VDAI (Lithuania) - UAB vs FITNESS: Difference between revisions

From GDPRhub
No edit summary
 
(2 intermediate revisions by one other user not shown)
Line 4: Line 4:
|DPA-BG-Color=background-color:#ffffff;
|DPA-BG-Color=background-color:#ffffff;
|DPAlogo=LogoLT.png
|DPAlogo=LogoLT.png
|DPA_Abbrevation=ADA (Lithuania)
|DPA_Abbrevation=VDAI (Lithuania)
|DPA_With_Country=ADA (Lithuania)
|DPA_With_Country=VDAI (Lithuania)


|Case_Number_Name=n/a
|Case_Number_Name=n/a

Latest revision as of 09:19, 17 November 2023

VDAI (Lithuania) - n/a
LogoLT.png
Authority: VDAI (Lithuania)
Jurisdiction: Lithuania
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(a) GDPR
Article 9(1) GDPR
Article 13(1) GDPR
Article 13(2) GDPR
Article 30 GDPR
Article 35(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 21.06.2021
Published:
Fine: 20,000
Parties: UAB VS FITNESS
National Case Number/Name: n/a
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Lithuanian
Original Source: Valstybinė duomenų apsaugos inspekcija (in LT)
Initial Contributor: n/a

The Lithuanian DPA fined a sports club approximately €20,000 for processing the biometric data of its customers and employees in violation of Articles 9(1), 13(1) and (2), 30, and 35(1) GDPR.

English Summary

Facts

The Lithuanian DPA ('VDAI') received a complaint stating that in order to use the services of a sports club (UAB VS FITNESS), fingerprint scanning is required. It then initiated an own volition investigation of a possible breach of the GDPR.

Holding

The VDAI found that the sports club had violated the following GDPR provisions:

  • It violated Article 9(1) GDPR by processing the biometric data of customers, which is special category data. The sports club had attempted to rely on the consent exception, outlined at Article 9(2), that special category data may be processed where the data subject provides their consent. However, the VDAI found that consent collected from customers did not satisfy the requirements for valid consent established in the GDPR. In particular, since consent to the biometric system was not voluntary, it was not freely given;
  • The processing of employees' fingerprints was also in breach of Article 9(1) GDPR, as the club had again attempted to rely on consent as a basis for processing. The VDAI highlighted that employee consent is generally considered invalid due to the power imbalance with an employer. Moreover, the club did not specify the purpose and legal basis of the processing of employee data, nor had it demonstrated the necessity and proportionality of this processing, in violation of Article 5(1)(c) GDPR;
  • It violated Article 13(1) and (1) GDPR, and Article 5(1) GDPR by failing to adequately inform data subject's about the processing of their data;
  • It failed to perform an assessment of the impact of the processing of biometric data, in violation of Article 35(1) GDPR;
  • It did not manage a record of its processing activities, in violation of Article 30 GDPR.

It thus issued a fine of €20,000. In determining the fine, the VDAI took into account:

  • The processing of special categories of personal data;
  • That Improper exercise of data subject's right to be informed falls into a category of more serious infringements under Article 83(5) GDPR;
  • That the club had previously been instructed on how to lawfully process biometric data at another sports club it owned, for example by making the processing of biometric data voluntary, offering an equivalent, optional alternative to identification without the use of fingerprints, and providing customers the possibility to cancel the use of fingerprints at any time should be regulated. In view of these circumstances, the VDIA considered the illegal processing of customers' personal data to be an intentional violation.
  • The club's turnover of the previous and current year, as well as circumstances indicated by the club that the activities of sports clubs were severely restricted due to the coronavirus pandemic this year.

Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Lithuanian original. Please refer to the Lithuanian original for more details.


    
        
                        

    
    



    
        
            
                
                                        
                        Navigation
                        Navigation
                        
                        
                        
                    
                                    
                
                    
                                        

                                                    My government
                                                BUT A
                
                
                    
                                                        
            en
            [[language]]
        
    
                
            

            
                
                    
                    Site map
                
                                                    
            en
            [[language]]
        
    
                
                    [[disabilities]]
                
            

            
                                                                    
                                                                        
                                Prime Minister
                            
                                                                                                
                                Government Office
                            
                                                                                                
                                Ministries
                            
                                                                                                
                                Institutions
                            
                                                                                                
                                E. citizen
                            
                                                                                                            
                                
                
                    For the disabled
                
            

            
        
    



    
        
            
                
            
            
                State Data Protection Inspectorate
            
        
        
    



            
            
        
    
    

    

    
                
            
            
            
        
        Navigation
    
    
        

        
            navbar
                        
        

        
            to the start
            News subscription
            
        
        
            
                

                                                                    
                        
                            
                                News
                            
                            
                                                    
                                                                    
                        
                            
                                Structure and contacts
                            
                            
                                                            
                                    
                                        
                                                                                                                                                                            
                                                
                                                
                                                    Structure
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    Contacts
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    How to find us
                                                
                                                
                                                                                            
                                                                                
                                    
                                
                                                    
                                                                    
                        
                            
                                Legal information
                            
                            
                                                            
                                    
                                        
                                                                                                                                                                            
                                                
                                                
                                                    Legislation
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    Draft legislation
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    Legal practice
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    Research and analysis
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    Violations of legislation
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    Monitoring of legal regulation
                                                
                                                
                                                                                            
                                                                                
                                    
                                
                                                    
                                                                    
                        
                            
                                Areas of activity
                            
                            
                                                            
                                    
                                        
                                                                                                                                                                            
                                                
                                                
                                                    Preventive inspections
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    Prior consultation
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    Audits
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    Complaints handling
                                                
                                                
                                                                                            
                                                                                                                                                                                                                                                                        
                                                
                                                
                                                    Data security breaches
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    International cooperation
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    Informing the public
                                                
                                                
                                                                                            
                                                                                
                                    
                                
                                                    
                                                                    
                        
                            
                                Corruption prevention
                            
                            
                                                    
                                                                    
                        
                            
                                Administrative information
                            
                            
                                                            
                                    
                                        
                                                                                                                                                                            
                                                
                                                
                                                    Regulations
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    Planning documents
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    Protection of whistleblowers
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    Wage
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    Incentives and awards
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    Procurement
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    Budget implementation report sets
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    Sets of financial statements
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    Supervision of economic operators
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    Official passenger cars
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    Activity reports
                                                
                                                
                                                                                            
                                                                                
                                    
                                
                                                    
                                                                    
                        
                            
                                Electronic and administrative services
                            
                            
                                                    
                                                                    
                        
                            
                                Links
                            
                            
                                                    
                                                                    
                        
                            
                                ADSP and DAP
                            
                            
                                                            
                                    
                                        
                                                                                                                                                                            
                                                
                                                
                                                    Data breach notification
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    Data Protection Officer
                                                
                                                
                                                                                            
                                                                                
                                    
                                
                                                    
                                                                    
                        
                            
                                Protection of personal data
                            
                            
                                                    
                                                                    
                        
                            
                                useful information
                            
                            
                                                            
                                    
                                        
                                                                                                                                                                                                                                                                        
                                                
                                                
                                                    Frequently Asked Questions (FAQ)
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    Recommendations, guidelines, etc.
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    COVID-19 and BDAR
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    Summaries of inspection results
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    VDAI decisions (fines, instructions, etc.)
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    Court decisions (according to VDAI complaints)
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    2018 data protection reform
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    Public consultation before BDAR
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    SolPriPa 2 WORK project
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    SOLPriPa PROJECT
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    Projects
                                                
                                                
                                                                                                    
                                                                                                                                                                    
                                                        
                                                            
                                                            
                                                                EU twinning project no. UA / 47b "Strengthening the institutional capacity of the High Commissioner for Human Rights of the Parliament of Ukraine to protect human rights and freedoms in line with European best practice"
                                                            
                                                            
                                                        
                                                                                                                                                                    
                                                        
                                                            
                                                            
                                                                Improving the qualification of civil servants and employees of the State Data Protection Inspectorate
                                                            
                                                            
                                                        
                                                                                                                                                                    
                                                        
                                                            
                                                            
                                                                Information systems interconnection and modernization project
                                                            
                                                            
                                                        
                                                                                                                                                                    
                                                        
                                                            
                                                            
                                                                Project “Increasing the cooperation between the State Data Protection Inspectorate and the Lithuanian Librarians' Association in implementing the personal data protection policy”
                                                            
                                                            
                                                        
                                                                                                        
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    For children and young people
                                                
                                                
                                                                                            
                                                                                                                                                                            
                                                
                                                
                                                    Open data
                                                
                                                
                                                                                            
                                                                                                                                                                                                                                                                        
                                                
                                                
                                                    Surveys
                                                
                                                
                                                                                            
                                                                                                                                                                                                                                                                        
                                                
                                                
                                                    Events archive
                                                
                                                
                                                                                            
                                                                                                                                                                                                                                                                        
                                                
                                                
                                                    Advertisements
                                                
                                                
                                                                                            
                                                                                
                                    
                                
                                                    
                                    
            
        
        
            
        
    




        
        
            
                
                
                
            

            

                        

    A fine has been imposed on the sports club for breaches of the General Data Protection Regulation in the processing of fingerprints of customers and employees

    
    Home
            
                                                            News
                                                
            
                                                            A fine has been imposed on the sports club for breaches of the General Data Protection Regulation in the processing of fingerprints of customers and employees
                                                
    

    
        Print
        
    

    

    
        
            
                
                    Data
                    2121 2021
                
                                    
                        Evaluation
                        

    
            11
    

                    
                            
                                

        
                                                
                                    
                            

                                                
        The State Data Protection Inspectorate (State Data Protection Inspectorate) conducted an investigation into the processing of biometric personal data in a sports club and allocated LTL 20,000 for identified violations of the General Data Protection Regulation (BDAR). Eur fine to UAB VS FITNESS. The fine is imposed for violations of Article 5 (1) (a) and (c), Article 9 (1), Article 13 (1) to (2), Article 30, Article 35 (1) of the BDAR, i.e. y. for processing biometric data without voluntary consent of data subjects, as well as failure to ensure other requirements for valid consent, improper implementation of data subjects' right to be informed about data processing, as well as found that the company did not conduct a data protection impact assessment .

The Personal Data Protection Supervisor conducted an investigation
After receiving a notification from a natural person stating that in order to use the services of a sports club belonging to the company, a fingerprint scan is necessary, there are no other alternative means of identification in the said sports club, carried out an inspection on its own initiative in accordance with the Law on Legal Protection of Personal Data. with a possible BDAR violation in the company’s processing of fingerprints.

Processing of customer biometric data
According to the BDAR, biometric data belong to special categories of data, the processing of which is prohibited by the general rule, except for the conditions provided for in Article 9 (2) of the BDAR. The company processed customer fingerprint models with the consent of the data subjects, i. y. on the basis set out in Article 9 (2) (a) BDAR. VDAI noted that if the controller relies on the data subject's consent as a condition for lawful processing, he should ensure that the data subject's consent complies with the conditions imposed on him (voluntary, specific, reasonable information, unambiguity, as well as provability and revocability). During the inspection, VDAI found that the consent given by the customers to process their fingerprint models is not voluntary, nor does it meet the other requirements for a valid consent, which led the VDAI to decide that the company is processing the binary codes of the customers' fingerprints illegally.

Processing of employee biometric data
In addition, the VDAI found that the company had illegally processed the fingerprints of employees. The SDPI noted that employee consent due to a power imbalance is generally not considered an appropriate condition for the processing of personal data. VDAI did not specify the purpose and legal basis of the processing of employees 'biometric data, did not carry out a data protection impact assessment, and did not demonstrate the necessity and proportionality of the processing of employees' fingerprints. The SDPI noted that data subjects have the right to be informed about the processing of their data. Following the inspection, VDAI found that the company did not provide the data subjects with all the information required by the BDAR.

Relevant circumstances in deciding the amount of the fine
When deciding on the imposition of an administrative fine, VDAI assessed all relevant circumstances. The VDAI took into account that the processing of special categories of data in the absence of an exception, in violation of Article 5 (1) (a) and (c) and Article 9 (1) of the BDAR, as well as improper exercise of data subjects' right to be informed the requirements of Article 83 (1) to (2) of the EC Treaty fall into the category of more serious infringements (Article 83 (5) BDAR).
Among other things, the company had previously been instructed to process biometric data at another sports club it owned. This confirmed that the company was aware of how the voluntary requirement for customers to consent to the processing of their biometric data had to be met, that an equivalent, optional alternative to identification in sports clubs (without the use of fingerprint binary codes) had to be offered. Also that the possibility for the customer to cancel the use of the fingerprint model at any time must be regulated.
In view of these circumstances, VDAI considered the illegal processing of customers' biometric data to be an intentional violation. VDAI also took into account other identified aggravating and mitigating factors of the company's liability. In deciding the amount of the fine, VDAI took into account the information provided by the company on the turnover of the previous and current year, as well as the circumstances indicated by the company that the activities of sports clubs were severely restricted due to the coronavirus pandemic this year.
This decision of VDAI has not entered into force and can be appealed to a court.








        

                                                    
                    Share
        
        
                            
                    
                
                                                    
                    
                
                                
        
    

    

    

                
        
            
        Also read
                                    Review of personal data protection supervision in Lithuania in 2020
                                                The State Data Protection Inspectorate invites the Chief Specialist of the IT department of the team to join
                                                A digital environment that benefits and is safe for children - The Organization for Economic Co-operation and Development has issued a recommendation
                                                The European Data Protection Board has announced report
                                                SURVEY OF EMPLOYERS on the protection of personal data and privacy in the context of employment relationships
                        


        

    
    
    


            

            
                Back
                
                
            
        

        
            
                
                    
                        L.Sapiegos st. 17, 10312 Vilnius (Entrance from the left), tel. (8 5) 271 28 04, (8 5) 279 1445, fax. (8 5) 261 9494, el. p. ada@ada.lt

Data on the State Data Protection Inspectorate are collected and stored in the Register of Legal Entities. Code 188607912

Consultation tel. (8 5) 212 7532, Monday to Thursday, 9 a.m. to 11 a.m. and 1pm to 3pm

                        © Government of the Republic of Lithuania
                    

                    

                    
                        
                            
                            
                                
                                                                        
                                        
                                    
                                
                                
                                    
                                        
                                    
                                
                            
                        
                    
                
                            
            
        
    

        
            
                
                    Data
                    2121 2021
                
                                    
                        Evaluation
                        

    
            11
    

                    
                            
                                

        
                                                
                                    
                            

                                                
        The State Data Protection Inspectorate (State Data Protection Inspectorate) conducted an investigation into the processing of biometric personal data in a sports club and allocated LTL 20,000 for identified violations of the General Data Protection Regulation (BDAR). Eur fine to UAB VS FITNESS. The fine is imposed for violations of Article 5 (1) (a) and (c), Article 9 (1), Article 13 (1) to (2), Article 30, Article 35 (1) of the BDAR, i.e. y. for processing biometric data without voluntary consent of data subjects, as well as failure to ensure other requirements for valid consent, improper implementation of data subjects' right to be informed about data processing, as well as found that the company did not conduct a data protection impact assessment .

The Personal Data Protection Supervisor conducted an investigation
After receiving a notification from a natural person stating that in order to use the services of a sports club belonging to the company, a fingerprint scan is necessary, there are no other alternative means of identification in the said sports club, carried out an inspection on its own initiative in accordance with the Law on Legal Protection of Personal Data. with a possible BDAR violation in the company’s processing of fingerprints.

Processing of customer biometric data
According to the BDAR, biometric data belong to special categories of data, the processing of which is prohibited by the general rule, except for the conditions provided for in Article 9 (2) of the BDAR. The company processed customer fingerprint models with the consent of the data subjects, i. y. on the basis set out in Article 9 (2) (a) BDAR. VDAI noted that if the controller relies on the data subject's consent as a condition for lawful processing, he should ensure that the data subject's consent complies with the conditions imposed on him (voluntary, specific, reasonable information, unambiguity, as well as provability and revocability). During the inspection, VDAI found that the consent given by the customers to process their fingerprint models is not voluntary, nor does it meet the other requirements for a valid consent, which led the VDAI to decide that the company is processing the binary codes of the customers' fingerprints illegally.

Processing of employee biometric data
In addition, the VDAI found that the company had illegally processed the fingerprints of employees. The SDPI noted that employee consent due to a power imbalance is generally not considered an appropriate condition for the processing of personal data. VDAI did not specify the purpose and legal basis of the processing of employees 'biometric data, did not carry out a data protection impact assessment, and did not demonstrate the necessity and proportionality of the processing of employees' fingerprints. The SDPI noted that data subjects have the right to be informed about the processing of their data. Following the inspection, VDAI found that the company did not provide the data subjects with all the information required by the BDAR.

Relevant circumstances in deciding the amount of the fine
When deciding on the imposition of an administrative fine, VDAI assessed all relevant circumstances. The VDAI took into account that the processing of special categories of data in the absence of an exception, in violation of Article 5 (1) (a) and (c) and Article 9 (1) of the BDAR, as well as improper exercise of data subjects' right to be informed the requirements of Article 83 (1) to (2) of the EC Treaty fall into the category of more serious infringements (Article 83 (5) BDAR).
Among other things, the company had previously been instructed to process biometric data at another sports club it owned. This confirmed that the company was aware of how the voluntary requirement for customers to consent to the processing of their biometric data had to be met, that an equivalent, optional alternative to identification in sports clubs (without the use of fingerprint binary codes) had to be offered. Also that the possibility for the customer to cancel the use of the fingerprint model at any time must be regulated.
In view of these circumstances, VDAI considered the illegal processing of customers' biometric data to be an intentional violation. VDAI also took into account other identified aggravating and mitigating factors of the company's liability. In deciding the amount of the fine, VDAI took into account the information provided by the company on the turnover of the previous and current year, as well as the circumstances indicated by the company that the activities of sports clubs were severely restricted due to the coronavirus pandemic this year.
This decision of VDAI has not entered into force and can be appealed to a court.








        

                                                    
                    Share