SIDECU S.A. – €96,000 Fine (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
SIDECU S.A. (the controller) is a company that operates and manages sports centres. The controller replaced its access method based on cards or fingerprints with a mandatory facial recognition system. This was implemented without informing or consulting its members. The data subject refused to use the new system, arguing that it is invasive and excessive. In response, the controller refused to grant the data subject access.

The case involves nine complaints presented by different data subjects. The first complaint was filed in August 2023, and the other complaints were joined by the DPA during its investigations. The DPA also received a complaint from FACUA (a consumer association).

The controller argued that it could install the facial recognition systems without the prior consent of the members. According to the controller, it was not processing any data at all (including sensitive data), because the facial recognition systems did not identify the person at any moment. According to the controller, a 2020 report by the DPA supported its argument, as it stated that not all biometric data falls under the definition of sensitive data under Article 9 GDPR. It is important to note here that the controller used this reasoning to argue that it did not process any data at all.

The controller argued that it had carried out a risk assessment before implementing facial recognition, and that the new system did not pose any risks because there was no processing of personal data. This meant that it was also unnecessary to carry out a data protection impact assessment (DPIA). Finally, the controller argued that it had placed signs in the sports centres, allowing the members to be informed of the data protection implications of the new system.

First, the DPA found a violation of Article 9 GDPR. Biometric data is personal data when it is processed for the purpose of allowing or confirming the unique identity of a person (Article 4(14) GDPR). The DPA stated that there was no d
Related Enforcement Actions (0)
No other enforcement actions found for SIDECU S.A. in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
26 June 2025
Authority
Agencia Española de Protección de Datos
Fine Amount
€96,000
GDPRhub ID
gdprhub-9385
Cite as: Cookie Fines. SIDECU S.A. - Spain (2025). Retrieved from cookiefines.eu