A Fitness Center Processing Data Subject’s Blood Type

15.08.2023

The Personal Data Protection Board (“Board”) evaluated a complaint regarding the processing of blood type information - which falls under the scope of the special categories of personal data - without the data subject's explicit consent by the data controller fitness center, in its decision dated 23.12.2022 and numbered 2022/1357.

The complaint subject to the decision is that the fitness center processes health data, biometric data, and camera images of the customers without presenting a privacy notice, obtaining explicit consent, and taking necessary security measures to ensure the protection of personal data within the scope of the Law No. 6698 on the Protection of Personal Data (“DPL”).

The Board made the following explanations regarding the complaint:

  • The fitness center also processes the data subject's blood type information in the membership contract. No explicit consent text is presented for this special category of personal data, which can be processed with explicit consent.

  • The allegations that a fingerprint, which is biometric data, is taken at the entrance of the fitness center in addition to data such as fat and weight performance measurements, frequency of hospital visits, height, etc., could not be proven. Therefore, no evaluation could be made.

  • The allegations that the data subject's information cards are easily accessible by everyone in the fitness center, not stored properly and are lost from time to time, and the security camera footage in the fitness center can be accessed by unauthorized persons could not be proven. Therefore, no evaluation could be made.

  • The e-mail sent by the data subject to the data controller was not responded to. Thus, the data controller violated the obligation to respond to data subject requests.

In this regard, the Board adopted the following decision:

  • Considering that for fitness center membership the blood type information, which is a special category of personal data, is processed and explicit consent is not obtained, it has been decided to impose an administrative fine of TRY 100.000 (approx. EUR 3.377) on the data controller for not fulfilling the obligations stipulated in Article 12 of the DPL.

  • The data controller is instructed to present the privacy notice and explicit consent separately to comply with the DPL and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation of Clarification.


Tagged with: Özdağıstanli Ekici Attorney Partnership, Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş, Data Protection & Privacy, The Personal Data Protection Board
