The Finnish DPA fined a manufacturer for bundling consent for several distinct purposes into a single consent and for processing personal data without a valid consent.
Excerpt
Our analysis
A heart rate monitor and smartwatch manufacturer offered its services worldwide, collecting personal data such as gender, age, height, and weight. The device uploaded this information to an online service where data subjects could analyze their training performance. The Finnish DPA received five complaints and the Austrian DPA one, raising four main issues. First, consent to the processing of heart rate data was forced on data subjects as a condition of using the online service. Second, the controller requested consent to process personal data such as max VO2, sleep target time, daily activity target, gender, age, height, and weight while claiming that this information was not sensitive. Third, the complaints questioned the lawfulness of transfers of personal data to third countries. Fourth, data subjects were not asked for a separate consent for the processing of user-generated content. The Finnish DPA acted as lead supervisory authority. After its investigation it found that the controller had no valid legal basis for processing heart rate data or values such as max VO2 and BMI. Consent must be specific to each purpose for which personal data is processed, must be explicit where health data is concerned, and cannot be made a condition of access to the service. The Finnish DPA also found that the controller had a valid legal basis for transfers of personal data to the US made before November 2019, when the previous adequacy decision under Article 45 GDPR, the Privacy Shield, was still in force.
Outcome
The Finnish Data Protection Authority, acting as lead supervisory authority, took several enforcement actions against the controller. It ordered the controller to bring its processing into line with the GDPR, in particular by establishing a valid legal basis for the processing of personal data on its online service. It reprimanded the controller for processing max VO2 and BMI data without a legal basis. Finally, it imposed an administrative fine of €122,000 for these violations under Articles 58(2)(i) and 83 GDPR.
Parties
D.A.A.A (Data subject) and Anonymous Controller (Manufacturer of Heart Rate Monitors and Smart Watches)
Case number
1198/161/2022
Decision
Related deceptive patterns
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Related laws
Outlines the rules and restrictions surrounding the processing of sensitive personal data.