Università Commerciale “Luigi Bocconi” di Milano – €200,000 Fine (Italy, 2021)
Università Commerciale 'Luigi Bocconi' di Milano was fined for requiring students to consent to the processing of sensitive personal data for online exams. The university's actions were deemed unlawful because they pressured students into giving consent under the threat of not being able to take their exams. This ruling emphasizes that educational institutions must respect privacy rights when handling student data.
What happened
The university unlawfully required students to consent to process sensitive personal data for online exams, threatening them with exam access denial if they refused.
Who was affected
Students at Università Commerciale 'Luigi Bocconi' di Milano were affected by the university's consent requirements for their personal data.
What the authority found
The Italian DPA ruled that the university's processing of student data lacked a valid legal basis and violated GDPR principles.
Why this matters
This case sets a precedent that educational institutions cannot pressure students into consent for data processing. It highlights the need for universities to adopt fair data practices.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
A student at the 'Luigi Bocconi' Commercial University of Milan filed a complaint to the Italian DPA (Garante) regarding possible violations of the GDPR by the academic institution. They alleged that it unlawfully requested students' consent to the processing of special categories of personal data. If they refused, students would not be able to carry out online exams. In response to a 'request for clarification' about this processing by the complainant, the university's DPO informed them it considered this processing to be necessary to carry out exams at a distance given the COVID-19 pandemic. The Italian DPA considered a range of issues in this case. First, it assessed the general conditions of lawfulness of the processing of personal data in the university environment. It held the same data protection framework applies to public and private universities. Consequently, the processing of student data aimed at issuing university qualifications could not be based on legal bases such as consent and/or contract, and the data controller was required to comply with general principles of data protection per Article 5 GDPR. It also had to guarantee and be able to demonstrate that the processing was carried out in accordance with the GDPR, and in particular take into account the principle of data protection by design and default per Article 25 GDPR. Second, the DPA considered whether the university could generally process of student data through the 'Respondus' software it used to monitor students during their exams. The software "captures the video images and the student's screen by identifying and marking with a flag the moments in which unusual and/or suspicious behaviour is detected by video recording and snapshots taken at random intervals to keep track of anomalous behaviour such as: look not turned towards the monitor, face partially absent from the photo, missing face". It then flags such behaviour for further review. The Garante held the use of such software by u
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Università Commerciale “Luigi Bocconi” di Milano in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
16 September 2021
Authority
Garante per la protezione dei dati personali
Fine Amount
€200,000
GDPRhub ID
gdprhub-4253About this data
Cite as: Cookie Fines. Università Commerciale “Luigi Bocconi” di Milano - Italy (2021). Retrieved from cookiefines.eu
Last updated: