Background information

Date of final decision: 16 September 2021
Cross-border case or national case: National case
Controller: “Luigi Bocconi” University in Milan
Legal Reference: GDPR: Article 5 para. 1, letters a), c) and e) (lawfulness, fairness, transparency; data minimisation; storage limitation); Article 6 (Lawful processing); Article 9 (Special category data); Article 13 (Information); Article 25 (Privacy by default and by design); Article 35 (DPIA); Articles 44 and 46 (Transfers of personal data to a third country); Italian DP Code: Section 2-e (Processing of special category data)
Decision: Finding of infringements of GDPR; imposition of administrative fine and corrective measures
Key words: Processing of data and university exams; biometric data; cross-border data transfers; profiling; proctoring; Covid-19; SARS-CoV-2

Summary of the Decision

Origin of the case

The case originated from a student’s complaint against alleged infringements by the University, which had relied on a proctoring system for online exams based on processing biometric data from students’ facial images. The students’ consent had been obtained as part of administering the written examination tests; the system had been deployed in connection with the SARS-CoV-2 emergency and was meant to verify students’ conduct during the exams.

Key Findings

The IT SA found that the university had processed biometric data without a lawful legal basis pursuant to Article 9 GDPR. The students’ consent could not be relied upon by the university since the processing in question was performed with a view to issuing legally recognised diplomas. Additionally, the students’ consent could not be considered to be ‘freely given’ in the light of the unbalance existing between students and controller. Nor could the processing in question be regarded as necessary for a purpose in the public interest, as this was not envisaged in any piece of primary or secondary legislation.

Additional infringements could be found such as the inappropriate information provided to students; non-compliance with data protection by design and by default, data minimisation and storage limitation principles; non-compliance with the requirements for transferring personal data to the third country (USA) where the University’s service provider was located; and a flawed DPIA.

Decision

An EUR 200,000 fine was imposed on the University in the light of the findings made and the infringements found by the SA; a limitation on the processing was also imposed since the system at issue was found to be still in operation. Accordingly, the University was banned from further processing the students’ biometric data along with the data relied upon for profiling purposes and was prohibited from transferring data subjects’ personal data to the USA.

For further information: decision in national language Ordinanza ingiunzione nei confronti di Università Commerciale “Luigi Bocconi” di Milano - 16 settembre

Italian SA finds monitoring system for online university exams to be in breach of privacy, fines university

Background information

Summary of the Decision

Origin of the case

Key Findings

Decision

L'EDPB adotta una dichiarazione sull'attuazione della direttiva sul codice di prenotazione (PNR)

Finnish SA: loan comparison provider Sambla Group issued administrative fine for data security neglect

Icelandic SA: administrative fine imposed on the Primary Health Care of the Capital area for the unlawful processing in relation to the integration of medical record systems.

CEF 2025: Avvio di un'applicazione coordinata del diritto alla cancellazione

EDPB publishes CSC biannual report and work programme 2025-2026