A school in Sweden recently received a $20.000 fine for failing to comply with GDPR and obtain the proper permission for the use of face recognition technology. The school wanted to use facial recognition software on high-school students to keep track of their attendance.
A high school in Sweden, Skellefteå, initiated a pilot project with 22 participating students. The purpose of the pilot project was to use facial recognition technology to monitor the students attendance in class instead of traditional roll calling.
However, the Swedish DPA claimed that the school failed to comply with several GPPR-articles including getting the necessary permissions from the participants, writes the Swedish DPA.
The School claimed that it did receive permissions from the users, but DPA claimed that to be invalid on the basis of a “clear imbalance between the data subject and the controller.” In this case because the students are in a dependency position to the board.
According to the DPA this was a serious offence as the school in this way unlawfully processed sensitive biometric data on its students and failed to do an adequate impact assessment including seeking prior consultation with the Swedish DPA.
While the size of the fine is not big compared to what the maximum fine could amount to (appr. € 1 mio. for government entities) and compared to other European fines, it does show the GDPR-reinforcements is spreading across the continent.