Details:
Summary: | The Italian DPA (Garante) has imposed a fine of EUR 200,000 on Bocconi University. A student had filed a complaint with the DPA about possible GDPR violations related to the use of a monitoring system during written exams. In the context of the emergency situation triggered by the Covid-19 pandemic, the university had equipped itself with the remote monitoring software Respondus, provided by the American company Respondus Inc., to ensure the normal running of the exams, since it was not possible to take the exams live and in person as usual. The software was able to monitor the behavior of the students through video recordings and snapshots taken at random intervals. In addition, the exam was audio-visually recorded and a photograph was taken of each examinee at the beginning of the exam. At the end of the exam, the system processed the video, inserted warning signals regarding possible indications of incorrect behavior and, among other things, assigned a so-called 'review priority' so that the examiner could subsequently assess whether an unauthorized act had been committed during the exam. In its investigation the DPA found that students were not properly informed of the processing of their personal data involved in the use of Respondus. For instance, they were not informed that they would be audio-visually recorded and that the images would subsequently be processed. In addition, students were not provided with information regarding specific retention periods for personal data. Nor had they received sufficient information about the fact that their personal data would be transferred to the United States; instead, they were only informed in general terms that personal data would be processed both within and outside the territory of the European Union. Furthermore, the DPA found that the little information the students had received was presented in a fragmented and disorganized manner across various documents.
The DPA considered this to be a violation of the principles of lawfulness, fairness and transparency. The DPA also found that the university had processed the personal data without a valid legal basis. In particular, consent to the processing of personal data was a prerequisite for participating in the exams in the first place. As an alternative to online exams, the option of an in-person exam was proposed. However, in the light of the pandemic, this also meant an increased health risk. Students were also concerned that refusing to take the online exams would negatively impact their grades. Consequently, the DPA concluded that the students' consent could not be considered voluntary. Further, the DPA found that the university retained the data for 12 months, although this would not have been necessary for the purpose of ensuring that the exams were properly carried out. Finally, the DPA found violations related to the transfer of data to Respondus. The processing agreement between the university and Respondus was based on the data protection agreement between the EU and the USA, known as the Privacy Shield, although it had been declared invalid by the Schrems II ruling of the Court of Justice of the European Union (CJEU). For this reason, the DPA found that the university had transferred personal data to a third country even though this transfer did not comply with the conditions set forth in Chapter V of the GDPR. |
Link: | link |
Related articles: | Art. 5 (1) a), c), e) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 13 GDPR, Art. 25 GDPR, Art. 35 GDPR, Art. 44 GDPR, Art. 46 GDPR, Art. 2-sexies Codice della Privacy |
Type: | Non-compliance with general data processing principles |
Fine: | EUR 200,000 |
Sector: | Public Sector and Education |
All data is based on The CMS’s Law GDPR Enforcement Tracker Source: https://www.enforcementtracker.com/