A primary school in Gdańsk, Poland, has been fined PLN 20,000 (about €4,600) for collecting biometric data from its students without a legal basis.
The GDPR (General Data Protection Regulation) defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person”.
Lack of legal basis
The biometric fingerprint data was collected from 680 students as a method of verifying whether they had paid for lunch. The school canteen’s biometric reader has been in use since 2015.
While consent was obtained from the students’ parents/guardians, the president of Poland’s data protection authority (UODO), Jan Nowak, said that the processing of the students’ sensitive biometric data wasn’t necessary for the purpose of verifying whether they had paid for lunch. The school was also found to favour students using the biometric reader by forcing those who didn’t use it to the back of the lunch queue.
Breach of the GDPR
In his decision, Nowak noted that because biometric data does not change over time, a leak of such special category data would result in a “high risk of violating [their] rights and freedoms”. He also said that “children require special protection of personal data because they may be less aware of the risks, consequences, safeguards and rights they have in connection with the processing of personal data”.
Understand what it takes to comply with the GDPR
Ensure you know your data protection and privacy requirements by reading EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide.
The third edition of this essential guide explains in simple terms the steps you must follow to meet the GDPR’s requirements. It covers everything you need to know about the Regulation, including:
- Data subjects’ rights;
- How to gain lawful consent;
- Managing consent withdrawal;
- Fulfilling DSARs (data subject access requests);
- How to complete DPIAs (data protection impact assessments); and
- Whether you need to appoint a DPO (data protection officer).