On August 21, 2019, the Swedish Data Protection Authority (the “Swedish DPA”) imposed its first fine since the EU General Data Protection Regulation (“GDPR”) came into effect in May, 2018. The Swedish DPA fined a school 200,000 Swedish Kroner for creating a facial recognition program in violation of the GDPR.

Although the Swedish school obtained consent from the students and their parents to collect the sensitive personal data as part of the facial recognition program, the Swedish DPA said that the consent was not freely given because there was a “significant imbalance” between the students and the school district. The Swedish DPA also noted that the school processed more personal data than necessary for the purposes for which it was collected (to determine whether students attended classes).

Read the decision (in Swedish).