The Swedish DPA, Datainspektionen, uses its rights to issue fine for breaches of GDPR. A high school in Skellefteå has tried using a camera with facial recognition to register student’s presence in class.

Biometric data, that are used for facial recognition, are considered as special categories of personal data according to GDPR Article 9, and specific exception are demanded to be able to process them. Skellefteå argues that they have gathered the explicit consent from the affected 22 students, but Datainspektionen argues that the consent cannot be valid, as the students have had dependences towards the school.

The fine is set to a moderate 200 000SEK (appr 20 000EURO). The fine is determined by the fact that Skellefteå is a public entity, and that it has only been a limited trial. The maximum fines for public entities in Sweden is 10 000 000SEK.

Datainspektionen concludes that the facial recognition has meant that students are surveilled by camera in their daily environment, that it has been a breach of their integrity, and that control of presence in class can be done in a less offensive way.