
The use of facial recognition at a school has led to the first Swedish GDPR fine

April 19, 2024
Introduction
A school in Sweden recently received a $20.000 fine for failing to comply with GDPR: it had not obtained the required permission for its use of facial recognition technology. The school wanted to use facial recognition software on high-school students to keep track of their attendance.

A high school in Skellefteå, Sweden, initiated a pilot project with 22 participating students. The purpose of the pilot project was to use facial recognition technology to monitor the students' attendance in class instead of traditional roll call.
However, the Swedish DPA found that the school failed to comply with several GDPR articles, including the requirement to obtain valid permission from the participants.
The school claimed that it did receive permission from the students, but the DPA held that consent to be invalid because of a "clear imbalance between the data subject and the controller", in this case because the students are in a position of dependence on the school board.
According to the DPA this was a serious offence, as the school thereby unlawfully processed sensitive biometric data on its students and failed to carry out an adequate data protection impact assessment, including seeking prior consultation with the Swedish DPA.
While the size of the fine is small compared to the maximum possible fine (approximately €1 million for government entities) and compared to other European fines, it does show that GDPR enforcement is spreading across the continent.
What is facial recognition technology, and how does it work?

Facial recognition technology is a type of biometric software that identifies or verifies a person based on their facial features. It works by capturing an image of a face, analyzing key facial points (such as the distance between the eyes, the shape of the nose, and the jawline), and converting these into a digital template that can be compared with other stored templates to find a match.
Is facial recognition allowed under GDPR?

Yes, but only under strict conditions. Facial recognition involves biometric data, which is classified as sensitive personal data under GDPR. This means it is generally prohibited unless there is a clear legal basis, such as explicit consent or a strong public interest, and additional safeguards are in place. You can read more about the GDPR rules on biometric data and facial recognition here: https://eur-lex.europa.eu/eli/reg/2016/679/2016-05-04/eng
Why is facial recognition considered sensitive personal data?

Facial recognition data is considered sensitive because it is unique to each individual and can be used to identify a person with high accuracy. Biometric data is also difficult to change if compromised, making misuse or breaches particularly high-risk for individuals’ privacy and security.
Why was the Swedish school fined for using facial recognition?

The Swedish school was fined because it processed students’ biometric data without meeting GDPR requirements. The authorities found that the consent was not valid due to the imbalance of power between students and the school, and that the school also failed to conduct a proper data protection impact assessment or consult the data protection authority beforehand.
When can organizations legally use facial recognition under GDPR?

Organizations can only use facial recognition when they have a valid legal basis under GDPR. This typically requires explicit consent or a strong legal justification, a documented data protection impact assessment, and strict safeguards to protect the data. In many cases involving schools, employers, or similar power imbalances, obtaining valid consent is especially difficult.