Bocconi University – €200,000 Fine (Italy, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Bocconi University was fined EUR 200,000 for not properly informing students about data collection during online exams. The university used software that recorded students without clear communication about data use and storage. This case shows the need for transparency in data practices, especially with remote learning tools.
What happened
Bocconi University used monitoring software during exams without adequately informing students about data collection and processing.
Who was affected
Students taking online exams at Bocconi University who were recorded and monitored without clear information.
What the authority found
The Italian Data Protection Authority found Bocconi University violated GDPR by failing to inform students about the processing of their personal data during exams.
Why this matters
This ruling emphasizes the importance of transparency and clear communication about data practices, particularly in educational settings using remote technologies. Institutions should ensure students are fully informed about how their data is used and stored.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The Italian DPA (Garante) has imposed a fine of EUR 200,000 on Bocconi University. A student had filed a complaint with the DPA about possible GDPR violations related to the use of a monitoring system during written exams. In the context of the emergency situation triggered by the Covid-19 pandemic, the university had equipped itself with the remote monitoring software Respondus provided by the American company Respondus Inc. to ensure the normal running of the exams, since it was not possible to take the exams live and in person as usual. The software was able to monitor the behavior of the students through video recordings and snapshots taken at random intervals. In addition, the exam was audio-visually recorded and a photograph was taken of each examinee at the beginning of the exam. At the end of the exam, the system processed the video, inserted warning signals regarding possible indications of incorrect behavior, and, among other things, assigned a so-called 'review priority' so that the examiner could subsequently assess whether an unauthorized act had been committed during the exam. In its investigation the DPA found that students were not properly informed of the processing of their personal data involved in the use of Respondus. For instance they were not informed that they would be audiovisually recorded and that the images would subsequently be processed. In addition, students were not provided with information regarding specific retention periods for personal data. Nor had they received sufficient information about the fact that their personal data would be transferred to the United States; instead, they were only informed in general terms that personal data would be processed both within and outside the territory of the European Union. Furthermore, the DPA found that the little information the students had received was presented in a fragmented and disorganized manner in various documents. The DPA considered this to be a violation of the principles of
Related Enforcement Actions (0)
No other enforcement actions found for Bocconi University in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
16 September 2021
Authority
Garante per la protezione dei dati personali
Fine Amount
€200,000
Enforcement Tracker ID
ETid-876
About this data
Cite as: Cookie Fines. Bocconi University - Italy (2021). Retrieved from cookiefines.eu
Last updated: