Lithuanian State Data Protection Inspectorate continues to set guidelines for biometric data processing

Following an inspection, the Inspectorate found biometric data processing and other infringements of the GDPR.

In particular, the Inspectorate found that the customers' consent to the processing of their biometric data was not voluntary: when customers checked in at the self-service terminal, the only method of access to the sports club was biometric data. 

The inspection revealed that there were no other alternatives (other than the use of biometric data) for accessing the sports club, nor was there any information (an information notice) on the other possible access methods that the customer could use to enter the sports club.

According to the GDPR, biometric data are special categories of personal data, the processing of which is prohibited, except for the exceptions provided for in Article 9(2) GDPR. 

The Company processes customers' biometric data on the basis of their consent, i.e. on the basis of Article 9(2)(a) of the GDPR, and therefore customers must be provided with the conditions/means to freely give their consent to the processing of their biometric data. 

If customers (data subjects) do not have a free choice, such consent is not considered to be freely given and, accordingly, the processing of biometric data collected on the basis of such consent is considered to be unlawful.

Although the Company argued that, for example, a telephone number of the administration is provided, which, upon calling and expressing the wish to be admitted to the sports club, will issue an access card, the Inspectorate explained that every controller who processes biometric data is obliged to provide data subjects with clear information on the alternatives to the processing of biometric data.

Secondly, the inspection also revealed that no information on the processing of personal data was provided when registering as a new customer at the self-service terminal. 

It was also found that The Company has not carried out the data protection impact assessment prior to processing special categories of personal data, nor had it kept records of its activities.

Data subjects have the right to be informed about the processing of their personal data. Data The obligation to provide such information to data controllers is laid down in Articles 13 and 14 of the GDPR. This right and obligation derives from the principle of fair and transparent processing (Article 5(1)(a) GDPR). 

The GDPR does not prescribe the form or manner in which the information referred to in Article 13 of the GDPR must be provided to the data subject, but the GDPR clearly states that the controller must take appropriate measures by which the information should be provided to the data subject in order to ensure transparency. 

The controller deciding on the appropriate means and format for providing the information, should consider all the circumstances of the collection and processing.

The Company explained that it provides information to its customers about the processing of biometric data in the Privacy Policy, which is always communicated to the customer at the time of conclusion of the contract and at any time thereafter can additionally review it both in the Company's sports clubs and on its website. 

However, during the inspection, the Inspectorate's staff found that when registering at the self-service terminal as a new customer, it is not the Privacy Policy that must be accepted, but the 'Terms and Conditions'. It was not specified which these rules, nor were the rules themselves or a link to them provided.

Taking into account the fact that the Company has 4 sports clubs, which provide services in the 3 largest cities of Lithuania, and that there are a large number of customers who enter the sports clubs through the processing of their special categories of personal data (biometric), the Inspectorate concluded that the Company processes these special categories of personal data on a large scale, and is therefore obliged to carry out a data protection impact assessment. 

The Inspectorate noted that according to Article 35(1) of the GDPR, a data protection impact assessment on the processing of biometric data should have been carried out before the processing of such data, but this was not done.

The Inspectorate also found that the Company did not keep a record of its biometric data activities, although it was obliged to do so pursuant to Article 30(1) and (5) of the GDPR, which provides that the keeping of a record of data activities is mandatory where the processing is likely to result in a risk to the rights and freedoms of the data subjects, where the processing is not irregular, or where the processing of the data involves special categories of personal data, as referred to in Article 9(1) GDPR.

The Inspectorate, after carrying out an inspection and finding the above-mentioned infringements of the GDPR, imposed an administrative fine of EURO 6 000 on the Company.