
Four complainants cost gym chain SATS EUR 1 million: How not to deal with complaints


In a recent decision, the Norwegian Data Protection Authority (DPA, Datatilsynet) has imposed a fine of NOK 10 million (approx. EUR 1 million) on SATS ASA, the largest gym chain in the Nordic region, for violations of the General Data Protection Regulation (GDPR).

Published 9 June 2023

Kristian Foss

Partner kf@bull.no


The decision was based on four complaints lodged by individuals regarding the processing of their personal data.

The decision provides important insights and lessons for businesses, particularly with regard to transparency, access rights and data retention, and to how not to handle complaints.

The complaints

The complaints lodged by the individuals alleged that the following breaches had taken place:

  • Access: SATS had denied timely and compliant access to the individuals’ personal data after requests.
  • Transparency: SATS had not provided sufficient information about the processing of their personal data, including the purposes of processing and the recipients of the data.
  • Data retention: SATS had retained their personal data for longer than necessary for the purposes of processing.
  • Legal basis: SATS lacked a valid legal basis for its processing.

The decision

The DPA found that SATS had violated several provisions of the GDPR, including articles 5 and 12 (transparency), 15 (right of access), 17 (right to erasure), and 6 (legal basis).

SATS was slow and incomplete in giving access

The DPA found that SATS had not responded to individuals’ requests for access to their personal data in a timely and compliant manner. The complainants did not receive a copy of their data, only information about the incidents and an extract of SATS’ general terms.

The DPA gave no weight to the fact that one of the access requests was submitted only a month after the GDPR became effective, as the violation was ongoing and the right of access was not a new obligation introduced by the GDPR.

Lack of transparency

The DPA found that SATS had not provided individuals with sufficient information about the processing of their personal data, particularly with regard to the purposes of processing, the recipients of the data and the legal grounds for sharing the data with third parties.

In other words, SATS did not provide their customers with a satisfactory privacy notice.

Data retention – too long

The DPA found that SATS had retained the individuals’ personal data for longer than necessary for the purposes of processing. The data was held for five years to ensure that members expelled for two years did not reenter the gym.

The 60-month retention period, stipulated in SATS’ internal policies, was seen by Datatilsynet as «an extraordinarily long period». In addition, the duration was not disclosed in the privacy policy (which was generally deficient too).

Lack of basis for processing

SATS relied on two alternative bases for processing: consent and performance of a contract. However, SATS did not specify for which purposes each legal ground applied. In any event, parts of the processing, such as training history, were not necessary for the performance of the contract. And the consent was not valid because it was bundled into the general terms (and thus neither informed nor clear).

Why the high fine?

All of the above, and the fact that the lack of information and of a basis for processing affected all of SATS’ 700 000 members, explain the relatively high fine. However, the fine constitutes only 0,9% of SATS’ revenue for 2021, the DPA found.

The following circumstances (from GDPR art. 83) were weighed heavily or moderately against SATS:

  • duration
  • gravity
  • systematic breach
  • high number affected (transparency and lack of legal basis)
  • negligence
  • delicate data (even if not legally sensitive)
  • failure to report breach or address complaints

SATS’ challenging financial situation was taken into consideration.

Lessons for businesses

The decision by the Norwegian DPA provides important lessons for businesses on the importance of compliance with the GDPR, particularly with regard to transparency, access rights, and data retention:

  • Reply quickly and fully to requests for access and deletion. The complainants would likely not have complained to the DPA if SATS had provided a satisfactory response early.
  • Draft a clear privacy notice, including:
    a) who the recipients of the data are
    b) clarity about which legal basis applies to which processing
  • Don’t bundle consent text into general terms.
  • Minimise the data processing; do not store too much data for too long.
  • Do not stretch ‘necessity to perform a contract’ as a legal basis too far. The limit is strict.
  • Train staff to handle requests swiftly and correctly.

See the whole 45-page decision of 6 February 2023 in English here.
