Università Commerciale “Luigi Bocconi” di Milano – €200,000 Fine (Italy, 2021)
Università Commerciale “Luigi Bocconi” di Milano was fined EUR 200,000 for requiring students to consent to the processing of sensitive data for online exams. The Italian data protection authority found that the university's approach violated GDPR rules. This case stresses the importance of lawful data processing in educational settings.
What happened
The university required students to consent to the processing of sensitive personal data in order to take online exams during the COVID-19 pandemic.
Who was affected
Students at the university who were required to consent were affected.
What the authority found
The authority ruled that the university could not rely on consent for processing personal data related to exam qualifications, and that doing so violated GDPR principles.
Why this matters
This ruling sets a precedent that educational institutions must adhere to strict data protection laws. It encourages universities to find lawful bases for data processing beyond consent.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
A student at the 'Luigi Bocconi' Commercial University of Milan filed a complaint with the Italian DPA (Garante) regarding possible violations of the GDPR by the academic institution. They alleged that it unlawfully requested students' consent to the processing of special categories of personal data. If they refused, students would not be able to carry out online exams. In response to a 'request for clarification' about this processing by the complainant, the university's DPO informed them it considered this processing to be necessary to carry out exams at a distance given the COVID-19 pandemic.
The Italian DPA considered a range of issues in this case. First, it assessed the general conditions of lawfulness of the processing of personal data in the university environment. It held the same data protection framework applies to public and private universities. Consequently, the processing of student data aimed at issuing university qualifications could not be based on legal bases such as consent and/or contract, and the data controller was required to comply with general principles of data protection per Article 5 GDPR. It also had to guarantee and be able to demonstrate that the processing was carried out in accordance with the GDPR, and in particular take into account the principle of data protection by design and default per Article 25 GDPR.
Second, the DPA considered whether the university could generally process student data through the 'Respondus' software it used to monitor students during their exams. The software "captures the video images and the student's screen by identifying and marking with a flag the moments in which unusual and/or suspicious behaviour is detected by video recording and snapshots taken at random intervals to keep track of anomalous behaviour such as: look not turned towards the monitor, face partially absent from the photo, missing face". It then flags such behaviour for further review. The Garante held the use of such software by u
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Università Commerciale “Luigi Bocconi” di Milano in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date: 16 September 2021
Authority: Garante per la protezione dei dati personali
Fine Amount: €200,000
GDPRhub ID: gdprhub-4253
Cite as: Cookie Fines. Università Commerciale “Luigi Bocconi” di Milano - Italy (2021). Retrieved from cookiefines.eu