Norwegian DPA: Ålesund municipality fined for use of Strava

13 May 2021 Norway

The Norwegian Data Protection Authority has fined Ålesund municipality EUR 5,000 (NOK 50,000) for its use of the fitness app Strava.

Strava is a fitness app, which logs users’ training sessions and enables them to analyse and compare their data with their own previous performance or others’ training logs. Strava, Inc. stores the data generated by the app. This data must be considered personal data.

We underline that the problem is not Strava itself, but rather Ålesund municipal council’s procedures for the app’s use in schools.

Background
At two schools in Ålesund, teachers required pupils to download the fitness app Strava for use during physical education lessons. The pupils were then given tasks, while the teachers used the app’s tracking function to check that all the pupils had completed the tasks set.

Downloading the app was mandatory, and it was downloaded to the pupils’ private mobile phones. The use of the tracking function must be considered processing of personal data relating to the individual pupil. 

Strava was used in a situation where the teachers had to go to extraordinary lengths to provide appropriate teaching in a pandemic situation. However, this is no excuse for the council’s inadequate control of the use of various apps in school.

Our assessment
The fitness app Strava started being used without a risk assessment having been carried out. The Data Protection Authority considers that use of the fitness app Strava will involve activities requiring a Data Protection Impact Assessment (DPIA) to be performed.

Use of the fitness app involves the processing of the pupils’ location data. Particular categories of personal data may also have been processed, if the pupils themselves have entered such data into the app. Furthermore, the fitness app will process personal data by systematically monitoring physical exertion and performance. The purpose of using the fitness app was to see whether pupils performed the tasks, but it can also measure performance levels against those of others.

This case shows that the council does not have procedures in place to determine which apps are to be used for school-related purposes. Nor are there clear procedures for the downloading of apps, such as a requirement for a risk assessment before they start being used.

For further information, please contact the Norwegian DPA: international@datatilsynet.no

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.