Centros deportivos

Biometric data in gyms and the GDPR

Gyms and sports centres bring together a combination of particularly sensitive personal data processing activities: biometric data for fingerprint-based access control — a special category under Article 9 of the GDPR — health questionnaires containing medical information, direct-debit mandates for membership fees, and CCTV systems throughout the premises. Few service sectors accumulate so many high-risk data categories in their day-to-day relationship with members. Summum Consultoría guides gyms and sports centres through full compliance with Regulation (EU) 2016/679 (GDPR) and Spain's LOPDGDD (Organic Law 3/2018): we diagnose every processing activity, prepare the mandatory Data Protection Impact Assessment (DPIA) for biometric systems, and implement the non-biometric access alternative required by the data minimisation principle.

Applicable lawGDPR (EU) 2016/679 · LOPDGDD (Organic Law 3/2018)
Special-category dataBiometrics and health history — art. 9 GDPR
Supervisory authorityAEPD — Spanish Data Protection Agency

Sports centres and gyms face a more demanding GDPR compliance landscape than is commonly perceived. The main reason is the use of biometric data — most often fingerprints — for access control. Article 9.1 of Regulation (EU) 2016/679 expressly includes 'biometric data processed for the purpose of uniquely identifying a natural person' among special categories of personal data, the processing of which is prohibited as a general rule unless one of the exceptions in Article 9.2 applies. For most gyms, the only viable legal basis is the explicit consent of the member under Article 9.2(a) of the GDPR, which means that consent must be freely given, specific, informed and unambiguous, and that a member who does not wish to provide their biometrics must be able to access the facility by an alternative means without any detriment to their rights.

The use of biometric access control systems also triggers the obligation to carry out a Data Protection Impact Assessment (DPIA) prior to the start of processing, as required by Article 35 of the GDPR. The AEPD (Agencia Española de Protección de Datos — the Spanish Data Protection Agency) has included the large-scale processing of special-category data in its list of types of processing operations that require a DPIA, and fingerprint systems deployed in sports facilities fall within that category when the volume of members is significant. A DPIA is not a form: it is a structured analysis of the risks to the rights and freedoms of members, the measures to mitigate them, and the justification that processing is necessary and proportionate to the purpose pursued. If after the assessment the residual risk remains high and the controller cannot adopt sufficient measures to reduce it, Article 36 of the GDPR requires consultation with the AEPD before processing begins.

Physical aptitude questionnaires — such as the PAR-Q or equivalent forms — represent another compliance front. These documents collect information about cardiovascular conditions, injuries, medication or contraindications to exercise, which places them within the scope of health-related data under Article 9.1 of the GDPR. Processing this information requires a specific legal basis under Article 9.2 — typically explicit consent under Article 9.2(a) — and an information clause under Article 13 of the GDPR explaining the purpose of processing, the retention period and the rights that members may exercise. It is not sufficient to attach the questionnaire to the back of the membership contract: the sports centre must ensure that the member understands they are sharing health data and that they give their consent in a separate and informed manner.

CCTV is the third critical element in sports facilities. Article 22 of the LOPDGDD (Organic Law 3/2018) governs the processing of images by security cameras: it requires the placement of informative signage in a visible location at all entrances to monitored areas, the deletion of footage within a maximum period of one month from the date of capture — unless the images are linked to criminal acts or incidents requiring their submission to the authorities or to judicial proceedings — and the guarantee that cameras do not capture areas where individuals' right to privacy would be violated. Installing cameras in changing rooms, toilets or showers constitutes a serious infringement of the GDPR and the LOPDGDD and may lead to enforcement proceedings before the AEPD.

Direct-debit mandates for monthly membership fees and members' payment data complete the processing map. Although the IBAN and payment data are not special categories, their processing requires a legal basis under Article 6 of the GDPR — typically the performance of a contract under Article 6.1(b) — and appropriate security measures commensurate with the risk under Article 32 of the GDPR, including encryption of information, internal access controls and management of contracts with processors (membership management platforms, payment processors and collection entities). Summum Consultoría guides the sports centre in identifying and documenting all these processing activities, implementing appropriate technical and organisational measures, and training staff so that compliance is effective in the day-to-day running of the facility.

The Biometric data in gyms and the GDPR process.

The process · four stages
01

Processing audit and initial diagnosis

We analyse all personal data processing activities at the sports centre: biometric access control system, physical aptitude questionnaires, CCTV, member management, direct-debit mandates and marketing communications. We identify the applicable legal bases, compliance gaps and risk level for each processing activity, with particular attention to special-category data under Article 9 of the GDPR.

02

Data Protection Impact Assessment (DPIA) and non-biometric alternative

We prepare the Data Protection Impact Assessment required by Article 35 of the GDPR for the biometric access control system, documenting identified risks, their assessment and mitigation measures. In parallel, we design and implement the non-biometric access alternative — membership card, PIN code or QR code — for those who do not wish to provide their fingerprint, ensuring that refusal entails no penalty or differential treatment.

03

Documentation, information clauses and processor agreements

We draft and update the Record of Processing Activities (art. 30 GDPR), the Article 13 GDPR information clauses for each data collection point (enrolment, biometrics, health questionnaire, CCTV and marketing), privacy policies on-site and on the website, and data processing agreements with processors (membership management platforms, payment processors and system maintenance companies).

04

Training, implementation and periodic review

We train the sports centre's team — reception, instructors and management — on data collection procedures, responding to members' rights requests, security incident management and CCTV rules. We establish an annual review schedule to keep compliance up to date in light of regulatory changes, facility expansions or the introduction of new digital services.

What is included

What Biometric data in gyms and the GDPR includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Biometric access system compliance

    Review of the legal basis for processing (art. 9.2 GDPR), design of explicit consent clauses, technical security measures for the device, and procedure for erasing biometric data when a member cancels their membership or withdraws consent.

  • Data Protection Impact Assessment (DPIA)

    Preparation of the risk analysis and DPIA report required by Article 35 of the GDPR before starting or continuing biometric data processing: identification of risks, assessment of likelihood and impact, and documented mitigation measures.

  • Non-biometric access alternative

    Design and implementation of an alternative access system (membership card, PIN code or QR code) for those who do not consent to biometric processing, ensuring that refusal entails no penalty or reduction in the contracted service.

  • Management of health questionnaires (PAR-Q and equivalents)

    Adapting physical aptitude forms to the GDPR: explicit consent for health data (art. 9.2(a)), Article 13 information clauses, justified retention period and deletion procedure when processing is no longer necessary.

  • CCTV in compliance with Article 22 LOPDGDD

    Review of camera placement — permitted and prohibited areas —, informative signage at entrances, maximum one-month retention period for footage, contracts with the security company, and channel for exercising rights regarding recordings.

  • Record of activities, processor agreements and privacy policy

    Full documentation of the Record of Processing Activities (art. 30 GDPR), agreements with processors (membership management platforms, POS terminals and payment entities) and updating of the website privacy policy and on-site information.

Frequently asked questions about Biometric data in gyms and the GDPR.

Is it legal to use fingerprints to control access to a gym?

Yes, but under strict conditions. A fingerprint is biometric data processed for the purpose of uniquely identifying a natural person and falls within the special categories of Article 9.1 of the GDPR, the processing of which is generally prohibited. The most common exception for gyms is the explicit consent of the member under Article 9.2(a) of the GDPR: that consent must be freely given — which requires offering a non-biometric alternative —, specific, informed and unambiguous. Moreover, before putting the system into operation it is mandatory to carry out a Data Protection Impact Assessment (DPIA) in accordance with Article 35 of the GDPR. The AEPD has published specific guidance on biometric data processing that sports centres must take into account in their compliance process.

Is it mandatory to offer a fingerprint-free access alternative?

Yes. If the legal basis for processing fingerprints is consent under Article 9.2(a) of the GDPR, that consent must be genuinely free: a member cannot be forced to provide it in order to access the service. If no access alternative exists, consent cannot be considered freely given and the processing would lack a valid legal basis. Sports centres must offer at least one alternative identification method — membership card, PIN code, QR code or equivalent — enabling access to the facility without providing biometric data, and without the choice of this alternative entailing any disadvantage, additional cost or differential treatment for the member.

What is a DPIA and when is it mandatory for a gym?

A Data Protection Impact Assessment (DPIA) is a prior analysis of the risk that a processing activity may pose to the rights and freedoms of individuals, regulated in Article 35 of the GDPR. It is mandatory when processing is likely to result in a high risk, and the AEPD considers that the large-scale processing of special-category data — such as biometric or health data — requires a DPIA. In practice, any gym that uses fingerprints for access control must carry out this assessment before deploying the system. The DPIA documents the identified risks, the measures to mitigate them and the conclusion as to whether processing can proceed with the safeguards adopted.

Are the PAR-Q questionnaires completed by members at enrolment considered health data?

Yes. Physical aptitude questionnaires completed prior to sporting activity — such as the PAR-Q or equivalent forms — collect information about cardiovascular conditions, injuries, medication or other health conditions. These data fall within the special category of health-related data under Article 9.1 of the GDPR. Processing them requires a legal basis under Article 9.2, typically the member's explicit consent (art. 9.2(a)), and a specific information clause under Article 13 of the GDPR explaining the purpose — safety in sporting activity —, the retention period and the rights that the member may exercise.

How long may footage from the gym's security cameras be retained?

Article 22 of the LOPDGDD (Organic Law 3/2018) provides that images captured by CCTV cameras must be deleted within a maximum period of one month from the date of capture. The only exception is where the images are related to criminal offences, conduct that must be reported to law enforcement authorities, or incidents requiring their retention to evidence relevant facts before the authorities or in judicial proceedings. In addition, cameras may not be installed in areas where individuals' right to privacy would be violated: their installation in changing rooms, toilets and showers is expressly prohibited.

What penalties can the AEPD impose on a gym for non-compliance with the GDPR?

The sanctions regime under Article 83 of the GDPR distinguishes two tiers depending on the severity of the infringement. The most serious infringements — such as processing biometric or health data without a valid legal basis under Article 9.2 of the GDPR, or processing data without respecting the principles of Article 5 — fall under the framework of Article 83.5: fines of up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher. Other infringements relating to technical measures, DPIAs or processor agreements may fall under Article 83.4, with a ceiling of 10 million euros or 2% of turnover. The AEPD treats the controller's diligence, the adoption of corrective measures and cooperation with the regulator as mitigating circumstances.