Gymnasienämnden in Skellefteå fined 200,000 SEK for violating Articles 5, 9, 35 and 36 of the GDPR, and 3 kap. 3 § dataskyddslagen.
The Swedish Data Protection Authority (Datainspektionen) has issued its first GDPR monetary administrative sanction. The use of facial recognition technology (a limited trial program conducted at a local high school) to systematically monitor the attendance of students at a public high school was found to violate the students' right to privacy. In its decision (DI-2019-2221), Datainspektionen held that Gymnasienämnden in Skellefteå did not have legal grounds to collect biometric data for the purpose of taking school attendance, and the processing was therefore unlawful.
Key takeaways from the decision:
Failure to conduct a proper DPIA can be expensive. If the contemplated processing is (objectively) questionable from a privacy perspective, the DPO should request prior consultation with the supervisory authority. Finally, ensure you have legal grounds for your processing.
Click link to read the full decision (in Swedish).
The use of "consent" as the legal basis for collecting "sensitive personal data" from students was held to be improper. Gymnasienämnden also attempted to rely on the exception in Article 9(2)(g) (collection is lawful if due to substantial vital interest). However, Datainspektionen found this exemption inapplicable to the case, since the purposes for which Gymnasienämnden wanted to collect the data would violate 3 kap. 3 § dataskyddslagen.
Written by Niclas Hannerstig