UAB VS FITNESS: Non-compliance with general data processing principles

The Lithuanian DPA (VDAI) has imposed a fine of EUR 20,000 on UAB VS FITNESS. After receiving a notification from an individual stating that scanning a fingerprint was necessary to use the services of a sports club owned by the controller, the DPA started an investigation against the controller. The DPA's review found that the consent given by customers to have their fingerprint patterns processed was not voluntary as there were no other identification measures. In addition, the DPA found that the controller also unlawfully processed employees' fingerprints. The controller also failed to set out for what purpose and on what legal basis it processed the employees' biometric data. It also did not conduct a data protection impact assessment and did not demonstrate the necessity and proportionality of the processing of the employees' fingerprints. Furthermore, the DPA finds that the controller did not comply with its information obligations pursuant to Art. 13 GDPR.

GDPR Articles: Art. 5 (1) a), c) GDPR, Art. 9 (1) GDPR, Art. 13 (1), (2) GDPR, Art. 30 GDPR, Art. 35 (1) GDPR
Industry: Industry and Commerce