A heart rate monitor and smartwatch manufacturer offered its services worldwide, collecting personal data such as gender, age, height, and weight. The device uploaded this information to an online service, where data subjects could analyze their training performance.

The Finnish DPA received five complaints, and the Austrian DPA received one complaint, alleging four main issues. First, consent for processing heart rate data was forced onto data subjects as a condition of using the online service. Second, the controller requested consent for processing personal data, such as max VO2, sleep target time, daily activity target, and gender, age, height, and weight, claiming that this information was not sensitive. Third, complaints were made about the lawfulness of transferring data to third countries. Fourth, data subjects were not given a separate consent form for processing user-generated content.

The Finnish DPA was the lead supervisory authority. After investigation, it determined that the controller did not have a valid legal basis for processing heart rate data or raw information like max VO2 and BMI. Consent must be explicit and specific for each purpose for which the personal data is processed, and cannot be conditional upon accessing a service. The Finnish DPA also found that the controller had a valid legal basis to transfer personal data to the US before November 2019 when the previous adequacy decision under Article 45 GDPR, called Privacy Shield, was in force.