This article is a translation of and corresponds to the Norwegian press release published on February 8th 2023. Due to a delay, the English version of the article was not published until December 7th. In other words, this article is not to be regarded as a new update in the case, and we apologize for any misunderstandings.
– Our conclusion is that SATS has violated several provisions of the General Data Protection Regulation that apply to the data subjects’ right to information, access and erasure, as well as the company’s lack of a legal basis for processing certain personal data, says Line Coll, Director General of the Norwegian Data Protection Authority.
Background to the case
The Data Protection Authority received several complaints about SATS during the period 2018 to 2021. The complaints concerned alleged infringements of the complainants’ rights under the General Data Protection Regulation as customers of the fitness chain. The complaints concerned the company’s failure to comply with access and erasure requests.
– As the complaints against SATS were similar in many respects, we chose to consider all the complaints together as one case, says Coll.
Failure to comply with the data subjects’ rights in several respects
After looking into all the complaints, the Data Protection Authority has concluded that SATS has failed to satisfactorily respect the data subjects’ rights of access and erasure. Furthermore, the fitness chain has not had a legal basis for processing data about customers’ training history.
– The Data Protection Authority has investigated the company’s compliance with several provisions of the General Data Protection Regulation. Ensuring that companies fulfil their obligations relating to user rights is key to good data protection. We therefore take a serious view of the shortcomings we have uncovered in our investigation, says Coll.
The imposition of administrative fines shall be effective, proportionate and dissuasive.
SATS is the biggest fitness chain in the Nordic region, with gyms in Norway, Sweden, Denmark and Finland. The company is headquartered in Norway, and the Norwegian Data Protection Authority has therefore dealt with the case in cooperation with several supervisory authorities through what is known as the one-stop-shop mechanism. As the lead supervisory authority, the Norwegian Data Protection Authority has had primary responsibility for investigating, considering and making a decision in the case.