Tietosuojavaltuutetun toimisto (Finland) - 1198/161/2022
Tietosuojavaltuutetun toimisto - 1198/161/2022 | |
---|---|
Authority: | Tietosuojavaltuutetun toimisto (Finland) |
Jurisdiction: | Finland |
Relevant Law: | Article 9(2)(a) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 22.5.2018 |
Decided: | 27.12.2022 |
Published: | |
Fine: | 122000 EUR |
Parties: | Polar Oy |
National Case Number/Name: | 1198/161/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Finnish |
Original Source: | Tietosuojavaltuutetun toimisto (in FI) |
Initial Contributor: | Eetu Salpaharju |
Finnish DPA imposed a fine of 122,000 euros on a company handling health-related types of personal data without proper consent.
English Summary
Facts
The controller is a manufacturer of heart rate monitors and smart watches offering its services in multiple EU Member States and worldwide. When a customer purchased a smart watch or heart rate monitor, it was necessary to register for an online service in order to use all the features of the device. To do so, the online service user (data subject) had to enter personal information, such as sex, height, age and weight, into the online service. The device collects heart rate as well as VO2 max (maximum oxygen uptake capacity) data and uploads them to the online service, where data subjects can use the collected information to analyse their training performance.
The Finnish DPA received five complaints from data subjects between 22 May 2018 and 19 February 2019 concerning the way the controller processed heart rate data and other sensitive data, and whether it lawfully transferred personal data to third countries. The Austrian DPA received a complaint on the same matter. Because the controller operates in multiple Member States, the cooperation mechanism under Article 60 GDPR was activated. Since the controller's main establishment was located in Finland, the Finnish DPA was the Lead Supervisory Authority in this case (Article 65 GDPR), while the concerned supervisory authorities (Article 4(22) GDPR) were, among others, the Austrian, Belgian, Czech and Danish DPAs. After investigating the controller's practices and receiving the submissions of the concerned supervisory authorities, the Finnish DPA issued a draft decision pursuant to Article 60(3) GDPR. No concerned SA objected to it, rendering it a binding decision on the controller. The decision concerned the following issues and established the following factual circumstances.
Processing of heart rate data
According to the complaints, consent to process heart rate data was forced onto the data subjects, as the controller made the use of the service conditional upon granting consent to process heart rate data. If the data subject subsequently withdrew consent, their online service account would be frozen. However, according to the controller, the device was separate from the online service, as some basic features were still usable without the online service.
Processing of other sensitive data
On the same conditions, the controller also requested consent for the processing of other personal data, such as VO2 max, sleep target time and daily activity target, in addition to information such as gender, age, height and weight. The controller argued that it is not possible to draw conclusions about a person's health from this data, and hence that no sensitive data other than heart rate data was processed. Allegedly, such conclusions would only be possible together with medical examinations or additional data.
Personal data transfers to the US
Although the controller's servers were located in the EU, in Finland and Ireland, personal data from the controller's email service would be sent to a server located in the US. For these transfers, the controller relied on consent under Article 49(1)(a) GDPR as a legal basis and reportedly also on standard contractual clauses under Article 46 GDPR. The controller submitted that it had asked data subjects for consent to transfer the data to the US in order to make them more aware of the processing carried out by the company.
Processing of 'user-generated content'
The terms and conditions also stated that data subjects consent to the controller processing "user-generated content", that is, any content uploaded or transmitted to the online service (e.g. training results) beyond the information initially provided. This data would be made available globally and also transferred outside the EU. If the data subject withdrew their consent, the generated data would not be removed; the data subject could request its deletion only by closing their account.
Holding
The DPA considered the following legal questions in this case.
i) Should the controller have asked for consent to process heart rate data?
Holding: Under Article 9(2)(a) GDPR, the controller should have asked for consent for specific types of personal data.
ii) Should the controller inform the customer about the data processing when they purchase a smart watch or heart rate monitor?
Holding: Such a procedure is not required.
iii) Does the controller process data from special categories of personal data other than heart rate data?
Holding: The controller also processes other sensitive data, such as VO2 max and BMI.
iv) Were the data transfers to third countries lawful?
Holding: The controller had a lawful basis to transfer data to third countries (the US). Notably, the DPA considered that the transfers took place while the Privacy Shield was still valid. Because of the Privacy Shield, specific consent was not needed.
v) Was the consent to process "user-generated content" lawful?
Holding: The consent did not comply with Article 4(11) and Article 7(2) and (4) GDPR.
The DPA found that the controller had violated the provisions referred to in Article 83(5) GDPR and imposed a fine of EUR 122,000 on the controller. In its decision, the DPA states that handling sensitive personal data is an essential part of the controller's business, which is why an administrative fine was warranted for the violation. As mitigating circumstances, the DPA counted that the stated purpose of processing health data is beneficial to the data subject and that the controller's profit is not based on processing such data.
Further Resources
Yle (Finnish national broadcasting company) news article naming the controller
English Machine Translation of the Decision
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.
The company had not asked the users of its service for individual consent to the processing of health-related types of personal data. The Data Protection Commissioner's Office imposed a penalty on the company for violating the Data Protection Regulation, as the processing of health data is part of the company's core business. In addition, the Data Protection Commissioner ordered the company to correct its practice in requesting consent.

The Office of the Data Protection Commissioner investigated the company's operating methods in 2018–2019 based on the complaints received. The investigations revealed that the company did not have consent in accordance with the EU's General Data Protection Regulation to process data on body mass index and maximum oxygen uptake capacity. Health data belong to so-called special categories of personal data, and their processing is in principle prohibited. Data can be processed, for example, when the data subject has given their consent.

The company had asked for consent to process health-related data in general, but had not specified the data it collected and processed. The requested consent did not meet the requirements of the Data Protection Regulation, as it was not specific and informed. The Data Protection Commissioner considers that the data controller had informed the data subjects that their personal data would be processed, but had not provided sufficient information about the types of personal data being processed and the purpose for which each type of personal data is processed.

The sanctions board paid special attention to the fact that the large-scale processing of health data is a key part of the company's core business. "A company whose business mainly includes the processing of personal data must always take care of all the requirements for the proper processing of personal data. In a data-intensive economy, the importance of this will grow all the time," states Data Protection Commissioner Anu Talus.

The matter was dealt with in cooperation between EU countries. The company's service is also available in other EU and EEA countries, which is why the matter was dealt with in cooperation between supervisory authorities. One of the complaints had been initiated in another Member State. The company's establishment in Finland is responsible for the processing of personal data, and the Data Protection Commissioner's Office acted as the lead supervisory authority in the investigation. The participating supervisory authorities have accepted the decision of the Data Protection Commissioner and the sanctions board, and the decision is also binding on them.

The sanctions board of the Office of the Data Protection Commissioner imposed a fine of 122,000 euros on the company for data protection violations. In addition, a reprimand was issued to the company. The decisions are not yet legally final and can be appealed to the administrative court.

Decisions of the Data Protection Commissioner and Sanctions Board (pdf)

More information: Data Protection Commissioner Anu Talus, anu.talus(at)om.fi, tel. 029 566 6766

The decision-making of the sanctions board and the legal protection of data controllers are stipulated in the national Data Protection Act. The sanctions board consists of the Data Protection Commissioner and two Deputy Data Protection Commissioners. The board is competent to impose administrative fines for violations of data protection legislation. The maximum amount of an administrative fine is four percent of the company's turnover or 20 million euros.

More information on the so-called one-stop shop mechanism in the European Data Protection Board brochure (pdf)