Szkoła Podstawowa nr 2 w Gdańsku (Primary School in Gdańsk) – Fine (Poland, 2020)

Primary school in school Gdańsk processed special categories of personal data (biometric data) of 680 children when they used the school canteen after receiving their parents' consent. The solution has been in place since 1 April 2015. The parents get informed via the canteen's website. Children whose parents have consented get their meals with priority. Two people, the system administrator and the authorising officer, have access to the database. The server is protected against unauthorized access with a password. Following an ex officio administrative proceedings, the President of the UODO has established that the school is using a biometric reader at the entrance to the school canteen that identifies the children in order to verify the payment of the meal fee. The UODO highlighted that it is special categories of personal data and that extra protection has been set out for children. In this case the UODO found that the consent given by the parents was not valid in particular because of the imbalance of the parties, hence the processing of biometric data did not have a valid legal basis. It also stressed that there it promotes unequal treatment among the students. The identification of the students could have been achieved through less intrusive means. For the mentioned reasons, the UODO ordered the primary school to delete the biometric data concerned, to cease the collection of this data in the first place and it imposed the fine of PLN 20,000.