The Swedish Data Protection Authority (DPA) has served a municipality in northern Sweden the country’s first GDPR fine — amounting to almost €19,000 (200,000 SEK) — for using facial recognition technology to monitor the attendance of students in school.

The high school in Skellefteå conducted a pilot program last fall where the attendance of 22 students over a period of three weeks was taken with the help of facial recognition technology, instead of good ol’ fashioned roll call, according to Computer Sweden.

Not so surprisingly, the Swedish DPA found that the program violated several GDPR articles — the EU’s new robust privacy regulation. The school failed to consult the Swedish DPA before launching its program and didn’t do a proper impact assessment.

This is an incredibly serious offense as the school unlawfully processed sensitive biometric data on its students, but it seems to have gotten off ‘lightly’ considering the maximum fine could amount to almost €1 million.

The school maintains it had its students’ consent, but the DPA found there was no valid legal basis for this as there’s a “clear imbalance between the data subject and the controller.”

While the Swedish DPA’s ruling is not big compared to other GDPR fines, it’s a clear marker that GDPR enforcement is picking up across the continent — as was expected in 2019. It’s also an example of Europeans waking up to the woes that might come with increased facial recognition technology, and the EU is reportedly looking into ways to imposing stricter limits on it than it already is under GDPR.

Read next: Instagram tests Threads app for 'intimate sharing' with close friends