Finally some action in Sweden!
The ruling is in Swedish, but to summarise: the school was using facial recognition on its students. Facial recognition data is biometric data, hence sensitive (a special category of data in the GDPR). They used consent as the legal basis, but this was considered unlawful due to the imbalance in the relationship between the controller (the school) and the data subject (a student of 16+ years). Basically, the student had no choice.
But there is more. The Swedish data protection authority based their decision on the following:
- Art 5 – the personal data collected was intrusive, and more was collected than was needed for the purpose
- Art 9 – the school did not have a legal exception to handle sensitive data. It is forbidden to collect sensitive data unless this is the case.
- Art 35-36 – it seems that a DPIA was not done.
What does this mean for other schools, or even any public or private entity looking to use intrusive biometrics? Do a data protection impact assessment (DPIA); from it you will be able to get a clear picture of the potential risk of harm to the rights and freedoms of the data subject.
For me personally and professionally, I’m just happy that China’s big brother approach has been nipped in the bud here in Sweden 🙂