FysioDanmark – Order (Denmark, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
FysioDanmark planned to use facial recognition for gym access, but Denmark's privacy authority warned them about potential GDPR issues. The system needed to be truly voluntary and required clear consent for processing biometric data. This case highlights the importance of obtaining proper consent for sensitive data use.
What happened
FysioDanmark intended to use facial recognition to allow gym access, but faced a warning about GDPR compliance.
Who was affected
Gym customers and employees who would have their faces scanned for access.
What the authority found
The Danish DPA warned that FysioDanmark's system could only comply with GDPR if it was voluntary and based on clear consent for biometric data processing.
Why this matters
This case underscores the need for businesses to ensure that consent for using sensitive data like biometrics is clear and voluntary. Companies should provide alternatives to such systems, especially for employees.
GDPR Articles Cited
National Law Articles
FysioDanmark, a Danish company, intended to use a facial recognition system to enable entrance to its gym by customers and employees without using cards or passwords. To do so, a camera would be set up at the gym entrance. It could scan faces and compare them with photographs already stored in the system. FysioDanmark intended the system to be voluntary and based on consent. Consent is given when the customer or employee agrees to be registered in the system and a picture of their face is taken. In addition to enabling entrance to the gym, the system was also meant to collect information about customers for statistics and business optimisation purposes.
The Danish DPA issued a warning in respect of the intended use of the facial recognition system by FysioDanmark. The system would process biometric data for the purpose of uniquely identifying a natural person. Consequently, the DPA held that it could be compliant with the GDPR only if based on data subjects' consent under Article 9(2)(a) GDPR, Article 4(11) GDPR and Article 7 GDPR. No other legal basis under Article 9 GDPR was possible. The DPA accepted the proposed use of the system as long as it would be truly voluntary and the customers and, given the existing imbalance, especially employees could opt for access via cards or passwords instead.
However, the DPA held that the customers should also give consent specifically to their data being processed for statistical and business optimisation purposes. Normally, information about the amount of time that customers spend in the gym could be processed on the basis of Article 6 GDPR. However, here it constitutes information derived from the processing of biometric data. For this reason, such processing must also be based on consent under Article 9(2)(a) GDPR. On this matter, the DPA emphasized that consent cannot be freely given if the data subject cannot consent to different processing activities separately.
Lastly, the DPA held that the system woul
Outcome
Order
A binding order requiring the controller to take specific action.
Related Enforcement Actions (0)
No other enforcement actions found for FysioDanmark in DK
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. FysioDanmark - Denmark (2022). Retrieved from cookiefines.eu