In a ruling dated January 29, 2026, the Italian Data Protection Authority fined a university 50,000 euros for unlawfully processing the biometric data of numerous participants in online teacher certification courses. The university used a facial recognition system to verify identity and attendance during classes, based on the creation of biometric models derived from students’ facial images and identification documents.

The Authority found that there was no suitable legal basis to justify the use of biometric technologies, which, as they pertain to special categories of data, require strict conditions and enhanced safeguards, especially given the availability of less invasive alternative solutions for attendance monitoring. It also emerged that a Data Protection Impact Assessment (DPIA) had not been conducted prior to the system’s activation, despite the very high number of data subjects involved—over 450 students per class.

During the investigation, the system remained partially in use, with corrective measures deemed inadequate, until its final deactivation. In determining the amount of the fine, the Data Protection Authority took into account, as a mitigating factor, the university’s cooperation and the voluntary cessation of processing.