The President of the Personal Data Protection Office has imposed a fine of PLN 20k in connection with a breach concerning the processing of biometric data of children who used a school’s canteen.
The school processed special categories of data (biometric data) of 680 children without a legal basis, whereas in fact it could have used other forms of student identification.
In addition, the President of the Personal Data Protection Office ordered the erasure of the personal data processed in the form of digital information on the specific fingerprints of the children and the cessation of any further collection of personal data.
Following ex officio administrative proceedings, the President of the UODO has established that the school uses a biometric reader at the entrance to the school canteen that identifies the children in order to verify the payment of the meal fee.
The proceedings have shown that the school obtains the data and processes them on the basis of the written consent of the parents or legal guardians. The solution has been in place since 1 April 2015. In the school year 2019/2020, 680 pupils use the biometric reader, and four pupils an alternative identification system.
In this case, it is important to stress that the processing of biometric data is not essential for achieving the goal of identifying a child’s entitlement to receive lunch. The school may carry out the identification by other means that do not interfere so much in the child’s privacy. Moreover, the school makes it possible to use the services of the school canteen not only by means of fingerprints verification, but also electronic cards, or by giving the name and contract number. Thus, in the school, there are alternative forms of identification of the child’s entitlement to receive lunch.
The President emphasised that children require special protection of personal data. Moreover, in the present case, the processed data constitute the data of special categories. The biometric system identifies characteristics which are not subject to change. Due to the unique and permanent character of biometric data, which means that they cannot change over time, the biometric data should be used with due care. Biometric data are unique in the light of fundamental rights and freedoms and therefore require special protection. Their possible leakage may result in a high risk to the rights and freedoms of natural persons.
