The Swedish data protection agency has issued the country's first GDPR fine of 200,000 Swedish Krona (approximately $21,000) against a school found to be improperly using facial recognition technology to monitor the attendance of its students.
Although it was only a test, it violated "several articles in the GDPR" as the school had processed biometric data unlawfully and did not do an adequate risk assessment, which would include consulting the Swedish data protection agency.
The school said that the process had been consensual, but the Swedish watchdog argued that a consensual agreement could not have a valid legal basis because of the imbalance of power between the data subject and the controller.
