Administrative fine imposed on company for processing health information without the appropriate consent

The company had not asked the users of its service for their specific consent to the processing of health-related personal data. The Office of the Data Protection Ombudsman imposed an administrative fine on the company for violating the General Data Protection Regulation since the processing of health data is part of the company's core business. In addition, the Data Protection Ombudsman ordered the company to rectify its practices for requesting consent.

The Office of the Data Protection Ombudsman investigated the company's practices based on complaints made in 2018–2019. The investigations revealed that the company did not have the consent required by the GDPR for processing data on body mass indices and maximal oxygen uptake.

Health data belongs to 'special categories of personal data' and its processing is generally not permitted. Such data can be processed in certain cases, however, such as if the data subject has given their consent to the processing. The company had asked for consent to the processing of health data in general but had not specified which data it was collecting and processing. The consent requested did not meet the requirements of the GDPR as it was not specific and informed.

The Data Protection Ombudsman finds that the controller had informed the data subjects of the processing of their personal data but had nevertheless not provided sufficient information on the types of personal data being processed and the purposes of processing each type. 

The Sanctions Board especially pointed out that the extensive processing of health data is part of the company's core business.

”When the processing of personal data is a core element of a company's business, the company must meticulously ensure that all requirements for appropriate processing are met. This is becoming more and more important in our data-intensive economy”, says Data Protection Ombudsman Anu Talus.

The case was processed together by several Member States

The company's service is also available in other EU and EEA Member States, so the matter was processed in cooperation by their supervisory authorities. One of the complaints had been instituted in another Member State.

The company's office in Finland is responsible for the processing of personal data, and the Office of the Data Protection Ombudsman served as the lead supervisory authority in the investigation. The supervisory authorities involved have accepted the decision of the Data Protection Ombudsman and the Sanctions Board and are also bound by it.

The Office of the Data Protection Ombudsman's Sanctions Board imposed an administrative fine of EUR 122,000 on the company for data protection violations. The company was also issued a reprimand.

The decisions are not yet final and can be appealed in the Administrative Court.

The decisions of the Data Protection Ombudsman and the Sanctions Board (pdf, in Finnish)

Further information:

Data Protection Ombudsman Anu Talus, anu.talus(at)om.fi, tel. +358 29 566 6766

The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act. The sanctions board is made up of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen, and it has the power to impose administrative fines for violations of data protection legislation. The maximum amount of the administrative fine is four percent of the company’s turnover or EUR 20 million.