Polar Oy – €122,000 Fine (Finland, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Polar Oy was fined EUR 122,000 by the Finnish DPA for forcing users to consent to data processing to access online services. Users had to agree to share health data like heart rate to use all features, which made their consent invalid. This case shows that companies can't make service access conditional on giving up privacy rights.
What happened
Polar Oy required users to consent to health data processing to use its online service, making consent invalid.
Who was affected
Customers using Polar Oy's heart rate monitors and smartwatches, who were forced to consent to data processing.
What the authority found
The Finnish DPA ruled that Polar Oy's practice of making service use conditional on consent violated GDPR's consent requirements.
Why this matters
This case warns companies against tying service access to mandatory data consent. Businesses should ensure that consent is freely given and not a condition for using their services.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The controller is a manufacturer of heart rate monitors and smart watches offering its services in multiple Member States in the EU and wordwide. Customers (data subjects) had to register for an online service in order to use all the features of the devices, which required personal information, such as gender, height, age and weight. The device collected heart rate, max VO2 (maximum oxygen capacity) as well as BMI (body mass index) information and uploaded them to the online service. Data subjects could use the collected information to analyse training performance. The Finnish DPA received five complaints from data subjects between 22 May 2018 and 19 February 2019. The Austrian DPA received one complaint on the same matter. The complaints addressed fours main issues. First, according to the complaints, the consent to process heart rate data was forced onto the data subjects as the controller made the use of the online service conditional upon granting consent to process heart rate data. If the data subject subseqently withdrew consent, their online service account would be frozen. However, according to the controller, the device was separate from the online service as some basic features were still usable without the online service. Second, the controller also requested consent for the processing of other personal data, such as max VO2, sleep target time and daily activity target, next to information such as gender, age, height and weight. The controller argued that it was not possible to draw conclusions about a person's health based on this 'raw' data, hence there was no processing of sensitive data other than heart rate data. Allegedly, such conclusions about health would only be possible with the help of medical exminations or additional data. Third, the complaints questioned the lawfulness of data transfers to third countries. Although the controller's servers were located in the EU, in Finland and Ireland, personal data from the controller's email s
Related Enforcement Actions (0)
No other enforcement actions found for Polar Oy in FI
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Polar Oy - Finland (2022). Retrieved from cookiefines.eu
Last updated: