AEPD (Spain) - PS/00135/2020: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name= PS/0...")
 
 
(One intermediate revision by one other user not shown)
Line 56: Line 56:
Following a complaint from the  Madrid City Council's Health Services Bureau, the Spanish DPA imposed a fine on a gym center for the abusive clauses in the contracts with its clients, which did not comply with the duty to inform the affected person about the treatment of his/her personal data in accordance with Article 13 GDPR.
Following a complaint from the  Madrid City Council's Health Services Bureau, the Spanish DPA imposed a fine on a gym center for the abusive clauses in the contracts with its clients, which did not comply with the duty to inform the affected person about the treatment of his/her personal data in accordance with Article 13 GDPR.


== English Summary ==
==English Summary==


=== Facts ===
===Facts===
The gym center had already been required by the Spanish DPA to make the necessary adjustments in its contracts to respect the GDPR requirements. One year and 5 months after the Madrid City Council's Health Services Bureau required the entity, twice, to modify the abusive clauses contrary to data protection regulations and 8 months after this Agency first requested their modification, the entity started to proceed to modify the contracts and some old clauses in breach of the GDPR were still active.
The gym center had already been required by the Spanish DPA to make the necessary adjustments in its contracts to respect the GDPR requirements. One year and 5 months after the Madrid City Council's Health Services Bureau required the entity, twice, to modify the abusive clauses contrary to data protection regulations and 8 months after this Agency first requested their modification, the entity started to proceed to modify the contracts. Some old clauses in breach of the GDPR were still active.


=== Dispute ===
===Dispute===




=== Holding ===
===Holding===
The Spanish DPA imposed a fine of EUR 5000 to the gym center for the omission of the duty to inform the affected person about the treatment of his/her personal data in accordance with Article 13 GDPR. The center proceeded to the payment of 3000 euros, amount resulting from the reduction by voluntary payment and recognition of the facts (after waiving a further appeal against the DPA's decision).
The Spanish DPA imposed a fine of EUR 5000 on the gym for the omission of the duty to inform the affected person about the treatment of their personal data in accordance with Article 13 GDPR. The center paid EUR 3000; the reduction was given because of voluntary payment and acknowledging the facts (after waiving a further appeal against the DPA's decision).


== Comment ==
==Comment==
''Share your comments here!''
''Share your comments here!''


== Further Resources ==
==Further Resources==
''Share blogs or news articles here!''
''Share blogs or news articles here!''


== English Machine Translation of the Decision ==
==English Machine Translation of the Decision==
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.



Latest revision as of 14:04, 13 December 2023

AEPD - PS/00135/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 13 GDPR
Article 55 GDPR
Article 58(2) GDPR
Article 83(2) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 3000 EUR
Parties: SCHOOL FITNESS HOLIDAY & FRANCHISING,
AYUNTAMIENTO DE MADRID - UNIDAD DE CONSUMO
National Case Number/Name: PS/00135/2020
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: Agencia Española de Protección de Datos (in ES)
Initial Contributor: Silvia López Arnao

Following a complaint from the Madrid City Council's Health Services Bureau, the Spanish DPA imposed a fine on a gym center for the abusive clauses in the contracts with its clients, which did not comply with the duty to inform the affected person about the treatment of his/her personal data in accordance with Article 13 GDPR.

English Summary

Facts

The gym center had already been required by the Spanish DPA to make the necessary adjustments in its contracts to respect the GDPR requirements. One year and 5 months after the Madrid City Council's Health Services Bureau required the entity, twice, to modify the abusive clauses contrary to data protection regulations and 8 months after this Agency first requested their modification, the entity started to proceed to modify the contracts. Some old clauses in breach of the GDPR were still active.

Dispute

Holding

The Spanish DPA imposed a fine of EUR 5000 on the gym for the omission of the duty to inform the affected person about the treatment of their personal data in accordance with Article 13 GDPR. The center paid EUR 3000; the reduction was given because of voluntary payment and acknowledging the facts (after waiving a further appeal against the DPA's decision).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

DECISION R/00301/2020 ON TERMINATION OF PROCEEDINGS FOR PAYMENT
VOLUNTEER
In sanction procedure PS/00135/2020, conducted by the Agency
Spanish Data Protection Agency to SCHOOL FITNESS HOLIDAY & FRANCHISING,
S.L.U., having regard to the complaint lodged by the CITY COUNCIL OF MADRID - UNIT OF
CONSUMPTION, and based on the following,
BACKGROUND
FIRST: On June 16, 2020, the Director of the Spanish
Data Protection agreed to start sanctioning procedure against SCHOOL FITNESS
HOLIDAY & FRANCHISING, S.L.U. (hereinafter, the Respondent), by means of the
that is transcribed:
<<
Procedure No.: E/00135/2020
935-240719
AGREEMENT TO INITIATE DISCIPLINARY PROCEEDINGS
Of the actions carried out by the Spanish Data Protection Agency before
SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L. with CIF: B82887514, (in
hereinafter referred to as "the respondent"), pursuant to the claim made by the
MADRID CITY COUNCIL (HEALTH SERVICES AND
CONSUMPTION) (hereinafter referred to as "the Claimant"), and on the basis of the following:
FACTS
The Madrid City Council's Health Services and Consumer Affairs Department has
Two letters of complaint were sent to this Agency against the entity claimed by the
same facts. These two writings have led to the opening, in this Agency, of
two investigation files: E/0065/2019 and E/3498/2019.
A) With regard to Procedure E/0065/2019:
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
2/22
FIRST: On 26/11/18, it was entered into this Agency in writing by
the claimant, which, among other things, indicated
"Inspection visits were made by the Technical Services for Quality and Consumption at
establishment and reference holder on 16/04/18 and 09/05/18, was noted and
required the commercial company issued for the purpose of correcting irregularities of
unfair terms in the contract presented, in particular in the following terms:
(...) NINTH: All members are obliged to show their ID card to
requirements of the centre's employees, both at the entrance and during
your stay on the premises. Non-observance of this rule will make it impossible to
access to or stay in the gymnasium until this is remedied
requirement. Upon acceptance of the contract, each member will be required to read
the biometric parameters of your fingerprint that will be used for
acceptance of it and later for its entry and exit from the centres,
through the mechanism provided for this purpose. In accordance with Article 5(1) of
Law 15/1999, the member is informed that the data corresponding to the employer
The biometrics to be provided will be included in an automated file called
"customers and suppliers" that will be used for access by users of the
gymnasium and that in no case will be given to third parties. The reading of the data
The biometrics do not involve the recording of the fingerprint and the data obtained are not
in no way treatable as a fingerprint. The obligation to show the ID card,
without specifying valid reasons for requiring the employees, when for
acceptance of the contract and for the entry and exit of the centres the
reading the biometrics,
(...) TWELVE: By signing this contract the partner grants
authorisation for the company to use all the
images, photographs, videos, voice files, graphic material, etc., (in
the images) in which it is involved, or part of them, and include
your data in a file duly registered with the Spanish Agency of
Data Protection, in accordance with the provisions of the Organic Law
15/1999 of 13 December on the Protection of Personal Data.
Likewise, the partner authorizes the communication or transfer of the images to
persons whom the company deems appropriate, for the same purpose indicated
in the previous section, expressly informing you that in some cases
international data transfers shall be carried out for such assignment. At
These data may be communicated to third parties, without any
additional consent on your part, provided that this communication is limited
to this end. 
The partner grants this authorization with a wide territorial and temporal scope,
so the company may use the images, or part of them, in
all the Spanish territory and in all the countries of the world without limitation
geographical location of any kind. The partner grants this authorization for the
use of the images in which it appears, or part of them, in the
scope and purposes of both communication and dissemination of the activity of the
company. as of any other project, understood this one in its most
The aim of the project is to promote the development of a wide range of activities, including, but not limited to, the promotion of
the company's activities, in its own centres, its website and in
any other means that the company considers, and can be exploited in
all the means known at present and those that could be developed
in the future, all with the sole exception and limitation of those
uses or applications that could be detrimental to the right to honour, morality
and public order, as provided for in the legislation in force in each
country.
This authorization is understood to be given free of charge. The partner exempts
the company expressly disclaims all liability for any use that
can make a third of the images, outside the territorial scope.
material object of this contract. The right of image is regulated in
Organic Law 1/1982. of 5 May. on civil protection of the right to
Honor. to personal and family intimacy and to one's own image. All of them in case
are fundamental rights protected in Article 18(1) of the
Spanish Constitution. These are inalienable, unrenounceable and
imprescriptible. The indispensable principle for the
treatment of the image, the express and unequivocal consent of the owner
to obtain, reproduce or publish by any means or medium the image of
a person. Art. 2.2, Art. 6 LO 1/1982 the holder of the right has granted the
effect their express consent". Clause between the general condition that
does not allow the express and unequivocal consent of the image owner
(lack of transparency), not being expressed formally and explicitly. Clause
The treatment of one's own image is linked to the will of the
employer, Art. 85.3 TRLGDCU, which imposes with the exemption of
liability to the company. the waiver or limitation of the
consumer and user, Art. 86.7 TRLGDCU, which imposes the declarations of
acceptance or conformity or adherence of the consumer to a consent
of which he has not had the opportunity to take real knowledge of his
rights and the consequences of such declarations or the consequences of such
can affect. Art. 89.1 TRLGDCU. The responsible body being the AEPD,
60 gives you a copy of the present conditioned to the effect of the
appropriate actions within the scope of its competences.
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
4/22
THIRTEENTH: In accordance with the provisions of Organic Law 15/1999 of
Protection of Personal Data (LOPD), the data provided by the
partner, including those corresponding to the biometric pattern, will be
incorporated to! file "clients and suppliers" whose holder is SCHOOL
FITNESS HOLIDAY FRANCHISING S.L.U., domiciled in Las Rozas
(28290) Las Rozas, Madrid, calle Rozabella nº 6. Europa Business Park.
For this purpose, the data provided by the partner/& is considered to be
certain... The biometric pattern data
FOURTEENTH: The partner authorizes the company to assign its rights and
obligations to a third party. This assignment shall not alter the
rights and obligations of the partners".
SECOND: In accordance with article 65.4 of the Organic Law 3/2018, of 5
December, on Personal Data Protection and guarantee of the digital rights that
has provided for a mechanism, prior to the admission of the complaints to be
to the Spanish Data Protection Agency, consisting of transferring
to the Data Protection Delegates appointed by the persons responsible or
the processors, or to them when they have not been designated, with a date
09/01/19 the claim submitted to the claimed entity was transferred to
to proceed with its analysis and to respond to the complainant and this Agency.
THIRD: On 22/02/19, this Agency received a written statement of allegations,
submitted by the entity in question, in which it set out, inter alia, the following:
"Condition adapted to data protection regulations. In the request for information we are asked to modify clauses nine, twelve, thirteen and fourteen to adapt them to Regulation 679/2016 of 27 April
(RGPD). In compliance with the requirements, we have proceeded to modify said conditions and to adapt them to the regulations in force. In proof of this we send you as
DOC 1 of this writing copies the conditionals in their new terms.
To give greater protection and security to the customer and ensure that acceptance is free,
voluntary, informed and unambiguous of the specific processing of their data, a specific annex has been introduced in addition to the amendments to the clause called
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
5/22
"data protection sheet" which is signed by all new registrations whether they are face-to-face
or via the web. A copy of this form is attached as DOC 2.
In relation to existing contracts and for their adaptation to the new regulations
have adopted the following measures, which are currently being implemented
due to the volume of customers: (iii) Subscription of annex communicating the change
of the conditions of the contract relating to data protection and communication of information
of data protection. It is being carried out on a face-to-face basis in the gyms. Referral of electronic communication to all clients informing them of the need to
to expressly accept the consent for the processing of your data. Personal request to subscribers by means of access control (lathes) for the subscription of the "Data Protection" file and collection of their signature either on paper or on tablet support. All measures are in the implementation phase and will take some time to be fully effective since: The campaign of
mailing has been poorly received by subscribers Not all subscribers go to
to the gym every day."
FOURTH: Dated 01/03/19, by the Director of the Spanish Agency of
Data Protection, a decision was taken to close the proceedings in the framework of the file, E/0065/2019, considering that it was not appropriate to initiate a sanctioning procedure since the complaint presented by the respondent had been dealt with.
A) With regard to Procedure E/03498/2019
FIFTH: On 26/09/19, the second document submitted by the complainant entered into this Agency, which resulted in the opening of file E/3498/2019 in
which, among other things, was indicated:
It is verified in these last inspections that the issued commercial continues
issuing with the consumers and would use the same and identical predisposed contract, as the reasoned alleged violation of the recognized rights of data protection in the campaign of inspection and Control of Gyms 2018.
Received the letter from the AEPD dated 01.03.19, which informs of the
The commercial company will correct the conditions and adopt corrective measures in the areas of its competence, resolving the issue of the filing of actions. This Consumer Unit must proceed to inform again
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
6/22
the AEPD of what was found in the supply of information by the reported company
inaccurate or false and failure to comply with remedial requirements.
Having studied the file, originated by the actions of the Technical Services of
Quality and Consumption Inspection of this Latino District in the 2019 Gymnasium Inspection and Control Campaign, and the documentation attached to it, is checked
that the expedited merchant continues to issue with consumers and
the same predisposed contract as the one that is the reason for the inhibition in the
Inspection and Control Campaign for Gyms 2018, for the inclusion of clauses
abusive in the terms of the contract presented to the file, according to the Royal
Legislative Decree 1/2007, of 16 November, approving the Consolidated Text of the
General Law for the Defense of Consumers and Users and other complementary laws (TRLGDCU), according to the analysis of the Districts and evaluation of the institute
Municipal Consumption.
SIXTH: In accordance with article 65.4 of the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the guarantee of digital rights that
has provided for a mechanism, prior to the admission of the complaints to be
to the Spanish Data Protection Agency, consisting of transferring
to the Data Protection Delegates appointed by the persons responsible for or in charge of the processing, or to the latter when they have not been appointed, on 24/10/19,
The complaint was forwarded to the entity in question for analysis and response to the complainant and this Agency.
SEVENTH: On 26/11/19, this Agency received a written statement of allegations, presented by the entity complained of, in which it set out, among other things, the following
"On February 20, 2019 this company replied to the Subdirectorate General of
Inspection of the AEPD reporting that we had proceeded to the adaptation of the
We will send you a copy of the new conditions together with the data protection sheet and we will communicate the measures taken.
that we had adopted and that these were in the implementation phase.
Specifically, we explained that specific actions were being carried out
and the time required to do so indicating that:
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
7/22
In relation to existing contracts and for their adaptation to the new regulations
have adopted the following measures, which are currently being implemented
due to the volume of customers:
- Signing of an addendum communicating the modification of the conditions of the contract regarding data protection and communication of the protection sheet
of data. It's being conducted on-site at the gyms.
- Electronic communication is sent to all clients informing them of the
need to expressly accept consent for the treatment of
your data.
- Personal request to subscribers through access control (volumes) for the subscription of the card, "Data Protection" and collection of your
sign either on paper or on tablet
All measures are in the implementation phase and will take some time to be fully effective as the mailing campaign has been poorly received
by the subscribers Not all subscribers come to the gym every day. The control
in lathes is done in blocks of people to avoid collapsing accesses.
The adaptation works that have been carried out between February 2019
and current events are as follows:
- Modification of the clauses on the website for online contracting - > We have proceeded to modify the clauses of the general conditions and the
data protection on the website so that online recruitment is
equipped with all the guarantees and adapted to the new regulations. We accompany screen capture as DOC 2.
- Acquisition of all new tablets with the appropriate software for the capture of signature of new subscribers and the capture of signature of subscribers who already had contract by subscription of annex to the main contract.
We accompany invoices for the new tablets as DOC 3
- Cloud software implementation on central storage server with
secure communication between the administrative centre and the operational centres (a
total of twenty gyms). We accompany the invoice of the computer consultant
which updates the management software as DOC 4
As of today, we can certify that the implementation campaign has been completed in
all its phases successfully, both in central services and in each of the VEINC/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
8/22
TE (20) HOLIDAY GYM gymnasiums. 
It is worth noting in this report our surprise to see that the complainant has
was the Consumer Department of the Madrid City Council, from its
Aluche. And we say this because our company is in communication with the Department of Consumer Affairs of Madrid City Council Chamartin district located in Calle del
Príncipe de Vergara nº 140 to whom we have gone precisely to ask for help
so as not to breach any legal obligations in the field of consumer protection.
We can say that part of the process of implementing the new conditions has been to hold meetings with people from that Department of Consumption in the Chamartin district, who have helped us to specify much better the
terms and conditions to avoid that our company is committing irregularities or infringements in this matter.
It should be noted that on November 5, 2019, we held a meeting with
to inform them of this unpleasant situation and to indicate to us the
timely guidelines in case we were committing any irregularities. In particular, to
This meeting was attended by the Technical Advisor coordinating the 21 districts of
Madrid, the Head of the Unit of Sanctioning Procedures, the
Prince of Vergara District Consumption and Holiday Gym Representatives.
Today we are waiting to receive the approval of the said Office
the contract that the AEPD signed on March 1, 2009, with the
2019 archived for agreeing to the proposed conditionality. In short, no
irregularity has been committed by this company, although we must acknowledge that the
implementation process has been slower than projected.
We have been asked to provide copies of the latest contracts from September 2019 and so
we provide, indicating that they do not meet the requirements because
are contracts signed in the gymnasium and as a result the software operating with the new system and conditions has not been operational until the end of October
2019. A copy of these contracts is enclosed as DOC 5.
To demonstrate that the company has properly implemented the new conditionC/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
9/22
We have attached as AOC 6 a copy of the last contracts signed in the month
November, where we can see that our obligations have been fulfilled.
In short, we assume the delay in implementation, but we demonstrate that we have fulfilled our obligations to adapt.
The following sections of the DCO 6 submitted with the pleading are checked:
"All members are obliged to identify themselves sufficiently at the request of the centre's employees, in order to be able to verify the identity, if applicable, of the member who has breached the rules. The
Failure to comply with this rule will make it impossible to access or remain in the
gymnasium as long as this requirement is not met. Upon acceptance of the contract
Each member who wishes to do so will be required to read the biometric parameters of his/her fingerprint that will be used for entry and exit from the centres, through the mechanism provided for this purpose. The member is informed that the data
corresponding to the biometric pattern provided will be used for the access of the users of the gym and that in no case will be given to third parties.
The reading of the biometric data does not imply the recording of the fingerprint and
The data obtained are in no way treatable as fingerprints.
(...) TWELVE. By signing this contract, the partner grants permission for the company to use all the images indiscriminately.
photographs, videos, voice files, graphic material, etc., (from now on the images) in which it intervenes, or is part of them. Likewise, the partner
authorizes the communication or transfer of the images to the persons that the company considers appropriate. with the same object indicated in the previous section, informing him expressly that in some cases for this transfer
will perform international data transfers. In particular, these data
may be communicated to third parties, without any additional consent by their
party, provided that this communication is limited to this purpose. The partner grants this authorization with a wide territorial and temporal scope, so that the
The company may use the images, or part of them, throughout the territory
and in all the countries of the world without geographical limitation of any
class. The partner grants this authorization for the use of the images in
those that appear. or part of them. in the field and purposes both of communication and dissemination of the company's activity, as well as any other
The project is understood in its broadest form, intended, inter alia, but not limited to the promotion of the company's activities, in its
The company's own centres, its website and any other media considered by the company, can be exploited in all the media known at present and those that may be developed in the future, with the sole exception and limitation of those uses or applications that may attempt to
right to honour, morals and/or public order, as provided for in
the legislation in force in each country. This authorization is understood to be made with
free of charge. As a consequence of the assignment, the member expressly exempts the company from any liability for any use that may
to make a third party of the images, outside the territorial, temporal and material scope of this contract. All this under the protection of the provisions of the Law
Organic Law 1/1982, of 5 May, on the Civil Protection of the Right to Honour, at
Personal and family intimacy and self image. as well as the RGPD and others
applicable data protection regulations.
THIRTEENTH: In accordance with the provisions of current regulations
in Personal Data Protection, the company informs that the
data of the partners will be incorporated into the processing system owned by
the company HOLIDAY M. OESTE, S.L, with registered office at Calle Rozabella, nº 6, 28290, Las Rozas de Madrid, Madrid, for the purpose of processing
of the clients' database, to facilitate the management and control of the services provided by HOLIDAY M. OSTE, S.L as well as for communications
commercial and promotional advertising. In compliance with the
In accordance with current legislation, the company informs that the data will be kept for the period of time strictly necessary ' to comply with the precepts mentioned above on the basis of legitimate interest. As long as the partner does not communicate the contrary, it will be understood that their data have not been modified, committing themselves to notify any variation and giving the company their consent to use them for the mentioned purposes. The company informs
that it will process the data in a lawful, fair, transparent, adequate, relevant, limited, accurate and up-to-date manner. It therefore undertakes to adopt
all reasonable steps to ensure that these are promptly removed or rectified where they are inaccurate. In accordance with your rights under the
current regulations on data protection, the partner may exercise the rights
access, rectification, treatment limitation, deletion, portability and
opposition to the processing of your personal data, as well as the consent given for the processing of the same, by addressing your request
to the legal department of HOLIDAY M. OESTE, SL. at the address Calle Rozabella, nº 6, 28290, Las Rozas de Madrid, Madrid, or to the e-mail
***EMAIL.1.You may also contact the competent Control Authority
to make any claim it deems appropriate in the event that
considers that its data protection rights are infringed (Regulation
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
11/22
EU 2016/679 of 27 April 2016).
The customer can expressly accept the use of the biometric register for access to the gymnasium. The biometric reading does not involve the recording of the fingerprint
and the data obtained are in no way treatable as fingerprints. In information technology (IT), "biometric authentication" or
"Computer biometrics" is the application of mathematical and statistical techniques to an individual's physical or behavioural traits for authentication, i.e. to "verify" his identity. The data will be used to fulfil the provision of services contracted by the partner, as well as
commercial management and the sending or communication of advertising or information of a commercial nature or satisfaction surveys by any means. At
If the member wishes to receive advertising or commercial information, he/she must check the box corresponding to the acceptance of the contract. The acceptance
of the contract implies the partner's consent to the communication of its
personal data to any company of the group HOLIDAY GYM. in order to allow the access to the gyms. in addition to the above mentioned purposes.
FOURTEENTH: The member authorizes the company to transfer its rights and obligations to a third party. By means of this cession the rights and obligations of the members will not be able to be modified".
EIGHTH: In view of the facts reported, in accordance with the evidence
the Data Inspection of this Spanish Agency for the Protection of
Data considers the above, does not comply with current regulations, so
that the present penalty proceedings should be initiated.
LEGAL GROUNDS
I
In accordance with the powers granted by Article 58.2 of Regulation (EU) 2016/679 of the
European Parliament and of the Council of 27 April 2016 on the protection of
natural persons with regard to the processing of personal data and the free
circulation of these data (RGPD), applicable from 25 May 2018, recoC/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
12/22
The Director of the Spanish Data Protection Agency is competent to settle this complaint in accordance with Article
12.2, sections i) and j) of Royal Decree 428/1993, of 26 March, which approves the Statute of the Data Protection Agency (RD 428/1993) and the
First transitory of the Organic Law 3/2018, of December 5, of Protection of Personal Data and guarantee of the digital rights (LOPDGDD).
In accordance with the provisions of Article 55 RGPD, the Spanish Data Protection Agency
Data Protection is competent to perform the functions assigned to it
in Article 57, including that of enforcing the Regulation and promoting
raising awareness of data controllers and processors about the
obligations incumbent upon them, as well as to deal with complaints submitted by a
and investigate the reason for them.
II
In the present case, it should be noted that, prior to the opening
of the present sanctioning file (PS/135/2020), had been previously processed
an investigative file for the same facts, in this Agency,
(E/0065/2019), during which time the entity in question was transferred for analysis and response. It was also requested to inform
of the measures they would take to avoid similar situations in the future.
The process of all the proceedings in the two cases has been as follows:
1.- On 16/04/18 and 09/05/18, the Technical Services for Quality and Consumption of the
The Madrid City Council made inspection visits to the complained entity, detecting a series of irregularities in the clauses of the contract that they were making with the clients and that were in breach of data protection regulations.
2.- On 26/11/18, the Technical Services of Quality and Consumption of the Madrid City Council notified this Agency of the facts detected in these inspections.
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
13/22
3.- On 09/01/19, this Agency requested the entity in question
information on the reported events.
4.- On 22/02/19, the entity complained of affirms that they had already modified the
Unfair terms in the contract with customers, in particular terms that have been denounced for not being adapted to the new RGPD (the ninth, twelfth, thirteenth and fourteenth).
5.- On 01/03/19, this Agency closed the preliminary investigation proceedings (E/0065/2019), considering that the request had been correctly dealt with.
On 26 September 19, this Agency received a new complaint from
of the Technical Services for Quality and Consumption of the Madrid City Council, indicating that in the last inspections carried out on the issued company, there had been
to check again that it continues to issue the same biased contract.
7.- On 24/10/19, this fact was transferred to the entity in question so that
to proceed with its analysis and to respond to this Agency.
On 26/11/19, this Agency received a written statement of allegations, submitted
by the entity in question, claiming that:
- In relation to the old contracts, already existing until February
2019, the clauses denounced were eliminated and a new
writing them. But its adaptation had not been completed in its entirety, since, as it was carried out in person, and due to the large number of members distributed among the 20 gyms that the entity has in the Community of Madrid, many of whom do not attend the centers regularly, this process was taking a long time.
In the contracts signed from February 2019 to October 2019, the entity claims that "they did not meet the requirements because the
operating software installed on the entity's computer network has not been
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
14/22
operational until the end of October 2019", which is the same date as the
receipt of the second request by this Agency.
- For contracts signed from November 2019 onwards, the following is provided
A copy of the same, being able to verify the modification of the denounced clauses and their adaptation to the new RGPD.
It is noted that the complained entity became aware of the irregularities in its contracts with customers in April/May 2018, through the minutes of
The inspection was carried out by the Madrid City Council's Health Services Department, which was also required to remedy the deficiencies and adapt the
terms that are abusive to current data protection regulations.
Later, in February 2019, this Agency required him to remedy
the irregularities detected. On that occasion, the claimed entity stated that,
He responded to the injunction and proceeded to eliminate the unfair terms reported and to
to draft new ones in accordance with the RGPD, but it is not until November
2019, after having received the second request from this Agency, (the
24/10/19), when, according to the entity, the new contracts are definitively implemented.
Consequently, one year and 5 months after the Madrid City Council's Health Services Department required the entity, twice, to modify the abusive clauses contrary to data protection regulations and 8 months
After this Agency first requested their modification, the entity complained of, proceeds to modify the contracts. If we add to this the fact that many of the old contracts, made before November 2019, with the old clauses are still active, the facts denounced are clearly contrary to those stipulated in the RGPD.
III
The facts set out could constitute an infringement, attributable to the
claimed, for violation of Article 13 of the GPRS, which establishes the
information to be provided to the person concerned at the time of collection of
your personal data, indicating in the same that:
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
15/22
"1. Where personal data relating to a data subject are collected, the
The person responsible for the processing, at the time when these are obtained, will provide
all the information below:
(a) the identity and contact details of the person responsible and, where appropriate, his
representative;
(b) the contact details of the Data Protection Officer, if any;
(c) the purposes of the processing for which the personal data are intended and the legal basis
of the treatment;
(d) where the processing is based on Article 6(1)(f), interest
legitimate of the person responsible or of a third party;
(e) the recipients or categories of recipient of the personal data, in their
case;
(f) where appropriate, the controller's intention to transfer personal data to a third party
country or international organization and the existence or absence of a
adequacy of the Commission, or, in the case of transfers indicated in the
Articles 46 or 47 or the second subparagraph of Article 49(1), reference to
adequate or appropriate safeguards and the means to obtain a copy of these or
to the fact that they're on loan.
In addition to the information mentioned in paragraph 1, the person responsible for the
processing shall provide the data subject, at the time the data are obtained
the following information necessary to ensure the processing of data
loyal and transparent:
(a) the period of time for which personal data are kept or, where not
possible, the criteria used to determine this deadline; 
(b) the existence of the right to ask the controller for access to the
personal data relating to the data subject, and the rectification or deletion of such data or their limitation
of their treatment, or to object to the treatment, as well as the right to portability
of the data;
(c) where the processing is based on Article 6(1)(a) or Article
9(2)(a) the existence of the right to withdraw consent in
at any time, without affecting the lawfulness of processing based on the
consent prior to withdrawal;
(d) the right to lodge a complaint with a supervisory authority;
(e) whether the communication of personal data is a legal or contractual requirement or a
requirement to enter into a contract, and whether the person concerned is obliged to provide
personal data and is informed of the possible consequences of not
provide such data;
 (f) the existence of automated decisions, including profiling, to be
referred to in Article 22(1) and (4) and, at least in such cases, information
The importance and consequences of the new system for the development of the
provided for such processing for the data subject.
Where the controller plans the further processing of data
for a purpose other than that for which they were collected, will provide the
information on that other purpose prior to such further processing
and any additional relevant information within the meaning of paragraph 2.
4.The provisions of paragraphs 1, 2 and 3 shall not apply when and where the
insofar as the information is already available to the person concerned'.
On the other hand, Article 72.1.h) of the LOPDGDD, considers very serious, for the purposes of
the omission of the duty to inform the affected person about the treatment of
your personal data in accordance with Articles 13 and 14 of the GPRS'.
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
17/22
In accordance with the above-mentioned precepts, and without prejudice to the
instruction of the procedure, for the purpose of fixing the amount of the penalty to be imposed in
in this case, it is considered that the penalty to be imposed should be graduated in accordance with
with the following criteria established by Article 83.2 of the RGPD:
a).- As aggravating criteria:
- The nature, gravity and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation concerned,
as well as the number of stakeholders affected and the level of damage and
damages they have suffered. In our case, the claimed entity was aware
from May 2018, through the City Council inspections
the existence of abusive terms in the contract he signed with
customers (section a).
- Intentionality or negligence in the infringement. In the present case we are
in the event of negligent action, since it is not until the second requirement of this
Agency, when the entity complained of modifies the clauses contrary to the
new RGPD, (paragraph b).
- The categories of personal data affected by the infringement.
The data processed are of a markedly personal nature and therefore
person identifiers, (section g).
- The manner in which the supervisory authority became aware of the infringement. The
The way in which this AEPD has been made aware of has been through the communication
of the infringement by the Madrid City Council, (section h).
(b) As mitigating criteria:
- Measures taken by the controller or processor to mitigate
the damages suffered by the parties concerned, since it has been found that
modified the contract adapting it to the current RGPD, (section c).
The non-existence of a previous infringement committed by the person responsible or the person in charge
of the processing, for the same facts, (paragraph e).
- The degree of cooperation with the supervisory authority in order to remedy
to the infringement and to mitigate any adverse effects, (paragraph f).
The balance of the circumstances referred to in Article 83(2) of the RGPD, with
with regard to the infringement committed in breach of the provisions of Article 13 thereof allows
set a penalty of 5,000 euros, (five thousand euros).
Therefore, on the basis of the above, by the Director of the Agency
Spanish Data Protection,
AGREED:
START: PENALTY PROCEDURE to the entity SCHOOL FITNESS
HOLIDAY & FRANCHISING, S.L. with CIF: B82887514, for the infringement of Article 13
of the RGPD, punishable in accordance with the provisions of art. 83 of the said regulation.
APPOINT: Mr. A.A.A. as Instructor and Ms. B.B.B. as Secretary,
indicating that any of them may be challenged, if appropriate, in accordance with
established in Articles 23 and 24 of Law 40/2015 of 1 October on the Legal System
of the Public Sector (LRJSP).
INCORPORATE: to the sanctioning file, for evidential purposes, the claim
filed by the claimant and his documentation, the documents obtained and
generated by the Subdirectorate General for Data Inspection during the
investigations, all of which are part of the present administrative file.
WHAT: for the purposes of Article 64.2(b) of Law 39/2015 of 1 October, on
Common Administrative Procedure of Public Administrations, the sanction that
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
19/22
The fine would be 5,000 euros (five thousand euros), without
prejudice to the outcome of the investigation.
NOTIFY: the present agreement to initiate sanctioning proceedings to the entity
SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L., granting you a period of
hearing within ten working days to make the allegations and to present the
evidence that you deem appropriate.
If, within the stipulated period, he does not make any allegations to this agreement to begin with, the same
may be considered as a motion for resolution, as set out in Article
64.2(f) of Law 39/2015 of 1 October on the Common Administrative Procedure of
the Public Administration (hereinafter LPACAP).
In accordance with Article 85 of the LPACAP, if the
penalty to be imposed other than a fine, may acknowledge its responsibility within the
period granted for the formulation of arguments to the present agreement of beginning; the
which will be accompanied by a 20% reduction in the penalty to be imposed in
the present procedure, equivalent in this case to 1,000 euros. With the application of
of this reduction, the penalty would be set at
procedure with the imposition of this penalty.
Similarly, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed penalty, which
will result in a reduction of 20% of the amount of the payment, equivalent in this case
at 1,000 euros. With the application of this reduction, the penalty would be set at
4,000 and its payment will imply the termination of the procedure.
The reduction for the voluntary payment of the penalty can be cumulated with that for
apply for recognition of liability, provided that this recognition
of the responsibility becomes apparent within the time allowed for formulating
allegations to the opening of the procedure. The voluntary payment of the amount referred to
in the preceding paragraph may be made at any time prior to the resolution. At
in this case, if both reductions were to be applied, the amount of the penalty would be
established at 3,000 euros (three thousand euros).
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
20/22
In any case, the effectiveness of either of the two above-mentioned reductions will be
conditional upon the withdrawal or waiver of any action or remedy in the
administrative sanction against sanction
If you choose to pay any of the above amounts voluntarily
previously, you will have to make it effective by paying it into the account nº ES00
0000 0000 0000 0000 open on behalf of the Spanish Agency for the Protection of
Data in the CAIXABANK, S.A. Bank, indicating in the concept the number of
reference of the procedure in the heading of this document and the
cause of reduction of the amount claimed.
Likewise, you must send the proof of payment to the Subdirectorate General of
Inspection to continue the procedure in accordance with the quantity
admitted.
The procedure will last a maximum of nine months from the
date of the agreement to initiate or, where appropriate, the draft agreement to initiate.
Once this period has elapsed, the agreement will expire and, consequently, the
actions; in accordance with the provisions of Article 64 of the LOPDGDD.
Finally, it is noted that in accordance with Article 112.1 of the LPACAP,
No administrative appeal is possible against this act.
Mar Spain Martí
Director of the Spanish Data Protection Agency.
>>
 SECOND: On July 2, 2020, the claimant paid the
3,000 by making use of the two reductions provided for
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
21/22
in the above transcribed Inception Agreement, which implies recognition of the
responsibility.
THIRD: The payment made, within the period granted to make allegations to
the opening of the procedure, entails the waiver of any action or appeal in
administrative sanctioning and acknowledgement of responsibility in relation to
the facts referred to in the Agreement to Initiate.
LEGAL GROUNDS
I
By virtue of the powers conferred on each authority in Article 58(2) of the GPRS, the
control, and in accordance with Article 47 of Organic Law 3/2018, of 5
December, Protection of Personal Data and Guarantee of Digital Rights (in
(hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency
is competent to penalise infringements committed against it
Regulations; infringements of Article 48 of Law 9/2014 of 9 May, General
of Telecommunications (hereinafter referred to as LGT), in accordance with the
Article 84.3 of the GLT, and the infractions defined in articles 38.3 c), d) and i) and
38.4 d), g) and h) of Law 34/2002, of 11 July, on services of the company of the
information and electronic commerce (hereinafter referred to as the ISESA), as provided for in
43.1 of the said Act.
II
Article 85 of Law 39/2015 of 1 October on Administrative Procedure
Commonwealth of Independent States (hereinafter LPACAP), under the heading
"Termination in sanctioning proceedings" provides the following:
"1. Penalty proceedings are initiated if the offender acknowledges his
responsibility, the proceedings may be terminated with the imposition of the penalty
as appropriate.
2. Where the penalty is solely pecuniary in nature or where it is
impose a financial penalty and a non-pecuniary penalty but has been justified
the impropriety of the second, voluntary payment by the alleged perpetrator, in
any time before the resolution, will imply the termination of the procedure,
except as regards the restoration of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.
3. In both cases, when the penalty is solely of a pecuniary nature,
the body competent to decide on the procedure shall apply reductions of, at
at least 20 % of the amount of the proposed penalty, which may be cumulated
with each other. These reductions shall be determined in the notification of
initiation of the procedure and its effectiveness shall be conditional upon the withdrawal or
waiver of any action or appeal in administrative proceedings against the sanction.
The percentage of reduction provided for in this paragraph may be increased
by regulation.
As noted,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO DECLARE the termination of procedure PS/00135/2020, of
in accordance with Article 85 of the LPACAP.
SECOND: NOTICE this resolution to SCHOOL FITNESS HOLIDAY &
FRANCHISING, S.L.U..
In accordance with the provisions of Article 50 of the LOPDGDD, this
The decision will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure as prescribed by
Article 114(1)(c) of Law 39/2015 of 1 October on Administrative Procedure
The interested parties may lodge an appeal with the
administrative litigation before the Administrative Chamber of the
Audiencia Nacional, in accordance with Article 25 and paragraph 5 of
the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the
Contentious-Administrative Jurisdiction, within two months of
day following notification of this act, as provided for in Article 46(1) of
referred to Law.
Mar Spain Martí
Director of the Spanish Data Protection Agency