School in Skellefteå – €18,630 Fine (Sweden, 2019)

A school in Skellefteå made a trial to use facial recognition technology. The fine was imposed against the school which had used facial recognition technology to monitor the attendance of students. Even though, in general, data processing for the purpose of monitoring attendance is possible doing so with facial recognition is disproportioned to the goal to monitor attendance. The supervisory authority is of the opinion that biometric data of students was processed which is why Art. 9 GDPR is applicable. Additionally, the authority argued that consent can not be applied since students and their guardians cannot freely decide if they/their children want to be monitored for attendance purposes. When examining if the school board can rely on any of the exemptions listed in Art. 9 (2), the supervisory authority found that this was not the case. The supervisory authority also found that there was a case of a processing activity with high risks since new technology was used to process sensitive personal data concerning children who are in a dependency position to the high school board and due to camera surveillance being used in the students everyday environment. In the view of the authority, the school board was not able to demonstrate compliance with Art. 35 GDPR and that the school board was required to consult the authority in accordance with Art. 36 (1) GDPR.