Violation of rights in swimming pools

Violation of rights in swimming pools

Summer is coming and swimming pools, even with the pandemic among us, the capacity of the enclosures are the order of the day. A good example for the time in which we are, are the swimming pools, where we must be aware of what data are requested to access these and that could conflict with the data protection regulations.

Identification with ID card

Any request for the collection of personal data must respect the protection obligations established in the LOPD and the RGPD.

The processing of data will be lawful when the data to be collected, as well as the purpose of the processing, together with the confidentiality of such data, are disclosed.

Well, we can find ourselves in situations where these parameters are not met, as has been the case reported to the AEPD, where at the entrance to a pool of a community of owners, the security guard asked a person to show the DNI to identify her as the owner, pointing the data on a blank sheet without further information, being that the delivery of such data were a sine quanon condition for entry to the pool.

The person refused to hand over such data, even though the community of owners informed that this measure was mandatory due to health issues (covid-19), but the condominium regulations did not authorize it, a circumstance that led her to file a complaint before the AEPD (Spanish Data Protection Agency).

The AEPD ruled in the sanctioning procedure PS/00523/2021 that the measure adopted by the owners’ association was excessive, since it did not respect the principle of minimization, and the owners’ association could have chosen to request another type of information to identify individuals that was less invasive for personal data.

In addition, the AEPD also pointed out the existence of a breach of the duty of information, since no document indicating the purpose of the processing, nor the person responsible for it, was delivered or shown to the persons. Finally, the owners’ association was fined 9,000 Euros.

Body Temperature Measurement

Taking a person’s body temperature involves obtaining personal data related to health, i.e., catalogued by the Data Protection Regulations as special category data.

In principle, we can state that the processing of any health data implies the application of extraordinary measures as established by the data protection regulation.

The AEPD itself has expressed its opinion on the manner in which temperature measurements are carried out to determine whether or not they involve the processing of personal data, i.e., whether or not the temperature measurement can identify the person through some mechanism of identity control, as shown in some of the procedures undertaken, for example, against Metro de Bilbao and El Corte Inglés with No. E/03884/2020 and E/03882/2020, where the proceedings were archived.

For example, in the case of controlled access to swimming pools, if the temperature is taken with a thermometer commonly known as a “temperature gun” and this data is not associated with the name of the person accessing the premises, there would be no processing of personal data.

If, on the other hand, the temperature is noted in a list where it is related to the owner of a property or the names of persons are noted, there would be processing of personal data, which would require the express consent of the person for processing and the obligation to inform established in the RGPD.

The Duty to Inform, at a minimum, consists of disclosing the following:

  • Identification and contact details of the person in charge
  • Contact details of the Data Protection Officer (if applicable)
  • The legal basis or legitimacy for the processing
  • The time period or criteria for the conservation of information
  • The existence of automated decision making or profiling
  • Provision for International and Third Party Transfers/Transfers to Third Parties
  • Rights of any interested party and how to exercise them
  • The right to file a complaint before the Control Authorities.

The responsible party must prove, when required by the AEPD, that it complied with its obligation to inform.

Business Adapter® at your service

If you are a customer and need advice, contact your consultant.

If you are not yet a client and want us to help you comply with the European and Spanish data protection regulations(RGPD + LOPD) to which any company or professional is obliged, contact us by email: info@businessadapter.es, you can also call 96 131 88 04, or leave your message in this form:

[su_button url=”https://businessadapter.es/contacto” target=”blank” background=”#f6f903″ color=”#181818″ size=”7″ center=”yes” icon_color=”#000000″]Contact us, we will be pleased to help you.[/su_button]

Contact us, we will be pleased to help you.
error: Content is protected !!