Datatilsynet (Denmark) - 2023-31-0028

From GDPRhub
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 4(14) GDPR; Article 9(1) GDPR; Article 9(2)(a) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 03.07.2024
Fine: n/a
Parties: Sporting Health Club
National Case Number/Name: 2023-31-0028
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: fb

The DPA held that explicit consent to the usage of facial recognition for a fitness centre’s access system is not freely given if the data subject has no alternative option that does not include the processing of biometric data.

English Summary

Facts

The data subject was a member of a fitness centre (the controller) open 24/7. Previously, access to this fitness centre was granted with a key chip. However, the controller decided to discontinue the key chip system and introduce facial recognition as the only access system during the centre's unmanned hours.

Therefore, the consequence of not consenting to the use of facial recognition was that the use of the membership was limited to staffed opening hours.

The data subject refused to use such a system and to provide their biometric data to the controller. The controller replied that it would investigate what other access options would be available as an alternative to facial recognition. However, it never got back to the data subject.

Therefore, the data subject lodged a complaint with the DPA. They argued that consent can only be considered valid if it is given without pressure and without negative consequences for refusing to give it. According to the data subject, that was not the case, since without the facial recognition system they could use the fitness centre only during the limited staffed opening hours, even though they had decided to be a member of this centre because it was open 24/7.

First, the controller pointed out that it informed its members about the use of personal data in connection with facial recognition via its privacy policy.

Moreover, it argued that it made available alternative forms of access for members who do not wish to use facial recognition. More specifically, the data subject could either call the support service and ask them to generate a one-time code to use to open the door or simply ask the support to open the door for them.

Holding

First, the DPA pointed out that in a previous case (FysioDanmark) it held that the use of facial recognition as access control for fitness centres cannot in itself be considered contrary to the fundamental principles set by Article 5 GDPR, including the requirements for proportionality.

Thus, the DPA found that the controller, provided that the conditions for lawful processing are otherwise met, could similarly use facial recognition as access control for its fitness centres.

Secondly, the DPA noted that facial images used to identify a person are biometric data according to Article 4(14) GDPR. Therefore, under Article 9(1) GDPR, the controller cannot use data obtained through the use of facial recognition unless an exception provided for by Article 9(2) GDPR applies. In this case, the DPA pointed out that the most appropriate one should be explicit consent pursuant to Article 9(2)(a) GDPR.

Furthermore, as for the use of consent in connection with facial recognition, the DPA held – in accordance with what is stated in EDPB Guidelines 3/2019 on processing of personal data through video devices – that, in this case, the requirement that consent needs to be “freely given” implies that the controller must offer an alternative solution that does not include the processing of biometric data.

According to the DPA, this alternative does not have to be identical, but must not impose significant restrictions or costs on the data subject. The DPA noted that the alternative options in the case at hand (generating a code or calling support) provide the same access to the centre as consent to facial recognition. Moreover, the alternative options do not imply significant limitations.

Moreover, the DPA noted that consent must also be informed. In the case at hand, this means that the data subject must be informed of the alternatives to consent to facial recognition. The DPA verified that the controller has made some efforts to do this, putting a notice on the information screens at the entrance to the fitness centres and in its privacy policy.

On the other hand, the DPA noted that the information about the alternatives provided by the controller appears to a certain extent to be fragmented. For example, the data subject must read the privacy policy to get more information about the possible alternatives. Moreover, the meaning of the word “code” contained in the info screens was unclear.

Regarding the general voluntariness of consent, the DPA noted that the data subject was told by an employee of the controller that if a member does not wish to consent to facial recognition, it is only possible to access the centre during manned opening hours. The DPA believed that this gave the data subject a justified perception that there would be no alternatives to facial recognition.

According to the DPA, this means that the consent that was attempted to be obtained from the complainant at that time would not be valid.

Under these circumstances, the DPA issued a reprimand to the controller.

However, the DPA found that at the time of the decision the data subject could be considered to be sufficiently informed about the possible alternatives. This is why a valid consent can now be obtained.

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Consent for facial recognition in gym was valid

Date: 03-07-2024

Decision, Private companies, Criticism, Complaint, Access control, Handled by the Data Council, Basic principles

The Danish Data Protection Authority has made a decision in a case about a gym's use of facial recognition, including whether the gym's other access options could be considered sufficient alternatives.

Journal number: 2023-31-0028.

Summary

The Danish Data Protection Authority received a complaint from a citizen that the Sporting Health Club (SHC) gym had introduced facial recognition in connection with SHC's gyms. The citizen pointed out, among other things, that there were not sufficient and equivalent alternatives for facial recognition.

It emerged from the case that users of the fitness center who do not wish to consent to facial recognition can be admitted by the reception during staffed opening hours. Outside staffed opening hours, users can contact 24-hour support, who can either open the door remotely or generate a code for the door.

In a previous case concerning FysioDanmark Hillerød, the Danish Data Protection Authority has assessed that the use of facial recognition as an access option to fitness centers does not in itself contravene the basic principles of Article 5 of the Data Protection Regulation, including the requirements for proportionality.

The present case therefore primarily raised questions about the requirements for consent, including whether the possible alternatives in the specific case could be considered to constitute a real alternative.

The Danish Data Protection Authority found – after the case has been dealt with at a meeting of the Data Council – that SHC can obtain a valid consent, which can constitute an exception to the ban on the processing of special categories of information, provided that SHC ensures that the consent is informed and correctly obtained.

The Danish Data Protection Authority expresses criticism

The Danish Data Protection Authority, however, found grounds to express criticism of the consent that the fitness center had specifically tried to obtain from the complainants, since the complainants had been informed that there were no alternatives to facial recognition.

Decision 

The Danish Data Protection Authority hereby returns to the case where the complainant complained to the supervisory authority on 19 February 2023 about Sporting Health Club Scandinavia ApS' (SHC) use of facial recognition, including SHC's collection of consent to process personal data.

The Danish Data Protection Authority notes for the sake of order that with this decision the supervisory authority has only dealt with the issues referred to in the decision.

1. Decision

The Danish Data Protection Authority finds – after the case has been dealt with at a meeting of the Data Council – that SHC, if SHC ensures that the consent that SHC obtains is informed, obtains a valid consent, which according to the data protection regulation, article 9, subsection 2, letter a, may constitute an exception to the ban on the processing of special categories of information.

However, the Danish Data Protection Authority finds that there are grounds for expressing criticism that the consent that SHC specifically tried to obtain from complainants was not voluntary and thus not valid.

2. The circumstances of the case

2.1.

On 19 February 2023, the Danish Data Protection Authority received a complaint that the fitness center SHC has introduced facial recognition as access control to the company's fitness centres.

In the complaint of 19 February 2023, it is stated that:

"I hereby file a complaint about the use of facial recognition and improper handling of consent in the Sporting Health Club gym.

Sporting Health Club Scandinavia has opened 24/7. Until now, there has been access with a key chip, but that option no longer exists, and facial recognition is thus the only access key during the centre's unmanned hours. The consequence of not giving consent for facial recognition is that the possibility of using the center is restricted.

Since there are no alternatives to facial scanning as an access key, I am critical of whether the circumstances for consent meet the conditions for free consent, whether there is valid legal authority to administer consent in this way, and whether the use of biometric data is therefore legal.

[…]

The center is open 24/7 for members. There are manned opening hours on weekdays and Saturdays, but outside the manned opening hours (late evening, Sundays and public holidays) you can enter with a key.[…]

Until the summer of 2022, the key was a chip. In the summer of 2022, the center began to introduce facial recognition, which from the summer of 2022 until now has worked alongside the key chip.

SHC announced at the beginning of February 2023 that it will no longer be possible to use the chip, and that from now on you can only enter using facial recognition. If you do not consent to the use of facial recognition, the use of the membership will be limited to the staffed opening hours.

[…]

I want to make use of the center without restrictions. A consent can only be perceived as a real consent if it is given without pressure and without negative consequences of refusing to give consent. I am a member of this particular center because they have access 24/7.”

The complaint of 19 February 2023 also states about the course of the case:

"In July 2022, I was verbally told by the center's day-to-day manager that the chip key would be replaced by facial recognition and that I would have to be registered in the system for it, which I refused. I was told that the chip key would work for some time and they would investigate what other access options there would be after that when you would not consent to facial recognition. Later that week I wrote to remind the question. I got no response and therefore assumed that SHC had reconsidered the situation and decided to have the two systems side by side. The chip reader continued to be used and I heard nothing more about the matter.

February 2023 [the] center [wrote] an email to members stating that the chip feature would not be in use after March 1, 2023. I asked for an answer on how they would deal with members who would not consent to facial recognition and reminded that I had made a clear objection before. February 2023 in the evening I visited the center and discovered that the chip reader had been taken down and that my access to the center had thus been restricted. SHC's notice was therefore not complied with, moreover a shorter notice than the 75 days stated in the membership conditions."

As an attachment to the complaint of 19 February 2023, the complainant has attached an email correspondence with SHC. In the correspondence, an employee at SHC states that: "If a member does not want to give consent to facial recognition, it is only possible to train in our centers during staffed opening hours. If you train in Scandinavia, for example, you must use the doorbell where the receptionist will then open for you”.

2.2.

On 11 May 2023, the Danish Data Protection Authority requested SHC for an opinion for the processing of the case, including in relation to the issue of consent, which the law firm Elmann sent on behalf of SHC on 8 June 2023. The opinion states:

"A.D. 1. SHC IS ASKED TO REFER TO WHAT THE COMPLAINT HAS STATED IN HIS COMPLAINT.

By letter of 19 February 2023 ("Complaint"), the complainant has complained about SHC's processing of her personal data.

There are several factual matters in the Complaint that are not correct.

As you know, the complainant is a member of SHC.

Until 1 March 2023, SHC used a key fob as access control to the center together with a facial recognition/scanning access system provided by Justface ApS.

Since 1 March 2023, the facial recognition/scanning system has acted as access control to the centre, together with the possibility of either personal check-in at reception, personal check-in via 24-hour telephone support, or by using a code.

It can thus be rejected that face recognition/scanning is the only access option to the centre. This applies both during and outside reception opening hours.

Since entering into cooperation with Justface, SHC has made alternative forms of access available to members who do not wish to use facial recognition/scanning as access control.

SHC also informs its members about the use of personal data in connection with facial recognition/scanning via their personal data policy. SHC's personal data policy is available on SHC's website […].

Code:

If a member does not wish to use facial recognition/scanning, it is possible to open the door using a code.

The individual member can generate a code by calling support. This code must be generated anew on each visit and thus cannot be reused due to the risk of fraud. It is possible to have a code issued to the center at all hours of the day (24/7).

Door opening via support:

Members can call support at all hours of the day (24/7), who can open the door if the member is found in the member database. The support number is clearly visible at the entrance to the centre.

Check-in via reception:

During the reception's opening hours, you can check in at the reception via personal service.

Image [1]: Screenshot of the access solution in SHC Scandinavia, where the code alternative is clearly visible under the face scan button:

[…]

Image [2]: Access solution installed to the right of the entrance lock in SHC Scandinavia with a clear reference to support:

[…]

Justface face scan

SHC uses a system licensed from Justface ApS for facial recognition/scanning.

Consent

The Justface system is consent-based. It works in such a way that SHC's members have the option of choosing to use a facial scan if consent has been given. A tablet has been set up at the entrance to the fitness centre.

If a member has consented to this during creation, the member uploads a picture in the system so that the system can recognize the person when he or she later chooses to be scanned by the camera in the tablet at the entrance to the gym.

Members who have not given consent to use the Justface system and/or persons who revoke their consent can use another form of access control, e.g. manual personal check-in, check-in at reception or use of password, cf. above.

Activation

The facial recognition/scanning system consists of placing a tablet at the entrance door to the gym, which is in "passive mode" and must be activated by pressing the screen.

The camera is set in such a way that, when activated, it can only record the person who did the activation. Thus, there is no facial scanning of members or other persons walking to the entrance of the fitness center until the member himself takes an active action to activate facial scanning.

If the person does not want to be face scanned, the person can use an alternative access method, e.g. password, check in at reception or manual check-in via the 24-hour telephone. This can, among other things, be seen on the tablet screen and stickers.

Members who do not wish to be scanned have a real option to avoid facial scanning by using telephone support for check-in or reception.

The system for facial recognition/scanning is designed so that the system must be activated in order for a scan to be carried out, e.g. by pressing a key.

[…]

The purpose of using the system - and the resulting processing of personal data - is, firstly, to offer members to use the system as access control for increased security, so that only members have access to the centre, and to offer members a better user experience. The processing of biometric information (face recognition) in connection with access control is based on the member's consent, cf. the data protection regulation, article 9, subsection 2, letter a. Consent is given when the member is to be created in the system - either physically in the center or online.

In this connection, a picture of the person's face is uploaded to the system. In addition, the person in question consents via an electronic consent form that the processing may take place.

In addition to access control, the system is used to collect the check-in time of customers for statistics, e.g. of staff allocation in relation to the gym's peak load periods (as is also known from other types of access systems with e.g. chip or key card). Information regarding the number, type and time of check-in is collected solely for statistical purposes and for business optimization, in accordance with the data protection regulation, article 6, subsection 1, letter f.

[…]

SHC does not process members' personal data, including biometric data, unless the data subject has specifically and expressly consented to its processing, cf. the data protection regulation, article 6, subsection 1, letter a and Article 9, subsection 2, letter a.

In accordance with the data protection regulation, article 4, no. 11 and article 7, the following is noted regarding the declaration of consent used (image of declaration of consent can be found below):

The declaration of consent is presented on the on-boarding page, where the member must log in (image of the on-boarding page can be found below). The declaration of consent is drawn up in an easy-to-understand and easily accessible form and in clear and simple language, so that the member can distinguish the consent from other circumstances and understands how and for what purposes the collected personal data is processed. It follows from the declaration of consent that consent is given voluntarily. The member thus has the option of choosing to give his consent or not. There are no negative consequences associated with not giving consent, as the member can instead choose one of the other earning options, including manually via reception/24-hour support or by using a password. The member is adequately informed in the declaration of consent about the specific purposes of the consent and must tick separate consent boxes for each purpose. Consent is thus given by an active action and reflects an express expression of will from the member. It follows from the declaration of consent that the data subject has the right to revoke his consent at any time. Revocation of consent requires contacting the specified Justface support email, which ensures that revocation of consent is as easy for the member as giving consent. The declaration of consent is also stored by SHC in accordance with the data protection regulation, article 5, subsection 1, letter e, Article 5, subsection 2 and Article 7, so that SHC can demonstrate that the data subject has given consent to the processing of his personal data.

Based on the above, SHC assesses that obtaining consent from SHC's members meets the validity requirements in Article 4, No. 11, Article 6, Article 7 and Article 9 of the Data Protection Regulation.”

2.3.

On 12 July 2023, the complainant presented his comments on the SHC's statement. It appears from this:

"SHC writes that there is and has always been the option to opt out of consent to facial recognition without affecting access to the centre. I need to see documentation that SHC has communicated this to all members in a timely manner. SHC's personal data policy in the link in the letter of 8 June is from May 2023.

As stated in my complaint of February 19, there was no information in the emails and consent form about options other than facial recognition. I was told both verbally and in writing that there would only be access during reception opening hours […].

From February until now, I have come to the center 3-4 times a week. Each time I have called and been let in by the staff. I have mainly met the same 3-4 people, including the day-to-day manager of the centre. None of them informed me that I had other options, not even the times I had to call on the phone to get in touch. In the spring, the center's opening hours were shortened on Fridays, and the general manager kindly made me aware of this, precisely so that I would not go in vain, as I did not have facial recognition. SHC explains that they have always been able to get in 24/7 using JustFace's support. I have not been informed of this, the staff did not know this, and the explanation therefore seems to me to be an afterthought. […]

SHC's response implies that all gym users must use JustFace unless limited access is accepted. You have to call JustFace support, who can either unlock or send a code, based on membership information passed on from SHC to JustFace.

This gives rise to a new problem: Is the refusal to accept the use of biometrics a (sensitive) personal data in itself, which you as a citizen can demand does not fall into the hands of companies that precisely base their business model on facial recognition?

[…]

There is no proportionality between method and purpose in using facial recognition/biometrics to regulate access to a gym.

SHC has a reasonable need to control access to their centres. That need was previously solved with a key chip and video surveillance. It is not likely that there is an extended need for security (it is a gym, not a societal high-risk facility) that could possibly justify the use of biometric data…”

2.4.

On 8 November 2023, the law firm Elmann appeared on behalf of SHC with the last submission in the case. It appears from this:

"As stated in SHC's response to the Complainant's request to the Danish Data Protection Authority, which was forwarded on 8 June 2008, the consent given is specific and unequivocal. As mentioned, the link to the consent form is part of the registration procedure and the Complainant was also requested under the same consent conditions to state whether the Complainant wanted to give consent. See link to "onboarding" sent to the Complainant by email of 1 February 2023.

It is specifically stated both on the first page of the description of the "onboarding" process and in the declaration of consent itself sent to the Complainant that this is a voluntary consent which can be revoked at any time.

It is therefore a mistake when the SHC employee in question stated in an email to the Complainant on 6 February 2023 that it will only be possible to train during the reception's opening hours if a member does not consent to facial recognition.

If a member does not wish to consent to the use of facial recognition, SHC, as previously mentioned, gives members several alternative options to gain access to SHC's premises, including using a code, remote opening via 24-hour support and check-in via reception during staffing hours. This is - and has always been - evident both from the control panel at the entrance door and from information from the staff, who are happy to open the door for members during the reception's opening hours.

Information on this can also be found in the personal data policy published by SHC […], where it is stated:

"If it is not desired that biometric information is saved, people can enter by calling JustFace 24/7 service 76741265"

It is correct (as also stated by the Complainant) that the personal data policy is regularly updated, and was most recently updated in May 2023. However, the above information is not new, and the information about access using a code on a tablet at the entrance door and check-in via staff during reception opening hours has been available since the implementation of the JustFace access system on 1 March 2023, which also appears from section 7.3 in the personal data policy.

In addition, since the implementation of the JustFace access system, SHC has continuously trained its staff on the processing of personal data, including, among other things, the company's personal data policy and the rules for consent.

In light of the pending appeal and the erroneous information sent to the Complainant, SHC has now emphasized to its staff that members who do not wish to use facial recognition as access control must always be informed of the alternative ways in which access to SHC's premises can be achieved.

This is evident, firstly, from the attached FAQ, which the employees received in March 2023 and which the employees can send on request to the members who want this. It is stated here:

"Do I have to use a face scan? Only if you give your consent yourself. There is always an alternative on the training center's tablet, such as using a code. Contact your center if you want to hear more."

Furthermore, it now appears from SHC's personnel/training handbook that there are alternative access methods, so that correct information about this from the employees to the members is ensured to the greatest extent possible:

"If access is not desired via facial recognition (that biometric information is stored), it is possible for the member to call the JustFace 24-hour service on tel. 76741265. Via the JustFace 24-hour service, the door is opened or a one-time code is provided to the member who wants access. This is only possible if the member has an active membership, without arrears, suspension or other conditions that lead to inactivity of an SHC membership."

It must therefore be concluded that there are alternative usable forms of access for access control besides the facial recognition system.

SHC therefore continues to assess that the facial recognition system and the processes in connection with giving consent are an expression that consent is given voluntarily...

[…]

In order to counter the principle of proportionality, the system is set up in such a way that the system is only "activated" when the customer or the employee who wants a face scan to be carried out has activated the system. Members who do not want to be scanned have a real option to avoid face scanning”

3. The Data Protection Authority's reasoning

3.1. Relevant legal regulations

According to Article 2, subsection 1, the Data Protection Regulation applies to processing of personal data that is carried out in whole or in part by means of automatic data processing, and to other non-automatic processing of personal data that is or will be contained in a register.

It appears from the data protection regulation, article 6, subsection 1, that processing is only lawful if and to the extent that at least one of the conditions in letter a-f of the provision applies. Processing is, for example, lawful, cf. letter a of the provision, if the data subject has given consent to the processing of his personal data for one or more specific purposes.

According to the data protection regulation, article 9, subsection 1, a prohibition applies to the processing of special categories of information, including the processing of biometric data for the purpose of uniquely identifying a natural person.

According to Article 4, No. 14 of the Data Protection Regulation, biometric data means personal data which, as a result of specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, enables or confirms a unique identification of the person concerned, e.g. facial image or fingerprint information.

Consent as referred to in the data protection regulation, article 6, subsection 1, letter a, and Article 9, subsection 2, letter a, is, according to Article 4, no. 11, understood as any voluntary, specific, informed and unequivocal declaration of intent by the data subject, whereby the data subject consents by declaration or clear confirmation to personal data relating to the person concerned being made the subject of treatment.

Article 7 of the Data Protection Regulation contains a number of conditions for consent. It appears from this:

Paragraph 1. If processing is based on consent, the data controller must be able to demonstrate that the data subject has given consent to the processing of his personal data.

Paragraph 2. If the data subject's consent is given in a written statement that also relates to other matters, a request for consent must be submitted in a way that is clearly distinguishable from the other matters, in an easily understandable and easily accessible form and in clear and simple language. Any part of such declaration which constitutes a breach of this Regulation shall not be binding.

Paragraph 3. The data subject has the right to withdraw his consent at any time. Withdrawal of consent does not affect the lawfulness of the processing based on consent prior to the withdrawal. Before consent is given, the data subject must be informed that consent can be withdrawn. It should be as easy to withdraw consent as it is to give it.

Paragraph 4. When assessing whether consent has been given freely, the greatest possible consideration is given to, among other things, whether the fulfillment of a contract, including of a service, is made conditional on consent to the processing of personal data that is not necessary for the fulfillment of this contract.

Any processing of personal data must – in addition to having a basis in Articles 6 & 9 of the Data Protection Regulation – take place in accordance with the principles for processing personal data in Article 5. This means that personal data must:

be processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency");

be collected for expressly stated and legitimate purposes and may not be further processed in a manner incompatible with these purposes; further processing for archival purposes in the interest of society, for scientific or historical research purposes or for statistical purposes in accordance with Article 89, subsection 1, must not be considered incompatible with the original purposes ("purpose limitation");

be sufficient, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization");

be correct and if necessary updated; every reasonable step must be taken to ensure that personal data that are incorrect in relation to the purposes for which they are processed are immediately deleted or rectified ("accuracy");

be stored in such a way that it is not possible to identify the data subjects for a longer period of time than is necessary for the purposes for which the personal data in question is processed; personal data may be stored for a longer period of time if the personal data is only processed for archival purposes in the interest of society, for scientific or historical research purposes or for statistical purposes in accordance with Article 89, subsection 1, provided that the appropriate technical and organizational measures required by this Regulation are implemented to ensure the data subject's rights and freedoms ("storage limitation");

be processed in a way that ensures sufficient security for the personal data in question, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures ("integrity and confidentiality").

3.2. The Danish Data Protection Authority's practice

In the spring of 2022, the Danish Data Protection Authority made a decision in a previous case about a fitness center's use of facial recognition (the Danish Data Protection Authority's case no. 2021-431-0145). In the decision, the Data Protection Authority stated, among other things:

"When personal data in the form of images is processed in connection with face scanning, biometric data is processed, cf. Article 4, No. 14 of the Data Protection Regulation.

FysioDanmark has stated that the system works in such a way that a camera is set up at the entrance to the Fitness Centre, which can scan the customer's face, after which the result is compared to images already uploaded in the system.

Biometric information about the customer in question (collected at the time of identification) is thus compared with a number of biometric templates stored in a database.

Thus, one or more match processes take place, and it is therefore a matter of processing biometric data with the aim of uniquely identifying a natural person.

It is basically prohibited to process such information, cf. the data protection regulation's article 9, subsection 1, unless an exception to this prohibition can be identified in subsection 2 of the provision.

In this connection, the Danish Data Protection Authority agrees with FysioDanmark that the customer's express consent, cf. the data protection regulation's article 9, subsection 2, letter a, is the most appropriate exception to the ban, as none of the other exceptions in the Data Protection Regulation, Article 9, paragraph 2, is seen to be applicable.

The Danish Data Protection Authority assumes that FysioDanmark, when using the customer's express consent, will observe the obligations according to Article 7 of the regulation, and as a result, the Danish Data Protection Authority finds no basis for overriding FysioDanmark's assessment that the consent given by the data subject in that connection complies with the rules for consent in the data protection regulation, including the requirement that consent must be voluntary in the regulation's article 4, no. 11.

The Danish Data Protection Authority has thereby placed emphasis on the design and content of the submitted declaration of consent, and that it is optional for the customer whether he or she wishes to use facial recognition as access control, as the customer – if he or she does not wish to use facial recognition – can instead use an access card and code.”

The Danish Data Protection Authority's decision can be found in its entirety on the Danish Data Protection Authority's website by searching for "FysioDanmark".

3.3. Guidance from the Danish Data Protection Authority and the European Data Protection Board (EDPB)

3.3.1. The Danish Data Protection Authority's guidance on consent

From the Danish Data Protection Authority's guidance on consent from May 2021, which is based on the EDPB's guidelines 5/2020, it appears about the requirement for voluntariness that:

"Consent must be voluntary. The purpose of a consent is to give the data subject a choice and, not least, control over personal data about themselves. Consent is therefore not considered to have been given voluntarily if the data subject does not have a real or free choice. A consent must not, for example, be given under duress. This applies regardless of whether it is the data controller or others who exercise coercion against the data subject.

Any form of inappropriate pressure or influence on the data subject's free will results in the consent being invalid."

Furthermore, the requirement for voluntariness states that:

"A data controller can to a certain extent motivate the data subject to give consent by the fact that there is an advantage associated with consenting. Enrollment in a business benefit program can, for example, involve discounts which motivate the customer to consent to receiving advertising material from the business. The discount or the benefits that a consent to a benefits program entails do not exclude that the consent can be considered voluntary.

However, it is important to be aware of whether a lack of consent entails negative consequences for the data subject who does not want to give consent – e.g. in the form of additional costs…”

Regarding the requirement to be informed, it appears that:

"Consent must be informed. This means that the data subject must be aware of what consent is given to. The data controller must provide the data subject with a range of information to ensure that the data subject can make his decision on an informed basis. There are no formal requirements for how this information must be provided. It is therefore possible to fulfill the requirement both in writing, orally or digitally.”

The Danish Data Protection Authority's guidance on consent can be found in its entirety on the Danish Data Protection Authority's website.

3.3.2. EDPB's guidelines on the use of video equipment for the processing of personal data

From the EDPB's guidelines 3/2019 on the use of video equipment for the processing of personal data, it appears about consent to the processing of biometric data:

"Finally, when consent is required in accordance with Article 9 of the GDPR, the data controller must not make access to its services conditional on acceptance of the biometric processing. In other words, and especially when the biometric processing is used for authentication purposes, the data controller must offer an alternative solution that does not include biometric processing - without restrictions or additional costs for the data subject. This alternative solution is also necessary for persons who do not meet the requirements for the biometric equipment (registration or reading of the biometric data impossible, disability makes its use difficult, etc.), and if the biometric equipment is not available (e.g. in the event of an error in the device). In those cases, an "alternative solution" must be used to ensure the continuity of the intended service, which is however limited to exceptional use. In special cases, there may be a situation where the processing of biometric data is the central activity of a service contract, e.g. if a museum organizes an exhibition demonstrating the use of a facial recognition system. In that case, the data subjects will not be able to reject the processing of biometric data if they wish to visit the exhibition. The consent required under Article 9 is then still valid if the requirements of Article 7 are met.”

3.4. The Danish Data Protection Authority's assessment of the specific case

The case concerns the fitness center SHC's introduction of facial recognition as access control to the company's fitness centers, including SHC's obtaining of consent for the processing of personal data in that connection.

In the aforementioned FysioDanmark case, the Danish Data Protection Authority (indirectly) assessed that the use of facial recognition as access control to fitness centers cannot in itself be considered contrary to the basic principles of Article 5 of the Data Protection Regulation, including the requirements for proportionality.

Consequently, the Danish Data Protection Authority finds that SHC – provided the conditions for legal processing are otherwise met – can similarly use facial recognition as access control to its fitness centres.

The Danish Data Protection Authority has also emphasized that the processing takes place on the basis of consent, cf. below, and that the data subject therefore has a choice in relation to – and control over – whether facial recognition takes place and the associated processing of information.

In this connection, the case raises a number of general questions about the requirements for consent, including whether the possible alternatives in the specific case can be considered to constitute a real alternative. Next, the case raises questions about consent in relation to the complainant.

3.4.1. Is the consent generally valid?

When personal data is processed in the form of images in connection with face scanning, biometric data is processed, cf. Article 4, No. 14 of the Data Protection Regulation.

It appears from the case that the system works in such a way that a camera is set up which can scan the customer's face, after which the result is compared to images already uploaded into the system.

Biometric information about the customer in question (collected at the time of identification) is thus compared with a number of biometric templates stored in a database.

Thus, one or more match processes take place, and it is therefore a matter of processing biometric data with the aim of uniquely identifying a natural person.

It is basically prohibited to process such information, cf. the data protection regulation's article 9, subsection 1, unless an exception to this prohibition can be identified in subsection 2 of the provision.

The Danish Data Protection Authority has noted that SHC has set up the system in such a way that the system must be activated in order for a scan to be carried out, e.g. by keystroke, and that there is therefore no (illegal) processing of information about persons who have not consented to facial recognition.

The Danish Data Protection Authority agrees with SHC that express consent, cf. the data protection regulation's article 9, subsection 2, letter a, is the most appropriate exception to the ban, as none of the other exceptions in the data protection regulation, article 9, paragraph 2, is seen to be applicable.

In order for an express consent in accordance with the Data Protection Regulation, Article 9, subsection 2, letter a, and Article 6, subsection 1, letter a, to be valid, it must, according to the data protection regulation article 4, no. 11, be, among other things, voluntary.

A consent cannot be considered voluntary if the procedure for obtaining consent does not give the data subject the opportunity to give separate consent for different processing purposes regarding personal data, and the data subject is thus forced to consent to all purposes. A consent must therefore be granular (divided)[1].

It appears from the case that SHC – in addition to processing biometric data in connection with access control – collects information via the system for use in statistics, including the check-in time of customers. In this connection, SHC has stated that this processing takes place on the basis of the so-called balancing of interests rule in the data protection regulation, Article 6, subsection 1, letter f.

In this connection, the Danish Data Protection Authority agrees with SHC that the information about when a customer checks in is in itself information that is only covered by Article 6 of the Data Protection Regulation.

However, the Danish Data Protection Authority is of the opinion that this information is of the nature of "derived" information, as the information (depending on the circumstances) is provided through the use of facial recognition.

This processing is therefore also processing of biometric data with the aim of unambiguously identifying a natural person covered by the prohibition in Article 9, paragraph 1 of the Data Protection Regulation.

In order for a consent to be valid, SHC must thereby have made the consent granular, so that consent can be given both to the processing of biometric data as part of access to the fitness center and to the use of facial scans to keep the statistics in question.

In this connection, the Danish Data Protection Authority has noted that SHC gives the possibility to consent to both "use of face scan as an access method" and "use of face scan to keep track of the use of the fitness centre".

On this basis, the Danish Data Protection Authority finds that the consent that SHC obtains is sufficiently granular. However, SHC should consider clarifying in the declaration of consent what "statistics on the use of the fitness center" covers.

In addition to this, the Danish Data Protection Authority finds reason to note that SHC – regardless of whether SHC bases its processing on Article 6, subsection 1, letter f – cannot use "derived" information, which is provided by using facial recognition, if SHC does not have express consent to this in accordance with Article 9, paragraph 2, letter a.

When it comes to the use of consent in connection with facial recognition, the Danish Data Protection Authority is also of the opinion – in accordance with what is stated in the EDPB's guidelines 3/2019 – that the requirement for voluntariness in a case like this implies that data controllers – in this case SHC – must offer an alternative solution that does not include the processing of biometric information.

This alternative does not have to be identical, but must not involve more than insignificant restrictions or costs for the data subject.

It is the Danish Data Protection Authority's assessment that the fact that you have the option of checking in at the reception via personal service during the reception's opening hours cannot in itself be considered a similar alternative, as you are thereby limited in your access to the center compared to if you consent to facial recognition.

As SHC has explained, if you do not want to consent to facial recognition, SHC gives you the option - in addition to the option of checking in at the reception via personal service - to call support, who can open the door, and to generate a code by calling support.

Since the alternative options (generate a code or call support) provide the same access to the center as consent to facial recognition, and since the alternative options are not associated with significant limitations or financial costs, the Danish Data Protection Authority considers that SHC offers sufficient alternatives.

In this connection, the Danish Data Protection Authority assumes that there are real alternatives, including that you do not have to wait an unreasonably long time to get through to support in order to generate a code or be let in. 

Since the case, as regards the issue it concerns (access for customers), does not otherwise give the Danish Data Protection Authority reason to question the voluntariness of the consent, the Danish Data Protection Authority finds that SHC obtains a voluntary consent.

The Danish Data Protection Authority notes in this connection that the question of possible consent from employees is not part of this case, which is why the Danish Data Protection Authority has not taken a position on this. The Danish Data Protection Authority can refer to its decision in the case of FysioDanmark for considerations in this regard.

In addition to being voluntary, consent must also be informed. This means that the data subject must be aware of what consent is given to. This implies that the data controller must provide the data subject with a range of information to ensure that the data subject can make his decision on an informed basis.

In a situation such as the present one, the Danish Data Protection Authority is of the opinion that the requirement that a consent must be informed implies that the data subject must be informed about the alternatives to consenting to facial recognition that are available.

The Danish Data Protection Authority has established that SHC has made certain efforts to do this, i.a. on the info screens at the entrance to the fitness centers and in the company's personal data policy.

As the case has been presented, however, it is the Danish Data Protection Authority's assessment that the information about the alternatives that SHC provides appears fragmented to a certain extent. For example, the data subject apparently has to find detailed information about the possible alternatives in the personal data policy himself, just as the data subject himself must work out what the "code" and the reference to support on the info screens at the entrance to the fitness centres cover.

In any case, the Danish Data Protection Authority is of the opinion that it would be best in line with the requirements for informed consent if, in connection with obtaining the consent – already in the declaration of consent itself – it appears that there are alternatives and where you can read more about them. It is noted in this connection that this is seen to be a relatively simple procedure.

Based on an overall assessment of the above, the Danish Data Protection Authority finds that SHC, if SHC ensures that the consent that SHC obtains is informed, obtains a valid consent, which according to the data protection regulation's article 9, subsection 2, letter a, may constitute an exception to the ban on the processing of special categories of information. Consequently, the consent will also be able to form the basis for processing in accordance with the data protection regulation, article 6, subsection 1, letter a.

What is otherwise stated in the case, including whether the refusal to give consent is in itself a special category of personal data, cannot lead to a different assessment of the validity of the consent or the legality of the processing in general.

3.4.2. Consent in relation to the complainant?

It is - regardless of the above regarding the general voluntariness of consent - the Danish Data Protection Authority's opinion that the fact that the complainant was told by an employee that "[i]f [a] member does not want to give consent to facial recognition, it is only possible to train in our centers during manned opening hours” must be assumed to have given the complainant a justified perception that there would be no alternatives to facial recognition.

According to the Danish Data Protection Authority's assessment, this is equivalent to there being no alternatives. This means that the consent which was attempted to be obtained from the complainant at that time would not be valid.

Under these circumstances, the Danish Data Protection Authority finds grounds for expressing criticism that the consent that SHC specifically tried to obtain from the complainant was not voluntary and thus not valid.

However, the complainant must be considered to be sufficiently informed about the possible alternatives at the present time, which is why it will be possible to obtain a valid consent.

 

[1] European Data Protection Board Guidelines 5/2020 on consent under Regulation 2016/679 (version 1.1, adopted on 4 May 2020), page 13.  

 


Consent for facial recognition in gym was valid

Date: 03-07-2024

Decision Private companies Criticism Complaint Access control Handled by the Data Council Basic principles

The Danish Data Protection Authority has made a decision in a case about a gym's use of facial recognition, including whether the gym's other access options could be considered sufficient alternatives.

Journal number: 2023-31-0028.

Summary

The Danish Data Protection Authority received a complaint from a citizen that the Sporting Health Club (SHC) gym had introduced facial recognition in connection with SHC's gyms. The citizen pointed out, among other things, that there were not sufficient and equivalent alternatives to facial recognition.

It emerged from the case that users of the fitness center who do not wish to consent to facial recognition can be admitted by the reception during staffed opening hours. Outside staffed opening hours, users can contact 24-hour support, who can either open the door remotely or generate a code for the door.

In a previous case concerning FysioDanmark Hillerød, the Danish Data Protection Authority has assessed that the use of facial recognition as an access option to fitness centers does not in itself contravene the basic principles of Article 5 of the Data Protection Regulation, including the requirements for proportionality.

The present case therefore primarily raised questions about the requirements for consent, including whether the possible alternatives in the specific case could be considered to constitute a real alternative.

The Danish Data Protection Authority found – after the matter had been dealt with at a meeting of the Data Council – that SHC can obtain a valid consent, which can constitute an exception to the ban on the processing of special categories of information, provided that SHC ensures that the consent is informed and correctly obtained.

The Danish Data Protection Authority expresses criticism

The Danish Data Protection Authority, however, found grounds to express criticism of the consent that the fitness center had specifically tried to obtain from the complainant, since the complainant had been informed that there were no alternatives to facial recognition.

Decision 

The Danish Data Protection Authority hereby returns to the case where the complainant complained to the supervisory authority on 19 February 2023 about Sporting Health Club Scandinavia ApS' (SHC) use of facial recognition, including SHC's collection of consent to process personal data.

The Danish Data Protection Authority notes for the sake of order that with this decision the supervisory authority has only dealt with the issues referred to in the decision.

1. Decision

The Danish Data Protection Authority finds – after the case has been dealt with at a meeting of the Data Council – that SHC, if SHC ensures that the consent that SHC obtains is informed, obtains a valid consent, which according to the data protection regulation, article 9, subsection 2, letter a, may constitute an exception to the ban on the processing of special categories of information.

However, the Danish Data Protection Authority finds that there are grounds for expressing criticism that the consent that SHC specifically tried to obtain from the complainant was not voluntary and thus not valid.

2. The circumstances of the case

2.1.

On 19 February 2023, the Danish Data Protection Authority received a complaint that the fitness center SHC has introduced facial recognition as access control to the company's fitness centres.

In the complaint of 19 February 2023, it is stated that:

"I hereby file a complaint about the use of facial recognition and improper handling of consent in the Sporting Health Club gym.

Sporting Health Club Scandinavia is open 24/7. Until now, there has been access with a key chip, but that option no longer exists, and facial recognition is thus the only access key during the centre's unmanned hours. The consequence of not giving consent for facial recognition is that the possibility of using the center is restricted.

Since there are no alternatives to facial scanning as an access key, I am critical of whether the circumstances for consent meet the conditions for free consent, whether there is valid legal authority to administer consent in this way, and whether the use of biometric data is therefore legal.

[…]

The center is open 24/7 for members. There are manned opening hours on weekdays and Saturdays, but outside the manned opening hours (late evening, Sundays and public holidays) you can enter with a key.[…]

Until the summer of 2022, the key was a chip. In the summer of 2022, the center began to introduce facial recognition, which from the summer of 2022 until now has worked alongside the key chip.

SHC announced at the beginning of February 2023 that it will no longer be possible to use the chip, and that from now on you can only enter using facial recognition. If you do not consent to the use of facial recognition, the use of the membership will be limited to the staffed opening hours.

[…]

I want to make use of the center without restrictions. A consent can only be perceived as a real consent if it is given without pressure and without negative consequences of refusing to give consent. I am a member of this particular center because they have access 24/7.”

The complaint of 19 February 2023 also states about the course of the case:

"In July 2022, I was verbally told by the center's day-to-day manager that the chip key would be replaced by facial recognition and that I would have to be registered in the system for it, which I refused. I was told that the chip key would work for some time and they would investigate what other access options there would be after that when you would not consent to facial recognition. Later that week I wrote to remind the question. I got no response and therefore assumed that SHC had reconsidered the situation and decided to have the two systems side by side. The chip reader continued to be used and I heard nothing more about the matter.

February 2023 [the] center [wrote] an email to members stating that the chip feature would not be in use after March 1, 2023. I asked for an answer on how they would deal with members who would not consent to facial recognition and reminded that I had made a clear objection before. February 2023 in the evening I visited the center and discovered that the chip reader had been taken down and that my access to the center had thus been restricted. SHC's notice was therefore not complied with, moreover a shorter notice than the 75 days stated in the membership conditions."

As an attachment to the complaint of 19 February 2023, the complainant has attached an email correspondence with SHC. In the correspondence, an employee at SHC states that: "If a member does not want to give consent to facial recognition, it is only possible to train in our centers during staffed opening hours. If you train in Scandinavia, for example, you must use the doorbell where the receptionist will then open for you”.

2.2.

On 11 May 2023, the Danish Data Protection Authority asked SHC for an opinion for use in the processing of the case, including in relation to the issue of consent, which the law firm Elmann sent on behalf of SHC on 8 June 2023. The opinion states:

"Ad 1. SHC IS ASKED TO RESPOND TO WHAT THE COMPLAINANT HAS STATED IN THE COMPLAINT.

By letter of 19 February 2023 ("Complaint"), the complainant has complained about SHC's processing of her personal data.

There are several factual matters in the Complaint that are not correct.

As you know, the complainant is a member of SHC.

Until 1 March 2023, SHC used a key fob as access control to the center together with a facial recognition/scanning access system provided by Justface ApS.

Since 1 March 2023, the facial recognition/scanning system has acted as access control to the centre, together with the possibility of either personal check-in at reception, personal check-in via 24-hour telephone support, or by using a code.

It can thus be rejected that facial recognition/scanning is the only access option to the centre. This applies both during and outside reception opening hours.

Since entering into cooperation with Justface, SHC has made alternative forms of access available to members who do not wish to use facial recognition/scanning as access control.

SHC also informs its members about the use of personal data in connection with facial recognition/scanning via their personal data policy. SHC's personal data policy is available on SHC's website […].

Code:

If a member does not wish to use facial recognition/scanning, it is possible to open the door using a code.

The individual member can generate a code by calling support. This code must be generated again on each visit and thus cannot be reused due to the risk of fraud. It is possible to have a code issued to the center at all hours of the day (24/7).

Door opening via support:

Members can call support at all hours of the day (24/7), who can open the door if the member is found in the member database. The support number is clearly visible at the entrance to the centre.

Check-in via reception:

During the reception's opening hours, you can check in at the reception via personal service.

Image [1]: Screenshot of the access solution in SHC Scandinavia, where the code alternative is clearly visible under the face scan button:

[…]

Image [2]: Access solution installed to the right of the entrance lock in SHC Scandinavia with a clear reference to support:

[…]

Justface face scan

SHC uses a system licensed from Justface ApS for facial recognition/scanning.

Consent

The Justface system is consent-based. It works in such a way that SHC's members have the option of choosing to use a facial scan if consent has been given. A tablet has been set up at the entrance to the fitness centre.

If a member has consented to this during creation, the member uploads a picture in the system so that the system can recognize the person when he or she later chooses to be scanned by the camera in the tablet at the entrance to the gym.

Members who have not given consent to use the Justface system and/or persons who revoke their consent can use another form of access control, e.g. manual personal check-in, check-in at reception or using a password, cf. above.

Activation

The face recognition/scanning system consists of placing a tablet at the entrance door to the gym, which is in "passive mode" and must be activated by pressing the screen.

The camera is set in such a way that, when activated, it can only record the person who did the activation. Thus, there is no facial scanning of members or other persons walking to the entrance of the fitness center until the member himself takes an active action to activate facial scanning.

If the person does not want to be face scanned, the person can use an alternative access method, e.g. password, check in at reception or manual check-in via the 24-hour telephone. This can, among other things, be seen on the tablet screen and stickers.

Members who do not wish to be scanned have a real option to avoid facial scanning by using telephone support for check-in or reception.

The system for facial recognition/scanning is designed so that the system must be activated in order for a scan to be carried out, e.g. by pressing a key.

[…]

The purpose of using the system - and the resulting processing of personal data - is, firstly, to offer members to use the system as access control for increased security, so that only members have access to the centre, and to offer members a better user experience. The processing of biometric information (face recognition) in connection with access control is based on the member's consent, cf. the data protection regulation, article 9, subsection 2, letter a. Consent is given when the member is to be created in the system - either physically in the center or online.

In this connection, a picture of the person's face is uploaded to the system. In addition, the person in question consents via an electronic consent form that the processing may take place.

In addition to access control, the system is used to collect the check-in time of customers for statistics, e.g. of staff allocation in relation to the gym's peak load periods (as is also known from other types of access systems with e.g. chip or key card). Information regarding the number, type and time of check-in is collected solely for statistical purposes and for business optimization, in accordance with the data protection regulation, article 6, subsection 1, letter f.

[…]

SHC does not process members' personal data, including biometric data, unless the data subject has specifically and expressly given his consent to its processing, cf. the data protection regulation, article 6, subsection 1, letter a and Article 9, subsection 2, letter a.

In accordance with the data protection regulation, article 4, no. 11 and article 7, the following is noted regarding the declaration of consent used (image of declaration of consent can be found below):

The declaration of consent is presented on the on-boarding page, where the member must log in (image of the on-boarding page can be found below). The declaration of consent is drawn up in an easy-to-understand and easily accessible form and in clear and simple language, so that the member can distinguish the consent from other circumstances and understands how and for what purposes the collected personal data is processed. It follows from the declaration of consent that consent is given voluntarily. The member thus has the option of choosing to give his consent or not. There are no negative consequences associated with not giving consent, as the member can instead choose one of the other check-in options, including manually via reception/24-hour support or by using a password. The member is adequately informed in the declaration of consent about the specific purposes of the consent and must tick separate consent boxes for each purpose. Giving consent thus takes place through an active action and reflects an express expression of will from the member. It follows from the declaration of consent that the data subject has the right to revoke his consent at any time. Revocation of consent requires contacting the specified Justface support email, which ensures that revocation of consent is as easy for the member as giving consent. The declaration of consent is also stored by SHC in accordance with the data protection regulation, article 5, subsection 1, letter e, Article 5, subsection 2 and Article 7, so that SHC can demonstrate that the data subject has given consent to the processing of his personal data.

Based on the above, SHC assesses that obtaining consent from SHC's members meets the validity requirements in Article 4, No. 11, Article 6, Article 7 and Article 9 of the Data Protection Regulation.”

2.3.

On 12 July 2023, the complainant presented his comments on the SHC's statement. It appears from this:

"SHC writes that there is and has always been the option to opt out of consent to facial recognition without affecting access to the centre. I need to see documentation that SHC has communicated this to all members in a timely manner. SHC's personal data policy in the link in the letter of 8 June is from May 2023.

As stated in my complaint of February 19th, there was no information in the emails and consent form about options other than facial recognition. I was told both verbally and in writing that there would only be access during reception opening hours […].

From February until now I have come to the center 3-4 times a week. Each time I have called and been let in by the staff. I have mainly met the same 3-4 people, including the day-to-day manager of the centre. None of them informed me that I had other options, not even the times I had to call on the phone to get in touch. In the spring, the center's opening hours were shortened on Fridays, and the general manager kindly made me aware of this, precisely so that I would not go in vain, as I did not have facial recognition. SHC explains that they have always been able to get in 24/7 using JustFace's support. I have not been informed of this, the staff did not know this, and the explanation therefore seems to me to be an afterthought. […]

SHC's response implies that all gym users must use JustFace unless limited access is accepted. You have to call JustFace support, who can either unlock or send a code, based on membership information passed on from SHC to JustFace.

This gives rise to a new problem: Is the refusal to accept the use of biometrics a (sensitive) personal data in itself, which you as a citizen can demand does not fall into the hands of companies that precisely base their business model on facial recognition?

[…]

There is no proportionality between method and purpose in using facial recognition/biometrics to regulate access to a gym.

SHC has a reasonable need to control access to their centres. That need was previously solved with a key chip and video surveillance. It is not likely that there is an extended need for security (it is a gym, not a societal high-risk facility) that could possibly justify the use of biometric data…”

2.4.

On 8 November 2023, the law firm Elmann appeared on behalf of SHC with the last submission in the case. It appears from this:

"As stated in SHC's response to the Complainant's request to the Danish Data Protection Authority, which was forwarded on 8 June 2008, the consent given is specific and unequivocal. As mentioned, the link to the consent form is included in the registration procedure and the Complainant was also requested under the same consent conditions to indicate whether the Complainant wanted to give consent. See link to "onboarding" sent to the Complainant by email of 1 February 2023.

It is specifically stated both on the first page of the description of the "onboarding" process and in the declaration of consent itself sent to the Complainant that this is a voluntary consent which can be revoked at any time.

It is therefore a mistake when the SHC employee in question stated in an email to the Complainant on 6 February 2023 that it will only be possible to train during the reception's opening hours if a member does not consent to facial recognition.

If a member does not wish to consent to the use of facial recognition, SHC, as previously mentioned, gives members several alternative options for accessing SHC's premises, including using a code, remote opening via 24-hour support and check-in via reception during staffing hours. This is - and has always been - evident both from the control panel at the entrance door and from information from the staff, who are happy to open the door for members during the reception's opening hours.

Information on this can also be found in the personal data policy published by SHC […], where it is stated:

"If it is not desired that biometric information is saved, people can enter by calling the JustFace 24-hour service 76741265"

It is correct (as also stated by the Complainant) that the personal data policy is regularly updated, and was most recently updated in May 2023. However, the above information is not new, and the information about access by using a code on a tablet at the entrance door and check-in via staff during reception opening hours has been available since the implementation of the JustFace access system on 1 March 2023, which also appears from section 7.3 in the personal data policy.

In addition, since the implementation of the JustFace access system, SHC has continuously trained its staff on the processing of personal data, including, among other things, the company's personal data policy and the rules for consent.

In light of the pending appeal and the erroneous information sent to the Complainant, SHC has now emphasized to its staff that members who do not wish to use facial recognition as access control must always be informed of the alternative ways in which access to SHC's premises can be achieved.

This is evident, firstly, from the attached FAQ, which the employees received in March 2023 and which the employees can send on request to the members who want this. It is stated here:

"Do I have to use a face scan? Only if you give your consent yourself. There is always an alternative on the training center's tablet, such as using a code. Contact your center if you want to hear more."

Furthermore, it now appears from SHC's personnel/training handbook that there are alternative access methods, so that correct information about this from the employees to the members is ensured to the greatest extent possible:

"If access is not desired via facial recognition (that biometric information is saved), it is possible for the member to call the JustFace 24-hour service on tel. 76741265. Via the JustFace 24-hour service, the door is opened or a one-time code is provided to the member who wants access. This is only possible if the member has an active membership, without arrears, suspension or other conditions that lead to inactivity of an SHC membership."

It must therefore be concluded that there are alternative usable forms of access for access control besides the facial recognition system.

SHC therefore continues to assess that the facial recognition system and the processes in connection with giving consent are an expression that consent is given voluntarily...

[…]

In order to counter the principle of proportionality, the system is set up in such a way that the system is only "activated" when the customer or the employee who wants a face scan to be carried out has activated the system. Members who do not want to be scanned have a real opportunity to avoid facial scanning”

3. The Data Protection Authority's reasoning

3.1. Relevant legal regulations

According to Article 2, paragraph 1, the Data Protection Regulation applies to processing of personal data that is carried out in whole or in part by means of automatic data processing, and to other non-automatic processing of personal data that is or will be contained in a register.

It appears from Article 6, subsection 1, of the Data Protection Regulation that processing is only lawful if and to the extent that at least one of the conditions in letters a-f of the provision applies. Processing is, for example, lawful, cf. letter a of the provision, if the data subject has given consent to the processing of his personal data for one or more specific purposes.

According to the data protection regulation's article 9, subsection 1, a prohibition applies to the processing of special categories of information, including the processing of biometric data for the purpose of uniquely identifying a natural person.

According to Article 4, No. 14 of the Data Protection Regulation, biometric data means personal data which, as a result of specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, enables or confirms a unique identification of the person concerned, e.g. facial image or fingerprint information.

A consent as referred to in Article 6, subsection 1, letter a, and Article 9, subsection 2, letter a, of the Data Protection Regulation is, according to Article 4, no. 11, understood as any voluntary, specific, informed and unequivocal declaration of intent by the data subject, whereby the data subject, by declaration or clear confirmation, consents to personal data relating to the person concerned being made the subject of processing.

Article 7 of the Data Protection Regulation contains a number of conditions for consent. It appears from this:

Paragraph 1. If processing is based on consent, the data controller must be able to demonstrate that the data subject has given consent to the processing of his personal data.

Paragraph 2. If the data subject's consent is given in a written statement that also relates to other matters, a request for consent must be submitted in a way that is clearly distinguishable from the other matters, in an easily understandable and easily accessible form and in clear and simple language. Any part of such declaration which constitutes a breach of this Regulation shall not be binding.

Paragraph 3. The data subject has the right to withdraw his consent at any time. Withdrawal of consent does not affect the lawfulness of the processing based on consent prior to the withdrawal. Before consent is given, the data subject must be informed that consent can be withdrawn. It should be as easy to withdraw consent as it is to give it.

Paragraph 4. When assessing whether consent has been given freely, the greatest possible consideration is given to, among other things, whether the fulfillment of a contract, including the provision of a service, is made conditional on consent to the processing of personal data that is not necessary for the fulfillment of this contract.

Any processing of personal data must – in addition to having a basis in Articles 6 & 9 of the Data Protection Regulation – take place in accordance with the principles for processing personal data in Article 5. This means that personal data must:

be processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency")

be collected for expressly stated and legitimate purposes and not be further processed in a manner incompatible with these purposes; further processing for archival purposes in the interest of society, for scientific or historical research purposes or for statistical purposes in accordance with Article 89, subsection 1, must not be considered incompatible with the original purposes ("purpose limitation")

be sufficient, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization")

be correct and, if necessary, updated; every reasonable step must be taken to ensure that personal data that are incorrect in relation to the purposes for which they are processed are immediately deleted or rectified ("accuracy")

be stored in such a way that it is not possible to identify the data subjects for a longer period of time than is necessary for the purposes for which the personal data in question is processed; personal data may be stored for a longer period of time if the personal data is only processed for archival purposes in the interest of society, for scientific or historical research purposes or for statistical purposes in accordance with Article 89, subsection 1, provided that the appropriate technical and organizational measures required by this Regulation are implemented to ensure the data subject's rights and freedoms ("storage limitation")

be processed in a way that ensures sufficient security for the personal data in question, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures ("integrity and confidentiality").

3.2. The Danish Data Protection Authority's practice

In the spring of 2022, the Danish Data Protection Authority made a decision in a previous case about a fitness center's use of facial recognition (the Danish Data Protection Authority's case no. 2021-431-0145). In the decision, the Data Protection Authority stated, among other things:

"When personal data in the form of images is processed in connection with face scanning, biometric data is processed, cf. Article 4, No. 14 of the Data Protection Regulation.

FysioDanmark has stated that the system works in such a way that a camera is set up at the entrance to the Fitness Centre, which can scan the customer's face, after which the result is compared to images already uploaded in the system.

Biometric information about the customer in question (collected at the time of identification) is thus compared with a number of biometric templates stored in a database.

Thus, one or more match processes take place, and it is therefore a matter of processing biometric data with the aim of uniquely identifying a natural person.

It is basically prohibited to process such information, cf. the data protection regulation's article 9, subsection 1, unless an exception to this prohibition can be identified in subsection 2 of the provision.

In this connection, the Danish Data Protection Authority agrees with FysioDanmark that the customer's express consent, cf. the data protection regulation's article 9, subsection 2, letter a, is the most appropriate exception to the ban, as none of the other exceptions in the data protection regulation, article 9, paragraph 2, is seen to be applicable.

The Danish Data Protection Authority assumes that FysioDanmark, when using the customer's express consent, will observe the obligations according to Article 7 of the regulation, and as a result, the Danish Data Protection Authority finds no basis for overriding FysioDanmark's assessment that the consent given by the data subject in that connection complies with the rules for consent in the data protection regulation, including the requirement that consent must be voluntary in the regulation's article 4, no. 11.

The Danish Data Protection Authority has thereby emphasized the design and content of the submitted declaration of consent, and that it is optional for the customer whether they wish to use facial recognition as access control, as the customer – if they do not wish to use facial recognition – can instead use an access card and code.”

The Danish Data Protection Authority's decision can be found in its entirety on the Danish Data Protection Authority's website by searching for "FysioDanmark".

3.3. Guidance from the Danish Data Protection Authority and the European Data Protection Board (EDPB)

3.3.1. The Danish Data Protection Authority's guidance on consent

From the Danish Data Protection Authority's guidance on consent from May 2021, which is based on the EDPB's guidelines 5/2020, it appears about the requirement for voluntariness that:

"Consent must be voluntary. The purpose of a consent is to give the data subject a choice and, not least, control over personal data about themselves. Consent is therefore not considered to have been given voluntarily if the data subject does not have a real or free choice. A consent must e.g. not be submitted under duress. This applies regardless of whether it is the data controller or others who exercise coercion against the data subject.

Any form of inappropriate pressure on or influence on the data subject's free will results in the consent being invalid."

Furthermore, the requirement for voluntariness states that:

"A data controller can to a certain extent motivate the data subject to give consent by the fact that there is an advantage associated with consenting. Enrollment in a business benefit program can, for example, involve discounts which motivate the customer to consent to receiving advertising material from the business. The discount or the benefits that a consent to a benefits program entails do not exclude that the consent can be considered voluntary.

However, it is important to be aware of whether a lack of consent entails negative consequences for the data subject who does not want to give consent – e.g. in the form of additional costs…”

Regarding the requirement to be informed, it appears that:

"A consent must be informed. This means that the data subject must be aware of what consent is given to. The data controller must provide the data subject with a range of information to ensure that the data subject can make his decision on an informed basis. There are no formal requirements for how this information must be provided. It is therefore possible to fulfill the requirement both in writing, orally or digitally.”

The Danish Data Protection Authority's guidance on consent can be found in its entirety on the Danish Data Protection Authority's website.

3.3.2. EDPB's guidelines on the use of video equipment for the processing of personal data

From the EDPB's guidelines 3/2019 on the use of video equipment for the processing of personal data, it appears about consent to the processing of biometric data:

"Finally, when consent is required in accordance with Article 9 of the GDPR, the data controller must not make access to its services conditional on acceptance of the biometric processing. In other words, and especially when the biometric processing is used for authentication purposes, the data controller must offer an alternative solution that does not include biometric processing - without restrictions or additional costs for the data subject. This alternative solution is also necessary for persons who do not meet the requirements for the biometric equipment (registration or reading of the biometric data impossible, disability makes its use difficult, etc.), and if the biometric equipment is not available (e.g. in the event of an error in the device). In those cases, an "alternative solution" must be used to ensure the continuity of the intended service, which is however limited to exceptional use. In special cases, there may be a situation where the processing of biometric data is the central activity of a service contract, e.g. if a museum organizes an exhibition demonstrating the use of a facial recognition system. In that case, the data subjects will not be able to reject the processing of biometric data if they wish to visit the exhibition. The consent required under Article 9 is then still valid if the requirements of Article 7 are met.”

3.4. The Danish Data Protection Authority's assessment of the specific case

The case concerns the fitness center SHC's introduction of facial recognition as access control to the company's fitness centers, including SHC's obtaining of consent for the processing of personal data in that connection.

In the aforementioned case of FysioDanmark, the Danish Data Protection Authority has (indirectly) assessed that the use of facial recognition as access control to fitness centers cannot in itself be considered contrary to the basic principles of Article 5 of the Data Protection Regulation, including the requirements for proportionality.

Consequently, the Danish Data Protection Authority finds that SHC – provided the conditions for legal processing are otherwise met – can similarly use facial recognition as access control to its fitness centres.

The Danish Data Protection Authority has also emphasized that the processing takes place on the basis of consent, cf. below, and that the data subject therefore has a choice in relation to – and control over – whether facial recognition takes place and the associated processing of information.

In this connection, the case raises a number of general questions about the requirements for consent, including whether the possible alternatives in the specific case can be considered to constitute a real alternative. Next, the case raises questions about consent in relation to the complainant.

3.4.1. Is the consent generally valid?

When personal data is processed in the form of images in connection with face scanning, biometric data is processed, cf. Article 4, No. 14 of the Data Protection Regulation.

It appears from the case that the system works in such a way that a camera is set up which can scan the customer's face, after which the result is compared with images already uploaded into the system.

Biometric information about the customer in question (collected at the time of identification) is thus compared with a number of biometric templates stored in a database.

Thus, one or more match processes take place, and it is therefore a matter of processing biometric data with the aim of uniquely identifying a natural person.

It is basically prohibited to process such information, cf. the data protection regulation's article 9, subsection 1, unless an exception to this prohibition can be identified in subsection 2 of the provision.

The Danish Data Protection Authority has noted that SHC has set up the system in such a way that the system must be activated in order for a scan to be carried out, e.g. by keystroke, and that there is therefore no (illegal) processing of information about persons who have not consented to facial recognition.

The Danish Data Protection Authority agrees with SHC that express consent, cf. the data protection regulation's article 9, subsection 2, letter a, is the most appropriate exception to the ban, as none of the other exceptions in the data protection regulation, article 9, paragraph 2, is seen to be applicable.

In order for an express consent in accordance with Article 9, subsection 2, letter a, and Article 6, subsection 1, letter a, of the Data Protection Regulation to be valid, it must, according to Article 4, no. 11, of the Data Protection Regulation, be, among other things, voluntary.

A consent cannot be considered voluntary if the procedure for obtaining consent does not give the data subject the opportunity to give separate consent for different processing purposes regarding personal data, and the data subject is thus forced to consent to all purposes. A consent must therefore be granular (divided)[1].

It appears from the case that SHC – in addition to processing biometric data in connection with access control – collects information via the system for use in statistics, including the check-in time of customers. In this connection, SHC has stated that this processing takes place on the basis of the so-called balancing of interests rule in the data protection regulation, Article 6, subsection 1, letter f.

In this connection, the Danish Data Protection Authority agrees with SHC that the information about when a customer checks in is in itself information that is only covered by Article 6 of the Data Protection Regulation.

It is, however, the Danish Data Protection Authority's opinion that this information is of the nature of "derived" information, as the information (depending on the circumstances) is provided through the use of facial recognition.

This processing is therefore also processing of biometric data with the aim of unambiguously identifying a natural person covered by the prohibition in Article 9, paragraph 1, of the Data Protection Regulation.

In order for a consent to be valid, SHC must thereby have made the consent granular so that consent can be given both to the processing of biometric data as part of access to the fitness center and to the use of facial scans to keep the statistics in question.

In this connection, the Danish Data Protection Authority has noted that SHC gives the possibility to give consent to both "use of face scan as an access method" and "use of face scan to keep track of the use of the fitness centre".

On this basis, the Danish Data Protection Authority finds that the consent that SHC obtains is sufficiently granular. However, SHC should consider clarifying in the declaration of consent what "statistics on the use of the fitness center" covers.

In addition, the Danish Data Protection Authority finds reason to note that SHC – regardless of whether SHC bases its processing on Article 6, subsection 1, letter f – cannot use "derived" information, which is provided by using facial recognition, if SHC does not have express consent to this in accordance with Article 9, paragraph 2, letter a.

When it comes to the use of consent in connection with facial recognition, the Danish Data Protection Authority is also of the opinion – in accordance with what is stated in the EDPB's guidelines 3/2019 – that the requirement for voluntariness in a case like this implies that data controllers – in this case SHC – must offer an alternative solution that does not include the processing of biometric information.

This alternative does not have to be identical, but must not involve restrictions or costs for the data subject that are more than insignificant.

It is the Danish Data Protection Authority's assessment that the fact that you have the option to check in at the reception via personal service during the reception's opening hours cannot in itself be considered a similar alternative, as you are thereby limited in your access to the center compared to if you consent to facial recognition.

As SHC has explained, if you do not want to consent to facial recognition, SHC gives you the option - in addition to the option of checking in at the reception via personal service - to call support, who can open the door, and to generate a code by calling support.

Since the alternative options (generate a code or call support) provide the same access to the center as consent to facial recognition, and since the alternative options are not associated with significant limitations or financial costs, the Danish Data Protection Authority considers that SHC offers sufficient alternatives.

In this connection, the Danish Data Protection Authority assumes that there are real alternatives, including that you do not have to wait an unreasonably long time to get through to support in order to generate a code or be let in. 

Since the case, in relation to the issue to which it relates (access for customers), does not otherwise give the Danish Data Protection Authority reason to question the voluntariness of the consent, the Danish Data Protection Authority finds that SHC obtains a voluntary consent.

The Danish Data Protection Authority notes in this connection that the question of possible consent from employees is not part of this case, which is why the Danish Data Protection Authority has not taken a position on this. The Danish Data Protection Authority can refer to its decision in the case of FysioDanmark for considerations in this regard.

In addition to being voluntary, consent must also be informed. This means that the data subject must be aware of what consent is given to. This implies that the data controller must provide the data subject with a range of information to ensure that the data subject can make his decision on an informed basis.

In a situation such as the present one, the Danish Data Protection Authority is of the opinion that the requirement that a consent must be informed implies that the data subject must be informed about the alternatives to consenting to facial recognition that are available.

The Danish Data Protection Authority has established that SHC has made certain efforts to do this, among other things on the info screens at the entrance to the fitness centers and in the company's personal data policy.

As the case has been presented, however, it is the Danish Data Protection Authority's assessment that the information about the alternatives that SHC provides appears fragmented to a certain extent. For example, the data subject appears to have to find detailed information about the possible alternatives in the personal data policy himself, just as the data subject must himself work out what the "code" and the reference to support on the info screens at the entrance to the fitness centres cover.

In any case, the Danish Data Protection Authority is of the opinion that it would be best in line with the requirements for informed consent if, in connection with obtaining the consent – already in the declaration of consent itself – it appears that there are alternatives and where you can read more about them. It is noted in this connection that this appears to be a relatively simple procedure.

On the basis of the above as a whole, the Danish Data Protection Authority finds that SHC, if SHC ensures that the consent that SHC obtains is informed, obtains a valid consent, which according to the data protection regulation's article 9, subsection 2, letter a, may constitute an exception to the ban on the processing of special categories of information. Consequently, the consent will also be able to form the basis for processing in accordance with the data protection regulation, article 6, subsection 1, letter a.

What is otherwise stated in the case, including whether the refusal to give consent is in itself a special category of personal data, cannot lead to a different assessment of the validity of the consent or the legality of the processing in general.

3.4.2. Consent in relation to the complainant?

Regardless of the above regarding the general voluntariness of consent, it is the Danish Data Protection Authority's opinion that the fact that the complainant was told by an employee that "[i]f [a] member does not want to give consent to facial recognition, it is only possible to train in our centers during manned opening hours” must be assumed to have given the complainant a justified perception that there would be no alternatives to facial recognition.

According to the Danish Data Protection Authority's assessment, this is equivalent to there being no alternatives. This means that the consent which was attempted to be obtained from the complainant at that time would not be valid.

Under these circumstances, the Danish Data Protection Authority finds grounds for expressing criticism that the consent that SHC specifically tried to obtain from the complainant was not voluntary and thus not valid.

However, the complainant must be considered to be sufficiently informed about the possible alternatives at the present time, which is why it will be possible to obtain a valid consent.

 

[1] European Data Protection Board Guidelines 5/2020 on consent under Regulation 2016/679 (version 1.1, adopted on 4 May 2020), page 13.