News flash – The Swedish Data Protection Authority issues its first GDPR monetary administrative sanction

August 21, 2019

Gymnasienämnden in Skellefteå fined 200.000 SEK for violating Article 5, 9, 35 and 36 of the GDPR, and 3 kap. 3 § dataskyddslagen.

The Swedish Data Protection Authority issues its first GDPR monetary administrative sanction. The use of a facial recognition technology (a limited trail program conducted at a local high school) to systematically monitor the attendance of students at a public high school was found to violate students right to privacy. In its decision (DI-2019-2221), Datainspektionen held that Gymnasienämnden in Skellefteå did not have legal grounds to collect biometric data for purposes of taking school attendance of students, and the processing was therefore unlawful.

Key takeaways from the decision:

Failure to conduct a proper DPIA can be expensive. If the processing contemplated is (objectively) questionable from a privacy perspective, the DPO should request prior consultation with the supervising authority, and finally, ensure you have legal grounds for your processing.

Click link to read the full decision (in Swedish).

The use of “consent” as legal grounds for collecting “sensitive personal data” and obtained from students was held to be improper. Gymnasienämnden also attempted to rely on the exception in article 9.2 (g) (collection is lawful if due to substantial vital interest). However, Datainspektionen found this exemption inapplicable to this case, since the purposes for which gymnasienämnden wanted to collect data would violate 3 kap. 3 § dataskyddslagen.

Written by Niclas Hannerstig

Related news

We use third party cookies on this website in purpose to improve the experience on the website and analyze our traffic in order to learn more about the use of our site. The cookie information is collected by our supplier and is anonymous. By continuing to use our website you approve the use of cookies. You can always change your cookie preferences in your browser. Read our Privacy and Cookie Policy.