Tietosuojavaltuutetun toimisto (Finland) - 1198/161/2022: Difference between revisions

From GDPRhub

Revision as of 18:59, 19 January 2023

Tietosuojavaltuutetun toimisto - 1198/161/2022
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 9(2)(a) GDPR
Type: Investigation
Outcome: Violation Found
Started: 22.5.2018
Decided: 27.12.2022
Published:
Fine: 122000 EUR
Parties: Polar Oy
National Case Number/Name: 1198/161/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Finnish
Original Source: Tietosuojavaltuutetun toimisto (in FI)
Initial Contributor: Eetu Salpaharju

The Finnish DPA imposed a fine of EUR 122,000 on a company that processed health-related personal data without valid consent.

English Summary

Facts

Polar Oy is a manufacturer of heart rate monitors and smart watches. Between 22.5.2018 and 19.2.2019 the Finnish DPA received five complaints about the way Polar Oy handles special categories of personal data. The Austrian DPA received a complaint on the same matter.

When a customer purchases a Polar smart watch or heart rate monitor, they must register for an online service in order to use all of the device's features. The smart watch itself is separate from the online service, and some basic features can be used without it. The data subject enters information such as sex, height, age and weight into the online service. The device collects heart rate and VO2max data and uploads them to the online service.

When registering for the online service, the data subject must consent to the following statement: "I accept that company can collect and process sensitive personal information, such as heart rate and other sensitive health-related data. I also agree with Polar terms and conditions." A data subject who does not give this consent cannot register for the online service. If the data subject withdraws consent, their account in the online service is frozen and the service cannot be used. After six months the account and all data related to it are deleted. If the user gives consent again, they can continue to use the online service.

Polar's terms and conditions state that some data may be transferred outside the EU. According to the processor, the main servers are located in Finland and Ireland. The processor uses email services and monitoring services located in the US, and some data, such as the data subject's email address and user ID, is transferred to those services. The transfers are based on Article 49(1)(a) GDPR.

The terms and conditions also state that the user grants the controller the right to use and transfer "user generated content" within its systems. If the user withdraws consent, user generated content is not removed; the user can remove it themselves before deleting their account. In this context, user generated content means training results that a data subject can share with other users, as well as messages the data subject can publish. This content has been made available globally and has therefore been transferred outside the EU.

According to the controller, the United Kingdom's Information Commissioner's Office (ICO) received a complaint and held that Polar did not violate the GDPR. That complaint was made because Polar asked for consent from data subjects who were already using the online service. Until then Polar had processed personal data on the basis of contract (Article 6(1)(b) GDPR) and then changed the legal basis to consent (Article 6(1)(a) GDPR). The ICO held that it was lawful to change the legal basis of the processing and that asking the data subjects for consent was necessary. The processing itself did not change.

Holding

The DPA considered the following legal questions in this case.

i) Should the controller have asked for consent to process heart rate data?

Holding: Under Article 9(2)(a) GDPR, the controller should have asked for consent that specifies the types of personal data to be processed.

ii) Should the controller inform the customer about the data processing at the time they purchase a smart watch or heart rate monitor?

Holding: Such a procedure is not required.

iii) Does the controller process special category data other than heart rate data?

Holding: The controller also processes other sensitive data, such as VO2max and BMI.

iv) Were the transfers of data to third countries lawful?

Holding: The controller was entitled to transfer data to third countries (the US). Note that the DPA assessed transfers that took place while the Privacy Shield was still valid; because of the Privacy Shield, specific consent was not needed.

v) Was the consent for processing "user generated content" valid?

Holding: The consent does not comply with Article 4(11) GDPR and Article 7(2) and (4) GDPR.

The DPA found that the controller violated provisions listed in Article 83(5) GDPR and imposed a fine of EUR 122,000 on the controller. In its decision the DPA states that processing sensitive personal data is an essential part of the controller's business, which is why an administrative fine should be imposed for the violation. As mitigating circumstances the DPA counted that the stated purpose of processing health data is beneficial to the data subject and that the controller's profit is not based on processing such data.


Further Resources

Official decision as PDF: https://tietosuoja.fi/documents/6927448/146469002/Tietosuojavaltuutetun+ja+seuraamuskollegion+p%C3%A4%C3%A4t%C3%B6s_1198.161.2022.pdf

Yle (Finnish national broadcasting company) news article naming the controller: https://yle.fi/a/74-20012360

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

The company had not asked the users of its service for individual consent to the processing of health-related types of personal data. The Office of the Data Protection Commissioner imposed a penalty on the company for violating the data protection regulation, as the processing of health data is part of the company's core business. In addition, the Data Protection Commissioner ordered the company to correct its practice in requesting consent.

The Office of the Data Protection Commissioner investigated the company's operating methods in 2018–2019 based on the complaints received. The investigations revealed that the company did not have consent in accordance with the EU's General Data Protection Regulation to process data on body mass index and maximum oxygen uptake capacity. Health data belong to the so-called special categories of personal data and their processing is in principle prohibited. Data can be processed, for example, when the data subject has given their consent.

The company had asked for consent to process health-related data in general, but had not specified the data it collected and processed. The requested consent did not meet the requirements of the data protection regulation, as it was not specific and informed. The Data Protection Commissioner considers that the controller had informed the data subjects that their personal data would be processed, but had not provided sufficient information about the types of personal data being processed and the purpose for which each type of personal data is processed.

The Sanctions Board paid special attention to the fact that the large-scale processing of health data is a key part of the company's core business. "A company whose business mainly includes the processing of personal data must always take care of all the requirements for the proper processing of personal data. In a data-intensive economy, the importance of this will grow all the time," states Data Protection Commissioner Anu Talus.

The matter was dealt with in cooperation between EU countries. The company's service is also available in other EU and EEA countries, which is why the matter was dealt with in cooperation between supervisory authorities. One of the complaints had been initiated in another Member State. The company's establishment in Finland is responsible for the processing of personal data, and the Office of the Data Protection Commissioner acted as the lead supervisory authority in the investigation. The participating supervisory authorities have accepted the decision of the Data Protection Commissioner and the Sanctions Board, and the decision is also binding on them.

The Sanctions Board of the Office of the Data Protection Commissioner imposed a fine of 122,000 euros on the company for data protection violations. In addition, a notice was issued to the company. The decisions are not yet legally binding and can be appealed to the administrative court.

Decisions of the Data Protection Commissioner and Sanctions Board (pdf)

More information: Data Protection Commissioner Anu Talus, anu.talus(at)om.fi, tel. 029 566 6766

The decision-making of the Sanctions Board and the legal protection of controllers are stipulated in the national Data Protection Act. The Sanctions Board consists of the Data Protection Commissioner and two Deputy Data Protection Commissioners. The Board is competent to impose administrative fines for violations of data protection legislation. The maximum amount of the fine is four percent of the company's turnover or 20 million euros.

More information on the so-called one-stop shop mechanism in the European Data Protection Board brochure (pdf)