A school in northern Sweden has conducted a pilot using facial recognition to keep track of students' attendance in school. The test run was conducted in one school class for a limited period of time.
The Swedish DPA concluded that the test violates several articles in GDPR and has imposed a fine on the municipality of approximately 20 000 euros. In Sweden public authorities can receive a maximum fine of 10 million SEK (approximately 1 million euros). This is the first fine issued by the Swedish DPA.
The school has processed sensitive biometric data unlawfully and failed to do an adequate impact assessment including seeking prior consultation with the Swedish DPA.
The school has based the processing on consent but the Swedish DPA considers that consent was not a valid legal basis given the clear imbalance between the data subject and the controller.
More news on this topic
-
Administrative fines against two companies in the SL Group
3 July 2025 -
Administrative fine against the Equality Ombudsman when personal data was collected via a web form
12 May 2025 -
The Hospital Board has failed in its security measures when handling e-mail
12 May 2025 -
Administrative fines against Apoteket and Apohem for transferring personal data to Meta
3 July 2025
More news on this topic
-
Administrative fines against two companies in the SL Group
3 July 2025 -
Administrative fine against the Equality Ombudsman when personal data was collected via a web form
12 May 2025 -
The Hospital Board has failed in its security measures when handling e-mail
12 May 2025 -
Administrative fines against Apoteket and Apohem for transferring personal data to Meta
3 July 2025