LITHUANIAN SUPERVISORY AUTHORITY: The company managing sports clubs has been fined for processing biometric data and other violations of the GDPR


The State Data Protection Inspectorate (VDAI) conducted an inspection regarding the processing of biometric personal data in a sports club and, on 22 December 2022, imposed a fine of EUR 6 thousand for the identified violations of the General Data Protection Regulation (GDPR) on UAB “Praktiškas” (hereinafter – the Company), which manages the “SportGates” sports clubs.

The Company was fined for processing the biometric data of data subjects (customers) without their voluntary consent and for improperly implementing the data subjects’ right to be informed about data processing. It was also established that the Company did not carry out a data protection impact assessment before starting to process biometric data and did not keep activity records (i.e. violations of GDPR Article 5(1)(a), Article 9(1), Article 13(1)-(2), Article 30(1) and (3), and Article 35(1) and (3)(b)).

VDAI carried out the inspection, related to a possible violation of the GDPR, on its own initiative after receiving a notification from a natural person. The notification indicated that one of the sports clubs belonging to the Company does not provide an alternative identification option (biometric data is used for identification), so a person who refuses to consent to the processing of biometric data cannot use the services provided by the sports club.


Management of customers’ biometric data

Under the GDPR, biometric data belongs to the special categories of personal data, the processing of which is prohibited unless an exception provided in Article 9(2) of the GDPR applies. The Company processes customers’ biometric data on the basis of their consent, that is, on the basis established in Article 9(2)(a) of the GDPR; therefore, customers must be given the conditions (ways) to express their consent to the processing of their biometric data of their own free will. If customers (data subjects) do not have a free choice, such consent is not considered to be freely given, and accordingly the processing of biometric data collected on the basis of that consent is considered illegal.

After carrying out the inspection, the VDAI found that the consent given by customers to the processing of their biometric data was not voluntary: when customers register for access to the sports club at the self-service terminal, biometric data is indicated as the only method of access. During the inspection, it was established that there were no alternatives to the use of biometric data for entering the sports club, and that no information (informative message) was provided about other possible ways of entering that the customer could use. The Company argued that, for example, the telephone number of the administration is specified and that an access card to the sports club is issued to anyone who calls and asks for one. The VDAI explains, however, that every data controller who processes biometric data must clearly provide data subjects with information about the alternatives to the processing of biometric data.


Informing customers about the processing of personal data

Article 13 of the GDPR regulates what information the data controller must provide to the data subject at the time the data is obtained, when personal data is collected from the data subject. The Company argued that information about the processing of biometric data is provided to customers in the Privacy Policy, which is always presented to customers when the contract is concluded. During the on-site inspection of the sports club regarding the processing of biometric data, it was found that a person registering at the self-service terminal as a new customer must agree to the Rules of Use of the sports club, while information about the Privacy Policy was not provided.


Significant circumstances when deciding on the amount of the fine

When deciding on the imposition of an administrative fine and its amount, the VDAI took into account the fact that the Company processes special categories of personal data, and that the processing of such data subjects data controllers to higher standards under the GDPR. It also took into account the fact that the violation is continuous and systemic, i.e. not related to a single person, and that some of the violations established against the Company are classified as more serious violations (GDPR Article 83(5)(a) and (b)). The VDAI also assessed the factors specified in Article 83(2) of the GDPR that must be taken into account when imposing an administrative fine, as well as the information provided by the Company about its turnover in the previous year and the Company’s explanations.

https://vdai.lrv.lt/lt/naujienos/sporto-klubus-valdanciai-bendrovei-skirta-bauda-del-biometriniu-duomenu-tvarkymo-ir-kitu-bendrojo-duomenu-apsaugos-reglamento-pazeidimu/
