator or processor);

The infringement concerned biometric data - a category of sensitive data (categories of personal data concerned);

The President of PODO obtained information about unlawful processing of the above mentioned personal data by the School ex officio (the way the supervisory authority learnt about the breach);

The measures referred to in Article 58 paragraph 2 of the PAC have not been previously applied to the School in the same case (compliance with the measures imposed on the controller in the same case);

The School does not apply the approved codes of conduct under Article 40 of the ORs or the approved certification mechanisms under Article 42 of the ORs (application of codes of conduct or certification mechanisms);

The President of the Office for the Protection of Personal Data considered the circumstances mentioned in points 1, 2, 3 and 7 above as aggravating circumstances and having an impact on the amount of the penalty. On the other hand, the circumstances mentioned in points 4, 5, 8, 9 and 10 above did not have any impact on the fact of imposing a penalty as well as the administrative penalty itself.

In the opinion of the President of the Office for the Protection of Personal Data, the administrative fine applied in the circumstances of this case fulfils the functions referred to in Article 83 paragraph 1 of the GDPA, i.e. is effective, proportionate and dissuasive in this individual case.

It should be stressed that the penalty will be effective if its imposition leads to the School adapting its data processing to a lawful state. The application of an administrative fine in the present case is necessary also taking into account that the School has completely ignored the processing of children's biometric data by stating that it does not process data in this respect.

In the opinion of the President of the Office for the Protection of Personal Data, the administrative fine will fulfil a repressive function, as it will be a response to the School's violation of the provisions of the PAC, but also a preventive one, as the School itself will be effectively discouraged from violating the provisions of personal data protection in this way in the future.

In the circumstances of the present case, that is to say, in view of the finding of a breach of the principle of minimisation under Article 5(1)(c) of the GDR and Article 9(1) of the GDR, Article 83(7) of the GDR applies, according to which, without prejudice to the supervisory authority's corrective powers referred to in paragraph 58(2), each Member State may determine whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State. In accordance with Article 102 1 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), hereinafter referred to as the Act of 2018, the President of the Office for the Protection of Personal Data may impose, by way of a decision, administrative fines of up to PLN 100,000, inter alia, on entities from the public finance sector referred to in Article 9 points 1-12 and 14 of the Act of 27 August 2009 on Public Finance (Journal of Laws of 2019, item 869).

In connection with the foregoing, it should be pointed out that the fine of PLN 20 000.00 meets, in the established circumstances of this case, the conditions referred to in Article 83 par. 1 of the IDB due to the seriousness of the infringement found in the context of the basic principle of IDB - minimisation of data.

In this factual and legal situation, the President of the Office for the Protection of Personal Data resolved, as in the operative part.

Letter: The decision is final. Pursuant to Article 7(2) of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781) in connection with Article 13(2), Article 53(1) and Article 54 of the Act of 30 August 2002. The Law on proceedings before administrative courts (Journal of Laws of 2019, item 2325 as amended), a party dissatisfied with this decision has the right to lodge a complaint with the Voivodship Administrative Court in Warsaw within 30 days from the date of delivery to the party. The complaint shall be lodged through the President of the Office for the Protection of Personal Data (address: Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warsaw). The entry from the complaint is PLN 200. The party has the right to apply for exemption from court costs or the right to assistance.

Pursuant to Article 105 paragraph 1 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), an administrative fine shall be paid within 14 days from the date of expiry of the deadline for filing a complaint with the Provincial Administrative Court, or from the date on which the decision of the administrative court becomes final, to the bank account of the Office for the Protection of Personal Data in the NBP O/O Warszawa no. 28 1010 1010 0028 8622 3100 0000. Moreover, pursuant to Article 105 paragraph 2 of the aforementioned Act, the President of the Office for the Protection of Personal Data may, upon a justified request of the penalised entity, postpone the date of payment of the administrative fine or spread it over instalments. In the case of postponement of the date of payment of the administrative fine or its distribution in instalments, the President of the Office for the Protection of Personal Data shall calculate interest on the unpaid amount on an annual basis, using the reduced rate of interest for delay, announced on the basis of art. 56d of the Act of August 29th, 1997. - Tax Ordinance (Journal of Laws of 2019, item 900, as amended), from the day following the date of submission of the application.