Spanish Gym Chain Fined for Unlawful Facial Recognition Access System

Thumbnail Image

The information displayed in the AIM should not be reported as representing the official views of the OECD or of its member countries.

The Spanish Data Protection Agency fined gym chain Supera €96,000 for mandating facial recognition as the sole access method, violating GDPR rules on biometric data. The sanction followed a consumer group complaint, with the company admitting the infraction and paying voluntarily. Users' privacy rights were breached by the AI system's misuse.[AI generated]

Why's our monitor labelling this an incident or hazard?

The facial recognition system is an AI system processing biometric data to identify individuals for access control. The misuse of this AI system by processing sensitive biometric data without explicit consent led to a violation of data protection laws, which is a breach of fundamental rights. Therefore, this event qualifies as an AI Incident because the AI system's use directly caused harm in the form of unlawful data processing and rights violations.[AI generated]
AI principles
Privacy & data governanceRespect of human rights

Industries
Consumer services

Affected stakeholders
Consumers

Harm types
Human or fundamental rights

Severity
AI incident

Business function:
ICT management and information security

AI system task:
Recognition/object detection


Articles about this incident or hazard