The Lithuanian privacy regulator has investigated the processing of biometric personal data in a sports club and imposed a fine of EUR 20,000 on VS FITNESS UAB for the identified infringements of the General Data Protection Regulation (GDPR). The sports club required customers and employees to scan their fingerprints.
The State Data Protection Inspectorate (SDPI) has carried out an investigation into processing of biometric personal data in a sports club and imposed a fine in the amount of EUR 20,000 on VS FITNESS UAB for the identified infringements of the General Data Protection Regulation (GDPR). The fine was imposed for infringements of the provisions of Article 5(1)(a), Article 5(1)(c), Article 9(1), Article 13(1), Article 13(2), Article 30 and Article 35(1) of the GDPR, i.e. processing of biometric data without voluntary consent of the data subjects and a failure to ensure other requirements for valid consent, and improper implementation of the data subjects’ right to be informed of data processing; it has also been determined that the company has not carried out an assessment of the impact of data processing on data protection and has failed to maintain records of processing activities.
The personal data protection supervisory authority has conducted an investigation
Having received a notification from a natural person stating that fingerprint scanning is mandatory in order to use the services of the sports club belonging to the company, and that no alternative means of identification is offered in that sports club, the SDPI carried out an inspection into a possible infringement of the GDPR through the company’s processing of fingerprints, in accordance with the procedure prescribed in the Republic of Lithuania Law on Legal Protection of Personal Data.
Processing of the customers’ biometric data
According to the GDPR, biometric data is classified as a special category of data the processing of which, as a general rule, is prohibited except under the conditions provided for in Article 9(2) of the GDPR. The company processed the customers’ fingerprint models on the basis of the data subject’s consent, i.e. on the grounds set forth in Article 9(2)(a) of the GDPR. The SDPI has noted that if the data controller relies on the data subject’s consent as a condition of lawful data processing, it should ensure that the consent meets the set conditions (voluntary, specific, reasonable, informed, unambiguous, provable and withdrawable consent). Having carried out the investigation, the SDPI has determined that the consent to processing of fingerprint models given by the customers is not voluntary and does not satisfy the other requirements for valid consent; therefore, the SDPI has decided that the company unlawfully processes the binary codes of the customers’ fingerprints.
Processing of biometric data of the employees
Furthermore, the SDPI has established that the company also unlawfully processed the employees’ fingerprints. The SDPI has pointed out that, as a rule, an employee’s consent should not be considered an appropriate condition for personal data processing because of the imbalance of power between employer and employee. The company has not specified to the SDPI the purpose for which, or the legal basis on which, it processes its employees’ biometric data, has failed to carry out an assessment of the impact on data protection, and has failed to prove to the SDPI the necessity for and proportionality of processing the employees’ fingerprints. The SDPI has pointed out that the data subjects are entitled to be informed of the processing of their data. Having carried out the inspection, the SDPI has determined that the company does not provide the data subjects with the full information required by the GDPR.
Circumstances relevant to determination of the amount of the fine
When deciding on the imposition of an administrative fine, the SDPI evaluated all relevant circumstances. The SDPI took into consideration the fact that processing of special categories of data without an exception allowing such processing, thereby violating the requirements of Article 5(1)(a), Article 5(1)(c) and Article 9(1) of the GDPR, and inappropriate implementation of the data subjects’ right to be informed of data processing, thereby violating the requirements of Article 13(1) and Article 13(2) of the GDPR, should by its nature be classified as a more serious infringement (Article 83(5) of the GDPR).
Furthermore, the company had already been issued with an instruction on processing of biometric data in another sports club belonging to it. This suggests that the company was aware of how the requirement of voluntariness should be ensured in relation to the customers’ consent to processing of their biometric data, namely that an equivalent, optional alternative means of identification in sports clubs (without using binary codes of fingerprints) should be offered. It also suggests that the company was aware that the customer’s possibility to withdraw the use of his/her fingerprint model at any time must be regulated.
In the light of the aforementioned circumstances, the SDPI has assessed the company’s unlawful processing of the customers’ data as an intentional infringement. The SDPI also took into consideration other identified factors aggravating and mitigating the company’s liability. When deciding on the amount of the fine, the SDPI took into consideration the information on the turnover of the previous and current years provided by the company, and the circumstances, as specified by the company, that the activities of the sports clubs have been significantly restricted this year due to the Coronavirus pandemic.
The aforementioned decision of the SDPI may be appealed against in court.