Administrative fine for processing health data without the appropriate consent




Recent sanctions for data protection violations in Finland, an update offered by Lexia – the exclusive law firm member of PrivacyRules for the Finnish jurisdiction. Summary from Markus Myhrberg and Erika Leinonen.


The Office of the Finnish Data Protection Ombudsman’s Sanctions Board imposed an administrative fine of 122,000 euros on a company for data protection violations, and the company was also issued a reprimand. The Sanctions Board noted in particular that extensive processing of health data is a central part of the company’s core business.

The company had asked for consent to the processing of health data in the terms of use of the service. Of the data processed, only heart rate was explicitly mentioned in the terms and conditions. In addition to heart rate, the company also processed data on maximum oxygen capacity and body mass index. According to the Data Protection Ombudsman, the company had not asked the users of the service for sufficiently specific and informed consent to the processing of health data.

The Data Protection Ombudsman found that the controller had informed the data subjects of the processing of their personal data but had not given enough information on the types of personal data being processed and the purposes of processing each type of personal data. 


Additional decisions by the Finnish authority:
