A faculty in Poland has been fined €4,600 ($5,200) for breaching Europe’s General Data Protection Regulation (GDPR) after it was discovered to be processing college students’ fingerprint information to confirm whether or not they had paid for college lunch. The information comes as biometric data harnessing programs around the globe spark important privacy concerns.

The unidentified college in Gdansk, a metropolis in northern Poland, processed the fingerprints of lots of of kids “without a legal basis,” in keeping with a statement by Jan Nowak, pesident of Poland’s Personal Data Protection Office (UODO). Nowak added that there have been sufficient different choices for managing college meals. According to the UODO, the first college had been utilizing a biometric reader on the cafeteria entrance since 2015 to confirm whether or not pupils had paid for his or her meals. In the present tutorial yr, the system was used on 680 kids — with 4 children utilizing “an alternative identification system.”

Students not utilizing biometric ID had been pressured to the tip of the road.

“In the opinion of the president of the UODO, such rules introduce unequal treatment of students and their unjustified differentiation, as they clearly favour students with biometric identification,” the assertion reads. “Moreover, in the authority’s view, the use of biometric data, considering the purpose for which they are processed, is significantly disproportionate.”

While parental consent was obtained for the biometric ID program, the UODO discovered that the system was “not essential for achieving the goal of identifying a child’s entitlement to receive lunch.”

Polish school hit with GDPR fine for using fingerprints to verify students’ lunch payments

The GDPR issue

The final decision cited quite a few sides of GDPR, together with recital 38, which refers to particular provisions made for information safety of kids. “It should be emphasized that children require special protection of personal data, as they may be less aware of the risks, consequences, safeguards, and rights they have in connection with the processing of personal data,” the report discovered.

Biometric information is outlined underneath GDPR as “personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person.” This consists of fingerprints, iris scans, hand geometry, voice recognition, and facial scans. Indeed, the most recent GDPR privateness fallout comes shortly after a Swedish college was fined €20,000 ($23,000) underneath GDPR for conducting a facial recognition pilot program that tracked college students’ attendance.

Last yr, the U.Ok.’s Information Commissioner’s Office (ICO) issued an enforcement discover in opposition to Her Majesty’s Revenue and Customs (HMRC), after a criticism was revamped a system it had carried out that used callers’ voices to confirm their identification. In the case of HMRC, no high-quality was imposed, nevertheless it was instructed to delete all biometric information it had collected via the voice authentication system with out express consent.

This highlights the truth that GDPR isn’t solely about imposing gargantuan fines, because it has in different high-profile circumstances. Last yr, British Airways (BA) was hit with a report $230 million high-quality by the U.Ok.’s ICO over a 2018 safety breach that compromised the non-public information of 500,000 clients, whereas Google obtained a $57 million high-quality from the French information privateness physique for a “lack of transparency, inadequate information, and lack of valid consent” relating to its advert personalization expertise.

While the high-quality imposed on the Polish main college on the heart of this newest violation is comparatively modest, the varsity has additionally been ordered to erase all private information it had gathered via its program and stop gathering all such information.


As information privateness rules take impact around the globe, together with the not too long ago carried out California Consumer Privacy Act (CCPA), we are going to probably see extra debate over how biometric information applications needs to be carried out — or whether or not they need to be used in any respect.

Under GDRP, biometric information is considered a “special category,” separate from different private information — similar to electronic mail addresses and telephone numbers — that could be gathered via digital platforms. Unlike electronic mail addresses or bank card credentials, biometric markers can’t be simply modified, which is why they’re given particular standing underneath GDPR.

“The biometric system identifies characteristics which are not subject to change, as in the case of dactyloscopic [fingerprint] data,” the UODO famous in its assertion. “Due to the unique and permanent character of biometric data, which means that they cannot change over time, the biometric data should be used with due care. Biometric data [is] unique in the light of fundamental rights and freedoms and therefore require[s] special protection. [Its] possible leakage may result in a high risk to the rights and freedoms of natural persons.”