GDPR School-Specific Fines


2019-08-20 A school in Skelleftea, Sweeden made a trial to use facial recognition technology. The fine was imposed against the school which had used facial recognition technology to monitor the attendance of students. Even though, in general, data processing for the purpose of monitoring attendance is possible doing so with facial recognition is disproportioned to the goal to monitor attendance. The supervisory authority is of the opinion that biometric data of students was processed which is why Art. 9 GDPR is applicable. Additionally, the authority argued that consent can not be applied since students and their guardians cannot freely decide if they/their children want to be monitored for attendance purposes. When examining if the school board can rely on any of the exemptions listed in Art. 9 (2), the supervisory authority found that this was not the case. The supervisory authority also found that there was a case of a processing activity with high risks since new technology was used to process sensitive personal data concerning children who are in a dependency position to the high school board and due to camera surveillance being used in the students everyday environment. In the view of the authority, the school board was not able to demonstrate compliance with Art. 35 GDPR and that the school board was required to consult the authority in accordance with Art. 36 (1) GDPR.

Art. 5 (1) c) GDPR, Art. 9 GDPR, Art. 35 GDPR, Art. 36 GDPR (Ruling – Insufficient legal basis for data processing) Fine: €18,630 Link

NORWAY2019-04-29 Oslo Municipal Education Department, Norway: Fine for security vulnerabilities in a mobile messaging app developed for use in an Oslo school. The app allows parents and students to send messages to school staff. Due to insufficient technical and organisational measures to protect information security, unauthorised persons were able to log in as authorised users and gain access to personal data about students, legal representatives and employees.

Art. 32 GDPR (Ruling – Insufficient technical and organisational measures to ensure information security) Fine: €203,000 Link

NORWAY2019-03 Bergen Municipality, Norway: The incident relates to computer files with usernames and passwords to over 35000 user accounts in the municipality’s computer system. The user accounts related to both pupils in the municipality’s primary schools, and to the employees of the same schools. Due to insufficient security measures, these files have been unprotected and openly accessible. The lack of security measures in the system made it possible for anyone to log in to the school’s various information systems, and thereby to access various categories of personal data relating to the pupils and employees of the schools. The fact that the security breach encompasses personal data to over 35 000 individuals, and that the majority of these are children, were considered to be aggravating factors. The municipality had also been warned several times, both by the authority and an internal whistleblower, that the data security was inadequate.

Art. 32 GDPR (Ruling – Insufficient technical and organisational measures to ensure information security) Fine: €170,000 Link