The Finnish data protection authority has imposed a 122,000 euro fine on an organization for processing data subjects' personal health data without obtaining their consent. The company was processing personal health data such as maximum oxygen uptake and body mass index without informing data subjects; hence the data protection authority found that consent was not individualized and informed.
As per the DPA, the controller informed data subjects that their personal data is being processed, but failed to inform them of the types of personal data being processed and the purpose for which it is processed.
Therefore, an organization must sufficiently inform the data subject of what type of personal data is being processed and the purpose behind such processing.