First GDPR Facial Recognition Fine For Sweden School

By: Charles Rollet, Published on Aug 22, 2019

A school in Sweden has been fined $20,000 for using facial recognition to keep attendance in what is Sweden's first GDPR fine. Notably, the fine is also the EU's first GDPR fine for facial recognition, adding some clarity to use of the technology in the GDPR era.

sweden gdpr fine school face recognition

In this post, we examine the fine and its impact, including:

  • First Sweden GDPR fine ever
  • First GPDR facial recognition
  • What happened at the school
  • How the school justified it
  • The role of a data protection impact assessment
  • How the fine was calculated
  • Warning for further use
  • GDPR compliance for facial recognition
  • Negative market impact of such precedent
  • UPDATE: school will appeal

* ****** ** ****** has **** ***** $**,*** for ***** ****** *********** to **** ********** ** what ** ******'* ***** GDPR ****. *******, *** fine ** **** *** EU's ***** **** **** for ****** ***********, ****** some ******* ** *** of *** ********** ** the **** ***.

sweden gdpr fine school face recognition

** **** ****, ** examine *** **** *** its ******, *********:

  • ***** ****** **** **** ever
  • ***** **** ****** ***********
  • **** ******** ** *** school
  • *** *** ****** ********* it
  • *** **** ** * data ********** ****** **********
  • *** *** **** *** calculated
  • ******* *** ******* ***
  • **** ********** *** ****** recognition
  • ******** ****** ****** ** such *********
  • ******: ****** **** ******

[***************]

First ****** **** **** ****

**** ** *** ***** GDPR **** ** ****** ever, ** ****** ** the****** *******:

First **** ****** *********** **** ****

********* ** ** **** review ** **** *****, including ******* *** *************** *********** *******, **** ** *** first **** * **** fine *** **** ****** for ****** ***********.

What ********

*********** * ************** ** ********** **** ********** ********* ('Datainspektionen'), ** ******** ** Anderstorp’s ***** ********* ****** in*********å *************** ***** ********** ******** via ****** *********** *** a * **** ***** period ** ****. **** was **** ****** ** a ************ ****** ***** at *** ******** ** a *********; ***** **** no ******* ***** *** camera's ***** ** **** software *** ****.

********* ** *** ********, the ****** ****** *** system *** ** **** time ******** ********, ***** takes ** **** **,*** working ***** *** ****:

** ******** ********** ********* to *** **** ******, a *********** *** ***** 10 ******* *** ****** and ** ***** **** recognition ********** *** ********** control ** *****, ********* to *** ****** *****, save **,*** ***** * year ** *** ******* school.

** ** *** **** how ******** **** **, though *** ****** ******* said ****** ********** *** each ****** ********, *******, whether ** **** ** minutes *** ***** ****** is *******.

Legal ***** *** **********: *******

*** *******' **** ***** for ********** *** *******, as *** ******** ******** had ****** ******* *****. The ****'******** ***** ********** ********** ****** for * *** **********, including "******** *******" **** data ********.

GDPR ******** ** ******* *** *****

******'* *** ***** ******* major **** **********. *******, it ********** **** *** Article * ******* ************* was *** *****, ***** there ** ** ******* balance ** ***** ******* the ****** *** *** students, **** ******* ***** not **"****** *****":

** *******, ** ** clear **** *** ******* is ** * ********* position ** *** ****** in ***** ** ******, funding, *********, *** **** future **** ** ***** opportunities.

Other **** *********: ****************

*** ****'******** ******* **** ******** **** collection ** "********, ******** and ******* ** **** is *********" *** *** purpose ** **********. *******, the *** ****** ***** facial *********** ******* ****** in * "********** ********" ** *** school *** "**************** ** relation ** *** *******" of *** **********, ******:

********** ****** *** ** done ** ***** **** that *** ******* ******* violation *** ********.

No **** ********** ****** **********

*** ***** **** ********* was **** *** **** school, ***** ** ******* out * **** **********, did *** ******* * Data ********** ****** ********** as ********** ******** ** the****'* ******* **.

***** *** ******** **** any ********** "***** *** technologies" **** ******** "********** on * ***** ***** of ******* ********** ** data" [*.*. **********]. ***** must ******* ******** ************ of ********* "***** ** the ****** *** ********" and * "********* *** proportionality" **********.

***********, *******'* ******* ********** **** *********** "******* the *********** *********" ***** to ********** ** *** DPIA ********* ** "***** result ** * **** risk" ******* ********** ********.

*** **** ****** *** not ******* * **** nor ******* **** ******'* DPA, ********* ******** ** and **.

How *** **** *** **********

*** ******* *** ********** the ************* "***********" *********** that "*** ********* *** ******** sensitive ******** **** ********** children *** ***** * ********** ******** in ******** ** *** high ******." ************, ********* Articles * *** * was ********** "**** *******" than ***** **** ********.********** ******* ******** **** only ** ******** **** involved *** *** **** period *** ******* (* weeks).

****, * **** ** 200,000 ******* *****, ** slightly **** **** $**,***, was **********. *** **** school ***** *** ****** the ****.

******* *** ******* ***

***********, *** ****** ******** says **** **** ** continue ** *** **, prompting *** ******* **** Protection ********* ** ******* a *******:

*** **** ****** ***** of *********å ************ *** stated **** **** ****** to ******** *** **** recognition *** ********' ******** control. ***** ********** **** similarly ******* *** ********** of **** ********** **********. Due ** *** **** of ****** ********** ** In ********** **** *** planned **********, * ******* is *** *****

UPDATE */*/**: ****** *********

*** **** *** ******** by *** ****** ** September *,********* ** ** *******************, * ******* ***** for ***** ***** ********, which ******** *** ******:

*** ******** *********å'* ******** to ******. ** **** be ** *********** ** deepen *** ******* *** Data ************'* ******** *** conclusions. ** ******** ******** and ******* ** *** members' ******* *** ****** development ** * ******* age, **** ***** *********, Director ** *** ********** of ************ ** ***.

**** **** ***** **** appeal *** ****** **** it ** *******.

******** ****** ******

******* *** *** ** the ******* ****** ******* for ****** *********** ****** the *****. **** ****** could **** * ******** effect ** ***** ******* that *** ** *********** using ****** *********** *** increases *** ********** *** risks ** ******* ****** to **** ****** *********** to *******.

**** ***********

**** *********** *******:

  • ** ****** *********** ****** on *******, ** **** be "********" *** "****** given" ** ********** ** the ****. ** ***** is * ***** ********** in *** ******* ** power ******* *** ********** and *** **** *******, Data ********** *********** *** not ******** ** *****.
  • ***** *** **** ********* for *** *** ** facial *********** ***** ***** result "** * **** risk ** *** ****** and ******** ** ******* persons". ***** **** ******'* DPA *** ********* **** filming ******** *** ********** constitutes **** * ****, this ***** *** *** can ** ***** ****** reached.
  • ***** ** ****** *********** must ******** ******* **'* proportionate - *** *******, is ***** * ****** way ** ** **** without **** ** ********* technology?
  • ****** *********** **** ***** are ****** ** ** higher **** ***** ****, with *** ******* *** explicitly ****** **** ** fines ******* * (*.*. biometrics) ***** **** *******.

Comments (22)

John Honovich

IPVM | 08/22/19 01:41pm

**** * ******* ****** providing **** ******* ** this ******:

** ****** * ********** upper ********* ******. ************ those **** ** ******* have ********* **** **** attendance. ****** *** ********* between **-** ***** ** age *** * *** less ********* ******** ** students ******** **** *********** and **********/******* *********** ***************. What * ** ****** to *** ** **** attendance ****** ***** ********** be * *********. ********** is **** ********* ** a ******** (********** ** federal ***** ** *** US) ***** ********* ** approx. *** ******* * month. ****’* *** ********** checks *** *********.

******* ***** *** *** class – ** * here? ***/*** ******* ***** say. “***, *** ****** now.” *** **** * doesn’t **** **. ******** that ***** *** **-** students ** * ***** - ** ******* ***** quite **********.

John Honovich

IPVM | 08/22/19 05:19pm

*** ******* ***** ******* interviewing *** ** ******* of *** ******, *** ********:

*** **** ******'* ** strategist ***** ******** ** surprised *** *** **** expecting ****** ******* ** was * ***** ******* project.

- * ** *** understand ***** ********** *****, moreover ** *** **** out ** ** ******** were **, *** ****** did *** ****** *** approval, ******** ***** ********.

*** ************ *** *** yet ******* ******* ** will ****** ******* *** authority's ********.

Undisclosed #1

In reply to John Honovich | 08/22/19 10:00pm

*** ** ** ******** were **, *** ****** did *** ****** *** approval, ******** ***** ********.

*'* ** ******... ******* ********** ** ******** * pretty ****** ***** *** appeal ***...

*** **** ************'* ******** of '********** ** ******* of *****' ** ******** undermined ** *** ***** from **. ******** *****.

#***********

John Honovich

IPVM | In reply to Undisclosed #1 | 08/22/19 10:03pm

*** ****** *** *** submit *** ********

****, ** *** ****** did *** ****** *** approval, **** *** **** make ** ***** ***** GDPR? ******* ******* ** required *** ********* ********** unless ***** ** ****** interest, ***** **** *** apply ****. ***/**, *******?

Undisclosed #1

In reply to John Honovich | 08/22/19 11:07pm

* **** ***** ** saying **** *** * students *** *** *** 'opt **' **** *** used ** *** *****....

* ***'* **** **** that *****, *** *'* like ** **** *** explanation *** *** *** 7 **** ********, *** if ** *** **** this ** ** *** case * ***** ** has ****** ******* *** appealing *** *********.

Undisclosed #1

In reply to Undisclosed #1 | 08/22/19 11:11pm

* ***** **** *** pursued ********* ******* ***** ignored *** *****-******** *** guidelines ********* **** ** has ** **** **** before ******** *** *** technology - ***** ** didn't **.

Undisclosed #1

In reply to Undisclosed #1 | 08/22/19 11:17pm

**** ************ ******** *******

Avatar

Charles Rollet

In reply to John Honovich | 08/23/19 04:04am

* ***** **** **** means ** **** ** out ** ** ******** signed ******* *****, **** the **** ****** ***, i.e. ***** * **** not ******** ********** ** all. ** ***** *** IT *******'* ******** ***** is: '***, ** *** students *** *** ** this, *** **** ***, but ** ***** *** sanctioned'.

*******, **** ******* **** students ***** *** *** no **** ****** ***** the ****. *** **** issue *********** ** *** data ********** ********* ** the ***** ********* ******* students *** *** ****** ("** ** ***** **** the ******* ** ** a ********* ******** [** the ******]"), ******* ******* cannot ** "****** *****." There ** ******* ** the **** ******** **** factor **** ******* **** data ******** ****** ** opt ***. ******* ******:

** ***** ** ****** that ******* ** ****** given, ******* ****** *** provide * ***** ***** ground *** *** ********** of ******** **** ** a ******** **** ***** there ** * ***** imbalance ******* *** **** subject *** *** **********, in ********** ***** *** controller ** * ****** authority

John Honovich

IPVM | In reply to Charles Rollet | 08/23/19 11:44am

***** * **** *** facially ********** ** ***

**, *** **** **** work ************? ** *** camera *** ** ** such * *** **** the ******** *** ***** out *** ********** ***** the **** **** *** facial *********** ****** ** covering?

Avatar

Charles Rollet

In reply to John Honovich | 08/26/19 04:11am

***** * **** *** opted *** **** *** being ******** ********** ** the ***** **** **** did *** ******* *******/********* that ******* *** ******** to ***** **** *** record ***** **********, ** was **** **** *** other ** ****, *** the ******* *** ******:

*** *********** **** *** been ********** *********** **** ** *** form ** ****** ****** as **** ** ***** and **** *****.

** ***** * **** never ******** ***** **** to ** **** ** the ******. *** ****** was *** * **** controller ** ***** ********** information. **** **** **** not * ***** ** the ****.

*******, ***'** ******* **** if ***** * **** were ************ ***** ****** by * ************ ******, even ** **** ****'* provide ***** **** ********** and **** **** *** being *******, **'* ***** considered ********** ********** **** requires ***** *******, ** we *** **** ****** ** ************ *** *********** ***** states **** **** ******* need ******* **** ******** being ******, *** **** the ****:

*** *** ***** ****'* unclear **** *** ******* DPA's ****** ** ******* there *** * ************ camera ** *** ********* recording *** *** ********, or ** ******-******* **** system **** ********** **** student ************ (*** ******* via * ****** *********** terminal):

** ** *** ** access *******-**** ******, ***** would ** ** **** issue **** ***** * students *** *** *** consent, ** **** ***** easily ***** ***** ****** altogether. *******, ** ***** was * ************ ****** filming *** ***** *********, for ** ** ** fully **** *********, ** would **** ** ***** filming *** ***-********** ******** - ****** ** ******** them **** *** ******'* FoV ** ***** **** kind ** ******* ******.

*'** ******** ** **** the ******* *** ****** what **** ** ****** was ** *** *** will ****** **** ******* upon ********.

Undisclosed #1

In reply to Charles Rollet | 08/23/19 02:14pm

"** ***** ** ****** that ******* ** ****** given, ******* ****** *** provide * ***** ***** ground *** *** ********** of ******** **** ** a ******** **** ***** there ** * ***** imbalance ******* *** **** subject *** *** **********, in ********** ***** *** controller ** * ****** authority"

"*** **** ***** *********** by *** **** ********** authority ** *** ***** imbalance ******* ******** *** the ******"

*** *** *** *********** agencies ********* ****** *** EU **** ******* *** facial *********** ***** ***************** * ***** ********* of ***** ** ********?

Avatar

Charles Rollet

In reply to Undisclosed #1 | 08/26/19 04:38am

**** ** * **** question *** *** *** correct **** ***** ** always * **** ********* of ***** ******* ** individual *** * ****** force. *******, ** *********** are **** ***** ** this, ***** ** *** they ***** ***** *** the "*******" ************* **** the ****'******** *- ******* **** *** the "*********** ****** ********" justification, ***** ** ****** separate *** *****:

Robert Hickling

In reply to Charles Rollet | 08/27/19 09:13am

*** **** **** *** cover *** *** ** personal **** *** *** enforcement ********. ***** ** a ******** ***** ********** that ****** **** ****** the *** *********** *********.

Avatar

Charles Rollet

In reply to Robert Hickling | 08/27/19 09:32am

***'** ******* ******, ***** about ** ******* *********** #1. ****** *** ****'******** *('******** *****') ********** ******** law ***********:

****** *********** ************* ******* ******* ********** of ******** **** **** facial ***********, ******* ** is *********

***** ** ******* **** where ******** *********, ******* to *********** ********** *** the ****** *** ******** of *** **** *******

*** ********** **** **** meet *** ** *** three ********* **********:

****** ***, ** **** for ** ****** ** obtain ******* *** ****** recognition.

Undisclosed #1

In reply to Charles Rollet | 08/27/19 11:56pm

** * ***...

*** ********** *** ** used ** *** ***********, but *** ****** ****.

**** ****** ****.

Avatar

Salvatore D'Agostino

IDmachines | In reply to Undisclosed #1 | 08/29/19 01:17pm

***** ** ***** * need ** ** ***** about ******* (******** *****) and ************* **** *** law ***********, **** **** sure **** ****** ******. Transparency **** * **** way ** ******* **** of ***** ******. ** someone *** *** ******** this ********** (**) *** over ** ***** (********* in ******** ** ****), we ******* ***** ******* long ***.

Avatar

Daniel McKimm

08/22/19 07:49pm

**** **** ** ** are ********* ** ** that ********** *** ****** its ********** ** *** GDPR **** *** ********** Consumer ******* *** ** the ***** ** *** FCC’s *********** ** *** Neutrality **** *** ********* of *** **** **** Internet *****. *’* *** saying ****** ** ***** laws *** *** ‘** all’ ‘*** ***’ ******** toward ******** *** ****** privacy **********, *** ** least **** *** ** and ********** ********** ***** was ** ***** *** both *** ****** **** faith ******* ****** ********** address *** ****** ******* protection.


**** ** ********** ** more ******* ****** ********* Net ********** *** *** current ***’* ******* ** acknowledge, *** ***** *******, the ******’* ****** ********* Internet ******. *** ******* FCC, ***** *** ************ of **** ***, ****** Verizon ******, *** ******* developed * ******* **** of ******* ** ****** the **************, ******* *********, redlining, ********, **********, **** prioritization (“************** *** *** purposes ** ****** *****, not *** ****** ****** or *** *********** ********”), and **** ****-****** — “the ******** ** ********* certain ***** ** ******* from ******** ******* * data *** (***** ***** an ********* ******* *** ISP *** *** ********)” to ******** *** **** Open ******** ***** ***** the ****** *** ************ Tom *******.

Avatar

Skip Cusack

08/26/19 01:38pm

***** ** ** **** Face *** ** ****** among ********** ** *** fact **** *** ********* signal, ****** *** ****, is ****** ** ******* 24/7. ** **** ** would ** ********** ** it ****'*.

** *** *** ****** about **** *******? *** iris *** ******, **** protection ***** *****. *** isn't * **** ******* taken *** ********' **********? License? ******** ** ************ all *** ****? **** is *** ***** ** penalties *** *** ************ data ** ******** ** safeguard?

Avatar

Salvatore D'Agostino

IDmachines | 08/29/19 01:24pm

****, ** *** **** place */* *** ********* of *** ********** ***** identified *** ***. **** most ***** ********** ***** is ******* * ***** interaction. **** ***** ** another *** ***** ** could ** **** */* user ******* ** *** taking *****. **** ** why ****** *** ************ about *** ****** ** surveillance *******. *** **** issues ***** ** *** use ** ******** ****, including **********, ** ** just *** **** **** the ** *** **** can **** ********* *********** realities. ** **** **** opt-in ***** **** ****** as ****'* * **** in *** ******* **** assessment.

Avatar

Salvatore D'Agostino

IDmachines | 08/29/19 07:18pm

*** ********* ** **** sure *** ****** **** in*****

Avatar

Salvatore D'Agostino

IDmachines | In reply to Salvatore D'Agostino | 08/29/19 07:25pm

**** **** **** *** US***** ****** ******** ** use ****** *********** ******** | **** | *****.***

Avatar

Charles Rollet

09/09/19 07:31am

******: ** *'** **** added ** *** ****, the **** *** **** appealed ** *** ****** on ********* *,********* ** ** *******************, * ******* ***** for ***** ***** ********, which ****:

*** ******** *********å'* ******** to ******. ** **** be ** *********** ** deepen *** ******* *** Data ************'* ******** *** conclusions. ** ******** ******** and ******* ** *** members' ******* *** ****** development ** * ******* age, ********* *********,******** ** *** ********** of ************ ** ***.

**** **** ***** **** and ****** **** ** is *******.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports on GDPR

Mobotix First CNPP CCTV Cybersecurity Certification Examined on Sep 05, 2019
Mobotix recently became the first video surveillance manufacturer to receive the CNPP cybsersecurity certification for its cameras, in which they...
UK Facewatch GDPR Compliance Questioned on Aug 27, 2019
Even as the GDPR strictly regulates biometrics, a UK company called Facewatch is selling anti-shoplifter facial recognition systems to hundreds of...
Anyvision Facial Recognition Tested on Aug 21, 2019
Anyvision is aiming for $1 billion in revenue by 2022, backed by $74 million in funding. But does their performance live up to the hype they have...
Suprema Biometric Mass Leak Examined on Aug 19, 2019
While Suprema is rarely discussed even within the physical security market, the South Korean biometrics manufacturer made global news this past...
Biometrics Usage Statistics 2019 on Aug 13, 2019
Biometrics are commonly used in phones, but how frequently are they used for access? 150+ integrators told us how often they use biometrics,...
Milestone "GDPR-ready" Certification Claim Critiqued on Aug 12, 2019
Milestone is touting that its latest XProtect VMS is "GDPR-ready" with a 'European Privacy Seal'. However, our investigation raises significant...
Australia Security Full Show Report on Jul 25, 2019
IPVM went to Australia attending the 3 days of the Australia Security Exhibition: This was held at the ICC Sydney, as shown below: In this...
New GDPR Guidelines for Video Surveillance Examined on Jul 18, 2019
The highest-level EU data protection authority has issued a new series of provisional video surveillance guidelines. While GDPR has been in...
First Video Surveillance GDPR Fine In France on Jul 08, 2019
The French government has imposed a sizeable fine on a small business for violating the GDPR after it constantly filmed employees without informing...

Most Recent Industry Reports

How Cobalt Robotics May Disrupt Security on Sep 13, 2019
While security robots have largely become a joke over the last few years, one organization, Cobalt Robotics, has raised $50+ million from top US...
Panasonic 4K Camera Tested (WV-S2570L) on Sep 13, 2019
Panasonic has released their latest generation 4K dome, the WV-S2570L, claiming "Extreme image quality allows evidence to be captured even under...
ASIS GSX 2019 Show Report Final on Sep 12, 2019
IPVM went to Chicago for ASIS GSX 2019, with many exhibitors disappointed about traffic and the exhibitor schedule changing next year. Inside we...
Installation Course - Last Chance - Register Now on Sep 12, 2019
Last Chance - Register Now - September 2019 Video Surveillance Install Course. Thursday, September 12th is your last chance to register for the...
Commend ID5 Intercom Tested on Sep 12, 2019
Commend touts the new ID5 intercom as 'timelessly elegant' and the slim body, glass front touchscreen indeed looks better than common, but ugly,...
US State Department: "Chinese Tech Giants" "Tools of the Chinese Communist Party" on Sep 12, 2019
The US State Department has called out "Chinese tech giants" for being "tools of the Chinese Communist Party" in a blunt new speech that makes...
Uniview OEM Directory on Sep 11, 2019
This directory lists 20+ companies that OEM products from Uniview, with a graphic and links to company websites below. It does not cover all...
Yi Home Camera 3 AI Analytics Tested on Sep 10, 2019
Yi Technology is claiming "new AI features" in its $50 Home Camera 3 "eliminates 'false positives' caused by flying insects, small pets, or light...
Hanwha Announces 32MP Camera + AI Line on Sep 10, 2019
In the first rise in maximum megapixel resolution in 5 years, Hanwha has announced a 32MP / 8K camera directly competing with Avigilon's H4 30MP /...
Fingerprints for Access Control Guide on Sep 09, 2019
Users can lose badges, but they never misplace a finger, right? The most common biometric used in access are fingerprints, and it has become one...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact