Four complainants cost gym chain SATS 1 million EUR: How not to deal with complaints

The decision was based on four complaints lodged by individuals regarding the processing of their personal data.

The decision provides important insights and lessons for businesses, particularly with regards to transparency, access rights and data retention. And how not to handle complaints.

The complaints

The complaints lodged by the individuals alleged that the following breaches had taken place:

1. Access: SATS had denied timely and compliant access to the individuals’ personal data after requests.
2. Transparency: SATS had not provided sufficient information about the processing of their personal data, including the purposes of processing and the recipients of the data.
3. Data retention: SATS had retained their personal data for longer than necessary for the purposes of processing.
4. Legal basis: SATS lacked a valid legal basis for its processing.

The decision

The DPA found that SATS had violated several provisions of the GDPR, including articles 5 and 12 (transparency), 15 (right of access), 17 (right to erasure), and 6 (legal basis).

SATS was slow and incomplete in giving access

The DPA found that SATS had not responded to individuals' requests for access to their personal data in a timely and compliant manner. The complainants did not receive a copy of their data, only information of the incidents and an extract of SATS’ general terms.

The fact that one of the access requests was submitted only a month after GDPR became effective, was ignored, as the violation was ongoing and the access obligation was not a new obligation invented in the GDPR.

Lack of transparency

The DPA found that SATS had not provided individuals with sufficient information about the processing of their personal data, particularly with regards to the purposes of processing, the recipients of the data and legal grounds of sharing the data with third parties.

In other words, SATS did not provide their customers with a satisfactory privacy notice.

Data retention - too long

The DPA found that SATS had retained the individuals' personal data for longer than necessary for the purposes of processing. The data was held for five years to ensure that members expelled for two years did not reenter the gym.

The 60 months retention period, stipulated in SATS’ internal policies, was seen by Datatilsynet as «an extraordinarily long period». In addition, the duration was not informed about in the privacy policy (which was generally lacking too).

Lack of basis for processing

SATS relied on two alternative bases for processing, consent and performance of contract. However, SATS did not specify for which purposes the different legal grounds applied. In any event, parts of the processing, such as training history, was not necessary for the performance of the contract. And the consent was not valid because it was bundled in the general terms (thus not informed nor clear).

Why the high fine?

All of the above and the fact that the lack of information and basis for processing affected all of SATS’ 700 000 members explains the relatively high fine. However, the fine constitutes only 0,9% of SATS’ revenue for 2021, the DPA found.

The following circumstances (from GDPR art. 83) was weighted heavily or moderately against SATS:

• duration
• gravity
• systematic breach
• high number affected (transparency and lack of legal basis)
• negligence
• delicate data (even if not legally sensitive)
• failure to report breach or address complaints

SATS’ challenging financial situation was taken into consideration.

Lessons for businesses

The decision by the Norwegian DPA provides important lessons for businesses on the importance of compliance with GDPR, particularly with regards to transparency, access rights, and data retention:

1. Reply quickly and fully to requests for access and deletion. The complainants would likely not have complained to the DPA if SATS had provided a satisfactory response early.
2. Draft a clear privacy notice, including:
   
   a) who the recipients of the data are
   b) clarity about which legal basis apply to which processing
   
3. Don’t bundle consent text in general terms
4. Minimise the data processing; do not store too much data for too long.
5. Do not stretch ‘necessity to perform a contract’ as a legal basis too far. The limit is strict.
6. Train staff to handle requests swiftly and correctly.

See the whole 45 page decision of 6 February 2023 in English here.