SIDECU S.A. – €96,000 Fine (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
SIDECU S.A. was fined for implementing a facial recognition system at its sports centers without informing its members. This decision was made despite complaints from users who found the system invasive. It serves as a warning for companies to communicate changes that affect user privacy.
What happened
SIDECU S.A. introduced a mandatory facial recognition system without informing or consulting its members.
Who was affected
Members of SIDECU S.A. who were subjected to the facial recognition system without prior notice.
What the authority found
The Spanish Data Protection Authority ruled that SIDECU violated data protection rules by failing to obtain consent and not informing users about the facial recognition system.
Why this matters
This case illustrates the critical importance of transparency and user consent in data processing. Companies must engage with their users when implementing new technologies that affect privacy.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
SIDECU S.A. (the controller) is a company that operates and manages sports centres. The controller replaced its method of access of cards or fingerprints system with a mandatory facial recognition system. This was implemented without informing or consulting its members. The data subject refused to use the new system, arguing that it is invasive and excessive. In response, the controller refused to grant the data subject access. The case involves nine complaints presented by different data subjects. The first complaint was filed in August 2023, and the other complaints were joined by the DPA during its investigations. The DPA also received a complaint by FACUA (a consumer association). The controller argued that it could install the facial recognition systems without prior consent of the members. According to the controller, it was not processing any data at all (including sensitive data), because the facial recognition systems did not identify the person at any moment. According to the controller, a 2020 report by the DPA supported their argument, as it stated that not all biometric data falls under the definition of sensitive data under Article 9 GDPR. It is important to note here that the controller used this reasoning to argue that it did not process any data at all. The controller argued that it had carried out a risk assessment before implementing facial recognition, and that the new system did not pose any risks because there was no processing of personal data. This meant that is was also unnecessary to carry out a data protection impact assessment (DPIA). Finally, the controller argued that it had included signs in the sports centres, allowing the members to be informed of the data protection implications of the new system. First, the DPA found a violation of Article 9 GDPR. Biometric data is personal data when it is processed for the purpose of allowing or confirming the unique identity of a person (Article 4(14) GDPR). The DPA stated that there was no d
Related Enforcement Actions (0)
No other enforcement actions found for SIDECU S.A. in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
26 June 2025
Authority
Agencia Española de Protección de Datos
Fine Amount
€96,000
About this data
Cite as: Cookie Fines. SIDECU S.A. - Spain (2025). Retrieved from cookiefines.eu
Last updated: