Court case III OSK 4804/21 – Court Ruling (Poland, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Polish school used a fingerprint scanner to check whether students had paid for meals, but it did not handle consent properly. The school did not have valid consent for processing students' biometric data, which led to a ruling against it. This case emphasizes the need for clear and valid consent when using sensitive data like fingerprints.
What happened
A school installed a fingerprint scanner to verify meal payments but lacked valid consent from students for processing their biometric data.
Who was affected
Students at the school who were required to use their fingerprints to access meals.
What the authority found
The court upheld that the school violated GDPR rules by not obtaining valid consent for processing biometric data.
Why this matters
This ruling highlights the importance of obtaining proper consent for sensitive data and using less intrusive methods when possible. Schools and organizations should review their data collection practices to ensure compliance.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
A school (the controller) installed a fingerprint scanner by the entrance to the canteen. By scanning students’ fingerprints, the device verified whether a meal had been paid for. The processing was based on their parents’ consent.
The Polish DPA (UODO) initiated ex officio proceedings against the controller. During the proceedings, the controller explained that it did not possess the students’ fingerprint samples. Such a sample was stored only within the fingerprint scanner. When a student ceased to eat in the canteen, their fingerprint stored in the fingerprint scanner was immediately deleted.
After investigation, the DPA found violations of Article 5(1)(c) GDPR and Article 9(1) GDPR. The controller processed the biometric data under Article 4(14) GDPR. Nevertheless, the processing of biometric data was not based on valid consent under Article 9(2)(a) GDPR. The students not using the fingerprint scanner were treated differently, i.e., they had to verify their identity by stating their name and contract number when entering the canteen. For this reason, the DPA claimed the consent was not freely given. Moreover, the DPA stated that the processing of the biometric data violated the data minimisation principle, as the controller was able to use less privacy-intrusive means. Hence, the controller was fined PLN 20,000. Additionally, the DPA ordered deletion of the students’ fingerprint data and a ban on its further processing.
The controller lodged an appeal with the Voivodeship Administrative Court of Warsaw (Wojewódzki Sąd Administracyjny w Warszawie). The controller argued that it did not process biometric data. Furthermore, the controller disagreed with the DPA that the parents’ consent was an inappropriate legal basis for the processing at stake. The court upheld the appeal. For the court, the interpretation of the data minimisation principle relied upon by the DPA was too strict. The controller proved the relation between the fingerprint processing and its purpose. Furthermore, th
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Details
About this data
Cite as: Cookie Fines. Court case III OSK 4804/21 - Poland (2024). Retrieved from cookiefines.eu