VDAI (Lithuania) - UAB vs FITNESS: Difference between revisions
(Corrected fine) |
No edit summary |
||
Line 76: | Line 76: | ||
* It did not manage a record of its processing activities, in violation of Article 30 GDPR. | * It did not manage a record of its processing activities, in violation of Article 30 GDPR. | ||
It thus issued a fine of | It thus issued a fine of €20,000. In determining the fine, the VDAI took into account: | ||
* The processing of special categories of personal data; | * The processing of special categories of personal data; |
Revision as of 10:09, 9 September 2021
ADA (Lithuania) - n/a | |
---|---|
Authority: | ADA (Lithuania) |
Jurisdiction: | Lithuania |
Relevant Law: | Article 5(1)(c) GDPR Article 5(1)(a) GDPR Article 9(1) GDPR Article 13(1) GDPR Article 13(2) GDPR Article 30 GDPR Article 35(1) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 21.06.2021 |
Published: | |
Fine: | 20,000 |
Parties: | UAB VS FITNESS |
National Case Number/Name: | n/a |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Lithuanian |
Original Source: | Valstybinė duomenų apsaugos inspekcija (in LT) |
Initial Contributor: | n/a |
The Lithuanian DPA fined a sports club approximately €20,000 for processing the biometric data of its customers and employees in violation of Articles 9(1), 13(1) and (2), 30, and 35(1) GDPR.
English Summary
Facts
The Lithuanian DPA ('VDAI') received a complaint stating that fingerprint scanning was required in order to use the services of a sports club (UAB VS FITNESS). It then opened an investigation on its own initiative into a possible breach of the GDPR.
Holding
The VDAI found that the sports club had violated the following GDPR provisions:
- It violated Article 9(1) GDPR by processing the biometric data of customers, which is special category data. The sports club had attempted to rely on the consent exception, outlined at Article 9(2), that special category data may be processed where the data subject provides their consent. However, the VDAI found that consent collected from customers did not satisfy the requirements for valid consent established in the GDPR. In particular, since consent to the biometric system was not voluntary, it was not freely given;
- The processing of employees' fingerprints was also in breach of Article 9(1) GDPR, as the club had again attempted to rely on consent as a basis for processing. The VDAI highlighted that employee consent is generally considered invalid due to the power imbalance with an employer. Moreover, the club did not specify the purpose and legal basis of the processing of employee data, nor had it demonstrated the necessity and proportionality of this processing, in violation of Article 5(1)(c) GDPR;
- It violated Article 13(1) and (2) GDPR, and Article 5(1) GDPR, by failing to adequately inform data subjects about the processing of their data;
- It failed to perform an assessment of the impact of the processing of biometric data, in violation of Article 35(1) GDPR;
- It did not manage a record of its processing activities, in violation of Article 30 GDPR.
It thus issued a fine of €20,000. In determining the fine, the VDAI took into account:
- The processing of special categories of personal data;
- That improper exercise of data subjects' right to be informed falls into a category of more serious infringements under Article 83(5) GDPR;
- That the club had previously been instructed on how to lawfully process biometric data at another sports club it owned, for example by making the processing of biometric data voluntary, offering an equivalent, optional alternative to identification without the use of fingerprints, and providing customers the possibility to cancel the use of fingerprints at any time. In view of these circumstances, the VDAI considered the illegal processing of customers' personal data to be an intentional violation.
- The club's turnover of the previous and current year, as well as circumstances indicated by the club that the activities of sports clubs were severely restricted due to the coronavirus pandemic this year.
English Machine Translation of the Decision
The decision below is a machine translation of the Lithuanian original. Please refer to the Lithuanian original for more details.
A fine has been imposed on the sports club for breaches of the General Data Protection Regulation in the processing of fingerprints of customers and employees

The State Data Protection Inspectorate (VDAI) conducted an investigation into the processing of biometric personal data in a sports club and imposed a fine of EUR 20,000 on UAB VS FITNESS for identified violations of the General Data Protection Regulation (BDAR). The fine is imposed for violations of Article 5 (1) (a) and (c), Article 9 (1), Article 13 (1) to (2), Article 30 and Article 35 (1) of the BDAR, i.e. for processing biometric data without voluntary consent of data subjects, as well as failure to ensure other requirements for valid consent, improper implementation of data subjects' right to be informed about data processing, and failure to conduct a data protection impact assessment.
The Personal Data Protection Supervisor conducted an investigation

After receiving a notification from a natural person stating that a fingerprint scan is necessary in order to use the services of a sports club belonging to the company, and that there are no other alternative means of identification in the said sports club, VDAI carried out an inspection on its own initiative, in accordance with the Law on Legal Protection of Personal Data, in connection with a possible BDAR violation in the company's processing of fingerprints.

Processing of customer biometric data

According to the BDAR, biometric data belong to special categories of data, the processing of which is prohibited as a general rule, except under the conditions provided for in Article 9 (2) of the BDAR. The company processed customer fingerprint models with the consent of the data subjects, i.e. on the basis set out in Article 9 (2) (a) BDAR. VDAI noted that if the controller relies on the data subject's consent as a condition for lawful processing, it should ensure that the consent complies with the conditions imposed on it (voluntary, specific, informed and unambiguous, as well as provable and revocable). During the inspection, VDAI found that the consent given by the customers to process their fingerprint models is not voluntary, nor does it meet the other requirements for a valid consent, which led VDAI to decide that the company is processing the binary codes of the customers' fingerprints illegally.

Processing of employee biometric data

In addition, VDAI found that the company had illegally processed the fingerprints of employees. VDAI noted that employee consent is, due to a power imbalance, generally not considered an appropriate condition for the processing of personal data. The company did not specify the purpose and legal basis of the processing of employees' biometric data, did not carry out a data protection impact assessment, and did not demonstrate the necessity and proportionality of the processing of employees' fingerprints.

VDAI noted that data subjects have the right to be informed about the processing of their data. Following the inspection, VDAI found that the company did not provide the data subjects with all the information required by the BDAR.

Relevant circumstances in deciding the amount of the fine

When deciding on the imposition of an administrative fine, VDAI assessed all relevant circumstances. VDAI took into account that the processing of special categories of data in the absence of an exception, in violation of Article 5 (1) (a) and (c) and Article 9 (1) of the BDAR, as well as improper exercise of data subjects' right to be informed (the requirements of Article 83 (1) to (2) of the EC Treaty), fall into the category of more serious infringements (Article 83 (5) BDAR).

Among other things, the company had previously been given instructions regarding the processing of biometric data at another sports club it owned. This confirmed that the company was aware of how the requirement that customers' consent to the processing of their biometric data be voluntary had to be met, and that an equivalent, optional alternative to identification in sports clubs (without the use of fingerprint binary codes) had to be offered, as well as that the possibility for the customer to cancel the use of the fingerprint model at any time must be regulated. In view of these circumstances, VDAI considered the illegal processing of customers' biometric data to be an intentional violation. VDAI also took into account other identified aggravating and mitigating factors of the company's liability.
In deciding the amount of the fine, VDAI took into account the information provided by the company on the turnover of the previous and current year, as well as the circumstances indicated by the company that the activities of sports clubs were severely restricted due to the coronavirus pandemic this year. This decision of VDAI has not entered into force and can be appealed to a court.