Spain’s AEPD Fines Gym Chain for Invasive Facial Recognition Practices

The  Spanish Data Protection Agency (AEPD)  has imposed a hefty  sanction of €96,000  on the gym chain SIDECU following violations of customer data protection standards. This enforcement action stems from allegations that the gyms utilized  facial recognition technology  as the only method of access, compromising  privacy rights  without proper notification or consent. The reports of this misconduct were initially lodged by the consumer advocacy group  Facua  in  2023 , bringing to light critical issues surrounding data privacy in the fitness industry.

The Incident Unfolds

The controversy unfolded on  August 4, 2023 , when a complaint was filed against SIDECU, a gym operator based in  A Coruña , Spain. The claim specifically pointed out that the  Entrepuentes Sports Center  in  Seville  was denying patrons access unless they used the new facial recognition system implemented by the chain. The complainant described the system as not just  invasive , but also  excessive  for its intended purpose—accessing a gym.

Previously, patrons could enter the facilities with a traditional membership card, a method that respected user privacy. However, the sudden implementation of facial recognition left customer no option but to comply, leading to two more complaints being added before Facua officially escalated the matter to the AEPD in  September 2023 .

Defense Claims: Misunderstanding Data Regulations

In its defense, SIDECU argued that it did not  store images  of users. Instead, the platform generated a  facial pattern  using an algorithm developed by the system’s creators—claims that the company believed would satisfy the requirements of the  General Data Protection Regulation (GDPR) . The gym chain reassured users that these  templates  did not allow for personal identification or reveal any physical attributes.

However, this position appears fundamentally flawed when examined against the stipulations of the  GDPR . Article 4.14 categorizes  biometric data —including facial images and fingerprints—as personal data, and Article 9 expressly prohibits the processing of biometric information intended for unique identification. By failing to grasp these regulations, SIDECU appears to have contravened the law significantly.

Violation of GDPR Articles

The first major error noted was a blatant disregard for Article 9 of the GDPR. SIDECU’s facial recognition system unequivocally collects biometric data aimed at uniquely identifying individuals, constituting a serious breach of legal boundaries.

Image | Ryan Hoffman

The second major error involved imposing this facial recognition system without prior notification to users, which violates Article 13 of the GDPR. Not only was there no advance warning, but this system was the  sole option  for accessing the gym, thereby nullifying any possibility of *freely given consent.* Although SIDECU introduced an alternative access method at a later stage (showing an ID), this change came only after user complaints.

The third major error was failing to perform a required risk assessment, violating Article 35 of the GDPR. According to the AEPD’s findings, SIDECU did not sufficiently justify the necessity of the facial recognition system when less invasive, equally effective alternatives existed. The AEPD criticized the gym chain for neglecting to conduct an  impact assessment  regarding personal data protection, deeming its actions negligent rather than fraudulent.

Sanction and Accountability

The final outcomes of the investigation led to three distinct sanctions against SIDECU for violating specific articles of the GDPR:  €80,000  for violating Article 9,  €30,000  for failing to inform users as required by Article 13, and  €50,000  for neglecting the necessary risk assessment as stipulated in Article 35. Although these violations could have resulted in a total fine of  €160,000 , the amount was reduced to  €96,000  due to SIDECU’s acknowledgment of its  responsibility  and prompt actions to remediate the situation.

This case showcases significant concerns regarding user consent and data privacy within the fitness industry, as  technological advancements  continue to challenge traditional privacy boundaries. The AEPD’s rulings send a clear message: compliance with data protection laws is mandatory, and any failure to do so can result in severe financial penalties.



General News – 2