Privacy Guarantor sanctions eCampus on facial recognition in online training

The Privacy Guarantor has sanctioned the eCampus University for having unlawfully processed the biometric data of numerous participants in online teaching qualification courses. The University - the Authority explained in its newsletter - used a facial recognition system to verify the identity and presence of participants in the lessons.

From the verifications, the Authority found that there was no legal basis to justify the use of biometric systems, for which enhanced guarantees are provided by the data protection rules, given also the availability of alternative and less invasive tools for verifying course attendance. It also emerged that the university had not carried out a data protection impact assessment prior to the implementation of the facial recognition system.

The violations affected a very high number of participants, more than 450 trainees per lesson. In the course of the investigation, the system continued to be used only partially with some corrective measures, which were in any case not deemed sufficient to overcome the criticalities detected, until its final deactivation. In determining the amount of the sanction, the Garante nevertheless took into account the cooperation provided by the university and the voluntary interruption of the processing.