GDPR Violations at Vouliagmeni Nautical Club: Fines Imposed for Unlawful Biometric Data Processing
By Eva I. Garmpi
on 03/12/2024
Recent decision 42/2024 of the Data Protection Authority concerns the processing of biometric data for entry control at the Vouliagmeni Nautical Club.

The Vouliagmeni Nautical Club (NOB) was found to have violated the principles of lawfulness, necessity, and proportionality in processing biometric data without proper legal basis and without conducting a required impact assessment.

NOB collected biometric data based on the geometry of the face, which is considered a special category of personal data under GDPR. This data was processed through an algorithm to generate a unique code for each user, which was stored digitally on NOB's server. NOB claimed the legal basis for processing was the explicit consent of the members, as well as legitimate interest under Article 6 and exceptions under Article 9 of the GDPR.

However, the Authority found that:

  • The consent obtained was not properly informed or freely given, as members were not adequately informed about the processing and were coerced into providing their biometric data.
  • The principle of necessity and proportionality was not met, as NOB did not demonstrate that less intrusive methods could not achieve the same purpose.
  • NOB did not conduct a Data Protection Impact Assessment (DPIA) as required under Article 35 of the GDPR. The Authority found this to be a significant oversight, given the high risk associated with processing biometric data.
  • NOB failed to provide adequate information to its members about the processing of their biometric data. Additionally, there was no alternative method for entry provided to members who did not consent to the biometric system, which was a violation of the principles of fairness and transparency.
  • The President of NOB's Board of Directors was appointed as the Data Protection Officer, which created a conflict of interest. The DPO must perform their duties independently and should not hold a position that determines the purposes and means of processing personal data.

Based on these findings, the Authority imposed the following sanctions on NOB:

  1. A fine of €28,000 for violating the principle of legality (Article 5(1)(a) GDPR).
  2. A fine of €14,000 for failing to carry out an impact assessment (Article 35 GDPR).
  3. An order to conduct an impact assessment study and to stop processing biometric data until the study is completed.
  4. A fine of €14,000 for violating Article 38(3) GDPR regarding the appointment of a Data Protection Officer.

The Authority's decision was based on the need to uphold the principles of GDPR, including lawfulness, fairness, transparency, necessity, and proportionality. The lack of proper consent, failure to conduct a DPIA, inadequate information provided to members, and the conflict of interest in the DPO appointment were all critical factors in the decision. The sanctions aimed to ensure compliance and protect the fundamental rights and freedoms of the data subjects.

The information presented is based on the data available at the time of writing. There is no commitment to update or modify the text after the initial publication. The user bears full responsibility for assessing and using the information. Provision of legal advice or assumption of liability towards third parties is limited to clients who have entered into a relevant cooperation with the office.