Tietosuojavaltuutetun toimisto (Finland) - 1198/161/2022: Difference between revisions

Revision as of 15:43, 24 January 2023

Tietosuojavaltuutetun toimisto - 1198/161/2022
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 9(2)(a) GDPR
Type: Investigation
Outcome: Violation Found
Started: 22.5.2018
Decided: 27.12.2022
Published:
Fine: 122000 EUR
Parties: Polar Oy
National Case Number/Name: 1198/161/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Finnish
Original Source: Tietosuojavaltuutetun toimisto (in FI)
Initial Contributor: Eetu Salpaharju

In a procedure pursuant to Article 60 GDPR, the Finnish DPA imposed a €122,000 fine on a manufacturer of heart rate monitors due to lack of valid consent for the processing of personal data, including health data, on its online service.

English Summary

Facts

The controller is a manufacturer of heart rate monitors and smart watches offering its services in multiple Member States in the EU and worldwide. Customers (data subjects) had to register for an online service in order to use all the features of the devices, which required personal information, such as gender, height, age and weight. The device collected heart rate, max VO2 (maximum oxygen capacity) as well as BMI (body mass index) information and uploaded them to the online service. Data subjects could use the collected information to analyse training performance.

The Finnish DPA received five complaints from data subjects between 22 May 2018 and 19 February 2019. The Austrian DPA received one complaint on the same matter. The complaints addressed four main issues.

First, according to the complaints, the consent to process heart rate data was forced onto the data subjects as the controller made the use of the online service conditional upon granting consent to process heart rate data. If the data subject subsequently withdrew consent, their online service account would be frozen. However, according to the controller, the device was separate from the online service as some basic features were still usable without the online service.

Second, the controller also requested consent for the processing of other personal data, such as max VO2, sleep target time and daily activity target, next to information such as gender, age, height and weight. The controller argued that it was not possible to draw conclusions about a person's health based on this 'raw' data, hence there was no processing of sensitive data other than heart rate data. Allegedly, such conclusions about health would only be possible with the help of medical examinations or additional data.

Third, the complaints questioned the lawfulness of data transfers to third countries. Although the controller's servers were located in the EU, in Finland and Ireland, personal data from the controller's email service would be sent to a server located in the US. For these transfers, the controller used as a legal basis consent under Article 49(1)(a) GDPR (prior to November 2019). The controller submitted that it had asked data subjects for consent to transfer the data to the US in order to make them more aware of the processing carried out by the company.

Fourth, the data subjects noted that while accepting the terms and conditions, they also had to consent to the controller processing "user-generated content", that is any content uploaded or transmitted to the online service (e.g. training results) apart from the information initially provided. There was no separate consent form for the processing of user-generated content. This data would be made available globally and also transferred outside the EU. If the data subject withdrew their consent, the user-generated data would not be removed. The data subject could request their deletion only by closing their account.

Because the controller operated in multiple Member States, the cooperation mechanism under Article 60 GDPR was activated. Since the controller's main establishment was located in Finland, the Finnish DPA was the lead supervisory authority (Article 65 GDPR), while the concerned supervisory authorities (Article 4(22) GDPR) were, among others, the Austrian, Belgian, Czech and Danish DPAs. After investigating the controller's processing practices as well as receiving the submissions by the concerned supervisory authorities, the Finnish DPA issued a draft decision pursuant to Article 60(3) GDPR. No objections were raised by concerned supervisory authorities, rendering it a binding decision on the controller.

Holding

With regards to the processing of heart rate data, the Finnish DPA referred to an Article 29 Working Party Letter to the European Commission regarding health data. The DPA explained that although a single heart rate record might not be enough to constitute personal data, according to WP29, together with other information, such as gender, age and weight, conclusions about a person's health could be drawn. Therefore, the DPA held that the heart rate data must be considered as health data within the meaning of Article 4(15) GDPR and Article 9(1) GDPR. Processing of sensitive data requires a legal basis under Article 9(2) GDPR. In the present case, the DPA stated that since the controller processed heart rate data for the provision of a value-added service, the processing must be subject to the explicit consent of the data subject (Article 9(2)(a) GDPR). However, the consent given should also meet the conditions of Article 7 GDPR, meaning it cannot be conditional upon accessing a service. Hence, although not explicitly reiterated by the DPA, the controller did not have a valid legal basis to process heart rate data.

Similarly to the heart rate data, the DPA considered other 'raw' information collected by the service, such as max VO2 and BMI, to constitute health data to the extent that it can lead to conclusions about a data subject's health when combined with other personal data uploaded to the service. The DPA stipulated that the controller must collect explicit and specific consent for each purpose the personal data is processed for. The controller did not collect explicit consent for the processing of this information, thereby violating Article 9(2) GDPR.

The DPA also analysed the controller's legal basis for personal data transfers to third countries, specifically the US. However, the DPA only took into account the controller's practices prior to November 2019, when the controller's submissions in the investigation were made. The DPA concluded that the controller did not need to collect consent under Article 49(1)(a) GDPR because, at that time, the previous adequacy decision under Article 45 GDPR, called Privacy Shield, was still in force and the controller had a valid legal basis to transfer personal data to the US. The DPA did not make any further assessments on the situation after the CJEU Schrems II judgement, which invalidated the Privacy Shield.

Concerning the consent to process 'user-generated data', the DPA held that merely accepting the terms and conditions of the online service could not be considered as consent. According to Article 7(2) GDPR, where the data subject gives consent in a written communication which also concerns other matters, the request for consent must be clearly distinguished from the other matters in an easily understandable and accessible form in clear and plain language. Moreover, in order for consent to be freely given, in line with Article 7(4) GDPR, it cannot be conditional upon the provision of a service. The DPA held that the controller had not collected valid consent from the data subjects and therefore had no valid legal basis under Article 6(1) GDPR.

The Finnish DPA, as lead supervisory authority, ordered the controller, pursuant to Article 58(2)(d) GDPR, to bring its processing activities in line with the GDPR, especially with regards to finding a valid legal basis for the processing of personal data on its online service. The DPA further reprimanded the controller, pursuant to Article 58(2)(b) GDPR, for processing max VO2 and BMI data without a legal basis. Finally, the DPA fined the controller, pursuant to Articles 58(2)(i) and 83 GDPR, €122,000 for the afore-discussed GDPR infringements.

Further Resources

Official decision as PDF

Yle (Finnish national broadcasting company) news article naming the controller

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

The company had not asked the users of its service for individual consent to the processing of health-related types of personal data. The data protection commissioner's office imposed a penalty on the company for violating the data protection regulation, as the processing of health data is part of the company's core business. In addition, the data protection commissioner ordered the company to correct its practice in requesting consent.

The Office of the Data Protection Commissioner investigated the company's operating methods in 2018–2019 based on the complaints received. The investigations revealed that the company did not have consent in accordance with the EU's General Data Protection Regulation to process data on body mass index and maximum oxygen uptake capacity. Health data belong to so-called special personal data groups and their processing is basically prohibited. Data can be processed, for example, when the data subject has given his consent.

The company had asked for consent to process health-related data in general, but had not specified the data it collected and processed. The requested consent did not meet the requirements of the data protection regulation, as it was not individualized and informed. The Data Protection Commissioner considers that the data controller had informed the data subjects that their personal data would be processed, but had not provided sufficient information about the types of personal data being processed and the purpose for which each type of personal data is being processed.

The disciplinary board paid special attention to the fact that the large-scale processing of health data is a key part of the company's core business. "A company whose business mainly includes the processing of personal data must always take care of all the requirements for the proper processing of personal data. In a data-intensive economy, the importance of this will grow all the time," states Data Protection Commissioner Anu Talus.

The matter was dealt with in cooperation between EU countries. The company's service is also available in other EU and EEA countries, which is why the matter was dealt with in cooperation between supervisory authorities. One of the complaints had been initiated in another Member State. The company's location in Finland is responsible for the processing of personal data, and the data protection commissioner's office acted as the leading supervisory authority in the investigation. The participating supervisory authorities have accepted the decision of the Data Protection Commissioner and the Sanctions College, and the decision is also binding on them.

The sanction panel of the Office of the Data Protection Commissioner imposed a fine of 122,000 euros on the company for data protection violations. In addition, a notice was issued to the company. The decisions are not yet legally binding and can be appealed to the administrative court.

Decisions of the Data Protection Commissioner and Sanctions Board (pdf)

More information: Data Protection Commissioner Anu Talus, anu.talus(at)om.fi, tel. 029 566 6766

The decision-making of the Sanctions Board and the legal protection of data controllers are stipulated in the National Data Protection Act. The disciplinary board consists of a data protection commissioner and two deputy data protection commissioners. The college is competent to impose administrative fines for violations of data protection legislation. The maximum amount of penalty payments is four percent of the company's turnover or 20 million euros.

More information on the so-called one-stop-shop mechanism in the European Data Protection Board brochure (pdf)