AEPD (Spain) - EXP202309454
| AEPD - EXP202309454 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(e) GDPR, Article 7(1) GDPR, Article 28(3) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 30.05.2023 |
| Decided: | 24.02.2025 |
| Published: | 24.04.2025 |
| Fine: | 36,000 EUR |
| Parties: | SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L. |
| National Case Number/Name: | EXP202309454 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Spanish |
| Original Source: | aepd (in ES) |
| Initial Contributor: | Eleonora van Koppen |
The DPA fined a fitness franchise €36,000 for recording gym members' images without valid consent, storing images indefinitely, and failing to formalise a proper processor agreement between the franchise and the local gym.
English Summary
Facts
The data subject was a member of a gym operated under a fitness franchise (School Fitness), which allegedly acted as a joint controller together with the local gym. On 7 February 2021, the data subject filed a complaint through the controller's website, objecting to being filmed during fitness classes without consent.
In its reply, the controller asserted that the data subject had given consent by signing the membership contract. The contract contained a clause stating that by signing, the member authorised the company to use all images, photographs, videos, voice recordings, graphics, etc., in which they appeared.
On 9 May 2023, the data subject noticed that a phone was recording the class, despite their repeated objections to being filmed. The data subject believed that the contractual clause referred to in the email exchange was abusive and, on 30 May 2023, filed a complaint with the AEPD (Spanish DPA).
Upon receiving the complaint forwarded by the DPA, the controller denied the allegations. It asserted that members who signed the contract expressly consented to being recorded and to the dissemination of the recorded material for promotional purposes. It also claimed that verbal consent was obtained during classes.
During the investigation, three main issues arose: first, whether the clause in the membership contract validly obtained consent for recording; second, whether the controller complied with the GDPR principles for processing images; and third, whether there was a properly formalised data processing agreement between the franchise and the local gym concerning the handling of images. Additionally, the controller's data retention policy indicated that images would be kept indefinitely.
Holding
The DPA found that the combination of a clause in a subscription contract and verbal consent did not meet the requirements of Article 7(1) GDPR. The freely given nature of consent could not be demonstrated through the contracts signed by data subjects: they lacked a specific, clearly separated clause dedicated to the use of images, so acceptance of image processing was not distinguishable from acceptance of the general and specific contractual terms. Furthermore, the administrative file contained no evidence that verbal consent had actually been requested and obtained. The DPA therefore held that the controller violated Article 7(1) GDPR.
Furthermore, the DPA found that the controller breached the principle of storage limitation. The company's internal records indicated that images and videos were retained indefinitely; no specific storage period was set, and the necessity of retention was not assessed against the original purpose. The controller thereby failed to establish and observe a defined retention period, and the DPA found a breach of Article 5(1)(e) GDPR.
Finally, the DPA was critical of the arrangement between the fitness franchise and its local gym operator. The two entities claimed to act as joint controllers, but this did not reflect reality. According to EDPB Guidelines 07/2020, joint controllership must be based on a factual analysis of actual influence over the purposes and means of processing. In practice, the fitness franchise alone determined how personal data was processed, and the local gym carried out its instructions without real decision-making power. Since the local gym did not share control over the processing operations, it should have been qualified as a processor rather than a joint controller. Accordingly, the DPA ruled that the fitness franchise violated Article 28(3) GDPR.
Consequently, the DPA imposed a fine of €36,000 on the controller. Following recognition of responsibility and prompt payment, the amount was reduced to €21,600. The controller was also ordered to implement corrective measures: to ensure that the recording and publication of images and videos of data subjects is carried out with a valid legal basis, to comply with data retention periods, and to formalise a compliant processor agreement.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202309454

RESOLUTION TERMINATING THE PROCEDURE FOR RECOGNITION OF LIABILITY AND VOLUNTARY PAYMENT

From the procedure initiated by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: On February 24, 2025, the Presidency of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L. (hereinafter, SCHOOL FITNESS), through the agreement transcribed below:

<< File No.: EXP202309454

AGREEMENT TO INITIATE SANCTIONING PROCEDURE

Regarding the actions taken by the Spanish Data Protection Agency and based on the following

FACTS

FIRST: On May 30, 2023, a complaint was filed with the Spanish Data Protection Agency for a potential infringement attributable to SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L. with NIF B82887514 (hereinafter, SCHOOL FITNESS). The facts brought to the attention of this authority were as follows:

(…) the complainant states that he is a client of HOLIDAY FIT TRES CANTOS, a gym, where the instructors who teach classes at its facilities make recordings of the class sessions without informing the participants or obtaining their consent. He states that, on May 9, 2023, he noticed a cell phone next to the window of one of the rooms, in what he believes was a location chosen by the instructor to record the class being taught. He indicates that he has repeatedly objected to the collection and use of his image in the classes in which he participates, but that his objections are ignored. He also explained the problem by email to the entity against which the complaint was filed, which informed him of a general clause in the entity's contracts stating that, upon signing the corresponding contract for the use of the entity's facilities, the client authorizes being recorded on the premises. The complainant considered that this circumstance, with no possibility of objecting, is contrary to data protection regulations.
Along with the complaint, he submitted the following documentation:

- Copy of the contract signed between the complainant and SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L., dated September 1, 2016, for a period of 365 days. The copy contains two signatures: that of "The Member" ((…) complainant), which corresponds to an alphanumeric membership code ((…)), and that of SCHOOL FITNESS, with a handwritten signature. The following clause regarding personal data protection appears in the "General Conditions" section:

"Eleventh.- In accordance with the provisions of Organic Law 15/1999 on the Protection of Personal Data (LOPD), the data provided by the member, including those corresponding to the biometric pattern, will be incorporated into the "clients and suppliers" file owned by SCHOOL FITNESS HOLIDAY FRANCHISING, S.L.U., with registered office in Las Rozas (28290) Las Rozas, Madrid, Calle Rozabella No. 6, Parque Europa Empresarial. For this purpose, the data provided by the member is deemed to be true. The biometric pattern data will be used as confirmation of the acceptance of the contract as well as for access to the gym. The biometric reading does not imply the recording of the fingerprint, and the data obtained cannot, under any circumstances, be processed as a fingerprint. The purpose of this file is to provide for the fulfillment of the services contracted by the member, as well as commercial management and the sending or communication of advertising or commercial information or satisfaction surveys by any means. If the member does not wish to receive advertising or commercial information, they must check the corresponding box when accepting the contract. ☐ I do not wish to receive advertising. (…). (…).

- Copy of the contract signed between (…) the complainant and HOLIDAY FIT TRES CANTOS, S.L. (hereinafter, HOLIDAY FIT), dated October 13, 2022, for a validity of 12 months.
The copy contains two signatures: that of "The member" ((…) complainant), which corresponds to an alphanumeric member code ((…)), and that of HOLIDAY FIT TRES CANTOS, S.L., with a handwritten signature.

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/45

- The complaint includes the plain text of an email that, according to (…) the complainant, he received from the email address "No replay Holiday Gym (…)" on February 8, 2021, at 2:51 p.m., in response to the complaint he submitted through the gym's website. The content is as follows:

"A.A.A. Thank you for contacting us through suggestions. We have forwarded your request to the corresponding department for review (we have forwarded your contract, which specifies the section you are referring to).

TWELFTH. By signing this contract, the partner grants authorization for the company to use all images, photographs, videos, voice files, graphic material, etc. (hereinafter, the images) in which they appear or of which they form part. Likewise, the partner authorizes the communication or transfer of the images to the persons the company deems appropriate, for the same purpose indicated in the previous section, expressly informing you that in some cases international data transfers will be made for said transfer. Specifically, this data may be disclosed to third parties without any additional consent from you, provided that this disclosure is limited to this purpose. The partner grants this authorization for a broad territorial and temporal scope, so the company may use the images, or part of them, throughout Spain and in all countries around the world without any geographical limitation.
The partner grants this authorization for the use of the images in which they appear, or part thereof, within the scope and for the purposes of both communication and dissemination of the company's activities, as well as any other project, understood in its broadest sense, intended, by way of example but not limited to, for the promotion of the company's activities, in its own centers, on its website, and in any other medium that the company deems appropriate. They may be exploited in all media currently known and those that may be developed in the future, with the sole exception and limitation of those uses or applications that may violate the right to honor, morality, and/or public order, under the terms established by current legislation in each country. This authorization is understood to be granted free of charge. As a result of the transfer, the partner expressly exempts the company from all liability for any use that a third party may make of the images outside the territorial, temporal, and material scope of this contract. All of this is in accordance with the provisions of Organic Law 1/1982, of May 5, on Civil Protection of the Right to Honor, Personal and Family Privacy, and the Right to One's Own Image, as well as EU Regulation 2016/679, of April 27, 2016, and other applicable data protection regulations.

Thank you for being part of the Holiday Gym family. We inform you that this email account is for sending emails only. The inbox of this account does not receive emails. To contact us, you can do so through the Suggestion Form on our website or APP. Best regards, B.B.B. Holiday Gym Customer Service Department"

The content of the complaint addressed in the previous communication is as follows:

"The above is an abusive clause or response, knowing that I have very clearly and repeatedly communicated that I do not consent to being recorded or to the use of recordings in which I appear.
Therefore, it can be deduced that they are also breaking the law by illegally trafficking my data. (…) I once again request that you delete all videos, photos, or images from the (…), since it is impossible to know whether I have been recorded or not (even if it is part of my body or even if my face is not in focus). It will always be their word against mine, since I cannot access the recorded videos. I request that you delete all my data and my fingerprint, which is used to access the center. Data deletion also means that you will not send me any type of advertising. Even though I am not allowed to enter the gym and they have unilaterally terminated the contract, you continue to send me advertising by electronic means. (…)"

SECOND: In accordance with Article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), on July 6, 2023, this complaint was forwarded to SCHOOL FITNESS so that it could analyze it and inform this Agency within one month of the actions taken to comply with the requirements set forth in the data protection regulations. The transfer, which was carried out in accordance with the rules established in the LPACAP through electronic notification, was not received by the responsible party within the period during which it was made available, and was deemed rejected on July 17, 2023, in accordance with the provisions of Article 43.2 of the LPACAP, as recorded in the certificate in the file. Although the notification was validly made electronically, and the procedure was deemed to have been carried out in accordance with the provisions of Article 41.5 of the LPACAP, for informational purposes a copy was sent by postal mail and duly notified on July 20, 2023.
In this notification, the party was reminded of its obligation to interact electronically with the Administration and informed of the means of accessing said notifications, reiterating that, from then on, it would be notified exclusively by electronic means; this was notified on July 25, 2023.

On August 7, 2023, this Agency received a response letter from SCHOOL FITNESS, in which it denied the facts of the complaint and the incident of May 9, 2023, and made the following statements:

- Regarding the recording of images, "in the subscription contract, the members expressly consent to the recording and dissemination of images in individual and group sessions, and the interested party's verbal consent is also requested" and "Recordings of sessions are not stored or published without the user's consent."

- Regarding the exercise of rights by (...) the complainant, "there is no basis for the data protection claim for the simple reason that no image of her has been obtained, nor has it been stored, so there is nothing to cancel."

- Regarding the adoption of measures, "The company understands that no action is necessary in this regard, although after receiving this communication, a meeting was held with the customer service department to review the specific case and inform employees of the latest developments regarding data protection."

Along with the letter, the following documentation was provided:

- Document No. 1 "Claim Date 7221.pdf". Complaint filed by (...) complainant ((...). Client. Tres Cantos), on February 7, 2021, through the HOLIDAY FIT TRES CANTOS website. Its content sets forth (i) the complaint regarding the alleged recording of images of clients without their consent, (ii) the discomfort and consequences that the complainant is suffering as a result, and (iii) that they do not consent to or authorize the taking of photos or videos at any of their centers or in general.

- Document No. 2 "Response Date 8221.pdf".
Response issued by the Holiday Gym Customer Service Department on February 8, 2021, to the complaint filed by (...) complainant. The header of the document shows "02/08/2021 (...) Email sent to the customer" and the following content:

"A.A.A., We inform you that, as we have indicated in previous complaints, no one is ever recorded who does not authorize being recorded for the promotion of the center's activities by the brand. Again, if there has been any confusion regarding this matter, we apologize, as we never focus on any user who does not wish to be recorded, emphasizing this. Thank you for being part of the Holiday Gym family. This email account is for sending emails only. The inbox of this account does not receive emails. To contact us, you can do so through the Suggestion Form on our website or APP. Best regards, B.B.B. Holiday Gym Customer Service Department"

- Document "Refund Cancellation Contract.pdf". Its contents include:

  o Copy of the contract signed between (...) the claimant and HOLIDAY FIT TRES CANTOS, S.L., dated September 13, 2022, for a validity of 12 months. The copy contains two signatures: that of "The member" ((...) the claimant), which corresponds to an alphanumeric member code ((...)), and that of HOLIDAY FIT TRES CANTOS, S.L., with a handwritten signature.

  o Copy of the termination agreement of (…) claimant, dated May 18, 2023, signed solely by HOLIDAY FIT TRES CANTOS, S.L., with the following content: "(…)" The following clause regarding personal data protection appears in the "Annex" section: "2.
At this time, when you request termination, we remind you that you may exercise your rights of access, rectification, cancellation, or opposition by contacting School Fitness Holiday Franchising (to the attention of the Legal Department), as the party responsible for the File, at the email address ***EMAIL.1 or at the following postal address: ***ADDRESS.1"

  o Copy of the bank statement regarding the collection of the fee and the partial refund after termination to (…) complainant, with "print date August 7, 2023."

THIRD: On August 30, 2023, in accordance with Article 65 of the LOPDGDD, the complaint was admitted for processing.

FOURTH: The Subdirectorate General for Data Inspection proceeded to carry out preliminary investigations to clarify the facts in question, pursuant to the functions assigned to supervisory authorities in Article 57.1 and the powers granted in Article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VIII of the LOPDGDD. As a result of the actions taken, the following matters have been learned:

Due to the nature of the case, it was deemed necessary to conduct an on-site inspection to reliably verify the existence of recording cameras, the taking of images of clients, and other related aspects, and likewise to verify on-site the existing protocols and operations in this regard, in the area where the alleged events occurred. Two on-site inspections were conducted; the first took place on November 22, 2023, and the second on December 19, 2023. This was because the first inspection requested authorization to conduct investigative actions solely from SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L., and the second from the other entity under investigation, HOLIDAY FIT TRES CANTOS S.L., which is the entity that manages the physical establishment of the gym.
Taking action AT/03558/2023 as a reference, which ordered the transfer of the complaint to SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L., it was this same entity that responded to the request for information, and it did not at any time indicate any different organizational circumstances. However, during the course of the first inspection, based on the statements provided by the entity's representatives and the review of the documentation submitted in the complaint, the business framework within which the investigated entities operate and the organization of the commercial group became clear, as will be detailed later. The results obtained in both inspections were similar, and the main representative of the entities, acting as attorney, was the same person in both cases.

The inspection consisted of two parts, as reflected in the inspection report. In the first part, this Agency's inspection team met with representatives of the respondent party, explained the reason for their visit and the details of the alleged events, and heard the respondent party's representations in that regard. The second part consisted of gathering evidence and performing various tests on the information systems used by the gym.

1. Information obtained.

Business organization:

The representatives of HOLIDAY FIT indicated that (i) HOLIDAY FIT TRES CANTOS S.L. is part of the group of companies operating under the HOLIDAY GYM trademark, with the parent company being SCHOOL FITNESS HOLIDAY & FRANCHISING S.L., and that (ii) each company in the group has its own legal personality and management autonomy. However, the parent company acts as coordinator and is responsible for common group management tasks such as promoting the trademark. In fact, it is responsible for managing the group's various social media accounts for these promotions and for publishing content.
The gym located in Tres Cantos, therefore, is the responsibility of HOLIDAY FIT TRES CANTOS S.L., and the staff there are employees of this entity. The roles played by both entities are those of joint data controllers, as will be discussed below. It should be noted that this model has been adapted over time, which is why part of the documentation provided referred to a direct relationship between (...) the complainant and SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L.

Regarding this matter, HOLIDAY FIT provided the following documentation:

- Document "Docs 4, 5, 6.pdf". Copy of the "Collaboration and Personal Data Processing Agreement" regarding the business group and the relationships that articulate the operation between SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L. and HOLIDAY FIT TRES CANTOS S.L. (hereinafter, the gym), dated July 1, 2018. The handwritten signature of C.C.C. appears. The roles defined according to this agreement are those of joint controllers, as stated: "the aforementioned companies will collaborate to optimize the customer experience, becoming joint controllers for the processing of personal data." It subsequently states that this aspect will be communicated to customers: "The GYM will inform customers of the aforementioned joint controllership as part of the new customer registration process." Regarding the processing carried out by each, it is stated: "The GYM will process its clients' personal data for the purpose of managing billing and payment collection for the service, providing in-person fitness training, and selling in-person training products." Furthermore, "SCHOOL FITNESS HOLIDAY & FRANCHISING SL. will process the personal data it receives from the GYM for the following purposes:
- To manage member access to the gym, based on each member's fee.
- To offer digital services (workout routines, workout music, etc.)
to all GYM customers through the website holidaygym.es and the mobile app of the same name.
- To send commercial information in electronic format.
- To sell training products online.
- To maintain the "Admission Rights" file.
- To publish promotional images and videos of the gyms on the website and on social media (exclusively for GYM employees and customers who have given their consent)."

Regarding the exercise of rights, the following working procedure is indicated: "The exercise of rights of access, rectification, deletion, objection, restriction, and portability, which individuals exercise in person, will be handled at the GYM reception. If an individual exercises their rights by mail or electronically, requests will be handled by SCHOOL FITNESS HOLIDAY & FRANCHISING SL."

Video and image recording:

HOLIDAY FIT representatives stated that (i) the recording and taking of images is done for the purpose of commercially promoting the gym, showing the different activities carried out there, but that it is done occasionally, for example on holidays or special dates; and that (ii) in the case of the Tres Cantos establishment (HOLIDAY FIT TRES CANTOS S.L.), the (...) at that center is the only person recording images of clients. These images are taken using a single corporate mobile phone kept by the (...). Furthermore, the representatives of the aforementioned entity indicated that they have a written protocol regarding image recording, contained in the existing manual available to instructors, along with the data protection clauses of the employment contract. Among the measures indicated by the respondent party is also the prohibition on instructors using their personal phones within the classrooms while teaching. Basic training on data processing is also provided upon joining.

Regarding this matter, HOLIDAY FIT (TRES CANTOS) provided the following documentation:

- Document "Doc.3 MPO General.pdf".
Copy of the "General Procedure Manual" available to employees, for this case study. No publication date is recorded, and the "Holiday Gym" logo appears on all pages. In the "Data Protection" section (page 4 and following), the following aspects are highlighted: "(…)" "(…)" "(…)" In the "Monitors" section (page 15 and following), the following issues are highlighted: "(…)" "(…)"

- Document "Docs 4, 5, 6.pdf". Copy of a "Permanent Employment Contract" signed in February 2022 between HOLIDAY FIT TRES CANTOS S.L. and an employee with the position of "multi-purpose monitor," whose data appears anonymized, as well as the data protection and confidentiality clauses contained in said contract (pages 1 to 16). The clauses include a "Confidentiality Agreement" with HOLIDAY FIT TRES CANTOS S.L., stating that the employee: "(…)." It is also specified that they should not collect any information after the end of the employment relationship "(…)". There are two sections on the use of computer systems; no mention of the use of mobile phones was found in them. Regarding the authorization to use images, it is oriented toward the publication of images of the employees themselves, not of clients (…), and the following aspects are detailed: "(…)". There is a box at the end of this section to authorize or reject the processing of one's own image.
Dissemination of videos and images:

Regarding the dissemination of multimedia material, HOLIDAY FIT representatives indicated (i) that these images are published on social media, specifically on the group's Instagram account, in the app's so-called stories, which last 24 hours; (ii) that they have been used on Facebook and are in the process of being used on TikTok; (iii) that for fixed posts, posters, etc., they use material from an image bank, tagging their clients in some of these temporary social media posts; and (iv) that the publication of this content is carried out by the parent company's marketing department, located in its central offices, and not from each specific gym.

Regarding the process used for the recording itself, as well as the motivation for it, the representatives of HOLIDAY FIT TRES CANTOS stated that the marketing department takes the initiative regarding the different campaigns, which are generally carried out for specific dates or events. To do so, it requests that the different gyms take images and videos of the activities or of other aspects such as decoration. These requests are made via corporate email. The multimedia files are shared using the OneDrive tool, through a folder shared between each gym and the marketing department. Once the content has been downloaded by the marketing department, it is deleted from OneDrive. They indicated that the files are periodically deleted from the mobile phone by the (...) of the center and that, regarding email, the (...) of the center (...) does not specifically delete the emails sent, as stated. Nor is there any email configuration for automatic deletion on a regular basis.
List and information for clients regarding recordings:

Regarding the consent provided by clients, HOLIDAY FIT TRES CANTOS representatives stated that consent for recording, in addition to the contractual clauses discussed below, is collected verbally at the beginning of each class to be recorded. The purpose of the recording is communicated at the same time. If a person indicates that they do not want to be recorded, they are asked to leave the room at that time.

HOLIDAY FIT representatives state that customers are informed of their data protection rights, both in the mobile application and on the website. During the registration and subscription process, acceptance of the privacy policy and legal terms is mandatory. According to their statements, this section includes the contact method for exercising their rights.

Regarding this matter, HOLIDAY FIT provides the following documentation:

- Document "Docs 4, 5, 6.pdf". Copy of the "Terms and Conditions," which include the data protection information provided to customers during the registration process (pages 11 to 16). In section "2. Contract Acceptance and Data Protection," the following information is included:

"Data Protection Information. Data Controller: My data will be processed by two joint data controllers: SCHOOL FITNESS HOLIDAY & FRANCHISING SL. and HOLIDAY FIT TRES CANTOS SL. Purpose of Processing: SCHOOL FITNESS HOLIDAY & FRANCHISING SL. is the owner of the Holiday Gym brand, the website holidaygym.es, and the mobile app of the same name. My data will be processed to manage my access to the different gyms based on my rate, to offer me the digital services to which I am entitled as a member, to send me information in electronic format, for the online sale of training products, for maintenance of the right of admission file and, if I grant my consent, to publish images or videos on the website or social media. HOLIDAY FIT TRES CANTOS SL is the owner of the gym where I am contracting the service and will process my data to manage the billing and collection of payments for the service and to provide me with in-person fitness training services and the in-person sale of training products. Legitimacy: The general legitimate basis for processing is the contractual relationship with the two joint controllers. The timely sending of commercial information, the processing of video surveillance, and monitoring of the right of admission are based on the legitimate interest of the joint controllers. Additionally, my consent, if I decide to grant it, is the legitimate basis for processing the photographs or videos in which my image appears. Recipients: My personal data and video surveillance images may be shared with law enforcement agencies and courts if necessary for the investigation of misdemeanors or crimes. If I have given my consent, my image may appear in photographs or videos published on the Holiday Gym website and social media. My personal data will not be transferred to third parties except under legal obligation. Rights: I have the right to access, rectify, delete, and object to the processing of my personal data. I also have the right to data portability and restriction of the processing of my data by contacting SCHOOL FITNESS HOLIDAY & FRANCHISING SL. at ***ADDRESS.1 or by requesting it at the following email address: ***EMAIL.1. I also have the right to file a complaint with the Spanish Data Protection Agency if I believe my rights have been violated. Terms and conditions of use.
(…) I accept the contract, including its general and specific conditions and the gym's rules, and I expressly accept the processing of my personal data by the company for the purposes set forth in this contract/general contracting conditions."

Through due diligence carried out by this Agency on January 8, 2025, the contracting process was reviewed through the website ((...)), detecting relevant information that was omitted from the documentation provided. In particular, the following point is included during the contracting process:

(...)

This section is mandatory for contracting services. Therefore, it could contradict other actions and guarantees related to obtaining the consent of the data subjects. It has been verified that the company referenced in this clause varies depending on the location for which the online registration is being made. The text above is reproduced for the case of a contract made at the gym located in Tres Cantos. Furthermore, in the online contracting process, no mention was found within the clause of the aforementioned consent for the processing of images ("my consent, if I decide to grant it, is the legal basis for the processing of photographs or videos in which my image appears").

2. Evidence obtained.

Moving on to the evidence obtained during the on-site inspection, this Agency's inspection team initially requested permission from the representatives of HOLIDAY FIT TRES CANTOS to access their facilities and to be shown the image recording process, as well as the transfer of these files and their subsequent deletion. The following checks were performed on the mobile phone and corporate email (using a computer) of (...) at the center, who was present and who handled the devices:

- Using the mobile device's file manager, the various folders where the system's multimedia content is stored were reviewed, but no content related to clients was found.
- The mailbox of (...) at the center was reviewed across its various folders. The checks were performed chronologically, reviewing the oldest items in the mailbox to verify the retention procedures. No old video submissions were found whose material was still accessible. An email was found sent to the corporate group's marketing department with some client photographs, dated May 25, 2023. These photographs were not sent via OneDrive, as is the usual procedure, but were attached as documents. The entity's representatives state that they were sent this way because they were provided by the client via email and, exceptionally, were handled this way for convenience. The inspectors verified that these images indeed come from an email with the gmail.com domain.
- There are no email policies configured for the automatic deletion of old emails containing multimedia material (images, videos), so deletion must be done manually.

Additionally, it was verified, by checking the different rooms within the facility, that the gym does not have fixed recording cameras in the classrooms or sports facilities used by customers. There is a camera at the entrance to the establishment, but it does not capture images during activities; it is only used for access control.

3. Other evidence obtained.

The representatives of HOLIDAY FIT TRES CANTOS state that there is no data transfer to third countries. They indicate that the reference appearing in certain documentation was in old contracts, which were also not used, but was included for greater legal certainty. They state that it is no longer included.
Finally, it is noted that the Data Protection Officer has not issued a specific report on this processing. There is no written risk analysis for this processing; however, they state that the security measures to be implemented have been discussed in meetings held at the entity's management level, although this has not been recorded in writing.

4. Posting images and videos of clients on social media.

Following the reported events, the social media posts, particularly on Instagram, made from the group's corporate account (***URL.2) have been reviewed. On this account, the majority of the posts are from instructors (who state this at the beginning of the recordings), and the temporary posts, which last 24 hours, are often from clients themselves and are shared by the group from the corporate account. However, the following posts from 2024 regarding class recordings, made directly from the corporate account and in which clients do appear, have been located:

- ***URL.3
- ***URL.4
- ***URL.5
- ***URL.6
- ***URL.7
- ***URL.8
- ***URL.9

As this is a joint account for the brand, it is not known at which particular gym these videos were recorded.

5. Regulatory framework and additional documentation obtained.

HOLIDAY FIT TRES CANTOS has provided, in addition to the documents listed in this report, the following documentation:

- Document "Doc.1. School Processing Activities Record.pdf". The record, dated January 2, 2024, was prepared by SCHOOL FITNESS HOLIDAY & FRANCHISING S.L. and consists of 12 points. Section "1. Attention to the Rights of Individuals (ARCO)" includes the following questions: "(…) (…) (…) (…) (…) (…)." Section "3. Clients" includes the following aspects: "(…) (…) (…) (…) (…)." Section "8. Images" includes the following information: "(…) (…) (…) (…)." Section "12. Video Surveillance" includes the following information: "(…) (…) (…) (…)."
- Document "Doc 2. Contract signed with Holiday Fit Tres Cantos.pdf." Copy of the contract signed between (...) the claimant and HOLIDAY FIT TRES CANTOS, S.L., dated September 13, 2022, for a validity of 12 months; a copy of (...) the claimant's cancellation contract, dated May 18, 2023, signed solely by HOLIDAY FIT TRES CANTOS, S.L.; and a copy of the bank statement regarding the collection of the fee and the partial refund after the cancellation to (...) the claimant, with the "print date August 7, 2023." This documentation is identical to that provided by SCHOOL FITNESS in its response to the transfer, dated August 7, 2023.

FIFTH: According to the report obtained from the AXESOR tool, SCHOOL FITNESS is a company established in 2001, with a turnover of €978,207 in 2023.

LEGAL BASIS

I Jurisdiction

In accordance with the powers granted to each supervisory authority by Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) and as established in Articles 47, 48.1, 64.2, and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Presidency of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

II Procedure

Likewise, Article 63.2 of the LOPDGDD establishes that: "Procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this Organic Law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, in a subsidiary capacity, by the general rules on administrative procedures."
In accordance with Article 64 of the LOPDGDD, and taking into account the characteristics of the alleged violations committed, a sanctioning procedure is initiated. The procedure will last a maximum of twelve months from the date of the initiation agreement. After this period, the procedure will expire and, consequently, the proceedings will be closed, in accordance with the provisions of Article 64 of the LOPDGDD. If no objections are made to this initiation agreement within the stipulated period, it may be considered a proposed resolution, as established in Article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).

III Preliminary Questions

Processing of Personal Data

Article 4(1) of the GDPR defines "personal data" as: "any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is any person whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

Article 4.2 of the GDPR defines "processing" as: "any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction."

In the present case, the recording and publication of images and videos captured during classes taught at gyms constitutes the processing of personal data, as the image is personal data.
This processing is evident in the documentation provided within the framework of the preliminary investigations carried out by this Agency.

Roles Regarding the Recording and Publication of Images and Videos for Promotional Purposes

Article 4.7 of the GDPR defines the "controller" as: "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing; where Union or Member State law determines the purposes and means of processing, the controller or the specific criteria for its nomination may be laid down by Union or Member State law."

Article 4.8 of the GDPR defines the "processor" as "the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."

Article 26 of the GDPR defines "Joint Controllers" as: "1. Where two or more controllers jointly determine the purposes and means of processing, they shall be considered joint controllers. The joint controllers shall determine, in a transparent manner and by mutual agreement, their respective responsibilities for compliance with the obligations imposed by this Regulation, in particular with regard to the exercise of data subject rights and their respective information provision obligations referred to in Articles 13 and 14, except to the extent that their respective responsibilities are governed by Union or Member State law to which they apply. Such agreement may designate a contact point for data subjects."

The inspection report dated December 19, 2023, highlights the following statements from the representatives of HOLIDAY FIT TRES CANTOS:

1. "HOLIDAY FIT TRES CANTOS SL is part of the group of companies that operate under the HOLIDAY GYM trademark, with the parent company being SCHOOL FITNESS HOLIDAY & FRANCHISING SL. Each company in the group has its own legal personality and management autonomy; however, the parent company acts as coordinator and is responsible for common group management tasks such as brand promotion. In fact, it is responsible for managing the group's various social media accounts for these promotions." (emphasis added by this Agency).

2. "The recording and image capture are carried out for the purpose of commercially promoting the gym, showing the different activities carried out there. (…) In the case of the Tres Cantos establishment, (…) is the only person who records images of the clients. They are taken using a single corporate mobile phone that is in the custody of the same (…). These images are published on social media, specifically on Instagram on the group's account, in the so-called app stories, which last 24 hours. They also indicate that they have been used on Facebook and are in the process of using them on TikTok. For still posts, posters, etc., they use material from an image bank. The clients themselves are tagged in some of these temporary social media posts." (emphasis added by this Agency).

3. "The publication of this content is handled by the parent company's marketing department, located in its central offices. It is not published from each specific gym. The marketing department is responsible for taking the initiative regarding the various campaigns carried out, which are generally carried out for specific dates or events. To do so, they ask the different gyms to take images and videos of the activities or other aspects such as decoration. These requests are made via corporate email. The multimedia files are shared using OneDrive, through a shared folder between each gym and the marketing department. Once the content has been downloaded by the marketing department, it is deleted from OneDrive. (…)" (emphasis added by this Agency).
On January 4, 2024, HOLIDAY FIT TRES CANTOS provided the documentation requested by this Agency, of which the following is highlighted:

- Document 1. The Record of Processing Activities, prepared by SCHOOL FITNESS HOLIDAY & FRANCHISING S.L. and printed on January 2, 2024. In section "8. Images," the following is stated: "(…) (…) (…) (…) (…)."
- Document 2. A copy of the contract signed between (…) the complainant and HOLIDAY FIT TRES CANTOS, S.L., dated September 13, 2022, which does not contain any data protection clause; as well as a copy of the termination agreement of (...) the claimant, dated May 18, 2023, in which SCHOOL FITNESS HOLIDAY & FRANCHISING is identified as the data controller for the purposes of exercising the rights provided for in the GDPR.
- Document 3. The Operating Manual for HOLIDAY GYM employees, which includes a section ("Data Protection") that addresses the protocol for collecting images, requesting customer consent, work procedures, and deleting files. This manual identifies SCHOOL FITNESS HOLIDAY & FRANCHISING S.L. as the controller for the processing of recorded and published images and videos.
- Documents 4, 5, and 6. A copy of a "Permanent Employment Contract" signed in February 2022 between HOLIDAY FIT TRES CANTOS S.L. and an employee, which includes a confidentiality agreement and a section regarding the transfer of images for brand promotion, aimed solely at employees. It identifies HOLIDAY FIT TRES CANTOS S.L. as the data controller. Also, a copy of the "Terms and Conditions," which detail the data protection information provided to clients during the registration process. It identifies HOLIDAY FIT TRES CANTOS S.L. and SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L. as joint data controllers. Finally, a copy of the "Collaboration and Personal Data Processing Agreement" signed between SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L. and HOLIDAY FIT TRES CANTOS S.L. ("gym"), on July 1, 2018, in which it is provided that both entities will act as joint controllers and will carry out the following processing:

The GYM will process its clients' personal data for the purpose of managing billing and collection of service payments, providing in-person physical training services, and for the in-person sale of training products.

SCHOOL FITNESS HOLIDAY & FRANCHISING SL. will process the personal data it receives from the GYM for the following purposes:

- Managing member access to the gym, based on each member's fee.
- Offering digital services (workout routines, workout music, etc.) to all GYM clients through the holidaygym.es website and the mobile app of the same name.
- Sending commercial information in electronic format.
- Selling training products online.
- Maintaining the "Admission Rights" file.
- Publishing promotional images and videos of the gyms on the website and on social media (exclusively of GYM employees and clients who have given their consent).

As can be seen from the statements and documentation provided by HOLIDAY FIT TRES CANTOS within the framework of the preliminary investigation, there are contradictions regarding the roles played by SCHOOL FITNESS and HOLIDAY FIT.

According to EDPB Guidelines 07/2020, joint controllership occurs when several participants in the processing hold the status of controller and jointly determine the purposes and means of a processing operation. As with the concepts of "controller" and "processor," "joint controller" is a functional concept; it must be established on the basis of the actual activities in the case analyzed and not by the formal designation that may appear in an agreement or contract:

"52. The assessment of joint responsibility must be based on a factual analysis, not a formal analysis, of the actual influence on the purposes and means of processing. All existing or planned agreements must be verified in relation to the factual circumstances in which the relationship between the parties is developed. To this end, it is not sufficient to rely on a mere formal criterion, for at least two reasons: in some cases, the formal appointment of a data controller may not be present, for example, by law or contract; in others, the formal appointment may not reflect the reality of the agreements, because the function of data controller has been formally entrusted to an entity that, in practice, is not in a position to "determine" the purposes and means of processing."

In the present case, this Agency considers that, although there is an agreement between HOLIDAY FIT TRES CANTOS and SCHOOL FITNESS whereby they would act as joint data controllers, in practice it is SCHOOL FITNESS that determines the purposes and means of the processing, consisting of the recording and publication of images and videos on the group companies' websites and social media platforms in order to promote the brand. It decides when, how, and which commercial campaigns are to be carried out, while HOLIDAY FIT TRES CANTOS merely captures images and videos of the activities or other matters indicated by the SCHOOL FITNESS marketing department.

Therefore, this Agency concludes that SCHOOL FITNESS carries out this processing operation in its capacity as data controller, given that it determines the purposes and means of such activity, pursuant to Article 4.7 of the GDPR. For its part, HOLIDAY FIT TRES CANTOS is considered the data processor, acting on behalf of SCHOOL FITNESS in the recording of the images and videos used for promotional purposes.

Finally, it should be noted that section 11 of the aforementioned Article 4 GDPR provides the following:

11.
"consent of the data subject": any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she accepts, whether by a declaration or by a clear affirmative action, the processing of personal data relating to him or her.

IV Unfulfilled obligation. Consent of the data subject

Article 6 "Lawfulness of processing" of the GDPR establishes:

"1. Processing shall only be lawful if at least one of the following conditions is met:
a) the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is a party or, at the request of the data subject, for the implementation of pre-contractual measures;
c) processing is necessary for compliance with a legal obligation to which the data controller is subject;
d) processing is necessary to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The provisions of letter f) of the first paragraph shall not apply to processing carried out by public authorities in the exercise of their functions."

Article 6 of the GDPR establishes in its first paragraph the situations in which the regulations permit the processing of a third party's personal data, which are referred to as "lawful bases."
If none of these situations or conditions is met, the processing will not be legitimate or considered lawful under the GDPR.

In the present case, it is inferred from the documentation in the file that the consent of the data subject would constitute the legal basis that would legitimize HOLIDAY FIT TRES CANTOS to carry out the processing consisting of the recording and publication of images and videos of clients during classes taught at its facilities. This is evident from the entity's statements that the clients consented to the recording of the images and their subsequent dissemination.

Regarding this matter, (…) the complainant provided the documents indicated in the "Facts" section, first point, of this agreement. In the contract of April 13, 2022, signed between (…) the complainant and HOLIDAY FIT TRES CANTOS, no section was found that seeks the client's consent for the recording and publication of their image on the entity's website and social media. It should be noted that, at the time the September 2016 contract was signed between both parties, the GDPR was not yet applicable. Furthermore, at the time of the agreement to initiate sanctioning proceedings, and comparing the content of the responses to the complaint filed by (...) the complainant through the HOLIDAY FIT TRES CANTOS website (attached to the complaint) with the response to the transfer from SCHOOL FITNESS, the SCHOOL FITNESS document does not include a transcription of any clause of the contract relating to the use of the image. However, the sender in the signature block is the same person, "B.B.B. Customer Service Department, Holiday Gym."
In the response to the transfer dated August 7, 2023, SCHOOL FITNESS stated that (i) "in the subscription contract, members expressly consent to the recording and dissemination of images during individual and group sessions, and verbal consent is also requested from the data subject" and (ii) "The legitimacy of the consent of the remaining users is granted by express acceptance at the time of signing the subscription contract, and verbal consent is also requested from any member who may be affected." As evidence of these statements, it provided a copy of the subscription contract identical to that provided by (...) the complainant, which therefore does not contain a consent clause for the processing in question.

For their part, the representatives of HOLIDAY FIT TRES CANTOS stated during the on-site inspection conducted by this Agency on December 19, 2023, that consent is the legal basis for the processing of personal data consisting of the recording and publication of images and videos of HOLIDAY FIT TRES CANTOS clients. Specifically, they indicated that (i) "Consent to recording, in addition to the contractual clauses, is obtained verbally at the beginning of each class to be recorded. The purpose of the recording is also communicated at the same time. If anyone indicates that they do not wish to be recorded, they are asked to leave the room at that time, or to leave the classroom." (ii) "There is a written protocol regarding the recording of images, contained in the manual available to instructors, along with the data protection clauses of the employment contract." As evidence of these statements, they provided documentation of which the following is highlighted:

- Document 1. In section "8. Images" of the Record of Processing Activities prepared by SCHOOL FITNESS, printed on January 2, 2024, it is stated that the legal basis that legitimizes SCHOOL FITNESS to process the personal data in the image is the consent of the data subject, and that the purpose is to publish promotional images and videos on the website and social media.
- Document 2. The signed copy of the contract between (...) the complainant and HOLIDAY FIT TRES CANTOS, dated September 13, 2022, contains no data protection clause; its content is identical to that provided by (...) the complainant.
- Document 3. In the "Data Protection" section of the general procedure manual, employees are instructed to record themselves reading the following text to clients before taking images for promotional purposes: "Text to be recorded as evidence: Hello everyone. Due to data protection protocol, I must read this text to you: Participation is completely free and voluntary, and anyone who does not want to appear in photographs or videos, please stand outside the recording area I have indicated. Those of you who stand within the recording area are giving your consent to appear in the photographs or video we create. The data controller for these images is SCHOOL FITNESS HOLIDAY & FRANCHISING SL, which may use them to promote Holiday Gym on our website holidaygym.es or on our social media accounts. You may exercise your data protection rights on the website holidaygym.es or by email at ***EMAIL.1"
- Documents 4, 5, and 6. The copy of the "Terms and Conditions," without date or signature, states: "Purpose: (…) If I give my consent, to publish images or videos on the website or social media. Legitimacy: (…) Additionally, my consent, if I choose to grant it, is the legal basis for processing photographs or videos in which my image appears. Recipients: (…). If I have given my consent, my image may appear in photographs or videos published on the Holiday Gym website and social media. (…) Contracting conditions: (…) I accept the contract, including its general and specific conditions and the gym's rules, and I expressly accept the processing of my personal data by the company for the purposes set forth in this contract/general contracting conditions."

Taking into account what is described in the preceding paragraphs, it is noted, first of all, that in the Record of Processing Activities prepared by SCHOOL FITNESS, the legal basis for the processing of images for promotional purposes is the consent of the data subject. In this regard, it is important to note that Article 7 of the GDPR sets out the conditions that must be met for consent to be valid, namely:

"1. Where processing is based on the consent of the data subject, the controller must be able to demonstrate that the data subject consented to the processing of their personal data.
2. If the data subject's consent is given in the context of a written declaration that also concerns other matters, the request for consent shall be presented in a way that is clearly distinguishable from the other matters, in an intelligible and easily accessible manner, and using clear and plain language. No part of the declaration that constitutes a breach of this Regulation shall be binding.
3. The data subject shall have the right to withdraw consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal. Before giving consent, the data subject shall be informed thereof. Withdrawing consent shall be as easy as giving it.
4.
When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is made conditional on consent to the processing of personal data that are not necessary for the performance of that contract."

For its part, the LOPDGDD states in its Article 6, entitled "Processing based on the data subject's consent," the following:

"1. In accordance with the provisions of Article 4.11 of Regulation (EU) 2016/679, the consent of the data subject is understood to be any manifestation of free, specific, informed, and unequivocal will by which the data subject accepts, whether through a declaration or a clear affirmative action, the processing of personal data concerning him or her.
2. When the processing of data is intended to be based on the data subject's consent for a plurality of purposes, it must be specifically and unequivocally stated that such consent is given for all of them.
3. The performance of the contract may not be made subject to the data subject's consent to the processing of personal data for purposes unrelated to the maintenance, development, or control of the contractual relationship." (emphasis added by this Agency).

On these issues, EDPB Guidelines 5/2020 offer mechanisms to assist in the interpretation of these criteria and their compliance by data controllers. From what is indicated in this document, it is worth highlighting some aspects related to the validity of consent, specifically regarding the elements "specific," "informed," and "unambiguous":

"3.2. Expression of specific will
Article 6(1)(a) confirms that the data subject's consent to the processing of their data must be given "for one or more specific purposes" and that a data subject may choose with respect to each of these purposes.
The requirement that consent be "specific" is intended to ensure a degree of control and transparency for the data subject. This requirement has not been amended by the GDPR and remains closely linked to the requirement for "informed" consent. At the same time, it must be interpreted in line with the "granularity" requirement for obtaining "free" consent. In short, to comply with the "specific" requirement, the data controller must implement: i) specification of the purpose as a safeguard against misuse, ii) granularity in consent requests, and iii) a clear separation between information related to obtaining consent for data processing activities and information related to other matters. (…)

"3.3. Informed Expression of Will
The GDPR reinforces the requirement that consent must be informed. In accordance with Article 5 of the GDPR, the requirement of transparency is one of the fundamental principles, closely related to the principles of fairness and lawfulness. Providing information to data subjects before obtaining their consent is essential so that they can make informed decisions, understand what they are authorizing, and, for example, exercise their right to withdraw their consent. If the controller does not provide accessible information, user control will be illusory, and consent will not constitute a valid basis for data processing. If the requirements for informed consent are not met, consent will not be valid, and the controller may be in breach of Article 6 of the GDPR.

3.3.1. Minimum content requirements for "informed" consent
For informed consent, it is necessary to inform the data subject of certain elements that are crucial for making a choice.
Therefore, the WP29 believes that at least the following information is required to obtain valid consent: i) the identity of the data controller, ii) the purpose of each of the processing operations for which consent is sought, iii) the type of data to be collected and used, iv) the existence of the right to withdraw consent, v) information on the use of data for automated decision-making in accordance with Article 22(2)(c), where relevant, and vi) information on potential data transfer risks due to the absence of an adequacy decision and appropriate safeguards, as described in Article 46."

However, in the present case, the consent collected by SCHOOL FITNESS and allegedly granted by the data subject would not meet the four legally required conditions. SCHOOL FITNESS and HOLIDAY FIT TRES CANTOS claim that the data subject's consent for the recording and publication of their image for promotional purposes is obtained at two stages: in the subscription contract and, additionally, verbally. However, from the documentation in the administrative file, it can be inferred that the subscription contracts, at least as of April 13, 2022 (the date on which (…) the claimant signed a subscription contract with HOLIDAY FIT TRES CANTOS), do not contain any clause on the general use of client images. The fact that SCHOOL FITNESS's contract template does not include such a clause means that its clients' consent is defective, since the four conditions required by Article 7 of the GDPR for it to be considered valid, and therefore to satisfy the legal basis of Article 6.1.a) of the GDPR, are not met.

It should also be noted that in the "Contract Clauses," a copy of which was provided by HOLIDAY FIT TRES CANTOS on January 4, 2024, the information regarding the granting of consent by the data subject for the recording and publication of images and videos is confusing.
While it appears that the interested party is free to grant consent for their image to be used on the website and social media, in practice the conditions of consent would not be met, as it was neither free nor informed. Indeed, signing the document implies full and express acceptance of all the clauses of the contract and, therefore, of the processing of the member's image as well, as can be seen from the following clause: "Contracting conditions: (...) I accept the contract, including its general and specific conditions and the rules of the gym, and I expressly accept the processing of my personal data by the company for the purposes set forth in this contract/general contracting conditions" (the underlined text corresponds to this Agency). The same applies to the online contracting process with HOLIDAY FIT TRES CANTOS ((...)), completed by this Agency on January 8, 2025. The contracting of its services is conditional on the acceptance of several sections, among which is the one related to the image and its collection and dissemination for promotional purposes and for internal and external use of the company.

Finally, it should be noted that, although both entities state that the data subject's consent is also collected verbally at the beginning of the recordings, there is no evidence in the administrative file to support this.

Consequently, based on the evidence available at this time regarding the agreement to initiate sanctioning proceedings, it is considered that the known facts could constitute an infringement, attributable to SCHOOL FITNESS, for violating Article 7 of the GDPR.
V Classification of the violation of Article 7 of the GDPR and qualification for the purposes of statute of limitations

If confirmed, the aforementioned violation of Article 6.1 of the GDPR could entail the commission of the violation classified in Article 83.5 of the GDPR, which, under the heading "General conditions for the imposition of administrative fines," provides: "Violations of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines of up to EUR 20,000,000 or, in the case of a company, by an amount equivalent to a maximum of 4% of the total global annual turnover of the preceding financial year, whichever is higher: a) the basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7, and 9; (...)"

For the purposes of the statute of limitations, Article 72.1 "Very serious violations" of the LOPDGDD states: "1. Pursuant to the provisions of Article 83.5 of Regulation (EU) 2016/679, violations that constitute a substantial violation of the articles mentioned therein, and in particular the following, are considered very serious and will be subject to a three-year statute of limitations: (…) c) Failure to comply with the requirements of Article 7 of Regulation (EU) 2016/679; (…)”

VI Proposed sanction for infringement of Article 7 of the GDPR

In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the GDPR must be observed, which state:

“1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article for infringements of this Regulation indicated in paragraphs 4, 9, and 6 are, in each individual case, effective, proportionate, and dissuasive.

2.
Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures provided for in Article 58(2)(a) to (h) and (j). When deciding whether to impose an administrative fine and its amount in each individual case, due account shall be taken of:

a) the nature, gravity, and duration of the infringement, taking into account the nature, scope, or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damage suffered by them;
b) the intentionality or negligence of the infringement;
c) any measures taken by the controller or processor to mitigate the damage suffered by data subjects;
d) the degree of responsibility of the controller or processor, taking into account any technical or organizational measures they have implemented pursuant to Articles 25 and 32;
e) any previous infringements committed by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its potential adverse effects;
g) the categories of personal data affected by the infringement;
h) the manner in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent;
i) where the measures referred to in Article 58(2) have been previously ordered against the controller or processor concerned in relation to the same matter, compliance with such measures;
j) adherence to codes of conduct pursuant to Article 40 or to certification mechanisms approved pursuant to Article 42; and
k) any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement."

For its part, Article 76 "Sanctions and corrective measures" of the LOPDGDD provides:

"1.
The sanctions provided for in sections 4, 5, and 6 of Article 83 of Regulation (EU) 2016/679 shall be applied taking into account the grading criteria established in section 2 of the aforementioned article.

2. Pursuant to Article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

a) The ongoing nature of the infringement.
b) The connection between the offender's activity and the processing of personal data.
c) The benefits obtained as a result of the infringement.
d) The possibility that the affected party's conduct could have led to the infringement.
e) The existence of a merger by absorption process subsequent to the infringement, which cannot be attributed to the acquiring entity.
f) The impact on the rights of minors.
g) The availability of a data protection officer, when not mandatory.
h) Voluntary submission by the controller or processor to alternative dispute resolution mechanisms in those cases where there are disputes between them and any interested party."

In the present case, considering the seriousness of the potential violations, with particular attention to the consequences that their commission has on those affected, a fine would be appropriate. The fine imposed must be, in each individual case, effective, proportionate, and dissuasive, in accordance with the provisions of Article 83.1 of the GDPR. To guarantee these principles, SCHOOL FITNESS's turnover of €978,207 in 2023 is considered as a preliminary matter.

For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence available at the time of the initiation of the sanctioning procedure, and without prejudice to the results of the investigation, it is considered appropriate to grade the sanction to be imposed according to the following circumstances, contemplated in the aforementioned provisions.
As a preliminary matter, the following circumstances are deemed to be present:

- The nature, severity, and duration of the violation, taking into account the nature, scope, or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damages and losses they have suffered (Article 83.2, letter a) of the GDPR). In the present case, the violation committed is of considerable severity, since the recording and subsequent publication of such content on the website and social media poses the possibility of immediate and wide-ranging dissemination, taking into account that it can be accessed by anyone.

Likewise, the following grading factors are considered aggravating factors:

- The connection between the offender's activity and the processing of personal data (Article 76.2, letter b) of the LOPDGDD): SCHOOL FITNESS is the parent company of a group of companies dedicated to gym activities that, in order to carry out their activity, require continuous processing of personal data. SCHOOL FITNESS, as a result of its business activity, routinely and continuously processes the personal data of a large number of interested parties, which necessarily involves processing the personal data of its clients. Thus, the infringement occurs within the framework of the processing of personal data, in the present case, consisting of the recording and publication of images and videos to promote the trademark, which it routinely carries out.

The balance of the circumstances contemplated in Article 83.2 of the GDPR and 76.2 of the LOPDGDD, with respect to the infringement committed by violating the provisions of Article 7 of the GDPR, allows for the initial imposition of an administrative fine of €15,000 (fifteen thousand euros).

VII Breach of obligation. Retention Period

Article 5, “Principles relating to processing,” states:

“1.
Personal data shall be: (…) e) kept in a form that permits identification of data subjects for no longer than necessary for the purposes of the processing of the personal data; personal data may be retained for longer periods provided that they are processed exclusively for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, in accordance with Article 89(1), without prejudice to the application of appropriate technical and organizational measures imposed by this Regulation to protect the rights and freedoms of the data subject (“retention period limitation”); (…)”

The principle of retention period limitation set out in the aforementioned article makes the retention of personal data subject to the purpose for which they were collected, and may exceed this period in the case of archiving purposes in the public interest, scientific or historical research, or statistical purposes.

In the present case, the Record of Processing Activities prepared by SCHOOL FITNESS, and printed on January 2, 2024, indicates in the section regarding image processing and deletion period that "they will be retained indefinitely." It is clear that SCHOOL FITNESS, by establishing the retention period as indefinite, does not comply with the requirements of the aforementioned provision, which is that the data will be considered retained for the time strictly necessary for the purpose of processing. Indefinite retention does not conform to this strict interpretation of the data retention period provided for in the regulations.
Therefore, it can be understood that SCHOOL FITNESS has specified a retention period for the images intended to be published on the website and social media that would not comply with the provisions of the aforementioned provision, since the retention of the images would not only lack a specific retention period, but also, and precisely for this reason, this retention period would exceed the purpose for which they were collected.

Therefore, in accordance with the evidence available at this time regarding the agreement to initiate the sanctioning procedure, and without prejudice to the results of the investigation, it is considered that the known facts could constitute an infringement, attributable to SCHOOL FITNESS, for violation of Article 5.1.e) of the GDPR.

VIII Classification of the violation of Article 5.1.e) of the GDPR and qualification for the purposes of limitation

The known facts could constitute a violation, attributable to SCHOOL FITNESS, classified in Article 83.5 of the GDPR, under the heading "General conditions for the imposition of administrative fines," which provides:

"5.
Violations of the following provisions shall be punishable, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the preceding financial year, whichever is higher: a) the basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7, and 9; (...)"

For the purposes of the limitation period for violations, the alleged violation is subject to a three-year statute of limitations, pursuant to Article 72 of the LOPDGDD (Organic Law on Personal Data Protection), which classifies the following conduct as very serious: a) "The processing of personal data in violation of the principles and guarantees established in Article 5 of Regulation (EU) 2016/679; (...)"

IX Proposed sanction for the violation of Article 5.1.e) of the GDPR

In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the GDPR must be observed, which state:

"1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article for the violations of this Regulation indicated in paragraphs 4, 9, and 6 are, in each individual case, effective, proportionate, and dissuasive.

2. Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures provided for in Article 58, paragraph 2, letters a) to h) and j).
When deciding whether to impose an administrative fine and its amount in each individual case, due account shall be taken of:

a) the nature, severity, and duration of the infringement, taking into account the nature, scope, or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damage they have suffered;
b) the intentionality or negligence involved in the infringement;
c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects;
d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures they have implemented pursuant to Articles 25 and 32;
e) any previous breaches committed by the controller or processor;
f) the degree of cooperation with the supervisory authority to remedy the breach and mitigate any adverse effects of the breach;
g) the categories of personal data affected by the breach;
h) how the supervisory authority became aware of the breach, in particular whether the controller or processor notified the breach and, if so, to what extent;
i) where measures referred to in Article 58(2) have been previously ordered against the controller or processor concerned in relation to the same matter, compliance with those measures;
j) adherence to codes of conduct pursuant to Article 40 or certification mechanisms approved pursuant to Article 42; and
k) any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement."

For its part, Article 76 "Sanctions and Corrective Measures" of the LOPDGDD (Organic Law on Personal Data Protection) provides:

"1.
The sanctions provided for in sections 4, 5, and 6 of Article 83 of Regulation (EU) 2016/679 shall be applied taking into account the grading criteria established in section 2 of the aforementioned article.

2. In accordance with the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

a) The ongoing nature of the infringement.
b) The connection between the infringer's activity and the processing of personal data.
c) The benefits obtained as a result of the infringement.
d) The possibility that the affected party's conduct could have led to the infringement.
e) The existence of a merger by absorption process subsequent to the infringement, which cannot be attributed to the absorbing entity.
f) The impact on the rights of minors.
g) Having, when not required, a data protection officer.
h) Voluntary submission by the controller or processor to alternative dispute resolution mechanisms in those cases where there are disputes between them and any interested party."

In the present case, considering the seriousness of the potential violations, paying special attention to the consequences their commission has on those affected, a fine would be appropriate. The fine imposed must be, in each individual case, effective, proportionate, and dissuasive, in accordance with the provisions of Article 83.1 of the GDPR. To guarantee these principles, SCHOOL FITNESS's turnover of €978,207 in 2023 is considered as a preliminary matter.

For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence currently available at the initiation of sanctioning proceedings, and without prejudice to the outcome of the investigation, it is considered appropriate to grade the sanction to be imposed according to the following circumstances, contemplated in the aforementioned provisions.
As a preliminary matter, the following circumstances are deemed to be present:

- The nature, severity, and duration of the violation, taking into account the nature, scope, or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damages and losses they have suffered (Article 83.2, letter a), of the GDPR). In the present case, the violation committed is of considerable seriousness, as it entails the possibility of immediate and wide-ranging dissemination, taking into account that it can be accessed by anyone.

Likewise, the following grading factors are considered aggravating factors:

- The connection between the offender's activity and the processing of personal data (Article 76.2, letter b) of the LOPDGDD): SCHOOL FITNESS is the parent company of a group of companies dedicated to gym activities that, in order to carry out their activity, require continuous processing of personal data. SCHOOL FITNESS, as a result of its business activity, routinely and continuously processes the personal data of a large number of interested parties, which necessarily involves processing the personal data of its individual clients. Thus, the infringement occurs within the framework of the processing of personal data, in the present case, consisting of the recording and publication of images and videos to promote the trademark, which it routinely carries out.

The balance of the circumstances contemplated in Article 83.2 of the GDPR and 76.2 of the LOPDGDD, with respect to the infringement committed by violating the provisions of Article 5.1.e) of the GDPR, allows for the initial imposition of an administrative fine of €15,000 (fifteen thousand euros).

X Breach of obligation. Data Processor

The provisions regarding the data processor are set out in Article 28 of the GDPR, which stipulates the following:

"1.
Where processing is carried out on behalf of a controller, the controller shall only choose a processor that offers sufficient guarantees to implement appropriate technical and organizational measures to ensure that the processing complies with the requirements of this Regulation and ensures the protection of the rights of the data subject.

2. The processor shall not use another processor without the prior written authorization, whether specific or general, of the controller. In the latter case, the processor shall inform the controller of any planned changes to the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

3. Processing by the processor shall be governed by a contract or other legal instrument, in accordance with Union or Member State law, which binds the processor to the controller and sets out the subject matter, duration, nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller.
Such contract or legal instrument shall stipulate, in particular, that the processor shall:

a) process the personal data only on documented instructions from the controller, including with respect to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which the processor is subject; in such case, the processor shall inform the controller of this legal requirement prior to processing, unless such law prohibits processing on important grounds of public interest;
b) ensure that persons authorized to process personal data have committed themselves to confidentiality or are subject to a statutory obligation of confidentiality;
c) take all necessary measures in accordance with Article 32;
d) comply with the conditions set out in paragraphs 2 and 4 for using another processor;
e) assist the controller, taking into account the nature of the processing, through appropriate technical and organizational measures, where possible, to enable the controller to fulfill its obligation to respond to requests exercising the data subject's rights set out in Chapter III;
f) assist the controller in ensuring compliance with the obligations set out in Articles 32 to 36, taking into account the nature of the processing and the information available to the processor;
g) at the controller's discretion, erase or return all personal data once the provision of the processing services has ended, and erase existing copies unless the retention of the personal data is required by Union or Member State law;
h) make available to the controller all necessary information to demonstrate compliance with the obligations set out in this Article, as well as enable and contribute to the performance of audits, including inspections, by the controller or another auditor authorized by the controller.
With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other data protection provisions of the Union or of the Member States.

4. Where a processor uses another processor to carry out certain processing activities on behalf of the controller, the same data protection obligations shall be imposed on that other processor, by means of a contract or other legal act established under Union or Member State law, as those stipulated in the contract or other legal act between the controller and the processor referred to in paragraph 3, in particular the provision of sufficient guarantees for the implementation of appropriate technical and organizational measures to ensure that the processing complies with the provisions of this Regulation. If that other processor fails to comply with its data protection obligations, the original processor shall remain fully liable to the controller for compliance with the other processor's obligations.

5. The processor's adherence to a code of conduct approved pursuant to Article 40 or a certification mechanism approved pursuant to Article 42 may be used as evidence of the existence of the sufficient safeguards referred to in paragraphs 1 and 4 of this Article.

6. Without prejudice to the conclusion by the controller and the processor of an individual contract, the contract or other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on the standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they form part of a certification granted to the controller or processor in accordance with Articles 42 and 43.

7. The Commission may establish standard contractual clauses for the matters referred to in paragraphs 3 and 4 of this Article, in accordance with the examination procedure referred to in Article 93(2).

8.
A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraphs 3 and 4 of this Article, in accordance with the consistency mechanism referred to in Article 63.

9. The contract or other legal act referred to in paragraphs 3 and 4 shall be in writing, including electronic format.

10. Without prejudice to Articles 82, 83, and 84, if a data processor infringes this Regulation by determining the purposes and means of processing, it shall be considered a data controller with respect to that processing."

As detailed in Legal Basis III of this initiation agreement, to which we refer for the sake of brevity, this Agency analyzed the facts to elucidate the true role of SCHOOL FITNESS and HOLIDAY FIT TRES CANTOS regarding the recording and publication of images and videos of the gym's clients on the website and social media in order to promote the trademark. It concluded that SCHOOL FITNESS was actually the data controller for those images and videos, while HOLIDAY FIT TRES CANTOS acted as a data processor. However, this is not reflected in the documents governing the relationship between both entities, nor, consequently, do they include the requirements of Article 28.3 of the GDPR.

The erroneous attribution of the roles of data controller and data processor entails a lack of clear attribution of responsibilities between the two entities, preventing the data controller from fulfilling the obligations imposed by the GDPR to ensure proper protection of the personal data processed on its behalf in relation to the control of the delivery process it carries out.
On the other hand, from the perspective of the data subjects whose data are being processed, this omission also has consequences: the contract between the data controller and its data processor is an element that not only legally articulates the relationship between the two parties (data controller and data processor) but also fulfills a function of guaranteeing the rights and freedoms of the data subjects. In this regard, the contract for the processing operation subject to this sanctioning procedure must provide, among other aspects, that:

- The data will only be processed in accordance with a double guarantee for the data subjects: existence of documented instructions by the controller and the obligation of the processor to process the personal data by following these instructions.
- The processor's employees who process the personal data of the data subjects must respect confidentiality.
- The processor must take all necessary measures in accordance with Article 32 of the GDPR.
- The processor may not use another processor without the controller's prior written authorization, whether specific or general.
- The processor has the obligation to delete or return the personal data to the controller once the provision of the processing services has ended, and to delete existing copies unless the retention of the personal data is required under Union or Member State law.

In conclusion, this contract regulates and directs how the relationship between the data controller and its data processor will be developed, with the clear objective of providing adequate protection of the rights and freedoms of the data subjects whose data are being processed. This has not occurred in the relationship between SCHOOL FITNESS and HOLIDAY FIT TRES CANTOS regarding the recording and publication of images and videos of the gym's clients on the website and social media to promote the brand.
Therefore, based on the evidence currently available regarding the agreement to initiate sanctioning proceedings, it is considered that the known facts could constitute an infringement, attributable to SCHOOL FITNESS, for violating Article 28 of the GDPR.

XI Classification of the violation of Article 28 of the GDPR and classification for the purposes of limitation

Article 83.4 of the GDPR classifies the violation of the following articles as an administrative offense. The penalties, in accordance with paragraph 2, shall be administrative fines of up to EUR 10,000,000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual global turnover of the preceding financial year, whichever is higher: a) "the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42, and 43;"

For its part, the LOPDGDD (Organic Law on the Protection of Personal Data) in its Article 71, Infractions, states that: "The acts and conduct referred to in sections 4, 5, and 6 of Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this Organic Law, constitute infringements."

For the sole purpose of the statute of limitations, Article 73 of the LOPDGDD establishes the following: "In accordance with the provisions of Article 83.4 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein, and in particular the following, are considered serious and will be subject to a two-year statute of limitations: (…) k) Entrusting data processing to a third party without prior formalization of a contract or other written legal act with the content required by Article 28.3 of Regulation (EU) 2016/679."

XII Proposed sanction for violation of Article 28 of the GDPR

In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the GDPR must be observed, which state:

“1.
Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article for violations of this Regulation indicated in paragraphs 4, 9, and 6 are effective, proportionate, and dissuasive in each individual case.

2. Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures provided for in Article 58, paragraph 2, letters a) to h) and j). When deciding whether to impose an administrative fine and its amount in each individual case, due account shall be taken of:

a) the nature, gravity, and duration of the infringement, taking into account the nature, scope, or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damage suffered by them;
b) the intentionality or negligence of the infringement;
c) any measures taken by the controller or processor to mitigate the damage suffered by data subjects;
d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures they have implemented pursuant to Articles 25 and 32;
e) any previous infringements committed by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the manner in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent;
i) where measures referred to in Article 58(2) have been previously ordered against the controller or processor concerned in relation to the same matter, compliance with those measures;
j) adherence to codes of conduct pursuant to Article 40 or certification mechanisms approved pursuant to Article 42; and
k) any other aggravating or
mitigating factors applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.”

For its part, Article 76 "Sanctions and Corrective Measures" of the LOPDGDD provides:

"1. The sanctions provided for in sections 4, 5, and 6 of Article 83 of Regulation (EU) 2016/679 shall be applied taking into account the grading criteria established in section 2 of the aforementioned article.

2. In accordance with the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

a) The continuous nature of the infringement.
b) The connection between the offender's activity and the processing of personal data.
c) The benefits obtained as a result of committing the infringement.
d) The possibility that the affected party's conduct could have induced the commission of the violation.
e) The existence of a merger by absorption process subsequent to the commission of the violation, which cannot be attributed to the acquiring entity.
f) The violation of the rights of minors.
g) Having, when not mandatory, a data protection officer.
h) Voluntary submission by the controller or processor to alternative dispute resolution mechanisms in those cases where there are disputes between them and any interested party."

In the present case, considering the seriousness of the potential violations, paying special attention to the consequences their commission has on those affected, a fine would be appropriate. The fine imposed must be, in each individual case, effective, proportionate, and dissuasive, in accordance with the provisions of Article 83.1 of the GDPR. To guarantee these principles, SCHOOL FITNESS's turnover of €978,207 in 2023 is considered as a preliminary matter.
For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence currently available, and without prejudice to the outcome of the investigation, the following shall be considered:
The Court considers that the sanction to be imposed should be graded according to the following circumstances, contemplated in the aforementioned provisions. As a preliminary matter, the following circumstances are deemed to exist:
- The nature, severity, and duration of the violation, taking into account the nature, scope, or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damages and losses they have suffered (Article 83.2, letter a) of the GDPR): In the present case, the violation committed is of considerable severity, as it would affect HOLIDAY FIT TRES CANTOS clients who appeared in the images and videos that this gym sent to SCHOOL FITNESS, up to the present.
Likewise, the following grading factors are considered aggravating factors:
- The connection between the offender's activity and the processing of personal data (Article 76.2, letter b) of the LOPDGDD): SCHOOL FITNESS is the parent company of a group of companies dedicated to gym activities that, in order to carry out their activity, require continuous processing of personal data. SCHOOL FITNESS, as a result of its business activity, routinely and continuously processes the personal data of a large number of interested parties, which necessarily involves processing the personal data of its clients. Thus, the infringement occurs within the framework of the processing of personal data, in the present case, consisting of the recording and publication of images and videos to promote the trademark, which it routinely carries out.
The balance of the circumstances contemplated in Article 83.2 of the GDPR and Article 76.2 of the LOPDGDD, with respect to the infringement committed by violating the provisions of Article 6.1 of the GDPR, allows for the initial imposition of an administrative fine of €6,000 (six thousand euros).
XIII Corrective Measures
If the infringement is confirmed, the resolution issued may establish the corrective measures that the offending entity must adopt to end the non-compliance with personal data protection legislation, in this case Articles 6.1 of the GDPR, 5.1.e) of the GDPR, and 28 of the GDPR, in accordance with the provisions of the aforementioned Article 58.2.d) of the GDPR, according to which each supervisory authority may "order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period...". Thus, the responsible entity may be required to bring its actions into compliance with personal data protection regulations, within the scope expressed in the previous Legal Basis. This document establishes the alleged violation committed and the facts that could lead to this potential breach of data protection regulations. From this, it is clear which measures are to be adopted, without prejudice to the sanctioned party's responsibility to implement the specific procedures, mechanisms, or instruments. The data controller is fully familiar with its organization and must decide, based on proactive responsibility and a risk-based approach, how to comply with the GDPR and the LOPDGDD.
However, in this case, regardless of the foregoing, in accordance with the evidence currently available regarding the agreement to initiate sanctioning proceedings, the resolution adopted may require SCHOOL FITNESS to adopt the following measures within 6 months from the date of the executive order finalizing this procedure:
- Prove that the measures have been adopted to ensure that the recording and publication of images and videos of HOLIDAY FIT TRES CANTOS gym clients are carried out with an adequate legal basis, and delete the content that has been subject to this processing operation without such a legal basis.
- Prove that the necessary measures have been adopted to ensure compliance with the provisions of Article 5.1.e) of the GDPR.
- Proof of the execution of the corresponding data processing contract with HOLIDAY FIT TRES CANTOS, S.L.
The imposition of these measures is compatible with the sanction of an administrative fine, as provided in Article 83.2 of the GDPR. Please note that failure to comply with the possible order to adopt measures imposed by this body in the resolution of this sanctioning procedure may be considered an administrative infraction pursuant to the provisions of the GDPR, classified as an infraction in Articles 83.5 and 83.6 thereof. Such conduct may lead to the opening of a subsequent administrative sanctioning procedure. Likewise, it is recalled that neither the recognition of the infringement committed nor, where applicable, the voluntary payment of the proposed amounts exempts the applicant from the obligation to adopt the relevant measures to cease the conduct or correct the effects of the infringement committed, nor from the obligation to provide proof of compliance with this obligation to this Spanish Data Protection Agency.
Therefore, in accordance with the foregoing, by the Presidency of the Spanish Data Protection Agency, IT IS HEREBY AGREED:
FIRST: TO INITIATE SANCTIONING PROCEEDINGS against SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L., with NIF B82887514, for:
- The alleged infringement of Article 7 of the GDPR, as defined in Article 83.5 of the GDPR.
- The alleged infringement of Article 5.1.e) of the GDPR, as defined in Article 83.5 of the GDPR.
- The alleged violation of Article 28 of the GDPR, as defined in Article 83.4 of the GDPR.
SECOND: APPOINT D.D.D. as investigating judge and E.E.E. as secretary, indicating that they may be challenged, if applicable, in accordance with the provisions of Articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).
THIRD: INCORPORATE into the file, for evidentiary purposes, the claim filed by the complaining party and its documentation, as well as the documents obtained and generated by the Subdirectorate General of Data Inspection in the actions prior to the initiation of this sanctioning procedure.
FOURTH: THAT for the purposes provided for in Art. 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the appropriate sanction would be:
- For the alleged violation of Article 7 of the GDPR, as defined in Article 83.5 of the GDPR, an administrative fine of €15,000 (fifteen thousand euros).
- For the alleged violation of Article 5.1.e) of the GDPR, as defined in Article 83.5 of the GDPR, an administrative fine of €15,000 (fifteen thousand euros).
- For the alleged violation of Article 28 of the GDPR, as defined in Article 83.4 of the GDPR, an administrative fine of €6,000 (six thousand euros).
FIFTH: NOTIFY this agreement to SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L., with NIF B82887514, granting it a hearing period of ten business days to formulate its allegations and present any evidence it deems appropriate.
In your written statement of allegations, you must provide your NIF (Tax Identification Number) and the procedure number shown in the heading of this document.
In accordance with the provisions of Article 85 of the LPACAP, you may acknowledge your liability within the period granted for submitting allegations to this initiation agreement; this will result in a 20% reduction in the sanction to be imposed in this procedure. With the application of this reduction, the sanction would be set at €28,800 (twenty-eight thousand eight hundred euros), and the procedure would be resolved with the imposition of this sanction.
Likewise, you may, at any time prior to the resolution of this procedure, voluntarily pay the proposed sanction, which will result in a 20% reduction in its amount. With the application of this reduction, the penalty would be set at €28,800 (twenty-eight thousand eight hundred euros), and its payment would terminate the proceedings, without prejudice to the imposition of the corresponding measures.
The reduction for voluntary payment of the penalty is cumulative with the reduction applicable for acknowledgment of liability, provided that this acknowledgment of liability is made clear within the period granted for filing allegations at the opening of the proceedings. Voluntary payment of the amount referred to in the preceding paragraph may be made at any time prior to the resolution. In this case, if both reductions were to be applied, the penalty would be set at €21,600 (twenty-one thousand six hundred euros).
In any case, the effectiveness of either of the aforementioned reductions will be conditioned upon the express withdrawal or waiver of any action or appeal against the penalty in administrative proceedings.
For these purposes, if you choose either of them, you must send the General Subdirectorate of Data Inspection an express notification of your withdrawal or waiver of any administrative action or appeal against the penalty, indicating which of the two reductions you are choosing, or whether you are choosing both.
If you choose to voluntarily pay any of the amounts indicated above (€28,800 or €21,600), you must do so by depositing it into the account IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX) opened in the name of the Spanish Data Protection Agency at CAIXABANK, S.A., indicating in the account description the procedure reference number shown in the heading of this document and the reason for the reduction in the amount you are applying for.
Likewise, proof of payment must be sent to the Deputy Directorate General of Inspection, along with express notification of withdrawal or waiver of any administrative action or appeal against the sanction in order to continue with the procedure in accordance with the amount paid.
Finally, it is noted that, pursuant to Article 112.1 of the LPACAP, no administrative appeal may be filed against this act.
1479-290125
Olga Pérez Sanjuán
The Deputy Director General of Data Inspection, in accordance with Art. 48.2 LOPDGDD, due to vacancy in the position of President and Deputy President >>
SECOND: On March 11, 2025, SCHOOL FITNESS proceeded to pay the fine in the amount of €21,600.00, making use of the two reductions provided for in the initiation agreement transcribed above, which implies acknowledgment of liability in relation to the events referred to in the initiation agreement and its legal classification.
THIRD: The initiation agreement transcribed above indicated that, if the infringement was confirmed, it could be agreed that the controller would be required to adopt appropriate measures to bring its actions into compliance with the regulations mentioned in this act, in accordance with the provisions of the aforementioned Article 58.2 d) of the GDPR, according to which each supervisory authority may "order the controller or processor to ensure that processing operations comply with the provisions of this Regulation, where appropriate, in a specific manner and within a specified period...". Having acknowledged responsibility for the infringement, the imposition of the measures included in the initiation agreement is appropriate.
LEGAL BASIS
I Jurisdiction
In accordance with the powers granted to each supervisory authority by Article 58.2 of Regulation (EU) 2016/679 (the General Data Protection Regulation, hereinafter GDPR) and as established in Articles 47, 48.1, 64.2, and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), the President of the Spanish Data Protection Agency is competent to resolve this procedure.
Similarly, Article 63.2 of the LOPDGDD establishes that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this Organic Law, by the regulatory provisions issued in its development, and, insofar as they do not contradict them, subsidiarily, by the general rules on administrative procedures."
II Termination of the Procedure
Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination of Sanctioning Procedures," provides the following:
"1. Once a sanctioning procedure has been initiated, if the offender acknowledges responsibility, the procedure may be terminated with the imposition of the appropriate sanction.
2. When the sanction is solely pecuniary in nature, or when a pecuniary sanction and a non-pecuniary sanction may be imposed, but the inadmissibility of the latter has been justified, voluntary payment by the alleged offender, at any time prior to the resolution, will entail the termination of the procedure, except with regard to restoring the altered situation or determining compensation for damages caused by the commission of the offense.
3. In both cases, when the sanction is solely monetary in nature, the competent body to resolve the procedure will apply reductions of at least 20% on the amount of the proposed sanction, which may be combined. These reductions must be specified in the notification of initiation of the procedure, and their effectiveness will be conditional on the withdrawal or waiver of any administrative action or appeal against the sanction. The percentage reduction provided for in this section may be increased by regulation."
III Voluntary Payment and Acknowledgment of Responsibility
In accordance with the provisions of the aforementioned Article 85 of the LPACAP, the notified initiation agreement provided information on the possibility of acknowledging responsibility and voluntarily paying the proposed penalty, which would entail two cumulative reductions of 20% each. With the application of these two reductions, the penalty would be set at €21,600.00, and its payment would imply the termination of the procedure, without prejudice to the imposition of the corresponding measures.
Following notification of the aforementioned initiation agreement, SCHOOL FITNESS has proceeded to acknowledge responsibility and voluntarily pay the penalty, availing itself of the two proposed reductions.
In accordance with section 3 of Article 85 of the LPACAP, the effectiveness of the aforementioned reductions will be conditional on the withdrawal or waiver of any administrative action or appeal against the penalty.
It should be noted that, in accordance with the provisions of the LPACAP, as well as the Supreme Court's jurisprudence on this matter, the exercise of voluntary payment by the alleged liable party does not exempt the administration from the obligation to resolve and notify all proceedings, regardless of their initiation. Similarly, Article 88 of the aforementioned law establishes that the resolution that concludes the proceedings will decide all issues raised by the interested parties and any other issues arising from them.
Therefore, in accordance with applicable legislation and having assessed the criteria for graduating sanctions, the Presidency of the Spanish Data Protection Agency RESOLVES:
FIRST: TO DECLARE the commission of the violations and CONFIRM the sanctions determined in the operative section of the initiation agreement transcribed in this resolution. The sum of the aforementioned amounts results in a total of €36,000.00. After SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L. has made prompt payment and acknowledged liability, pursuant to Article 85 of the LPACAP, the aforementioned total is reduced by 40%, resulting in the final amount of €21,600.00. The effectiveness of the aforementioned reductions is conditioned, in all cases, on the withdrawal or waiver of any administrative action or appeal.
SECOND: DECLARE the termination of procedure EXP202309454, in accordance with the provisions of Article 85 of the LPACAP.
THIRD: ORDER SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L. to notify the Agency, within 6 months of this resolution becoming final and enforceable, of the adoption of the measures described in the legal grounds of the initiation agreement transcribed in this resolution.
FOURTH: NOTIFY SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L. of this resolution.
FIFTH: In accordance with the provisions of Article 85 of the LPACAP, which conditions the reduction for voluntary payment and acknowledgment of liability on the withdrawal or waiver of any action or appeal in administrative proceedings, this resolution will become final in administrative proceedings and fully enforceable upon notification.
In accordance with the provisions of Article 50 of the LOPDGDD, this resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative proceedings as provided for in Art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of Article 25 and Section 5 of the Fourth Additional Provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46.1 of the aforementioned Law.
However, in accordance with the provisions of Article 90.3.a) of the LPACAP, the Agency may provisionally suspend the final administrative decision if the interested party expresses their intention to file an administrative appeal. If this is the case, the interested party must formally notify this fact in writing to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in Article 16.4 of the aforementioned Law 39/2015, of October 1. They must also forward to the Agency the documentation proving the effective filing of the administrative appeal.
If the Agency does not become aware of the filing of the administrative appeal within two months from the day following notification of this resolution, it will terminate the provisional suspension.
1259-260325
Lorenzo Cotino Hueso
President of the Spanish Data Protection Agency