
Personal Data for Lunch? Food for Thought on Processing Children’s Biometric Data in Schools in Light of the GDPR
How can fingerprint-based entry to a school cafeteria lead to discrimination? The Polish Data Protection Authority (DPA) shed light on the legal limits of processing biometric data by imposing a fine of PLN 20,000 (~EUR 4,700) (~HUF 2,000,000) on a school that introduced fingerprint-based identification for children to use the school cafeteria.
The use of biometric data is becoming increasingly widespread, including in educational institutions where new technological solutions are implemented to simplify administrative tasks. However, processing children’s biometric data raises significant data protection and ethical concerns, especially under the strict regulations of the GDPR. This article examines a case involving a Polish primary school that used fingerprint-based identification for its cafeteria services. The analysis highlights the legal limitations of processing biometric data and the role of parental consent and the principle of data minimisation under relevant European regulations, most specifically the GDPR.
As for the details of the case: A Polish primary school collected biometric data, specifically fingerprints, from students to manage their access to its cafeteria services. A biometric reader installed at the cafeteria entrance identified students who had paid for their meals, thereby linking payment data provided by the parents to the respective children. According to the school, biometric data collection was based on written parental consent, and the data were to be deleted after the service contract of the lunch catering service for the cafeteria ended.
Upon review, the Polish DPA identified irregularities in the school’s data processing practices. It found that the cafeteria’s publicly posted rules introduced a discriminatory practice: students without biometric identification (whose parents did not consent to the processing of their data) were disadvantaged. Specifically, according to the cafeteria’s rules, students without biometric identification had to wait at the back of the line, while those with biometric identification were allowed to enter first. After all students with biometric identification had entered, the remaining students were let in one by one. The DPA ordered the school to delete the biometric data and cease its collection, and imposed a fine of PLN 20,000 (about 4,700 EUR).
Legal Issues and Regulatory Background
The Polish case raised two fundamental data protection questions:
- Can parental consent serve as a legitimate basis for processing children’s biometric data?
- Does storing fingerprints in digital form for school cafeteria services constitute biometric data under Article 4(14) of the GDPR?
Under Article 9(1) of the GDPR, the processing of biometric data is generally prohibited unless specific exceptions apply. Article 9(2)(a) allows processing if the data subject explicitly consents, provided the consent is voluntary, specific, informed, and unambiguous.
Article 4(14) defines biometric data as personal data resulting from specific technical processing related to physical, physiological, or behavioral characteristics of a natural person that allow or confirm unique identification, such as facial images or dactyloscopic data (i.e., fingerprints).
Arguments of the Data Protection Authority
The Polish DPA argued that Polish public education laws did not authorize schools to collect biometric data. Schools are only permitted to process data necessary to achieve educational objectives.
Furthermore, the DPA asserted that processing biometric data for cafeteria services was disproportionate, as the same objectives could be achieved through less invasive or restrictive means, such as using access cards. The practice violated the principle of data minimisation (Article 5(1)(c) GDPR), as the processing was not limited to what was necessary for the stated purposes.
Court Decision
The Warsaw Regional Administrative Court (WSA) confirmed that the digital data derived from fingerprints constituted biometric data under Article 4(14) of the GDPR, as they enabled the unique identification of individuals.
The court also accepted that written parental consent satisfied the requirements of Article 9(2)(a) GDPR, being voluntary, specific, informed, and unambiguous.
However, the court disagreed with the DPA’s assessment that the principle of data minimisation had been violated. It concluded that the biometric identification served the intended purpose effectively and that the processing did not exceed what was necessary.
Legal Analysis
The GDPR places special emphasis on protecting biometric data due to its sensitivity and the risks associated with its misuse. Processing such data, being highly personal and unique, requires strict adherence to principles of lawfulness, necessity, and proportionality under the GDPR. The Polish case highlights these principles and raises questions about their application in practice, particularly in the context of school environments where consent from parents plays a key role.
In this case, the use of biometric data – specifically fingerprint-based identification for cafeteria services – does not appear to have been strictly necessary, as the same purpose, verifying student access to meals based on payment, could have been achieved through less invasive means, such as student ID cards, as mentioned above. Such alternatives can perform the same function without requiring the processing of sensitive biometric data, making their absence problematic from a data minimisation perspective. Nevertheless, the court’s ruling indicates that parental consent alone can provide a sufficient legal basis for processing biometric data, even if proportionality remains questionable.
The principle of data minimisation, enshrined in Article 5(1)(c) of the GDPR, mandates that data processing be limited to what is strictly necessary for achieving the specific purpose. The court’s finding that the biometric system was proportionate may undermine this principle in practice. By accepting the use of fingerprint-based identification when less intrusive methods are available, the decision risks setting a precedent that could weaken the enforceability of the minimisation requirement. This is particularly concerning in contexts like schools, where technological convenience might overshadow the need for more privacy-preserving alternatives.
Additionally, the role of parental consent, particularly as a legal basis for processing children’s biometric data, is a complex issue. While the GDPR acknowledges consent as valid under Article 9(2)(a), it emphasizes that consent must be freely given, specific, and informed and is valid only if truly voluntary. In a school context, where parents may feel pressured to consent to ensure their child’s inclusion in essential services like school meals, the voluntariness of such consent can be questioned. This potential for coercion makes the reliance on consent particularly fragile in contexts involving children’s data.
This case underscores the tension between practical convenience and the GDPR’s rigorous data protection standards. While parental consent was deemed sufficient to legitimize the biometric data processing, the proportionality of the measure remains questionable, especially given the availability of less invasive alternatives. Furthermore, it highlights the importance of scrutinizing whether consent in institutional settings, such as schools, truly meets the GDPR’s criteria for validity.
The principle of data minimisation requires that only data strictly necessary for the purpose be processed. The court’s conclusion that biometric identification was proportionate does not adequately account for the availability of less invasive alternatives, such as student ID cards, which can also serve to identify students for cafeteria services. This case sets a potential precedent that may undermine the practical enforcement of the GDPR’s data minimisation principle.
The decision, while legally sound in acknowledging the sufficiency of consent, raises broader concerns about the practical enforcement of the GDPR’s principles of data minimisation and proportionality. Schools and similar institutions must carefully balance operational efficiency with their obligations to safeguard sensitive data, ensuring that technological solutions do not compromise fundamental privacy rights.
Deeper Constitutional Questions
The question also arises whether the status of “having consented to data processing” or “having not consented” could be considered a “protected characteristic” from the perspective of anti-discrimination law, given that the case determined that those children whose parents did not consent to biometric identification were disadvantaged. The status of “having consented” or “not consented” is significant under GDPR and data protection law, but these classifications do not inherently align with traditional “protected characteristics,” as they are based on a voluntary choice (through parental decision) and not on an inherent personal attribute.
Anti-discrimination laws focus on “protected characteristics” that affect individuals’ dignity and equality, such as race, gender, religion, age, disability, or other comparable circumstances. Discrimination typically involves treating individuals differently based on this protected characteristic, resulting in a disadvantage that is unjustified or disproportionate. In this case, the distinction was based on whether the students’ parents consented to the processing of biometric data, a decision made within their rights as defined by the GDPR. This distinction, however, is not tied to an inherent attribute of the students, nor is it a legally recognized protected characteristic. Consequently, it may result in a disadvantaged position, but it does not fall under traditional anti-discrimination protections.
Although students with and without biometric identification have indeed been treated differently under the school policy to allow entry into the cafeteria, the impact of this distinction was limited. Students without biometric identification faced a procedural inconvenience: they had to wait at the back of the line and were manually admitted to the cafeteria after biometric students, a process likely intended to simplify and expedite the flow of students using the biometric system while ensuring that non-biometric students could still be verified individually to maintain the integrity of payment tracking and access control. However, they ultimately received the same meal as their peers, with no difference in quality or access to the service itself. The inconvenience, while noticeable, was minor and temporary, and did not result in a denial of service or a significant disadvantage.
Additionally, for a claim of discrimination to succeed, it must be shown that the differential treatment lacked reasonable justification. In this case, the school implemented the biometric system to streamline cafeteria operations and ensure the efficient handling of meal payments. This is a legitimate aim, and the minor delays experienced by non-biometric students were a proportionate consequence of accommodating parental rights under GDPR. Furthermore, the school provided an alternative method for those who opted out, respecting the parents’ decision not to consent to the use of biometric data.
It is also important to note that the rights of students without biometric identification were not infringed upon. They were not excluded from the cafeteria, and their ability to access meals was preserved. The procedural delay was a logistical byproduct of balancing the rights of parents who did not consent against the operational benefits of the biometric system, rather than an act of deliberate exclusion or prejudice.
However, the broader interpretation of “other status” in anti-discrimination law may apply if the distinction leads to systematic disadvantage or imposes unjustified and disproportionate burdens. The DPA’s findings were based on the argument that the disadvantage arose not from the ultimate outcome (students received the same meals) but from the process, which placed an undue burden on students without biometric identification.
In contrast, the court did not classify the school’s actions as discriminatory. The focus of its decision was on data protection concerns, particularly the GDPR principles of data minimisation and proportionality, rather than anti-discrimination violations. The inconvenience faced by non-biometric students, while worth addressing for practical reasons, did not rise to the level of discrimination.
Therefore, the distinction between biometrically identifiable students and those who cannot be identified this way does not constitute discrimination. The differential treatment was based on a lawful exercise of parental choice, resulted in no significant disadvantage, and was justified to achieve legitimate logistical objectives. While the process might be critiqued for its lack of inclusivity, it did not violate anti-discrimination principles.
Key Takeaways
In Hungary, educational institutions must comply with GDPR and national regulations, including the Infotv. (Privacy Act) and the Public Education Act. This Polish case highlights the importance of careful data management, particularly concerning children’s personal data, including biometric information.
The principles of data minimisation and proportionality are critical; data processing must always be justified, especially when less invasive alternatives are available. Hungarian schools should develop transparent and lawful data management policies that undergo regular review. Furthermore, institutions must ensure that consent is genuinely voluntary and not coerced. In Hungary, instances of non-inclusivity in educational settings have been documented, particularly concerning the segregation of Romani children. Despite legal frameworks promoting equal treatment, research indicates that Romani students often face structural discrimination and racial segregation within the educational system. In 2020 the Kuria (Supreme Court) said in its final ruling that a Hungarian school unlawfully segregated minority Roma students for years, granting HUF 100,000,000 (EUR 310,000) in compensation to the children’s families.
The Polish example underscores that non-compliance can lead to significant fines, making strict adherence to GDPR a priority for Hungarian schools as well.
This case illustrates the challenges associated with processing children’s biometric data and raises broader constitutional and anti-discrimination concerns. While the Polish court provided legally sound reasoning for its decision, the proportionality and practical enforcement of data minimisation remain contentious. Schools and other institutions should exercise caution and consider alternative solutions when implementing technological innovations to comply with GDPR requirements.
Vanda Nagy is a Commercial Paralegal at CMS CEE, dealing with data protection issues, and a fifth-year Law Student at Eötvös Loránd University. She also works as a junior researcher for the MCC Public Law Center in Budapest. She became world champion in the most prestigious media law debate contest, the Monroe E. Price Media Law Moot Court Competition, thanks to which she studied law at the University of Oxford. She spent her internship at the Constitutional Court of Hungary beside the Vice-President. She is currently conducting research regarding the human rights of bullied minors.
References:
The case and the Polish Regional Court’s decision
Articles:
- https://www.errc.org/news/hungary-new-research-reveals-the-stubborn-persistence-of-segregation-of-romani-pupils
- https://www.reuters.com/article/world/hungarian-top-court-confirms-roma-unlawfully-segregated-awards-damages-idUSKBN22O2F7