Is your gym spying on you?

Gym membership: Too much information?


How far can gyms go in monitoring their members? The crossover of privacy and technology in fitness centres is a growing concern, particularly when biometric data is involved.

Club Metropolitan Santander Aqua faced a €27,000 penalty for breaching the General Data Protection Regulation (GDPR), as announced by a Spanish consumer rights organization, FACUA.

This occurred after the Spanish Data Protection Agency (AEPD) found violations stemming from the gym’s requirement for members to use fingerprints for access.

The fine was imposed for contravening three specific GDPR articles, highlighting the critical balance between security measures and personal privacy.

The rise of fitness tech

Gym memberships in Spain rose significantly in 2023, with a surge of 16.5 per cent, a four per cent increase from the previous year, according to a Statista survey on the fitness sector. The figures reflect an ever-growing interest in health and fitness.

Technological advancements have played a pivotal role, offering members enhanced services like virtual sessions and exercise tutorials. Access control has evolved too, with gyms employing bracelets, key cards, and even biometric systems for a streamlined entry process.

Privacy at the gym

Yet the convenience of these technologies raises important questions about privacy. FACUA’s recent announcement sheds light on a contentious issue: the AEPD’s decision to fine Club Metropolitan for its fingerprint requirement.

The imposition of such measures, according to FACUA, infringes upon articles 13, 9.1, and 6.1 of the GDPR, which set strict guidelines for handling biometric data due to its sensitive and unique nature.

A cautionary tale

The incident began when a member objected to the new access protocol requiring fingerprints, which led to the termination of her membership. Metropolitan’s stance was firm, emphasising the security benefits of biometric access.

However, the AEPD’s investigation revealed a lack of initial consent and insufficient data protection, highlighting a failure to delete the complainant’s biometric data upon cancellation.

This oversight, alongside the unnecessary collection of fingerprints for gym access, culminated in the substantial fine. The AEPD’s verdict underscores the importance of data adequacy, relevance, and the potential for less intrusive alternatives in ensuring privacy.

This case serves as a reminder of the delicate balance between leveraging technology for convenience and respecting individual privacy rights.


Written by

John Ensor
