In the field of data protection, consent is of central importance, but it is not always the appropriate ‘legal basis’.
This point was recently reiterated by the Italian DPA (‘Garante’), which sanctioned a well-known university that was using a facial recognition system for the purposes of identifying students and verifying attendance at a distance-learning course.
The Authority deemed this processing unlawful, despite the university having obtained the students’ consent.
In accordance with the Garante’s established guidance, in fact, when carrying out activities aimed at pursuing public interests, even when performed by private-law entities, personal data may only be processed where this is necessary to fulfil the public-interest tasks entrusted to the data controller or for compliance with a legal obligation to which the controller is subject.
In the case in question, the consent obtained would in any event have been invalid, given that the relationship between students and the university is not symmetrical and, therefore, does not allow the former to give truly free consent, which could constitute a suitable legal basis.
