
Background information
- Date of final decision: 16 September 2021
- Cross-border case or national case: National case
- Controller: “Luigi Bocconi” University in Milan
- Legal Reference: GDPR: Article 5 para. 1, letters a), c) and e) (lawfulness, fairness and transparency; data minimisation; storage limitation); Article 6 (lawfulness of processing); Article 9 (processing of special categories of personal data); Article 13 (information to be provided to data subjects); Article 25 (data protection by design and by default); Article 35 (data protection impact assessment, DPIA); Articles 44 and 46 (transfers of personal data to a third country); Italian DP Code: Section 2-e (processing of special category data)
- Decision: Finding of infringements of GDPR; imposition of administrative fine and corrective measures
- Key words: Processing of data and university exams; biometric data; cross-border data transfers; profiling; proctoring; Covid-19; SARS-CoV-2
Summary of the Decision
Origin of the case
The case originated from a complaint lodged by a student against alleged infringements by the University, which had relied on a proctoring system for online exams that processed biometric data derived from students’ facial images. The students’ consent had been collected as part of administering the written examination tests; the system had been deployed in connection with the SARS-CoV-2 emergency and was intended to monitor students’ conduct during the exams.
Key Findings
The Italian SA found that the University had processed biometric data without a valid legal basis under Article 9 GDPR. The students’ consent could not be relied upon, since the processing was carried out with a view to issuing legally recognised diplomas; moreover, that consent could not be regarded as ‘freely given’ in the light of the imbalance of power between the students and the controller. Nor could the processing be regarded as necessary for reasons of public interest, because no provision of primary or secondary legislation envisaged it.
The SA also found further infringements: inadequate information provided to students; non-compliance with the principles of data protection by design and by default, data minimisation and storage limitation; failure to meet the requirements for transferring personal data to a third country (the USA), where the University’s service provider was located; and a flawed DPIA.
Decision
On the basis of these findings, the SA imposed a fine of EUR 200,000 on the University. Since the system at issue was found to be still in operation, a limitation on processing was also imposed: the University was banned from any further processing of the students’ biometric data and of the data relied upon for profiling purposes, and was prohibited from transferring data subjects’ personal data to the USA.
For further information: the decision in the national language (Italian): Ordinanza ingiunzione nei confronti di Università Commerciale “Luigi Bocconi” di Milano - 16 settembre