No DPIA for use of fitness app: fine for Norwegian school
The Norwegian DPA (Datatilsynet) has fined a municipality €4,900 because pupils were required to use the Strava fitness app during physical education.
In doing so, the municipality broke the law, because no DPIA had been carried out before Strava was taken into use. In addition, insufficient security measures had been implemented, and the municipality could not demonstrate that this processing took place in accordance with the GDPR. The municipality thereby breached Art. 32(1)(b) and Art. 5, Art. 35 and Art. 24(1) GDPR.
The English-language summary follows below.
Facts
Teachers at two junior high schools in Alesund municipality required their students to download the fitness app Strava for use in gym classes during the COVID-19 pandemic. The teachers used the app's tracking capabilities to validate that the students had conducted required exercises at home, for example bicycling a certain distance.
Neither the teachers, the schools, nor the municipality conducted a risk assessment or a Data Protection Impact Assessment (DPIA) before deciding to use Strava in this way.
Dispute
Was this use of Strava a breach of the GDPR?
Holding
The DPA (Datatilsynet) held that the municipality had committed several breaches of the GDPR: 1) for the lack of routines for the technical and organisational security measures necessary to secure, and to demonstrate, that the processing was in line with the GDPR, cf. Article 24(1); 2) for not having sufficient technical and organisational security measures in place to achieve a level of protection suitable for ensuring confidentiality, integrity and robustness, and for not having conducted a risk assessment for the use of the app, cf. Article 32(1)(b), cf. Article 5; 3) for not conducting a Data Protection Impact Assessment (DPIA), cf. Article 35 (which the DPA assessed was necessary in this specific case).
For these breaches, the municipality was fined NOK 50 000,-.
Comment
The DPA notes that Strava Inc. is usually considered the controller for the personal data it processes in the app. In this case, however, the DPA determined that the municipality was the controller, because the teachers and schools were the ones deciding on both the means and the purpose of processing the students' personal data.
(Further) Resources
Datatilsynet - DT-20/02147 - GDPRhub