Tietosuojavaltuutetun toimisto (Finland) - 1198/161/2022

From GDPRhub
Latest revision as of 15:52, 11 December 2023

Tietosuojavaltuutetun toimisto - 1198/161/2022
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 9(2)(a) GDPR
Type: Investigation
Outcome: Violation Found
Started: 22.5.2018
Decided: 27.12.2022
Published:
Fine: 122000 EUR
Parties: Polar Oy
National Case Number/Name: 1198/161/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Finnish
Original Source: Tietosuojavaltuutetun toimisto (in FI)
Initial Contributor: Eetu Salpaharju

In a procedure pursuant to Article 60 GDPR, the Finnish DPA imposed a €122,000 fine on a manufacturer of heart rate monitors due to lack of valid consent for the processing of personal data, including health data, on its online service.

English Summary

Facts

The controller is a manufacturer of heart rate monitors and smart watches offering its services in multiple EU Member States and worldwide. Customers (data subjects) had to register for an online service in order to use all the features of the devices, which required personal information such as gender, height, age and weight. The device collected heart rate, max VO2 (maximum oxygen uptake capacity) and BMI (body mass index) data and uploaded them to the online service. Data subjects could use the collected information to analyse their training performance.

The Finnish DPA received five complaints from data subjects between 22 May 2018 and 19 February 2019. The Austrian DPA received one complaint on the same matter. The complaints addressed four main issues.

First, according to the complaints, consent to process heart rate data was forced on the data subjects, as the controller made the use of the online service conditional upon granting consent to process heart rate data. If the data subject subsequently withdrew consent, their online service account would be frozen. However, according to the controller, the device was separate from the online service, as some basic features were still usable without the online service.

Second, the controller also requested consent for the processing of other personal data, such as max VO2, sleep target time and daily activity target, alongside information such as gender, age, height and weight. The controller argued that it was not possible to draw conclusions about a person's health from this 'raw' data, hence there was no processing of sensitive data other than heart rate data. Allegedly, such conclusions about health would only be possible with the help of medical examinations or additional data.

Third, the complaints questioned the lawfulness of data transfers to third countries. Although the controller's servers were located in the EU, in Finland and Ireland, personal data from the controller's email service would be sent to a server located in the US. For these transfers, the controller used as a legal basis consent under Article 49(1)(a) GDPR (prior to November 2019). The controller submitted that it had asked data subjects for consent to transfer the data to the US in order to make them more aware of the processing carried out by the company.

Fourth, the data subjects noted that while accepting the terms and conditions, they also had to consent to the controller processing "user-generated content", that is any content uploaded or transmitted to the online service (e.g. training results) apart from the information initially provided. There was no separate consent form for the processing of user-generated content. This data would be made available globally and also transferred outside the EU. If the data subject withdrew their consent, the user-generated data would not be removed. The data subject could request their deletion only by closing their account.

Because the controller operated in multiple Member States, the cooperation mechanism under Article 60 GDPR was activated. Since the controller's main establishment was located in Finland, the Finnish DPA was the lead supervisory authority (Article 56 GDPR), while the concerned supervisory authorities (Article 4(22) GDPR) included, among others, the Austrian, Belgian, Czech and Danish DPAs. After investigating the controller's processing practices and receiving the submissions of the concerned supervisory authorities, the Finnish DPA issued a draft decision pursuant to Article 60(3) GDPR. No objections were raised by the concerned supervisory authorities, rendering the decision binding on the controller.

Holding

With regard to the processing of heart rate data, the Finnish DPA referred to an Article 29 Working Party letter to the European Commission regarding health data. The DPA explained that although a single heart rate record might not in itself be enough to constitute health data, according to WP29, together with other information such as gender, age and weight, conclusions about a person's health could be drawn. Therefore, the DPA held that the heart rate data must be considered health data within the meaning of Article 4(15) GDPR and Article 9(1) GDPR. Processing of sensitive data requires a legal basis under Article 9(2) GDPR. In the present case, the DPA stated that since the controller processed heart rate data for the provision of a value-added service, the processing must be subject to the explicit consent of the data subject (Article 9(2)(a) GDPR). However, the consent given must also meet the conditions of Article 7 GDPR, meaning it cannot be made conditional upon access to a service. Hence, although not explicitly reiterated by the DPA, the controller did not have a valid legal basis to process heart rate data.

Similarly to the heart rate data, the DPA considered other 'raw' information collected by the service, such as max VO2 and BMI, to constitute health data to the extent that it can lead to conclusions about a data subject's health when combined with other personal data uploaded to the service. The DPA stipulated that the controller must collect explicit and specific consent for each purpose for which the personal data is processed. The controller did not collect explicit consent for the processing of this information, thereby violating Article 9(2) GDPR.

The DPA also analysed the controller's legal basis for transfers of personal data to third countries, specifically the US. However, the DPA only took into account the controller's practices prior to November 2019, when the controller's submissions in the investigation were made. The DPA concluded that the controller did not need to collect consent under Article 49(1)(a) GDPR because, at that time, the previous adequacy decision under Article 45 GDPR, the Privacy Shield, was still in force and the controller therefore had a valid legal basis to transfer personal data to the US. The DPA did not make any further assessment of the situation after the CJEU Schrems II judgement, which invalidated the Privacy Shield.

Concerning the consent to process 'user-generated data', the DPA held that merely accepting the terms and conditions of the online service could not be considered consent. According to Article 7(2) GDPR, where the data subject gives consent in a written declaration which also concerns other matters, the request for consent must be presented in a manner clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Moreover, for consent to be freely given in line with Article 7(4) GDPR, it cannot be made conditional upon the provision of a service. The DPA held that the controller had not collected valid consent from the data subjects and therefore had no valid legal basis under Article 6(1) GDPR.

The Finnish DPA, as lead supervisory authority, ordered the controller, pursuant to Article 58(2)(d) GDPR, to bring its processing activities into line with the GDPR, in particular by establishing a valid legal basis for the processing of personal data on its online service. The DPA further reprimanded the controller, pursuant to Article 58(2)(b) GDPR, for processing max VO2 and BMI data without a legal basis. Finally, the DPA fined the controller €122,000, pursuant to Articles 58(2)(i) and 83 GDPR, for the GDPR infringements discussed above.


Further Resources

Official decision as PDF

Yle (Finnish national broadcasting company) news article naming the controller

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

The company had not asked the users of its service for specific consent to the processing of health-related types of personal data. The Office of the Data Protection Commissioner imposed a penalty on the company for violating the data protection regulation, as the processing of health data is part of the company's core business. In addition, the Data Protection Commissioner ordered the company to correct its practice in requesting consent.

The Office of the Data Protection Commissioner investigated the company's operating methods in 2018–2019 based on the complaints received. The investigations revealed that the company did not have consent in accordance with the EU's General Data Protection Regulation to process data on body mass index and maximum oxygen uptake capacity. Health data belong to the so-called special categories of personal data and their processing is, as a rule, prohibited. Such data can be processed, for example, when the data subject has given their consent.

The company had asked for consent to process health-related data in general, but had not specified the data it collected and processed. The requested consent did not meet the requirements of the data protection regulation, as it was not specific and informed. The Data Protection Commissioner considers that the controller had informed the data subjects that their personal data would be processed, but had not provided sufficient information about the types of personal data being processed and the purpose for which each type of personal data is processed.

The Sanctions Board paid special attention to the fact that the large-scale processing of health data is a key part of the company's core business. "A company whose business mainly includes the processing of personal data must always take care of all the requirements for the proper processing of personal data. In a data-intensive economy, the importance of this will grow all the time," states Data Protection Commissioner Anu Talus.

The matter was dealt with in cooperation between EU countries

The company's service is also available in other EU and EEA countries, which is why the matter was dealt with in cooperation between supervisory authorities. One of the complaints had been initiated in another Member State. The company's establishment in Finland is responsible for the processing of personal data, and the Office of the Data Protection Commissioner acted as the lead supervisory authority in the investigation. The participating supervisory authorities have accepted the decision of the Data Protection Commissioner and the Sanctions Board, and the decision is also binding on them.

The Sanctions Board of the Office of the Data Protection Commissioner imposed a fine of 122,000 euros on the company for data protection violations. In addition, a reprimand was issued to the company. The decisions are not yet legally binding and can be appealed to the administrative court.

Decisions of the Data Protection Commissioner and Sanctions Board (pdf)

More information: Data Protection Commissioner Anu Talus, anu.talus(at)om.fi, tel. 029 566 6766

The decision-making of the Sanctions Board and the legal protection of controllers are laid down in the national Data Protection Act. The Sanctions Board consists of the Data Protection Commissioner and two Deputy Data Protection Commissioners. The Board is competent to impose administrative fines for violations of data protection legislation. The maximum administrative fine is four percent of the company's turnover or 20 million euros.

More information on the so-called one-stop-shop mechanism in the European Data Protection Board brochure (pdf)