Updated: Apr 14, 2020
The Swedish DPA has fined a municipality 200 000 SEK (about 20 000 euros) for the use of facial recognition technology to monitor the attendance of students in school.
Read the full press release in Swedish here
A school in northern Sweden has carried out a pilot of facial recognition to keep track of students’ attendance in school. The test was performed in one school for a constrained period.
The Swedish DPA concluded that the test violates numerous articles in GDPR and has imposed a fine on the municipality of about 20000 euros. In Sweden, public authorities can receive a maximum fine of 10 million SEK (about 1million euros). This is the first fine of its kind issued by the Swedish DPA.
The school has processed sensitive biometric information unlawfully and failed to do an adequate impact assessment which includes seeking prior consultation with the Swedish DPA.
The college has based the processing on consent, but the Swedish DPA considers that consent was not a legitimate legal basis given the clear imbalance between the data subject and the controller.