The Spanish Data Protection Agency (AEPD) has imposed a sanction of 96,000 euros on the Supera gym chain for violating the data protection rights of its customers. The reason? It had imposed facial recognition as the only method of access to its gyms. The facts were reported by Facua in 2023, and the resolution has now been made public.
What happened? On August 4, 2023, a complaint was filed against SIDECU, the company based in A Coruña that operates the gyms. According to the document (PDF), the Supera Entrepuentes sports centre in Seville was "denying access to the facilities" because a new access method had been implemented through a facial recognition system.
The complainant considered that this access was "invasive of his privacy" and "excessive for access to said establishment." Until the facial recognition system was introduced, which had not been notified to members and was mandatory, it was possible to enter the gym using a card. Two more complaints were added to this one and, finally, in September 2023, Facua reported SIDECU to the AEPD.
The defense. SIDECU defended itself by arguing that it did not store images of users, but generated a facial pattern through an algorithm patented by the company that developed the system. According to the gym chain, this "template" was not enough to identify users or deduce their physical characteristics. For SIDECU, this was enough for the system to comply with the GDPR, but in fact it was not.
The first error. Misunderstanding the regulation, thus breaching Article 9 of the GDPR. Article 4(14) of the GDPR defines biometric data as "personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data." A facial template derived from a face is therefore biometric data even if the original image is discarded, because it still allows the person to be uniquely identified. Under Article 9 of the same regulation, the processing of "biometric data for the purpose of uniquely identifying a natural person" is prohibited unless one of the exceptions in Article 9(2) applies.
The second error. Imposing the system without informing users, thus breaching Article 13 of the GDPR. Not only did the company fail to inform users, but facial recognition was the only way to access the establishments and there was no real alternative, which brings another issue into play: any consent was not freely given. It is true that the company ended up implementing an alternative access method (showing an ID document at the door), but it did so only after the complaints had been filed.
The third error. Not assessing the risks, thus breaching Article 35 of the GDPR. According to the resolution, SIDECU did not justify why it was necessary to implement this system, above all when less invasive and equally effective alternatives existed. The AEPD states that the company did not carry out a data protection impact assessment (since it considered that it was not processing personal data) and that it did not act with intent, but negligently and without "the special diligence required for this type of processing."
The sanctions. Three, one for each article breached: 80,000 euros for violating Article 9 of the GDPR, 30,000 euros for not having informed users in advance (Article 13) and 50,000 euros for not having prepared the data protection impact assessment (Article 35). In total, a penalty of 160,000 euros that, thanks to SIDECU's acknowledgement of responsibility and early payment, has been reduced to 96,000 euros.