Correct. The said vending machine was collecting data without users consent. And because it was facial recognition data it means that the collected data can be tied to an individual.
It would have been different if the collected data was just a counter which indcated the number of users of that machine. These kind of data could not have been tied to a specific individual.
That is correct. Switzerland is not a part of the European Union. The manufacturer, Invenda, is located in Switzerland. That is where their headquarters are. It might be possible that their vending machines are produced within the EU (another country where production costs are lower). It might be possible that these specific models (those who offer data collection) are designed for markets outside of EU.
They advertise their product as "Made in EU" (see brochure). This could be made on purpose to implicate that their data collection meets GDPR requirements, leading to believe that everything is compliant with the law.
Bad news, the manufacturer is located in Switzerland and, as stated in the brochure, they advertise their product as "Made in EU". Probably to implicate that any data which will be collected and processed will be under the terms of GDPR.
I haven't looked up the terms regarding GDPR, but I assume that their data collection is somewhat "compliant" with GDPR, which does not necessaryly mean anything. It can just mean that data is not stored locally, albeit it will be send to the manufacturer (but probably entcrypted). However, under GDPR you can enforce your right of deletion of the collected data - that is, if you know that data about you has been collected.
What makes this issue so severe is that it would have never been detected that data has been collected and processed, if it weren't for a malfunction.
Edit: grammar, spelling
The worst part of all is that no one would think of the fact that a vending machine is performing facial recognition techniques, because in general it is assumed that a vending machine is a mechanical device, as it has been in the past. There is not any user benefit in that.
I researched the manufacuter and in their brochure (see page 6) of a similar vending machine it is revealed what data can be processed:
Among the worst data sets are:
Bonus: on page 7 of the product brochure they introduce an app which allows the customer to make purchases directly from their smatphone, with features like
"What do customers get?"
Finally! I always thought that payment is not fun enough. What a time to be alive.
Twelve fingers and eleven toes.
But Keighleeeigh will happily pay for it.
You will not be able to connect it directly to a computer. In marketing, this will be to meet rigorous water safety standards.
Making devices water-proof is also a marketing scheme to avoid replaceable batteries :
Some manufacturers are already eyeing an exemption for batteries used in "wet conditions" to opt out electric toothbrushes and possibly wearables like earbuds and smartwatches. The exemption is "based on unfounded safety claims," states Thomas Opsomer, policy engineer for iFixit, in Repair.EU's post.
Despite the coming up regulation on batteries and waste batteries by the EU Council batteries in water-proof devices will probably be exempt from being replceable, because the water proof feature of the device cannot be guaranteed. This undermines the right to repair and manufacturers can hope that customers replace their entire devices soon. Making phones water-proof is a loophole to seal off the device so that it is not to be repaired, at least without keeping the water-proof features after repairing.
There is an eerie resemblence between the smallest neuron and the largest structure in the universe - Galaxy Filament