AEPD (Spain) - EXP202405320
Spain's AEPD fines university €160K for invalid consent on facial recognition exam monitoring.
Summary
Spain's data protection authority (AEPD) fined Universidad Europea de Valencia €160,000 for processing biometric data without valid consent when implementing facial recognition to monitor students during online exams. The DPA found violations of GDPR Articles 9 and 35, citing that consent was not freely given due to time pressure (requested one day before exams) and that no Data Protection Impact Assessment was conducted before processing began. The university later provided exam alternatives, indicating less intrusive monitoring methods existed but were not initially considered.
Full text
AEPD - EXP202405320

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 4(14) GDPR; Article 9(1) GDPR; Article 9(2) GDPR; Article 9(2)(a) GDPR; Article 35 GDPR
Type: Complaint
Outcome: Upheld
Started: 18.03.2024
Decided:
Published: 08.04.2026
Fine: 160,000 EUR
Parties: UNIVERSIDAD EUROPEA DE VALENCIA, S.L.
National Case Number/Name: EXP202405320
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: ap

The DPA fined a university €160,000 for failing to obtain valid consent from students to verify their identity when taking online exams through a system that used facial recognition.

English Summary

Facts

UNIVERSIDAD EUROPEA DE VALENCIA, S.L. (the controller) is a university. In 2024, the controller implemented a system to monitor students taking exams online. This system used facial recognition to verify students' identities and to detect any possibly suspicious behaviour (video and audio) throughout the exam. The controller stopped using this system after a trial period; however, by then the system had processed the personal data of 153 data subjects. Prior to the exam date, the controller sent the data subjects an email with a consent form, offering those who did not consent the possibility of taking the exams without facial recognition at a later date (the system would, however, still monitor them). A data subject brought a complaint to the DPA.
During its investigation, the DPA found that the controller had not proven that it had obtained consent from the data subjects, at the moment of enrolment, to process their data through the exam monitoring system. In addition, the controller did not conduct a Data Protection Impact Assessment (DPIA) until after the monitored exams had taken place. The controller argued that, while it processed biometric personal data, the impact was low because the system aimed to verify the data subject rather than identify them. Furthermore, the controller argued that its processing activities were lawful under Article 9(2)(a) GDPR, as it had obtained consent from the data subjects.

Holding

The DPA first clarified that the university was the controller, as it determined the means and purposes of the processing. It further explained that the controller processed biometric personal data within the meaning of Article 4(14) GDPR, as the purpose of the processing was to identify or authenticate a data subject.

The DPA found a violation of Article 9 GDPR. Article 9(1) GDPR prohibits the processing of biometric personal data for the purpose of uniquely identifying a data subject unless an exception under Article 9(2) GDPR applies. The DPA stated that, while the controller did obtain consent, that consent did not meet the requirements under the GDPR for it to be considered valid. The controller requested consent from the data subjects, and informed them of the alternative exam dates, only the day before the exam itself. This time pressure affected the data subjects' decision, meaning the consent was not freely given. The DPA also noted that the information given at the time of enrolment was vague and did not mention the processing of personal data through facial recognition.

The DPA also found a violation of Article 35 GDPR. The DPA stated that the controller was obliged to conduct a DPIA before starting processing activities that are likely to result in a high risk to data subjects' rights and freedoms.
In this case, the controller carried out the DPIA after the processing activities had begun, and the DPIA was not signed. The DPA emphasised that processing biometric data is neither trivial nor low risk, and that the controller should therefore have considered the necessity and proportionality of processing such data. According to the DPA, the fact that the controller later provided an alternative to facial recognition monitoring showed that it had failed to consider less intrusive means of monitoring exams.

The DPA fined the controller €200,000 in total: €50,000 for the violation of Article 9 GDPR and €150,000 for the violation of Article 35 GDPR. Pursuant to Law 39/2015, a Spanish law on administrative proceedings, the DPA informed the controller that it could make a voluntary payment of the proposed fine and waive its right to appeal, which reduces the imposed fine by 20%. The controller opted to make a voluntary payment and, with the 20% reduction, paid the reduced sanction amount of €160,000.

While the controller processed special categories of personal data (Article 9 GDPR), the DPA also considered that authentication poses a lower risk to data subjects' rights than identification. In addition, the DPA took into account the controller's efforts to process the data under a valid legal basis.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/58 • Case No.: EXP202405320

TABLE OF CONTENTS
BACKGROUND (p. 2)
ESTIMATED FACTS (p. 30)
LEGAL BASIS (p. 30)
I. Jurisdiction and Procedure (p. 30)
II. Preliminary Issues (p. 31)
II.1. Personal Data Subject to Processing (p. 31)
II.2. Processing Operations (p. 36)
II.3. Data Controller and Processor (p. 37)
III. Breach of Obligation. Processing of special categories of personal data (Article 9 of the GDPR) (p. 38)
IV. Classification of the infringement of Article 9 of the GDPR and its classification for the purposes of the statute of limitations (p. 46)
V. Penalty for the infringement of Article 9 of the GDPR (p. 47)
VI. Obligation not fulfilled. Data Protection Impact Assessment (Article 35 of the GDPR) (p. 50)
VII. Classification of the infringement of Article 35 of the GDPR and qualification for the purposes of the statute of limitations (p. 54)
VIII. Sanction for the infringement of Article 35 of the GDPR (p. 55)
IX. Voluntary payment and termination of the proceedings (p. 56)

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es

2/58

RESOLUTION ON THE TERMINATION OF SANCTIONING PROCEEDINGS DUE TO VOLUNTARY PAYMENT

From the proceedings initiated by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: On 18/03/2024, a complaint was filed with the Spanish Data Protection Agency regarding a possible infringement attributable to EUROPEAN UNIVERSITY OF VALENCIA, S.L., with T