In the public and education sector, DPAs from 17 different countries (+4 in comparison to the ETR 2020) have imposed 78 fines (+49 in comparison to the ETR 2020) on representatives of local governments (such as mayors), police officers, schools, universities and other public bodies or educational institutions amounting to a total of nearly EUR 5 million (+1.8 million in comparison to the ETR 2020).
Consistent with the overall distribution of GDPR fines in the Enforcement Tracker, fines related to insufficient legal bases for data processing (35 fines in total) and insufficient technical and organisational measures (21 fines in total) cover the majority of fines in the public and education sector.
Let's take a closer look:
- During the Covid-19 pandemic, some university examinations took place online, for example as video conferences. When such technologies are used, the personal data collected (e.g. recordings of examinations and identification data) must be stored in an appropriately secured manner and must not be retained for longer than is necessary for the original purpose. In this context, the Medical University of Silesia (Poland) (ETid-527) was fined EUR 5,500 after recordings of examinations were accessible not only to examinees but also to other persons, who could reach the recordings, and the documents the students had presented during identification, via a direct link. In addition, the university failed to report the data breach to the DPA and to notify the data subjects.
- In other cases, fines have been imposed on schools that processed special categories of personal data such as biometric information (e.g. using facial recognition technology to monitor student attendance, see ETid-67). While the use of biometric data is not prohibited in general, it is necessary to ensure that (a) the use of the data is appropriate, (b) consent can be given voluntarily, which is not the case if the only alternative to consenting is to have no alternative at all, and (c) the data are protected by sufficient technical and organisational measures to ensure information security.
- The highest fine in the public and education sector to date was issued by the Data Protection Commission of Bulgaria, which in 2019 sanctioned the National Revenue Agency (ETid-71) with a fine of EUR 2.6 million. Personal data had leaked in a hacking attack that was made possible by inadequate technical and organisational measures, resulting in access to personal data concerning around 6 million people.
- The second highest fine, EUR 500,000, was imposed on Roma Municipality (ETid-531) at the end of 2020 for using a booking system that violated the general data protection principles of Art. 5 GDPR.
Public authorities hold a special position of trust that requires particularly strict compliance with data protection laws and an outstandingly high level of data security. The same applies to schools and other educational establishments that process personal data of minors. Data protection authorities appear to have increased their scrutiny of the public and education sector since the ETR 2020, in particular in connection with the use of technology during the Covid-19 pandemic. We consider it likely that this trend will continue in the coming years. In 2021, topics such as digital vaccination cards and coronavirus tracing are already of particular relevance and will remain so.