Lithuanian DPA Imposes Fine on a Sports Club for Use of Fingerprints
The State Data Protection Inspectorate (SDPI) has carried out an investigation into processing of biometric personal data in a sports club and imposed a fine in the amount of EUR 20,000 on VS FITNESS UAB for the identified infringements of the General Data Protection Regulation (GDPR).
The fine was imposed for infringements of the provisions of Article 5(1)(a), Article 5(1)(c). Article 9(1), Article 13(1), Article 13(2), Article 30, Article 35(1) of the GDPR, i.e. processing of biometric data without voluntary consent of the data subjects and a failure to ensure other requirements for the valid consent, improper implementation of the data subjects’ right to be informed of data processing; it has also been determined that the company has not carried out an assessment of the impact of data processing on data protection, has failed to maintain records of activities.
Source: Lithuanian DPA: Fine Imposed on a Sports Club for Infringements of the GDPR in Processing of Fingerprints of the Customers and Employees | European Data Protection Board