Company – €122,000 Fine (Finland, 2022)

€122,000 | Tietosuojavaltuutetun toimisto | 27 December 2022 | Finland
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The Finnish Data Protection Authority fined a company EUR 122,000 for mishandling health data. The company didn't clearly inform users about how different types of health data were processed, making user consent invalid. This case highlights the importance of transparency in data processing, especially for sensitive information like health data.

What happened

A company processed health data without a clear and valid legal basis, failing to inform users about specific data uses.

Who was affected

Users of the company's products, whose health data such as heart rate and body mass index were processed without proper consent.

What the authority found

The Finnish DPA found that the company lacked a valid legal basis for processing health data, as user consent was not informed and specific.

Why this matters

This decision emphasizes the need for companies to provide detailed information on how they use sensitive data. Businesses handling health information must ensure they have clear user consent for each type of data processed.

GDPR Articles Cited

AI-verified

Art. 9 GDPR
Art. 6(1) GDPR
Original scraped data (from scraper, before AI verification against source document): Art. 9 GDPR

Source verified 6 March 2026
articles corrected
date discrepancy
Full Legal Summary

The Finnish DPA has imposed a fine of EUR 122,000 on a company whose products process health data, such as heart rate. The DPA had received several complaints from data subjects regarding the processing of health data. During its investigation, the DPA found that the company did not have a sufficient legal basis to process various types of health data. While the company had informed users of the products about the processing of personal health data in general, it had failed to provide information, such as the purpose of the processing, for each of the different types of health data (e.g., body mass index or oxygen capacity). Accordingly, the DPA found that the users' consent could not be valid since it was not given on an individual basis and with full knowledge of the facts.

Details

Fine Date

27 December 2022

Authority

Tietosuojavaltuutetun toimisto

Fine Amount

€122,000

Enforcement Tracker ID

ETid-1583

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Company - Finland (2022). Retrieved from cookiefines.eu
