Garante per la protezione dei dati personali – Court Ruling (Italy, 2024)
The Italian Supreme Court ruled on a case involving a university that used software to monitor students during exams. The Court decided that the data collected did not qualify as biometric data, which is significant because it clarifies what constitutes biometric information under data protection laws. This ruling is important for educational institutions using similar technologies.
What happened
The Italian Supreme Court ruled that the data processed by a university's proctoring software did not fall under the definition of biometric data.
Who was affected
Students monitored by the university's proctoring software were affected.
What the authority found
The Court found that the data collected did not meet the criteria for biometric data as defined by GDPR.
Why this matters
This ruling provides clarity on the definition of biometric data, which is crucial for educational institutions using monitoring software. It encourages schools to carefully evaluate their data practices.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
On 16 September 2021, the Italian DPA issued a €200,000 fine against the controller, a university. While Covid-19 restrictions were in place, it used a proctoring software to ensure students were not cheating during the examination. Among other matters, the DPA found that the controller was processing biometric data without a legal basis. The controller challenged the DPA decision before the Court of Milan. On 20 October 2022, this Court partially upheld the controller’s appeal and overturned the DPA decision. It ruled that the data that was processed did not fall into the definition of biometric data as per Article 4(14) GDPR. On 12 January 2023, the DPA appealed the decision of the Court of Milan before the Supreme Court, which upheld the appeal and overturned the judgement. Firstly, the court analysed whether the data processed fell into the definition of biometric data in accordance with Article 4(14) GDPR. The court reminded that, according to this definition, personal data is biometric data when (1) it results from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person and (2) this processing allows or confirms the unique identification of that natural person. Secondly, the Supreme Court disagreed with the judgement of the Court of Milan: according to the former, this processing was actually involving biometric data. It observed that the software was not only filming students while they were taking the exam, but also analysing the recording. More specifically, it was detecting “unusual behaviours” and collecting these “anomalous elements” into a video. This video was then sent to the professor, who could then decide if a further investigation was necessary. The court pointed out that, among other functions, this processing allowed to uniquely identify the person, as during all the recording time the software constantly checks if the person behind the camera is actually the student who is su
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (1)
Other cases involving Garante per la protezione dei dati personali in IT
Details
About this data
Cite as: Cookie Fines. Garante per la protezione dei dati personali - Italy (2024). Retrieved from cookiefines.eu
Last updated: