The Open University of Catalonia has been fined by the Generalitat with a penalty of €20,000 for the use of facial recognition in its virtual exams.

You have surely heard about the latest news regarding facial recognition, where the Generalitat fined the Open University of Catalonia (Universitat Oberta de Catalunya – UOC) €20,000 because the university uses facial recognition to conduct virtual exams.

According to the Catalan Data Protection Authority (l’Autoritat Catalana de Protecció de Dades – APDCat), the processing of biometric data, such as the facial recognition that the UOC uses in relation to exams and its students, is not included in any of the exceptions from the Data Protection Regulation, which would consider a violation of data protection right, assuming a high risk for the interested parties.

Faced with the statements of the APDCat, the UOC has counter-alleged that this is a measure used for the first time with the pandemic and the state of alarm, and which was very successful and allowed all students to proceed with their courses, degrees, masters, etc., without any kind of impediment. According to the UOC, facial recognition is still a way to check the identity of students to confirm, using students´ pictures and their identity documents, that it is the same person. In addition, they report on the legality of the system, making it clear that every student who registers is aware of the type of exams in terms of taking them virtually and in terms of facial recognition, so he/she is given the choice of whether the option proposed by said university is the most suitable based on student’s needs. They also point out that this data is deleted three months after the virtual test is ended.

This facial recognition is not only used by the UOC for its exams, but other universities have also implemented this tool in order to identify users, to verify that they do not move from their workplace during the test and to identify anomalous behavior in students while taking the exam.

However, we find other situations in everyday life where we are exposed to facial or fingerprints recognition techniques or to treatments of other types of biometric data, for example in the world of banking.

In the case of Andorra, for example, the new UNNIC Casino, recently opened in the center of the capital, will use biometric data processing, as users will have to register to access it, and will have to go through a facial recognition so that those individuals who are prohibited from entering can be identified.

It must therefore be taken into account that the use of basic recognition techniques, considering that they involve the processing of biometric data and that the same constitutes an intrusion into the fundamental rights of respect for private and family life and data protection, must be considered as a treatment of special categories of data, so it will only fit within the framework of the exceptions to article 9.2 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27 of 2016, relating to the protection of private individual with regard to the processing of personal data: explicit consent of the interested party; necessary for the fulfillment of the obligations of the data controller; necessary to protect vital interests; manifestly public data; necessary for preventive medicine purposes; necessary for reasons of public interest; others. Therefore, the person in charge of the operation will have to carefully study how to comply with the requirements regarding the rights of the interested parties before putting any facial recognition technology into operation, it is being necessary to carry out an impact assessment on data protection, as well as paying special attention to the security of the process by ensuring that the system complies with the relevant rules based on data protection by design and by default.