D.A.A.A (Data subject) v. Anonymous Controller (Manufacturer of Heart Rate Monitors and Smart Watches)

€122,000 in fines

Excerpt

The Finnish DPA fined a manufacturer for bundling consent for several processing purposes into a single consent and for processing personal data without valid consent.

Our analysis

A heart rate monitor and smartwatch manufacturer offered its services worldwide, collecting personal data such as gender, age, height, and weight. The device uploaded this information to an online service in which data subjects could analyze their training performance. The Finnish DPA received five complaints and the Austrian DPA one, together alleging four main issues. First, consent to the processing of heart rate data was forced on data subjects as a condition of using the online service. Second, the controller requested consent to process personal data such as max VO2, sleep target time, daily activity target, gender, age, height, and weight, while claiming that this information was not sensitive. Third, the complaints questioned the lawfulness of transfers of data to third countries, and fourth, data subjects were not given a separate consent for the processing of user-generated content. The Finnish DPA acted as lead supervisory authority and, after investigation, found that the controller had no valid legal basis for processing heart rate data or derived information such as max VO2 and BMI. Consent must be explicit and specific to each purpose for which the personal data is processed, and it cannot be made a condition of access to a service. The Finnish DPA also found that the controller had a valid legal basis to transfer personal data to the US before November 2019, when the previous adequacy decision under Article 45 GDPR, Privacy Shield, was in force.

Outcome

The Finnish Data Protection Authority, acting as lead supervisory authority, took several enforcement actions against the controller. It ordered the controller to bring its processing activities into compliance with the GDPR, in particular by establishing a valid legal basis for the processing of personal data on its online service. It also reprimanded the controller for processing max VO2 and BMI data without a legal basis. Finally, it imposed a fine of €122,000 on the controller for these GDPR violations, in accordance with Articles 58(2)(i) and 83 GDPR.

Parties

D.A.A.A (Data subject) and Anonymous Controller (Manufacturer of Heart Rate Monitors and Smart Watches)

Case number

1198/161/2022

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.