Court case III OSK 4804/21 – Court Ruling (Poland, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A school (the controller) installed a fingerprint scanner by the entrance to the canteen. By scanning students’ fingerprints, the device verified whether a meal had been paid for. The processing was based on their parents’ consent. The Polish DPA (UODO) initiated ex officio proceedings against the controller. During the proceedings, the controller explained that it did not possess the students’ fingerprint samples. Each sample was stored only within the fingerprint scanner. When a student ceased to eat in the canteen, their fingerprint stored in the scanner was immediately deleted.
After its investigation, the DPA found violations of Article 5(1)(c) GDPR and Article 9(1) GDPR. The controller processed biometric data within the meaning of Article 4(14) GDPR. Nevertheless, the processing of biometric data was not based on valid consent under Article 9(2)(a) GDPR. Students who did not use the fingerprint scanner were treated differently, i.e., they had to verify their identity by stating their name and contract number when entering the canteen. For this reason, the DPA claimed the consent was not freely given. Moreover, the DPA stated that the processing of the biometric data violated the data minimisation principle, as the controller was able to use less privacy-intrusive means. Hence, the controller was fined PLN 20,000. Additionally, the DPA ordered deletion of the students’ fingerprint data and a ban on its further processing.
The controller lodged an appeal with the Voivodeship Administrative Court of Warsaw (Wojewódzki Sąd Administracyjny w Warszawie). The controller argued that it did not process biometric data. Furthermore, the controller disagreed with the DPA that the parents’ consent was an inappropriate legal basis for the processing at stake. The court upheld the appeal. In the court’s view, the interpretation of the data minimisation principle relied upon by the DPA was too strict. The controller proved the relation between the fingerprint processing and its purpose. Furthermore, th
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case III OSK 4804/21 in PL
This is the only recorded case for this entity in this jurisdiction.
Cite as: Cookie Fines. Court case III OSK 4804/21 - Poland (2024). Retrieved from cookiefines.eu