Garante per la protezione dei dati personali – Court Ruling (Italy, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Italian Supreme Court ruled that a university's use of proctoring software during exams involved biometric data processing. This overturned a previous decision that said the data did not qualify as biometric. This case is important because it clarifies what counts as biometric data under privacy laws.
What happened
The court found that the university's proctoring software processed biometric data without a legal basis.
Who was affected
Students whose biometric data was captured during online examinations.
What the authority found
The Supreme Court ruled that the university's processing of data through the proctoring software constituted biometric data processing, which required a legal basis.
Why this matters
This ruling sets a precedent for how educational institutions must handle biometric data. Companies using similar technologies should ensure they have the proper legal basis for processing such sensitive information.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
On 16 September 2021, the Italian DPA issued a €200,000 fine against the controller, a university. While Covid-19 restrictions were in place, it used a proctoring software to ensure students were not cheating during the examination. Among other matters, the DPA found that the controller was processing biometric data without a legal basis. The controller challenged the DPA decision before the Court of Milan. On 20 October 2022, this Court partially upheld the controller’s appeal and overturned the DPA decision. It ruled that the data that was processed did not fall into the definition of biometric data as per Article 4(14) GDPR. On 12 January 2023, the DPA appealed the decision of the Court of Milan before the Supreme Court, which upheld the appeal and overturned the judgement. Firstly, the court analysed whether the data processed fell into the definition of biometric data in accordance with Article 4(14) GDPR. The court reminded that, according to this definition, personal data is biometric data when (1) it results from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person and (2) this processing allows or confirms the unique identification of that natural person. Secondly, the Supreme Court disagreed with the judgement of the Court of Milan: according to the former, this processing was actually involving biometric data. It observed that the software was not only filming students while they were taking the exam, but also analysing the recording. More specifically, it was detecting “unusual behaviours” and collecting these “anomalous elements” into a video. This video was then sent to the professor, who could then decide if a further investigation was necessary. The court pointed out that, among other functions, this processing allowed to uniquely identify the person, as during all the recording time the software constantly checks if the person behind the camera is actually the student who is su
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (1)
Other cases involving Garante per la protezione dei dati personali in IT
Details
About this data
Cite as: Cookie Fines. Garante per la protezione dei dati personali - Italy (2024). Retrieved from cookiefines.eu
Last updated: