On 6 February 2023 the Norwegian Data Protection Authority (“Datatilsynet“) issued an administrative fine in the amount of approx. EUR 860,000 against the Norwegian fitness company SATS ASA (“SATS“), for violation of GDPR through unlawful collection and processing of the members’ data.
This blog post examines two particularly interesting aspects of the 45-page decision: one aspect relates to the choice of the appropriate legal basis for processing, and the other to the question of whether the same action may violate both a general principle of the GDPR and a specific obligation for adherence to that principle.
SATS is a leading provider of fitness and training services in the Nordics with over 270 clubs, close to 9000 employees and over 700.000 members. It is headquartered in Norway, but also operates fitness clubs also in Denmark, Finland and Sweden. Datatilsynet had received several complaints from current and former members of SATS concerning alleged infringements of their rights, particular in connection with the SATS’ handling of the data subjects’ requests. Following the investigation, Datatilsynet found that SATS had violated GDPR by (1) failing to timely act upon two separate access requests, (2) failing to take prompt action and erase certain personal data without undue delay pursuant to three separate erasure requests, (3) failing to duly inform data subjects about its data retention policy concerning the personal data of banned members, and the relevant legal basis for the processing; and (4) by failing to rely on a valid lawful basis to process the training history data of the members of its fitness centres.
Relevant legal basis is the one communicated to the data subjects
Datatilsynet stated that the legal basis for processing must be identified and communicated to data subjects at the outset of the processing, and it is not possible for the controller to “fix” the legal basis ex post. On theses grounds, Datatilsynet’s assessment of the appropriateness of the legal basis focused on consent and performance of a contract, the only legal bases featuring in SATS’ privacy policy and terms and conditions.
The privacy policy provided that SATS’ legal basis for the processing of personal data of its customers was generally the “performance of a contract” and in some cases consent, but without specifying which purposes were covered by each of these legal bases.
On the other hand, the SATS’ terms and conditions provided that “the Member agrees that SATS can save training history data in order to be able to monitor Member activities and facilitate Member training” and also that “the Member can withdraw consent to their training history and request that such be deleted”. This indicated that SATS considered consent to be the legal basis for processing of the members training history data.
SATS claimed that the term “consent” in the general terms and conditions should not be interpreted as “consent” for GDPR purposes. Datatilsynet did not accept that view, as this term was included in the general terms and conditions under the heading which exclusively dealt with data protection and privacy matters. Moreover, the English version of that section expressly stated that consent could be withdrawn, which further confirmed that the terms and conditions used the term “consent” in accordance with the GDPR.
Neither the privacy policy nor the terms and conditions mentioned the legitimate interest as a legal basis for the processing of personal data. However, during the correspondence with one of the data subjects pursuant to a complaint, SATS stated that the legal basis for the processing of training history data was “Article 6(1)(b) and (f)”, i.e. performance of a contract and legitimate interest, respectively.
Datatilsynet refused to examine applicability of the legitimate interest as a legal basis for the processing. The only relevant bases were, in the view of Datatilsynet, those communicated by SATS to data subjects (in the privacy policy and in the terms and conditions).
Consent invalid because “bundled”; processing not necessary to perform the contract
Consent as a legal basis for the processing of data related to training history was not appropriate, as it was bundled with the acceptance of SATS terms and conditions for the use of the main service. Under those circumstances, consent could not be considered to be freely given and informed.
Datatilsynet found that the processing of the members’ training history by SATS was not invariably and objectively necessary to perform the contract, at least with regard to those members who intended to make only a basic use of SATS’ training facilities. The fact that the consent for the processing could have been withdrawn confirmed that the processing of training history data was objectively not necessary to provide SATS’ services. In this regard, Datatilsynet invoked the authority of the European Data Protection Board (EDPB), which analysed the concept of “necessity” for performance of the contract in its Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects (“Guidelines“). In the Guidelines, EDPB stated that “Article 6(1)(b) will not cover processing which is useful but not objectively necessary for performing the contractual service or for taking relevant pre-contractual steps at the request of the data subject, even if it is necessary for the controller’s other business purposes” (para. 25). SATS stated that the processing of such data is “relevant to offer its services”, but it failed to explain or show how such processing would be necessary to perform the contract with its members.
SATS challenged what in its view was “strict” interpretation of Article 6(1)(b) without basis in the GDPR. Datatilsynet dismissed that argument, citing the case law of the CJEU on the notion of ‘necessity of processing personal data’, where the CJEU has repeatedly found that “derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary” (Case C-13/16, Rīgas satiksme).
For the purpose of easier self-assessment of data controllers and processors to what is necessary for the performance of a contract, EDPB designed the following guidance questions within the scope of the Guidelines (para. 33):
- What is the nature of the service being provided to the data subject? What are its distinguishing characteristics?
- What is the exact rationale of the contract (i.e. its substance and fundamental object)?
- What are the essential elements of the contract?
- What are the mutual perspectives and expectations of the parties to the contract? How is the service promoted or advertised to the data subject? Would an ordinary user of the service reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are a party?
Ne bis in idem and violation of several GDPR articles through the same conduct
SATS claimed that the finding of breaches of several GDPR articles by virtue of the same conduct would violate the ne bis in idem principle. Datatilsynet disagreed.
In one example, Datatilsynet found that SATS violated both Article 12(3) and Article 15. In another example, Datatilsynet found violations of Articles 5(1)(a), 12(1), 13(1)(c), and 13(2)(a) of the GDPR.
Datatilsynet concluded that the principle ne bis in idem is not applicable in situations in which several penalties are imposed in a single decision, even if those penalties are imposed for the same actions. This is even specifically envisaged in Article 83(3) GDPR, which provides that if a controller or processor “for the same or linked processing operations, infringes several provisions of GDPR”, the total amount of the administrative fine may not exceed the amount specified for the gravest infringement.
In the first example invoked by SATS, Articles 12(3) and 15 of GDPR may in the opinion of Datatilsynet be cumulatively violated, because the first provision regulates the timeframe within which the data controller must provide information on action taken on an access request, whereas the second provision establishes what kind of information must the data controller provide in response to such a request.
SATS also argued that the breaches of Article 13 (Information to be provided where personal data are collected from the data subject), 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject), and 5 (Principles relating to processing of personal data), should not be cumulated, because all violations of Article 13 automatically constitute a breach of Article 12, and a breach of a specific obligation of GDPR also represents a breach of one of the data processing principles from Article 5.
In response, Datatilsynet invoked the EDPB’s Binding decision 1/2021 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding WhatsApp Ireland under Article 65(1)(a) GDPR, adopted on 28 July 2021. The main question analysed by the EDPB in the WhatsApp decision was in which situations a violation of specific obligations from GDPR will also amount to violation of a general principle. The short answer is – not always, depending on the circumstances of the case. In the WhatsApp decision, the EDPB concluded that there had been a breach of Article 13(1)(c) and the transparency principle under Article 5(1)(a), in light of the gravity and the overarching nature and impact of the infringements, which had a significant negative impact on all of the processing carried out by WhatsApp Ireland. The main reason for this finding was that the information provided by WhatsApp Ireland to data subjects was so inadequate that it was not possible for the data subjects to identify either the specific processing operations taking place or the purpose of those processing operations, or the legal basis being relied upon to ground those processing operations.
In the SATS decision, Datatilsynet did not analyse in detail how the infringement of specific obligations amounted to infringement of Article 5(1)(a) of GDPR. Datatilsynet only noted that by failing to provide sufficient information about the relevant storage periods and legal basis for the processing, SATS violated both the specific information requirements laid down in Article 13(1)(c) and (2)(a) GDPR, and the Article 5(a)(a) principle requiring the processing of personal data in a transparent manner.
Key takeaways
When designing its data protection and privacy policies, data controllers must carefully choose the appropriate legal basis for processing, before communicating the basis to data subjects and before any processing takes place. If the controllers consider necessity for performance of the contract as a legal basis, they should carefully assess whether that basis satisfies the strict necessity test. If it does not, they should consider another legal basis for processing. If more than one legal basis for processing is invoked, controllers should be clear as to which basis applies to which processing activity.
With respect to the violation of more than one obligation and/or general principle under GDPR, data controllers faced with investigations by data protection authorities should not take for granted that violation of a specific GDPR obligation automatically amounts to violation of a general principle from GDPR Article 5. For a principle to be violated, the breach of one or more specific obligations under GDPR must reach a certain level of gravity, which depends on the specific circumstances in the given case.