Sports centres and gyms face a more demanding GDPR compliance landscape than is commonly perceived. The main reason is the use of biometric data — most often fingerprints — for access control. Article 9.1 of Regulation (EU) 2016/679 expressly includes 'biometric data processed for the purpose of uniquely identifying a natural person' among special categories of personal data, the processing of which is prohibited as a general rule unless one of the exceptions in Article 9.2 applies. For most gyms, the only viable legal basis is the explicit consent of the member under Article 9.2(a) of the GDPR, which means that consent must be freely given, specific, informed and unambiguous, and that a member who does not wish to provide their biometrics must be able to access the facility by an alternative means without any detriment to their rights.
The use of biometric access control systems also triggers the obligation to carry out a Data Protection Impact Assessment (DPIA) prior to the start of processing, as required by Article 35 of the GDPR. The AEPD (Agencia Española de Protección de Datos — the Spanish Data Protection Agency) has included the large-scale processing of special-category data in its list of types of processing operations that require a DPIA, and fingerprint systems deployed in sports facilities fall within that category when the volume of members is significant. A DPIA is not a form: it is a structured analysis of the risks to the rights and freedoms of members, the measures to mitigate them, and the justification that processing is necessary and proportionate to the purpose pursued. If after the assessment the residual risk remains high and the controller cannot adopt sufficient measures to reduce it, Article 36 of the GDPR requires consultation with the AEPD before processing begins.
Physical aptitude questionnaires — such as the PAR-Q or equivalent forms — represent another compliance front. These documents collect information about cardiovascular conditions, injuries, medication or contraindications to exercise, which places them within the scope of health-related data under Article 9.1 of the GDPR. Processing this information requires a specific legal basis under Article 9.2 — typically explicit consent under Article 9.2(a) — and an information clause under Article 13 of the GDPR explaining the purpose of processing, the retention period and the rights that members may exercise. It is not sufficient to attach the questionnaire to the back of the membership contract: the sports centre must ensure that the member understands they are sharing health data and that they give their consent in a separate and informed manner.
CCTV is the third critical element in sports facilities. Article 22 of the LOPDGDD (Organic Law 3/2018) governs the processing of images by security cameras: it requires the placement of informative signage in a visible location at all entrances to monitored areas, the deletion of footage within a maximum period of one month from the date of capture — unless the images are linked to criminal acts or incidents requiring their submission to the authorities or to judicial proceedings — and the guarantee that cameras do not capture areas where individuals' right to privacy would be violated. Installing cameras in changing rooms, toilets or showers constitutes a serious infringement of the GDPR and the LOPDGDD and may lead to enforcement proceedings before the AEPD.
Direct-debit mandates for monthly membership fees and members' payment data complete the processing map. Although the IBAN and payment data are not special categories, their processing requires a legal basis under Article 6 of the GDPR — typically the performance of a contract under Article 6.1(b) — and appropriate security measures commensurate with the risk under Article 32 of the GDPR, including encryption of information, internal access controls and management of contracts with processors (membership management platforms, payment processors and collection entities). Summum Consultoría guides the sports centre in identifying and documenting all these processing activities, implementing appropriate technical and organisational measures, and training staff so that compliance is effective in the day-to-day running of the facility.