Finland

Company

122,000 €

GDPR enforcement action by Deputy Data Protection Ombudsman on 2022-12-27.

Rank · Sector

#73

of 597 in Industry and Commerce

Rank · Finland

#11

of 27

Rank · All fines

#431

of 3,050

Case details

Authority: Deputy Data Protection Ombudsman
Date: 2022-12-27
Controller / Processor: Company
Sector: Industry and Commerce
Quoted Articles: Art. 9 GDPR
Type of violation: Insufficient legal basis for data processing

Summary

The Finnish DPA has imposed a fine of EUR 122,000 on a company with products that process health data, such as heart rate, etc.
The DPA had received several complaints regarding the processing of health data from data subjects. During its investigation, the DPA found that the company did not have a sufficient legal basis to process various types of health data. While the company had informed users of the products about the processing of personal health data in general, it had failed to provide information for each of the different types of health data (e.g., body mass index or oxygen capacity), such as the purpose of the processing. Accordingly, the DPA found that the users' consent could not be valid since it was not given on an individual basis and with full knowledge of the facts.

Open original source Links to the regulator's original publication or another source.