VDAI (Lithuania) - UAB vs FITNESS: Difference between revisions
From GDPRhub
No edit summary |
No edit summary |
||
| Line 59: | Line 59: | ||
| | | | ||
}} | }} | ||
The Lithuanian DPA fined a sports club approximately €5700 (LTL 20,000) for processing the biometric data of its customers and employees in violation of Articles 9(1), 13(1) and (2), 30, and 35(1) GDPR. | |||
== English Summary == | == English Summary == | ||
Revision as of 09:44, 7 July 2021
| ADA (Lithuania) - UAB VS FITNESS | |
|---|---|
 | |
| Authority: | ADA (Lithuania) |
| Jurisdiction: | Lithuania |
| Relevant Law: | Article 5(1)(c) GDPR Article 5(1)(a) GDPR Article 9(1) GDPR Article 13(1) GDPR Article 13(2) GDPR Article 30 GDPR Article 35(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 21.06.2021 |
| Published: | |
| Fine: | n/a |
| Parties: | UAB VS FITNESS |
| National Case Number/Name: | UAB VS FITNESS |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Lithuanian |
| Original Source: | Valstybinė duomenų apsaugos inspekcija (in LT) |
| Initial Contributor: | n/a |
The Lithuanian DPA fined a sports club approximately €5700 (LTL 20,000) for processing the biometric data of its customers and employees in violation of Articles 9(1), 13(1) and (2), 30, and 35(1) GDPR.
English Summary
Facts
The Lithuanian DPA ('VDAI') received a complaint stating that in order to use the services of a sports club (UAB VS FITNESS), fingerprint scanning is required. It then initiated an own volition investigation of a possible breach of the GDPR.
Holding
The VDAI found that the sports club had violated the following GDPR provisions:
- It violated Article 9(1) GDPR by processing the biometric data of customers, which is special category data. The sports club had attempted to rely on the consent exception, outlined at Article 9(2), that special category data may be processed where the data subject provides their consent. However, the VDAI found that consent collected from customers did not satisfy the requirements for valid consent established in the GDPR. In particular, since consent to the biometric system was not voluntary, it was not freely given;
- The processing of employees' fingerprints was also in breach of Article 9(1) GDPR, as the club had again attempted to rely on consent as a basis for processing. The VDAI highlighted that employee consent is generally considered invalid due to the power imbalance with an employer. Moreover, the club did not specify the purpose and legal basis of the processing of employee data, nor had it demonstrated the necessity and proportionality of this processing, in violation of Article 5(1)(c) GDPR;
- It violated Article 13(1) and (1) GDPR, and Article 5(1) GDPR by failing to adequately inform data subject's about the processing of their data;
- It failed to perform an assessment of the impact of the processing of biometric data, in violation of Article 35(1) GDPR;
- It did not manage a record of its processing activities, in violation of Article 30 GDPR.
It thus issued a fine of approximately €5700 (LTL 20,000). In determining the fine, the VDAI took into account:
- The processing of special categories of personal data;
- That Improper exercise of data subject's right to be informed falls into a category of more serious infringements under Article 83(5) GDPR;
- That the club had previously been instructed on how to lawfully process biometric data at another sports club it owned, for example by making the processing of biometric data voluntary, offering an equivalent, optional alternative to identification without the use of fingerprints, and providing customers the possibility to cancel the use of fingerprints at any time should be regulated. In view of these circumstances, the VDIA considered the illegal processing of customers' personal data to be an intentional violation.
- The club's turnover of the previous and current year, as well as circumstances indicated by the club that the activities of sports clubs were severely restricted due to the coronavirus pandemic this year.
Comment
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Lithuanian original. Please refer to the Lithuanian original for more details.
Navigation
Navigation
My government
BUT A
en
[[language]]
Site map
en
[[language]]
[[disabilities]]
Prime Minister
Government Office
Ministries
Institutions
E. citizen
For the disabled
State Data Protection Inspectorate
Navigation
navbar
to the start
News subscription
News
Structure and contacts
Structure
Contacts
How to find us
Legal information
Legislation
Draft legislation
Legal practice
Research and analysis
Violations of legislation
Monitoring of legal regulation
Areas of activity
Preventive inspections
Prior consultation
Audits
Complaints handling
Data security breaches
International cooperation
Informing the public
Corruption prevention
Administrative information
Regulations
Planning documents
Protection of whistleblowers
Wage
Incentives and awards
Procurement
Budget implementation report sets
Sets of financial statements
Supervision of economic operators
Official passenger cars
Activity reports
Electronic and administrative services
Links
ADSP and DAP
Data breach notification
Data Protection Officer
Protection of personal data
useful information
Frequently Asked Questions (FAQ)
Recommendations, guidelines, etc.
COVID-19 and BDAR
Summaries of inspection results
VDAI decisions (fines, instructions, etc.)
Court decisions (according to VDAI complaints)
2018 data protection reform
Public consultation before BDAR
SolPriPa 2 WORK project
SOLPriPa PROJECT
Projects
EU twinning project no. UA / 47b "Strengthening the institutional capacity of the High Commissioner for Human Rights of the Parliament of Ukraine to protect human rights and freedoms in line with European best practice"
Improving the qualification of civil servants and employees of the State Data Protection Inspectorate
Information systems interconnection and modernization project
Project “Increasing the cooperation between the State Data Protection Inspectorate and the Lithuanian Librarians' Association in implementing the personal data protection policy”
For children and young people
Open data
Surveys
Events archive
Advertisements
A fine has been imposed on the sports club for breaches of the General Data Protection Regulation in the processing of fingerprints of customers and employees
Home
News
A fine has been imposed on the sports club for breaches of the General Data Protection Regulation in the processing of fingerprints of customers and employees
Print
Data
2121 2021
Evaluation
11
The State Data Protection Inspectorate (State Data Protection Inspectorate) conducted an investigation into the processing of biometric personal data in a sports club and allocated LTL 20,000 for identified violations of the General Data Protection Regulation (BDAR). Eur fine to UAB VS FITNESS. The fine is imposed for violations of Article 5 (1) (a) and (c), Article 9 (1), Article 13 (1) to (2), Article 30, Article 35 (1) of the BDAR, i.e. y. for processing biometric data without voluntary consent of data subjects, as well as failure to ensure other requirements for valid consent, improper implementation of data subjects' right to be informed about data processing, as well as found that the company did not conduct a data protection impact assessment .
The Personal Data Protection Supervisor conducted an investigation
After receiving a notification from a natural person stating that in order to use the services of a sports club belonging to the company, a fingerprint scan is necessary, there are no other alternative means of identification in the said sports club, carried out an inspection on its own initiative in accordance with the Law on Legal Protection of Personal Data. with a possible BDAR violation in the company’s processing of fingerprints.
Processing of customer biometric data
According to the BDAR, biometric data belong to special categories of data, the processing of which is prohibited by the general rule, except for the conditions provided for in Article 9 (2) of the BDAR. The company processed customer fingerprint models with the consent of the data subjects, i. y. on the basis set out in Article 9 (2) (a) BDAR. VDAI noted that if the controller relies on the data subject's consent as a condition for lawful processing, he should ensure that the data subject's consent complies with the conditions imposed on him (voluntary, specific, reasonable information, unambiguity, as well as provability and revocability). During the inspection, VDAI found that the consent given by the customers to process their fingerprint models is not voluntary, nor does it meet the other requirements for a valid consent, which led the VDAI to decide that the company is processing the binary codes of the customers' fingerprints illegally.
Processing of employee biometric data
In addition, the VDAI found that the company had illegally processed the fingerprints of employees. The SDPI noted that employee consent due to a power imbalance is generally not considered an appropriate condition for the processing of personal data. VDAI did not specify the purpose and legal basis of the processing of employees 'biometric data, did not carry out a data protection impact assessment, and did not demonstrate the necessity and proportionality of the processing of employees' fingerprints. The SDPI noted that data subjects have the right to be informed about the processing of their data. Following the inspection, VDAI found that the company did not provide the data subjects with all the information required by the BDAR.
Relevant circumstances in deciding the amount of the fine
When deciding on the imposition of an administrative fine, VDAI assessed all relevant circumstances. The VDAI took into account that the processing of special categories of data in the absence of an exception, in violation of Article 5 (1) (a) and (c) and Article 9 (1) of the BDAR, as well as improper exercise of data subjects' right to be informed the requirements of Article 83 (1) to (2) of the EC Treaty fall into the category of more serious infringements (Article 83 (5) BDAR).
Among other things, the company had previously been instructed to process biometric data at another sports club it owned. This confirmed that the company was aware of how the voluntary requirement for customers to consent to the processing of their biometric data had to be met, that an equivalent, optional alternative to identification in sports clubs (without the use of fingerprint binary codes) had to be offered. Also that the possibility for the customer to cancel the use of the fingerprint model at any time must be regulated.
In view of these circumstances, VDAI considered the illegal processing of customers' biometric data to be an intentional violation. VDAI also took into account other identified aggravating and mitigating factors of the company's liability. In deciding the amount of the fine, VDAI took into account the information provided by the company on the turnover of the previous and current year, as well as the circumstances indicated by the company that the activities of sports clubs were severely restricted due to the coronavirus pandemic this year.
This decision of VDAI has not entered into force and can be appealed to a court.
Share
Also read
Review of personal data protection supervision in Lithuania in 2020
The State Data Protection Inspectorate invites the Chief Specialist of the IT department of the team to join
A digital environment that benefits and is safe for children - The Organization for Economic Co-operation and Development has issued a recommendation
The European Data Protection Board has announced report
SURVEY OF EMPLOYERS on the protection of personal data and privacy in the context of employment relationships
Back
L.Sapiegos st. 17, 10312 Vilnius (Entrance from the left), tel. (8 5) 271 28 04, (8 5) 279 1445, fax. (8 5) 261 9494, el. p. ada@ada.lt
Data on the State Data Protection Inspectorate are collected and stored in the Register of Legal Entities. Code 188607912
Consultation tel. (8 5) 212 7532, Monday to Thursday, 9 a.m. to 11 a.m. and 1pm to 3pm
© Government of the Republic of Lithuania
Data
2121 2021
Evaluation
11
The State Data Protection Inspectorate (State Data Protection Inspectorate) conducted an investigation into the processing of biometric personal data in a sports club and allocated LTL 20,000 for identified violations of the General Data Protection Regulation (BDAR). Eur fine to UAB VS FITNESS. The fine is imposed for violations of Article 5 (1) (a) and (c), Article 9 (1), Article 13 (1) to (2), Article 30, Article 35 (1) of the BDAR, i.e. y. for processing biometric data without voluntary consent of data subjects, as well as failure to ensure other requirements for valid consent, improper implementation of data subjects' right to be informed about data processing, as well as found that the company did not conduct a data protection impact assessment .
The Personal Data Protection Supervisor conducted an investigation
After receiving a notification from a natural person stating that in order to use the services of a sports club belonging to the company, a fingerprint scan is necessary, there are no other alternative means of identification in the said sports club, carried out an inspection on its own initiative in accordance with the Law on Legal Protection of Personal Data. with a possible BDAR violation in the company’s processing of fingerprints.
Processing of customer biometric data
According to the BDAR, biometric data belong to special categories of data, the processing of which is prohibited by the general rule, except for the conditions provided for in Article 9 (2) of the BDAR. The company processed customer fingerprint models with the consent of the data subjects, i. y. on the basis set out in Article 9 (2) (a) BDAR. VDAI noted that if the controller relies on the data subject's consent as a condition for lawful processing, he should ensure that the data subject's consent complies with the conditions imposed on him (voluntary, specific, reasonable information, unambiguity, as well as provability and revocability). During the inspection, VDAI found that the consent given by the customers to process their fingerprint models is not voluntary, nor does it meet the other requirements for a valid consent, which led the VDAI to decide that the company is processing the binary codes of the customers' fingerprints illegally.
Processing of employee biometric data
In addition, the VDAI found that the company had illegally processed the fingerprints of employees. The SDPI noted that employee consent due to a power imbalance is generally not considered an appropriate condition for the processing of personal data. VDAI did not specify the purpose and legal basis of the processing of employees 'biometric data, did not carry out a data protection impact assessment, and did not demonstrate the necessity and proportionality of the processing of employees' fingerprints. The SDPI noted that data subjects have the right to be informed about the processing of their data. Following the inspection, VDAI found that the company did not provide the data subjects with all the information required by the BDAR.
Relevant circumstances in deciding the amount of the fine
When deciding on the imposition of an administrative fine, VDAI assessed all relevant circumstances. The VDAI took into account that the processing of special categories of data in the absence of an exception, in violation of Article 5 (1) (a) and (c) and Article 9 (1) of the BDAR, as well as improper exercise of data subjects' right to be informed the requirements of Article 83 (1) to (2) of the EC Treaty fall into the category of more serious infringements (Article 83 (5) BDAR).
Among other things, the company had previously been instructed to process biometric data at another sports club it owned. This confirmed that the company was aware of how the voluntary requirement for customers to consent to the processing of their biometric data had to be met, that an equivalent, optional alternative to identification in sports clubs (without the use of fingerprint binary codes) had to be offered. Also that the possibility for the customer to cancel the use of the fingerprint model at any time must be regulated.
In view of these circumstances, VDAI considered the illegal processing of customers' biometric data to be an intentional violation. VDAI also took into account other identified aggravating and mitigating factors of the company's liability. In deciding the amount of the fine, VDAI took into account the information provided by the company on the turnover of the previous and current year, as well as the circumstances indicated by the company that the activities of sports clubs were severely restricted due to the coronavirus pandemic this year.
This decision of VDAI has not entered into force and can be appealed to a court.
Share
