Overview
- The higher court held that processing biometric data for face recognition during online exams violates GDPR when consent is not truly voluntary.
- The ruling arises from University of Erfurt’s 2020 remote exams, where students had to submit reference photos and undergo ongoing identity checks.
- The court found students lacked a real choice to refuse, and it said pandemic-related interests did not require biometric processing that intrudes on informational self-determination.
- The case focused on Wiseflow, which performed face recognition and forwarded biometric data to Amazon Web Services, a practice the court deemed unlawful.
- The decision in second instance overturns a 2024 lower-court dismissal, grants the plaintiff €200 in damages, and is viewed by GFF as a signal for universities and potential workplace surveillance.