Last year we reported on the first penalty imposed by the President of UODO for processing biometric data in violation of the GDPR rules by a school that introduced fingerprint verification of students using the canteen (https://www.dudkowiak.pl/blog/ochrona-danych-osobowych-kara-puodo-dla-szko%C5%82y-za-przetwarzanie-danych-biometrycznych-uczni%C3%B3w.html). After the school appealed against the decision, it was overruled by the WSA.
Principle of data minimisation
In the justification of the verdict, the court presented a different position on the data minimisation principle referred to in Article 5(1)(c) of the GDPR than that taken by the President of UODO. According to the President, the data minimisation principle means the necessity to limit the scope of collected data to the necessary minimum, and to process only such data without which it would be impossible to achieve the objective of the controller.
In the opinion of the court, such a perception of the minimisation principle is too strict, because it does not take into account other principles of personal data processing indicated in Article 5(1) of the GDPR, i.e. the principles of adequacy and relevance, which are equally important. Adequacy of data processing manifests itself in the necessity to process only those data which are necessary for the realisation of a specific purpose, i.e. data which are adequate and compatible, and whose scope is not excessive or disproportionate.
As a result, processing of personal data which are required for a specific purpose (e.g. because they can help to achieve the purpose more quickly) does not violate the minimisation principle even if the purpose could be achieved without the data.
UODO does not agree with the verdict of the WSA and has announced that it will file a cassation complaint in this case. According to the office, such an interpretation of the rules of personal data processing allows for processing an unlimited scope of data under the pretext of its usefulness.
Strict approach to biometric data processing
The decision of the President of UODO is in line with the practice of other European supervisory authorities, which are sceptical about the processing of biometric data, especially the data of individuals who are not on an equal footing with the controller (e.g. students, employees) and whose consent to the processing of such data may therefore not be voluntary. Similar penalties have been imposed by the supervisory bodies in Sweden (for a facial recognition system introduced at a school) and Romania (for a system of access to premises using employees' fingerprints).