SATS Norway AS – €870,000 Fine (Norway, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Norway's Datatilsynet fined SATS Norway AS EUR 870,000 for mishandling personal data of its gym members. The company failed to respond to data access and erasure requests and transferred data without a legal basis. This case underscores the importance of respecting user rights and having clear data handling practices.
What happened
SATS Norway AS mishandled personal data by not responding to access and erasure requests and transferring data without a legal basis.
Who was affected
Members of SATS Norway AS whose personal data was not properly managed.
What the authority found
The Norwegian DPA fined SATS Norway AS for failing to comply with GDPR requirements on data handling and user rights.
Why this matters
This fine emphasizes the need for companies to handle personal data responsibly and respond to user requests promptly. It serves as a warning to businesses to ensure compliance with GDPR, especially regarding data transfers and user rights.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Entities Involved
The company SATS ASA (the controller) is a provider of fitness and training services. It has its headquarters in Norway and is also active in Denmark, Finland and Sweden. The company has over 270 clubs, about 9,000 employees and more than 700,000 members. According to one of these members (data subject 1), the controller had transferred their personal data to other companies within its corporate group in May 2018. The controller had also transferred data to Facebook, which was located outside the EU/EEA, without a proper legal ground. This data subject further claimed that an access request, submitted on 29 August 2018, had remained unanswered. Data subject 1 filed a complaint at the Norwegian DPA (Datatilsynet) on 2 October 2018. Another member (data subject 2), who had already terminated their membership, claimed that the controller had not responded to an access request (Article 15 GDPR), which was submitted on 25 February 2019. The controller had also refused to comply with an erasure request (Article 17 GDPR) submitted on the same date. Data subject 2 filed a complaint at the DPA on 1 March 2019. Another member (data subject 3), who had also terminated their membership, claimed that the controller had refused to comply with an erasure request (Article 17 GDPR), which was submitted on 05 October 2019. Data subject 3 filed a complaint at the DPA on 07 October 2019. On 7 September 2021 and 5 October 2021, the DPA formally approached the controller and asked the company to express its views on the issues raised in Complaint No 2 and Complaint No 3. The controller replied on 1 December 2021. On 8 December 2021, the DPA received yet another complaint from a member (data subject 4) concerning the controller’s refusal to comply with an erasure request (Article 17 GDPR), submitted on 6 August 2021. On 23 March 2022, the DPA sent further questions to the controller on all of the above complaints and received the controller’s response on 28 April 2022. Despite receivi
Related Enforcement Actions (0)
No other enforcement actions found for SATS Norway AS in NO
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
6 February 2023
Authority
Datatilsynet (Norway)
Fine Amount
€870,000
10,000,000 NOK
GDPRhub ID
gdprhub-5677About this data
Cite as: Cookie Fines. SATS Norway AS - Norway (2023). Retrieved from cookiefines.eu
Last updated: