Spain’s AEPD Fines Gym Chain for Invasive Facial Recognition Practices
The Spanish Data Protection Agency (AEPD) has imposed a hefty sanction of €96,000 on the gym chain SIDECU following violations of customer data protection standards. This enforcement action stems from allegations that the gyms utilized facial recognition technology as the only method of access, compromising privacy rights without proper notification or consent. The reports of this misconduct were initially lodged by the consumer advocacy group Facua in 2023 , bringing to light critical issues surrounding data privacy in the fitness industry.
The Incident Unfolds
The controversy unfolded on August 4, 2023 , when a complaint was filed against SIDECU, a gym operator based in A Coruña , Spain. The claim specifically pointed out that the Entrepuentes Sports Center in Seville was denying patrons access unless they used the new facial recognition system implemented by the chain. The complainant described the system as not just invasive , but also excessive for its intended purpose—accessing a gym.
Previously, patrons could enter the facilities with a traditional membership card, a method that respected user privacy. However, the sudden implementation of facial recognition left customer no option but to comply, leading to two more complaints being added before Facua officially escalated the matter to the AEPD in September 2023 .
Defense Claims: Misunderstanding Data Regulations
In its defense, SIDECU argued that it did not store images of users. Instead, the platform generated a facial pattern using an algorithm developed by the system’s creators—claims that the company believed would satisfy the requirements of the General Data Protection Regulation (GDPR) . The gym chain reassured users that these templates did not allow for personal identification or reveal any physical attributes.
However, this position appears fundamentally flawed when examined against the stipulations of the GDPR . Article 4.14 categorizes biometric data —including facial images and fingerprints—as personal data, and Article 9 expressly prohibits the processing of biometric information intended for unique identification. By failing to grasp these regulations, SIDECU appears to have contravened the law significantly.
Violation of GDPR Articles
The first major error noted was a blatant disregard for Article 9 of the GDPR. SIDECU’s facial recognition system unequivocally collects biometric data aimed at uniquely identifying individuals, constituting a serious breach of legal boundaries.
Image | Ryan Hoffman
The second major error involved imposing this facial recognition system without prior notification to users, which violates Article 13 of the GDPR. Not only was there no advance warning, but this system was the sole option for accessing the gym, thereby nullifying any possibility of *freely given consent.* Although SIDECU introduced an alternative access method at a later stage (showing an ID), this change came only after user complaints.
The third major error was failing to perform a required risk assessment, violating Article 35 of the GDPR. According to the AEPD’s findings, SIDECU did not sufficiently justify the necessity of the facial recognition system when less invasive, equally effective alternatives existed. The AEPD criticized the gym chain for neglecting to conduct an impact assessment regarding personal data protection, deeming its actions negligent rather than fraudulent.
Sanction and Accountability
The final outcomes of the investigation led to three distinct sanctions against SIDECU for violating specific articles of the GDPR: €80,000 for violating Article 9, €30,000 for failing to inform users as required by Article 13, and €50,000 for neglecting the necessary risk assessment as stipulated in Article 35. Although these violations could have resulted in a total fine of €160,000 , the amount was reduced to €96,000 due to SIDECU’s acknowledgment of its responsibility and prompt actions to remediate the situation.
This case showcases significant concerns regarding user consent and data privacy within the fitness industry, as technological advancements continue to challenge traditional privacy boundaries. The AEPD’s rulings send a clear message: compliance with data protection laws is mandatory, and any failure to do so can result in severe financial penalties.

