The Spanish Data Protection Agency has imposed sanctions on two gyms in Barcelona for the improper use of biometric data. Supera must pay 160,000 euros and Metropolitan 27,000 euros after collecting fingerprints and using facial recognition systems to control user access, a practice considered punishable under the General Data Protection Regulation.
Legal Requirements and Expert Warnings
The lawyer Miguel Recio, from the TMC department of CMS Albiñana & Suárez de Lezo, emphasizes the need to adopt additional safeguards such as a data protection impact assessment before implementing these types of technologies. European regulations require that any processing of personal data, especially biometric data, be accompanied by measures to prevent unauthorized access and that the explicit consent of the data subject be obtained.
"It is necessary to adopt additional guarantees such as carrying out a data protection impact assessment" - Miguel Recio, CMS Albiñana & Suárez de Lezo
The use of personal images to obtain animations through platforms like OpenAI also requires the user's express consent. Recio warns that losing control over personal data is one of the main risks of converting images to other digital formats.
Hotels, Accommodations, and Traveler Registration
On the Costa Brava and other tourist areas of Girona and Tarragona, the Spanish Data Protection Agency has reminded accommodations that they cannot demand ID card scans from guests. The affected party can request the intervention of the AEPD if they believe their data has been improperly processed. The request for the document must be limited to verifying the necessary data and carried out with guarantees to protect personal information.
"It is important that we know if our ID card will be used to verify the necessary data or if it will be scanned, which would lead to improper processing" - Miguel Recio, CMS Albiñana & Suárez de Lezo
Penalties for GDPR non-compliance can reach €20 million or 4% of global annual turnover.
Dissemination and Recording of Sensitive Data
The dissemination of images, audio, or videos of a sexual or violent nature that allow a person to be identified without their consent is considered unlawful processing of personal data. The AEPD can initiate sanctioning procedures and, in serious cases, impose fines of up to 600,000 euros. Furthermore, these actions can lead to criminal and civil liabilities, including prison sentences of six months to two years for offenses against moral integrity.
In July, the Supreme Court declared a violation of residents' right to privacy due to the use of a digital peephole in a community. The court recalled that these devices must comply with data protection regulations if they allow the processing of personal information.
Work and Educational Environment
In March, the Supreme Court ordered a law firm to pay an employee 3,000 euros in compensation for unlawful interference with the right to privacy after accessing a digital folder containing sensitive data. To claim compensation for a violation of data protection regulations, three cumulative requirements must be met: the existence of unlawful processing, the occurrence of damages, and a causal link between the two.
The AEPD has a specific guide for labor relations that addresses the limits in data processing, employee identification, and work time recording. In the educational environment, centers in Barcelona, Girona, and Tarragona that offer regulated education must appoint a data protection officer and report any detected risks regarding students' personal information.
Liability and Claims
The Court of Justice of the European Union has ruled that the data controller is responsible for data managed on their behalf, but not if the processor uses it for their own purposes. In case of moral or economic damage due to unlawful processing, legal proceedings can be initiated in civil jurisdiction to claim compensation.
In serious situations of physical or psychological bullying in the educational environment, the recommendation is to report the incidents to the Prosecutor's Office and contact the helpline 900 018 018.
- Supera sanctioned with 160,000 euros for fingerprint use
- Metropolitan fined 27,000 euros for facial recognition
- Sanctions for non-compliance with GDPR can reach 20 million euros or 4% of annual turnover
- The AEPD can impose fines of up to 600,000 euros for recording images without permission