UAB VS FITNESS – €20,000 Fine (Lithuania, 2021)

The Lithuanian DPA ('VDAI') received a complaint stating that in order to use the services of a sports club (UAB VS FITNESS), fingerprint scanning is required. It then initiated an own volition investigation of a possible breach of the GDPR. The VDAI found that the sports club had violated the following GDPR provisions: * It violated Article 9(1) GDPR by processing the biometric data of customers, which is special category data. The sports club had attempted to rely on the consent exception, outlined at Article 9(2), that special category data may be processed where the data subject provides their consent. However, the VDAI found that consent collected from customers did not satisfy the requirements for valid consent established in the GDPR. In particular, since consent to the biometric system was not voluntary, it was not freely given; * The processing of employees' fingerprints was also in breach of Article 9(1) GDPR, as the club had again attempted to rely on consent as a basis for processing. The VDAI highlighted that employee consent is generally considered invalid due to the power imbalance with an employer. Moreover, the club did not specify the purpose and legal basis of the processing of employee data, nor had it demonstrated the necessity and proportionality of this processing, in violation of Article 5(1)(c) GDPR; * It violated Article 13(1) and (1) GDPR, and Article 5(1) GDPR by failing to adequately inform data subject's about the processing of their data; * It failed to perform an assessment of the impact of the processing of biometric data, in violation of Article 35(1) GDPR; * It did not manage a record of its processing activities, in violation of Article 30 GDPR. It thus issued a fine of €20,000. In determining the fine, the VDAI took into account: * The processing of special categories of personal data; * That Improper exercise of data subject's right to be informed falls into a category of more serious infringements under Article