Tietosuojavaltuutetun toimisto (Finland) - 1198/161/2022

Revision as of 19:32, 19 January 2023 by Ex4ex4 (talk | contribs)
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 9(2)(a) GDPR
Type: Investigation
Outcome: Violation Found
Started: 22.5.2018
Decided: 27.12.2022
Published:
Fine: 122000 EUR
Parties: Polar Oy
National Case Number/Name: 1198/161/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Finnish
Original Source: Tietosuojavaltuutetun toimisto (in FI)
Initial Contributor: Eetu Salpaharju

The Finnish DPA imposed a fine of EUR 122,000 on a company that processed health-related special categories of personal data without valid consent.

English Summary

Facts

Polar Oy is a manufacturer of heart rate monitors and smart watches. Between 22.5.2018 and 19.2.2019 the Finnish DPA received five complaints about the way Polar Oy handles special categories of personal data. The Austrian DPA received a complaint on the same matter. Because the controller operates in multiple Member States, the cooperation procedure under Article 60 GDPR took place. The DPAs of Italy, Belgium, Czechia, France, Denmark, Greece, Germany, Hungary, the Netherlands, Norway, Slovakia, Slovenia, Sweden, Luxembourg, Spain and Poland were supervisory authorities concerned.

When a customer purchases a Polar smart watch or heart rate monitor, it is necessary to register for an online service in order to use all of the device's features. According to the complaints, Polar forces its customers to give consent. According to the controller, the device is separate from the online service, and some basic features can be used without it.

To use all features, the data subject enters information such as sex, height, age and weight into the online service. The device collects heart rate and VO2max data and uploads them to the online service. The user can use the collected data to analyse training performance.

When registering for the online service, the data subject must give consent to "collect and process sensitive personal information, such as heart rate and other sensitive health-related data" and must also accept Polar's terms and conditions. A data subject who does not give this consent cannot register for the online service. If the data subject withdraws consent, the account in the online service is frozen and the system cannot be used; after six months the account and all data related to it are deleted. If the user gives consent again, they can continue to use the online service.

Polar's terms and conditions mention that some data may be transferred outside the EU. According to the processor, the main servers are located in Finland and Ireland. The processor uses email services and monitoring services located in the US, and some data, such as the data subject's email address and user ID, is transferred to those services. The transfer is based on Article 49(1)(a) GDPR.

The terms and conditions also state that the user grants the controller the right to use and transfer "user generated content" within its systems. If the user withdraws consent, user generated content is not removed; the user can remove it themselves before deleting the account. In this context, user generated content means training results that a data subject can share with other users, as well as messages the data subject can publish. This content has been made available globally and has therefore been transferred outside the EU.

According to the controller, the United Kingdom's Information Commissioner's Office (ICO) received a complaint and held that Polar did not violate the GDPR. That complaint was made because Polar asked for consent from data subjects who were already using the online service. Until then, Polar had processed personal data on the basis of contract (Article 6(1)(b) GDPR) and then changed the legal basis to consent (Article 6(1)(a) GDPR). The ICO held that changing the legal basis of the processing was lawful and that asking the data subjects for consent was necessary. The processing itself did not change.

Holding

The DPA considered the following legal questions in this case.

i) Should the controller have asked for consent to process heart rate data?

Holding: According to Article 9(2)(a) GDPR, the controller should have asked for consent for the specific types of personal data.


ii) Should the controller inform the customer about the data processing at the time of purchasing a smart watch or a heart rate monitor?

Holding: Such a procedure is not required.


iii) Does the controller process special categories of personal data other than heart rate data?

Holding: The controller also processes other sensitive data, such as VO2max and BMI.


iv) Have the data transfers to third countries been lawful?

Holding: The controller had a lawful basis to transfer data to third countries (the US). It should be noted that the DPA assessed transfers that took place while the Privacy Shield was still valid. Because of the Privacy Shield, specific consent was not needed.


v) Has the consent for processing "user generated content" been lawful?

Holding: The consent does not comply with Article 4(11) and Article 7(2) and (4) GDPR.


The DPA found that the controller had violated provisions listed in Article 83(5) GDPR and imposed a fine of EUR 122,000 on the controller. In its decision, the DPA states that the processing of sensitive personal data is an essential part of the controller's business, which is why an administrative fine was warranted for the violation. As mitigating circumstances, the DPA counted that the stated purpose of processing health data is beneficial to the data subject and that the controller's profit is not based on processing such data.

Further Resources

Official decision as PDF

Yle (Finnish national broadcasting company) news naming the controller

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

The company had not asked the users of its service for specific consent to the processing of health-related types of personal data. The Office of the Data Protection Commissioner imposed a penalty on the company for violating the data protection regulation, as the processing of health data is part of the company's core business. In addition, the Data Protection Commissioner ordered the company to correct its practice for requesting consent.

The Office of the Data Protection Commissioner investigated the company's practices in 2018–2019 on the basis of the complaints received. The investigation revealed that the company did not have consent in accordance with the EU General Data Protection Regulation to process data on body mass index and maximum oxygen uptake capacity. Health data belong to the so-called special categories of personal data, and their processing is prohibited by default. Such data can be processed, for example, when the data subject has given consent.

The company had asked for consent to process health-related data in general, but had not specified the data it collected and processed. The requested consent did not meet the requirements of the data protection regulation, as it was not specific and informed. The Data Protection Commissioner considers that the controller had informed the data subjects that their personal data would be processed, but had not provided sufficient information about the types of personal data being processed and the purpose for which each type of personal data is processed.

The Sanctions Board paid special attention to the fact that the large-scale processing of health data is a key part of the company's core business. "A company whose business mainly includes the processing of personal data must always take care of all the requirements for the proper processing of personal data. In a data-intensive economy, the importance of this will grow all the time," states Data Protection Commissioner Anu Talus.

The matter was handled in cooperation between EU countries. The company's service is also available in other EU and EEA countries, which is why the matter was handled in cooperation between supervisory authorities. One of the complaints had been initiated in another Member State. The company's establishment in Finland is responsible for the processing of personal data, and the Office of the Data Protection Commissioner acted as the lead supervisory authority in the investigation. The participating supervisory authorities have accepted the decision of the Data Protection Commissioner and the Sanctions Board, and the decision is also binding on them.

The Sanctions Board of the Office of the Data Protection Commissioner imposed a fine of 122,000 euros on the company for data protection violations. In addition, a notice was issued to the company. The decisions are not yet legally binding and can be appealed to the administrative court.

Decisions of the Data Protection Commissioner and the Sanctions Board (pdf)

More information: Data Protection Commissioner Anu Talus, anu.talus(at)om.fi, tel. 029 566 6766

The decision-making of the Sanctions Board and the legal protection of controllers are laid down in the national Data Protection Act. The Sanctions Board consists of the Data Protection Commissioner and two Deputy Data Protection Commissioners. The Board is competent to impose administrative fines for violations of data protection legislation. The maximum administrative fine is four percent of the company's turnover or 20 million euros.

More information on the so-called one-stop shop mechanism in the European Data Protection Board brochure (pdf)