Why the Privacy Guarantor condemned Bocconi

The Privacy Guarantor fines Bocconi University for using "proctoring" software from the American company Respondus for remote exams.

A hefty fine for Bocconi for violating the GDPR in its processing of personal data.

The Guarantor for the protection of personal data imposed a fine of €200,000 on Bocconi for illegally processing the personal data of its students.

In particular, two software products from the American company Respondus Inc., namely Respondus Monitor and LockDown Browser, came under the scrutiny of the Privacy Guarantor: the two proctoring systems that Bocconi University used during the pandemic to guarantee the regularity of remote lessons and exams.

Proctoring refers to software that automatically performs surveillance during online exams.

But for the authority chaired by Pasquale Stanzione, the information provided on personal data is incomplete and the legal basis for the processing of biometric data is insufficient.

All the details.


As reported by MilanoToday, the matter was brought to the Guarantor by Joseph Donat Bolton, a 21-year-old English student who graduated last July. The student turned to the Authority in 2020, when the university introduced the software for remote monitoring and control of students.


With provision number 317 of 16 September, the Guarantor found "the unlawfulness of the processing carried out by the 'Luigi Bocconi' University of Milan". It therefore declared "the unusability of the data processed in violation of the relevant regulations on the processing of personal data".


In fact, during the investigation by the Guarantor it emerged that "the University uses a remote supervision system for the written exams, called 'Respondus' and provided by the company Respondus Inc. (established in the United States of America), structured in the components 'LockDown Browser' and 'Respondus Monitor' to allow, in the context of the epidemiological emergency from SARS-CoV-2, the carrying out of university exams at a distance with the aim of ensuring guarantees as much as possible equivalent to those foreseen for face-to-face exams".


The Respondus Monitor software captures video images and the student's screen, marking with a flag the moments in which unusual and/or suspicious behaviors are detected. It does so through video recording and snapshots taken at random intervals, tracking abnormal behaviors such as: gaze not directed at the monitor, face partially absent from the photo, face missing.

At the end of the test, the system processes the video, inserting warning signals for possible indications of improper behavior (so-called "flags") and assigning, among other things, a so-called "Review Priority", so that the teacher (supervisor user) can then assess whether an action not permitted during the test was actually committed.


As the Guarantor explains, LockDown Browser behaves like a web browser in that it displays the pages that are loaded, and it prohibits opening other pages or windows; it prevents, for example, copy and paste. It also prevents the test from running unless all other applications are closed first.


"From the examination of the documentation in progress – underlines the Guarantor – it appears that the information on the processing of personal data provided to students does not contain all the information required by the Regulations to ensure correct and transparent treatment".

Furthermore, "always from the point of view of the correctness and transparency of the processing, the information does not mention that personal data are transferred to the United States of America", the authority highlights.

"This aspect appears even more critical in light of the content of the Schrems II Sentence, which made the so-called Privacy Shield invalid, considering that the treatments carried out in the United States do not comply with the European regulatory provisions (unless the same additional guarantees provided by the GDPR, such as Standard Contractual Clauses)", commented the privacy expert Marina Rita Carbone.


Therefore, the Privacy Guarantor has established that "the processing carried out by the University cannot be considered compliant with the principle of lawfulness, transparency and correctness, since all the information required by the Regulation [GDPR] has not been provided".


Hence the decision to impose a 200 thousand euro fine on Bocconi University and to order a stop to the use of the aforementioned software.


In its defense brief, responding to the objection that the information given to students was incomplete, the Milanese university had pointed out that "the same contested document refers to the complete information […] through a specific hypertext link […]". However, still in its brief, Bocconi acknowledged that "the information could potentially lack transparency, since a specific retention period is not indicated".

This is a machine translation from Italian language of a post published on Start Magazine at the URL https://www.startmag.it/innovazione/perche-il-garante-della-privacy-ha-condannato-la-bocconi/ on Fri, 01 Oct 2021 05:51:50 +0000.