School Fined for Unlawful Biometric Data Processing

An Italian high school was fined by the data protection authority for using a fingerprint-based attendance system for administrative staff. The authority found the system lacked a legal basis and that employee consent was not a valid justification due to the power imbalance between employer and employee.


Following a complaint, the Italian Supervisory Authority (SA) - Garante found out that a high school adopted a biometric recognition system that, in order to detect presence in office and prevent damage and vandalism, required the use of administrative staff's fingerprints. The workers involved were those who had given their consent and did not wish to use traditional methods of attesting their presence at the office.

The Italian SA recalled that, according to the GDPR and the Italian Data Protection Code, the use of biometric data in the workplace requires a clear legal provision and specific guarantees for the rights of the data subjects. But the national provisions that provided for the introduction of biometric presence detection systems in the public sector were repealed in 2020. 

Regarding the consent given by the workers to the school, the Italian SA considered that, in the light of the asymmetry between employees and employers, consent is not a valid legal basis for the lawfulness of the processing of personal data in the employment context, both in the public and private sector.

The Italian SA fined the high school 4 000 EUR.

(source: edpb.europa.eu/ photo freepik.com)

Comments

Post a Comment

Popular posts from this blog

Ombudsman inquiry on Commission President’s text messages is a wake-up call for EU

Image
The European Ombudsman inquiry into the Commission’s handling of a request for text messages between its President and the CEO of a pharmaceutical company is a wake-up call for all EU institutions about ensuring accountability in an era of instant messaging. One year after the initial request by a journalist, the Commission has still not clarified whether messages reported to concern major vaccine procurement deals exist and whether the public is entitled to see them. The Ombudsman had asked the Commission, in a finding of maladministration in January, to conduct a more thorough search for the text messages. The Commission’s recent response failed to say whether it had looked directly and correctly for the text messages and if not, why not. While the response recognised that work-related text messages can be EU documents, it reiterated that the Commission’s internal policy is, in effect, not to register text messages. The Ombudsman has closed  the inquiry  and upheld...
Read more

Fully-funded PhD position in AI, Law and Public Power

Image
Erasmus University Rotterdam School of Law, department Law & Markets, is looking for a fulltime PhD researcher in AI, Law and Public Power (4,5 years with 20% teaching tasks). PhD AI, Law and Public Power Are you curious about how artificial intelligence is changing state actor powers? Do you want to conduct critical and in-depth legal research at the intersection of technology, law and power? And would you like to combine that with academic teaching? Then this PhD position at Erasmus School of Law is for you. Within the Law & Markets team, you will spend 4.5 years researching the legal regulation of AI in the public sector. How do we protect fundamental rights when algorithms help decide on who receives public benefits, how to perform enforcement or how to enact environmental policy? What is the role of the state, and where is the limit of government power in a data-driven society? You will have plenty of space to choose your own research angle and work in a multidisci...
Read more

Harassment During Job Interviews Under Cyprus Law

Image
By Giorgos Kazoleas, LL.M., Lawyer, Managing Partner at Legal Experts Cyprus Harassment or bullying during a job interview can now legally be considered workplace harassment. This is explicitly provided for in recent Cypriot legislation regarding workplace harassment, which widens the scope of application to include candidates for employment. The Legal Framework in Cyprus: Law 42(I)/2025 Law 42(I)/2025 (The Prevention and Combating of Violence and Harassment at Work Law), which came into force on April 11, 2025, explicitly extends protection against harassment and violence to the recruitment process and employment negotiations before a contract is signed. According to the interpretation of terms in Article 2 of the Law, the definition of an "employee" includes, among others, a person: "Whose employment relationship has not yet begun, in cases where the violation of the provisions of this Law has been committed during the recruitment process or at another stage of...
Read more

The Delivery Delay Clause in Residential Construction Contracts: Consumer Protection in Cyprus and Europe

Image
By Giorgos Kazoleas, LL.M., Lawyer, Managing Partner at Legal Experts Cyprus The purchase or construction of a new residence is one of the most significant financial and personal decisions a consumer can make. Residential construction contracts or agreements for the sale of property under construction are a crucial and defining element of the entire process, as certain terms they may contain can be detrimental to the buyer. One of the most critical aspects is the contractual delivery time of the project and the provision for delay, through the so-called delivery delay clause. The Delivery Delay Clause: Its Role and Legal Nature The delivery delay clause (also known as a penalty clause in the event of default) is a term usually included in the contract that specifies a predetermined compensation amount that the contractor or seller must pay to the buyer for every day, week, or month of delay beyond the agreed delivery date. The purpose of the clause is twofold: -Compensatory: ...
Read more

'Ne bis in idem' principle can preclude the arrest, within the Schengen Area and the European Union, of a person who is the subject of an Interpol notice (ECJ)

Image
ECJ - Judgment in Case C-505/19 WS v Bundesrepublik Deutschland (12.5.2021): The principle prohibiting the duplication of proceedings can preclude the arrest, within the Schengen Area and the European Union, of a person who is the subject of an Interpol notice. This is the case where the competent authorities are aware of a final judicial decision, taken in a State that is a party to the Schengen Agreement or a Member State, which establishes that that principle applies. In 2012, the International Criminal Police Organisation (Interpol) published, at the request of the United States and on the basis of an arrest warrant issued by the authorities of that country, a red notice in respect of WS, a German national, with a view to his potential extradition. Where a person who is the subject of such a notice is located in a State affiliated to Interpol, that State must, in principle, provisionally arrest that person or monitor or restrict his or her movements. However, even before that ...
Read more

MiCAR’s enforcement: An innovative crypto-friendly regulatory landscape

Image
 Written by Efi Thoma, Lawyer Does the highly anticipated rise of cryptos in the US under Trump administration align with MiCAR’s (Markets in Crypto-Assets EU Regulation) enforcement in the EU regulatory landscape? Even after the collapse of FTX illustrating the dire need for imposing strong regulations to protect investors in crypto assets, the current crypto regulatory progress in the U.S. is ambiguous and remains stalled. This outcome leads to the exacerbation of the lack of faith in the crypto ecosystem by highlighting the unaccountability of the crypto actors with regard to money laundering, financing of terrorism and other illegal activities. In 2023 the International Organization of Securities Commissions has laid out specific recommendations with the aim of imposing some global ground rules on the crypto and digital assets, given the global transactional activities on the crypto sector and the increasing need for the protection of investors in crypto assets. While the f...
Read more

ECHR Rules on Employee Data Privacy: The Guyvan v. Ukraine Judgment

Image
This case before the European Court of Human Rights (ECHR) primarily concerned a complaint under Article 8 (Right to respect for private and family life) of the European Convention on Human Rights, specifically regarding the processing of data from an applicant's work mobile telephone by his employer. Facts The applicant, was an employee whose work mobile phone was also used for private calls. In the context of an internal investigation related to the use of the phone, his employer, P. company, obtained detailed information from the mobile phone operator. This information included the date, time, and type of communication (incoming/outgoing), and details about international roaming services. The employer requested this data to verify the applicant's presence at his workplace. The applicant subsequently lodged a civil claim against the company, arguing that the collection and processing of his personal data were unlawful and requesting that the company be ordered to provid...
Read more