Gomera Trail Paradise – €15,000 Fine (Spain, 2024)

The organiser of the "Gomera Paradise Trail" race, the data controller, required participants (the data subjects) to submit proof of full COVID-19 vaccination, proof of past infection, or a negative PCR test taken within 48 hours before the event in order for them to participate. This requirement was communicated to participants via email on August 19, 2021, shortly after the registration period closed. The email instructed participants to upload the required documents to their private participant area on the event’s official website, accessible via their registration ID and email. A second email sent on August 24, 2021, clarified that submission of these documents was not mandatory, but encouraged as a measure to ensure event safety. Despite this, many participants uploaded their health data to the platform (690 participants out of 1,350 in total). The Spanish DPA (AEPD) initiated an investigation following a complaint filed on September 8, 2021, questioning the legality of collecting such sensitive health data under the GDPR. The initial investigation expired due to procedural deadlines, but a new proceeding was initiated. The AEPD found that the controller lacked a valid legal basis for processing health data, failed to provide adequate information to participants, and did not maintain a proper record of processing activities. The Spanish Data Protection Agency (AEPD) held that the event organiser processed health data by collecting COVID-19 vaccination certificates, proof of past infection, or negative test results. The AEPD found that while the organiser relied on explicit consent under Article 9(1)(a) GDPR, they failed to ensure it was freely given, explicit, and informed as participants felt pressured to provide their health data to take part in the race. The organiser did not clearly explain that sharing this information was optional until days after, very close to the race day. Many participants may have believed it was a requirement, invalidating thei