First GDPR Facial Recognition Fine For Sweden School

By: Charles Rollet, Published on Aug 22, 2019

A school in Sweden has been fined $20,000 for using facial recognition to keep attendance in what is Sweden's first GDPR fine. Notably, the fine is also the EU's first GDPR fine for facial recognition, adding some clarity to use of the technology in the GDPR era.

sweden gdpr fine school face recognition

In this post, we examine the fine and its impact, including:

  • First Sweden GDPR fine ever
  • First GPDR facial recognition
  • What happened at the school
  • How the school justified it
  • The role of a data protection impact assessment
  • How the fine was calculated
  • Warning for further use
  • GDPR compliance for facial recognition
  • Negative market impact of such precedent
  • UPDATE: school will appeal

* ****** ** ****** has **** ***** $**,*** for ***** ****** *********** to **** ********** ** what ** ******'* ***** GDPR ****. *******, *** fine ** **** *** EU's ***** **** **** for ****** ***********, ****** some ******* ** *** of *** ********** ** the **** ***.

sweden gdpr fine school face recognition

** **** ****, ** examine *** **** *** its ******, *********:

  • ***** ****** **** **** ever
  • ***** **** ****** ***********
  • **** ******** ** *** school
  • *** *** ****** ********* it
  • *** **** ** * data ********** ****** **********
  • *** *** **** *** calculated
  • ******* *** ******* ***
  • **** ********** *** ****** recognition
  • ******** ****** ****** ** such *********
  • ******: ****** **** ******

[***************]

First ****** **** **** ****

**** ** *** ***** GDPR **** ** ****** ever, ** ****** ** the****** *******:

First **** ****** *********** **** ****

********* ** ** **** review ** **** *****, including ******* *** *************** *********** *******, **** ** *** first **** * **** fine *** **** ****** for ****** ***********.

What ********

*********** * ************** ** ********** **** ********** ********* ('Datainspektionen'), ** ******** ** Anderstorp’s ***** ********* ****** in*********å *************** ***** ********** ******** via ****** *********** *** a * **** ***** period ** ****. **** was **** ****** ** a ************ ****** ***** at *** ******** ** a *********; ***** **** no ******* ***** *** camera's ***** ** **** software *** ****.

********* ** *** ********, the ****** ****** *** system *** ** **** time ******** ********, ***** takes ** **** **,*** working ***** *** ****:

** ******** ********** ********* to *** **** ******, a *********** *** ***** 10 ******* *** ****** and ** ***** **** recognition ********** *** ********** control ** *****, ********* to *** ****** *****, save **,*** ***** * year ** *** ******* school.

** ** *** **** how ******** **** **, though *** ****** ******* said ****** ********** *** each ****** ********, *******, whether ** **** ** minutes *** ***** ****** is *******.

Legal ***** *** **********: *******

*** *******' **** ***** for ********** *** *******, as *** ******** ******** had ****** ******* *****. The ****'******** ***** ********** ********** ****** for * *** **********, including "******** *******" **** data ********.

GDPR ******** ** ******* *** *****

******'* *** ***** ******* major **** **********. *******, it ********** **** *** Article * ******* ************* was *** *****, ***** there ** ** ******* balance ** ***** ******* the ****** *** *** students, **** ******* ***** not **"****** *****":

** *******, ** ** clear **** *** ******* is ** * ********* position ** *** ****** in ***** ** ******, funding, *********, *** **** future **** ** ***** opportunities.

Other **** *********: ****************

*** ****'******** ******* **** ******** **** collection ** "********, ******** and ******* ** **** is *********" *** *** purpose ** **********. *******, the *** ****** ***** facial *********** ******* ****** in * "********** ********" ** *** school *** "**************** ** relation ** *** *******" of *** **********, ******:

********** ****** *** ** done ** ***** **** that *** ******* ******* violation *** ********.

No **** ********** ****** **********

*** ***** **** ********* was **** *** **** school, ***** ** ******* out * **** **********, did *** ******* * Data ********** ****** ********** as ********** ******** ** the****'* ******* **.

***** *** ******** **** any ********** "***** *** technologies" **** ******** "********** on * ***** ***** of ******* ********** ** data" [*.*. **********]. ***** must ******* ******** ************ of ********* "***** ** the ****** *** ********" and * "********* *** proportionality" **********.

***********, *******'* ******* ********** **** *********** "******* the *********** *********" ***** to ********** ** *** DPIA ********* ** "***** result ** * **** risk" ******* ********** ********.

*** **** ****** *** not ******* * **** nor ******* **** ******'* DPA, ********* ******** ** and **.

How *** **** *** **********

*** ******* *** ********** the ************* "***********" *********** that "*** ********* *** ******** sensitive ******** **** ********** children *** ***** * ********** ******** in ******** ** *** high ******." ************, ********* Articles * *** * was ********** "**** *******" than ***** **** ********.********** ******* ******** **** only ** ******** **** involved *** *** **** period *** ******* (* weeks).

****, * **** ** 200,000 ******* *****, ** slightly **** **** $**,***, was **********. *** **** school ***** *** ****** the ****.

******* *** ******* ***

***********, *** ****** ******** says **** **** ** continue ** *** **, prompting *** ******* **** Protection ********* ** ******* a *******:

*** **** ****** ***** of *********å ************ *** stated **** **** ****** to ******** *** **** recognition *** ********' ******** control. ***** ********** **** similarly ******* *** ********** of **** ********** **********. Due ** *** **** of ****** ********** ** In ********** **** *** planned **********, * ******* is *** *****

UPDATE */*/**: ****** *********

*** **** *** ******** by *** ****** ** September *,********* ** ** *******************, * ******* ***** for ***** ***** ********, which ******** *** ******:

*** ******** *********å'* ******** to ******. ** **** be ** *********** ** deepen *** ******* *** Data ************'* ******** *** conclusions. ** ******** ******** and ******* ** *** members' ******* *** ****** development ** * ******* age, **** ***** *********, Director ** *** ********** of ************ ** ***.

**** **** ***** **** appeal *** ****** **** it ** *******.

******** ****** ******

******* *** *** ** the ******* ****** ******* for ****** *********** ****** the *****. **** ****** could **** * ******** effect ** ***** ******* that *** ** *********** using ****** *********** *** increases *** ********** *** risks ** ******* ****** to **** ****** *********** to *******.

**** ***********

**** *********** *******:

  • ** ****** *********** ****** on *******, ** **** be "********" *** "****** given" ** ********** ** the ****. ** ***** is * ***** ********** in *** ******* ** power ******* *** ********** and *** **** *******, Data ********** *********** *** not ******** ** *****.
  • ***** *** **** ********* for *** *** ** facial *********** ***** ***** result "** * **** risk ** *** ****** and ******** ** ******* persons". ***** **** ******'* DPA *** ********* **** filming ******** *** ********** constitutes **** * ****, this ***** *** *** can ** ***** ****** reached.
  • ***** ** ****** *********** must ******** ******* **'* proportionate - *** *******, is ***** * ****** way ** ** **** without **** ** ********* technology?
  • ****** *********** **** ***** are ****** ** ** higher **** ***** ****, with *** ******* *** explicitly ****** **** ** fines ******* * (*.*. biometrics) ***** **** *******.

Comments (22)

**** * ******* ****** providing **** ******* ** this ******:

** ****** * ********** upper ********* ******. ************ those **** ** ******* have ********* **** **** attendance. ****** *** ********* between **-** ***** ** age *** * *** less ********* ******** ** students ******** **** *********** and **********/******* *********** ***************. What * ** ****** to *** ** **** attendance ****** ***** ********** be * *********. ********** is **** ********* ** a ******** (********** ** federal ***** ** *** US) ***** ********* ** approx. *** ******* * month. ****’* *** ********** checks *** *********.

******* ***** *** *** class – ** * here? ***/*** ******* ***** say. “***, *** ****** now.” *** **** * doesn’t **** **. ******** that ***** *** **-** students ** * ***** - ** ******* ***** quite **********.

*** ******* ***** ******* interviewing *** ** ******* of *** ******, *** ********:

*** **** ******'* ** strategist ***** ******** ** surprised *** *** **** expecting ****** ******* ** was * ***** ******* project.

- * ** *** understand ***** ********** *****, moreover ** *** **** out ** ** ******** were **, *** ****** did *** ****** *** approval, ******** ***** ********.

*** ************ *** *** yet ******* ******* ** will ****** ******* *** authority's ********.

*** ** ** ******** were **, *** ****** did *** ****** *** approval, ******** ***** ********.

*'* ** ******... ******* ********** ** ******** * pretty ****** ***** *** appeal ***...

*** **** ************'* ******** of '********** ** ******* of *****' ** ******** undermined ** *** ***** from **. ******** *****.

#***********

*** ****** *** *** submit *** ********

****, ** *** ****** did *** ****** *** approval, **** *** **** make ** ***** ***** GDPR? ******* ******* ** required *** ********* ********** unless ***** ** ****** interest, ***** **** *** apply ****. ***/**, *******?

* **** ***** ** saying **** *** * students *** *** *** 'opt **' **** *** used ** *** *****....

* ***'* **** **** that *****, *** *'* like ** **** *** explanation *** *** *** 7 **** ********, *** if ** *** **** this ** ** *** case * ***** ** has ****** ******* *** appealing *** *********.

* ***** **** *** pursued ********* ******* ***** ignored *** *****-******** *** guidelines ********* **** ** has ** **** **** before ******** *** *** technology - ***** ** didn't **.

**** ************ ******** *******

* ***** **** **** means ** **** ** out ** ** ******** signed ******* *****, **** the **** ****** ***, i.e. ***** * **** not ******** ********** ** all. ** ***** *** IT *******'* ******** ***** is: '***, ** *** students *** *** ** this, *** **** ***, but ** ***** *** sanctioned'.

*******, **** ******* **** students ***** *** *** no **** ****** ***** the ****. *** **** issue *********** ** *** data ********** ********* ** the ***** ********* ******* students *** *** ****** ("** ** ***** **** the ******* ** ** a ********* ******** [** the ******]"), ******* ******* cannot ** "****** *****." There ** ******* ** the **** ******** **** factor **** ******* **** data ******** ****** ** opt ***. ******* ******:

** ***** ** ****** that ******* ** ****** given, ******* ****** *** provide * ***** ***** ground *** *** ********** of ******** **** ** a ******** **** ***** there ** * ***** imbalance ******* *** **** subject *** *** **********, in ********** ***** *** controller ** * ****** authority

***** * **** *** facially ********** ** ***

**, *** **** **** work ************? ** *** camera *** ** ** such * *** **** the ******** *** ***** out *** ********** ***** the **** **** *** facial *********** ****** ** covering?

***** * **** *** opted *** **** *** being ******** ********** ** the ***** **** **** did *** ******* *******/********* that ******* *** ******** to ***** **** *** record ***** **********, ** was **** **** *** other ** ****, *** the ******* *** ******:

*** *********** **** *** been ********** *********** **** ** *** form ** ****** ****** as **** ** ***** and **** *****.

** ***** * **** never ******** ***** **** to ** **** ** the ******. *** ****** was *** * **** controller ** ***** ********** information. **** **** **** not * ***** ** the ****.

*******, ***'** ******* **** if ***** * **** were ************ ***** ****** by * ************ ******, even ** **** ****'* provide ***** **** ********** and **** **** *** being *******, **'* ***** considered ********** ********** **** requires ***** *******, ** we *** **** ****** ** ************ *** *********** ***** states **** **** ******* need ******* **** ******** being ******, *** **** the ****:

*** *** ***** ****'* unclear **** *** ******* DPA's ****** ** ******* there *** * ************ camera ** *** ********* recording *** *** ********, or ** ******-******* **** system **** ********** **** student ************ (*** ******* via * ****** *********** terminal):

** ** *** ** access *******-**** ******, ***** would ** ** **** issue **** ***** * students *** *** *** consent, ** **** ***** easily ***** ***** ****** altogether. *******, ** ***** was * ************ ****** filming *** ***** *********, for ** ** ** fully **** *********, ** would **** ** ***** filming *** ***-********** ******** - ****** ** ******** them **** *** ******'* FoV ** ***** **** kind ** ******* ******.

*'** ******** ** **** the ******* *** ****** what **** ** ****** was ** *** *** will ****** **** ******* upon ********.

"** ***** ** ****** that ******* ** ****** given, ******* ****** *** provide * ***** ***** ground *** *** ********** of ******** **** ** a ******** **** ***** there ** * ***** imbalance ******* *** **** subject *** *** **********, in ********** ***** *** controller ** * ****** authority"

"*** **** ***** *********** by *** **** ********** authority ** *** ***** imbalance ******* ******** *** the ******"

*** *** *** *********** agencies ********* ****** *** EU **** ******* *** facial *********** ***** ***************** * ***** ********* of ***** ** ********?

**** ** * **** question *** *** *** correct **** ***** ** always * **** ********* of ***** ******* ** individual *** * ****** force. *******, ** *********** are **** ***** ** this, ***** ** *** they ***** ***** *** the "*******" ************* **** the ****'******** *- ******* **** *** the "*********** ****** ********" justification, ***** ** ****** separate *** *****:

*** **** **** *** cover *** *** ** personal **** *** *** enforcement ********. ***** ** a ******** ***** ********** that ****** **** ****** the *** *********** *********.

***'** ******* ******, ***** about ** ******* *********** #1. ****** *** ****'******** *('******** *****') ********** ******** law ***********:

****** *********** ************* ******* ******* ********** of ******** **** **** facial ***********, ******* ** is *********

***** ** ******* **** where ******** *********, ******* to *********** ********** *** the ****** *** ******** of *** **** *******

*** ********** **** **** meet *** ** *** three ********* **********:

****** ***, ** **** for ** ****** ** obtain ******* *** ****** recognition.

** * ***...

*** ********** *** ** used ** *** ***********, but *** ****** ****.

**** ****** ****.

***** ** ***** * need ** ** ***** about ******* (******** *****) and ************* **** *** law ***********, **** **** sure **** ****** ******. Transparency **** * **** way ** ******* **** of ***** ******. ** someone *** *** ******** this ********** (**) *** over ** ***** (********* in ******** ** ****), we ******* ***** ******* long ***.

**** **** ** ** are ********* ** ** that ********** *** ****** its ********** ** *** GDPR **** *** ********** Consumer ******* *** ** the ***** ** *** FCC’s *********** ** *** Neutrality **** *** ********* of *** **** **** Internet *****. *’* *** saying ****** ** ***** laws *** *** ‘** all’ ‘*** ***’ ******** toward ******** *** ****** privacy **********, *** ** least **** *** ** and ********** ********** ***** was ** ***** *** both *** ****** **** faith ******* ****** ********** address *** ****** ******* protection.


**** ** ********** ** more ******* ****** ********* Net ********** *** *** current ***’* ******* ** acknowledge, *** ***** *******, the ******’* ****** ********* Internet ******. *** ******* FCC, ***** *** ************ of **** ***, ****** Verizon ******, *** ******* developed * ******* **** of ******* ** ****** the **************, ******* *********, redlining, ********, **********, **** prioritization (“************** *** *** purposes ** ****** *****, not *** ****** ****** or *** *********** ********”), and **** ****-****** — “the ******** ** ********* certain ***** ** ******* from ******** ******* * data *** (***** ***** an ********* ******* *** ISP *** *** ********)” to ******** *** **** Open ******** ***** ***** the ****** *** ************ Tom *******.

***** ** ** **** Face *** ** ****** among ********** ** *** fact **** *** ********* signal, ****** *** ****, is ****** ** ******* 24/7. ** **** ** would ** ********** ** it ****'*.

** *** *** ****** about **** *******? *** iris *** ******, **** protection ***** *****. *** isn't * **** ******* taken *** ********' **********? License? ******** ** ************ all *** ****? **** is *** ***** ** penalties *** *** ************ data ** ******** ** safeguard?

****, ** *** **** place */* *** ********* of *** ********** ***** identified *** ***. **** most ***** ********** ***** is ******* * ***** interaction. **** ***** ** another *** ***** ** could ** **** */* user ******* ** *** taking *****. **** ** why ****** *** ************ about *** ****** ** surveillance *******. *** **** issues ***** ** *** use ** ******** ****, including **********, ** ** just *** **** **** the ** *** **** can **** ********* *********** realities. ** **** **** opt-in ***** **** ****** as ****'* * **** in *** ******* **** assessment.

*** ********* ** **** sure *** ****** **** in*****

******: ** *'** **** added ** *** ****, the **** *** **** appealed ** *** ****** on ********* *,********* ** ** *******************, * ******* ***** for ***** ***** ********, which ****:

*** ******** *********å'* ******** to ******. ** **** be ** *********** ** deepen *** ******* *** Data ************'* ******** *** conclusions. ** ******** ******** and ******* ** *** members' ******* *** ****** development ** * ******* age, ********* *********,******** ** *** ********** of ************ ** ***.

**** **** ***** **** and ****** **** ** is *******.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports on GDPR

Ireland National Children's Hospital Chooses Hikvision End-to-End With Facial Recognition on Dec 05, 2019
The world's most expensive hospital project ever, the New Children's Hospital in Ireland, has chosen an all-Hikvision surveillance system including...
Ultinous European Analytics Startup Company Profile on Dec 04, 2019
European analytics-startup Ultinous pitches customers to "Have your own video analysis service!" We spoke to Ultinous to better understand their...
Arcules CEO Retracts False GDPR Claim + Dahua and Milestone Claims Examined on Dec 03, 2019
Arcules CEO has retracted a false claim about his organization being a "fully compliant GDPR company" after IPVM reporting (Arcules CEO Threatens...
Arcules CEO Threatens Over "Security Breach" on Nov 25, 2019
An Arcules employee called out a recent 'security breach', however, Arcules CEO disputed this as 'inaccurate' and threatened to sue IPVM. Inside...
France Declares School Facial Recognition Illegal Due to GDPR on Oct 31, 2019
France is the latest European country to effectively prohibit facial recognition as a school access control solution, even with the consent of...
Milestone XProtect 2019 R3 Tested on Oct 30, 2019
Milestone has had problems over the last few years releasing significant new software. Now, in XProtect 2019 R3, Milestone is touting "one search...
Milestone Has Problems on Oct 01, 2019
Milestone has problems. While the company previously excelled in the shift to IP cameras, as IP has matured and competitive differentiation has...
Mobotix First CNPP CCTV Cybersecurity Certification Examined on Sep 05, 2019
Mobotix recently became the first video surveillance manufacturer to receive the CNPP cybsersecurity certification for its cameras, in which they...
UK Facewatch GDPR Compliance Questioned on Aug 27, 2019
Even as the GDPR strictly regulates biometrics, a UK company called Facewatch is selling anti-shoplifter facial recognition systems to hundreds of...

Most Recent Industry Reports

IP Camera Browser Support: Who's Broken / Who Works on Dec 10, 2019
For many years, IP cameras depended on ActiveX control, whose secure flaws have been known for more than a decade. The good news is that this is...
Acquisitions - Winner and Losers on Dec 10, 2019
Most major manufacturers have been acquired over the last decade. But which have been good deals or not? In this report, we analyze the...
IP Camera Installability Shootout 2019 - Avigilon, Axis, Bosch, Dahua, Hanwha, Hikvision, Uniview, Vivotek on Dec 09, 2019
What are the best and worst cameras to install? Which manufacturers make it the hardest or easiest to install their cameras? We tested 35 total...
Viisights Raises $10 Million, Behavior Analytics Company Profile on Dec 09, 2019
Viisights, an Israeli AI analytics startup marketing "Behavioral Understanding Systems", announced $10 million Series A funding. We spoke to...
Disruptor Wyze Releases Undisruptive Smartlock on Dec 06, 2019
While Wyze has disrupted the consumer IP camera market with ~$20 cameras, its entrance into smart locks is entirely undisruptive. We have...
Bosch Budget 3000i Cameras Tested on Dec 05, 2019
Bosch has long had a hole in its lineup for, as it describes, "competitively-priced cameras". Now, Bosch has released its 3000i series cameras...
Anixter Resisting Takeover From Competitor on Dec 05, 2019
Mega distributor Anixter is going to be acquired but by whom? Initially, Anixter planned to go private, being bought by a private equity firm....
Security Sales Course 2020 - Last Chance Save $50 on Dec 05, 2019
This sales course is customized for the current needs and challenges specific to professionals selling video surveillance and access control...
Ireland National Children's Hospital Chooses Hikvision End-to-End With Facial Recognition on Dec 05, 2019
The world's most expensive hospital project ever, the New Children's Hospital in Ireland, has chosen an all-Hikvision surveillance system including...
AVTech ~$70 IP Cameras Tested Vs Dahua and Hikvision on Dec 04, 2019
Taiwanese manufacturer Avtech is taking direct aim at low cost leaders Dahua and Hikvision with ~$70 starlight and white light illuminator...