The Personal Data Protection Board (“Board”) evaluated a complaint regarding the processing of blood type information - which falls under the scope of the special categories of personal data - without the data subject's explicit consent by the data controller fitness center, in its decision dated 23.12.2022 and numbered 2022/1357.
The complaint subject to the decision is that the fitness center processes health data, biometric data, and camera images of the customers without presenting a privacy notice, obtaining explicit consent, and taking necessary security measures to ensure the protection of personal data within the scope of the Law No. 6698 on the Protection of Personal Data (“DPL”).
The Board made the following explanations regarding the complaint;
The fitness center also processes the data subject's blood type information in the contract signed for being a member. No explicit consent text is presented for this category of special personal data which can be processed with explicit consent.
The allegations that a fingerprint, which is biometric data, is taken at the entrance of the fitness center in addition to data such as fat and weight performance measurements, frequency of hospital visits, height, etc., could not be proven. Therefore, no evaluation could be made.
The allegations that the data subject's information cards are easily accessible by everyone in the fitness center, not stored properly and are lost from time to time, and the security camera footage in the fitness center can be accessed by unauthorized persons could not be proven. Therefore, no evaluation could be made.
The e-mail sent by the data subject to the data controller was not responded to. Thus, the data controller violated the obligation to respond to the data subject requests.
In this regard, the Board adopted the following decision;
Considering that for fitness center membership the blood type information, which is a special category of personal data, is processed and explicit consent is not obtained, it has been decided to impose an administrative fine of TRY 100.000 (approx. EUR 3.377) on the data controller for not fulfilling the obligations stipulated in Article 12 of the DPL.
The data controller is instructed to present the privacy notice and explicit consent separately to comply with the DPL and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation of Clarification.
Authors: Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş