Gyms and fitness studios collect more sensitive personal data than almost any other type of small business — and most owners have never given it serious thought from a compliance perspective.
Think about what happens when someone joins your gym: they fill in a health questionnaire disclosing injuries and medical conditions, they hand over payment details, they’re photographed or fingerprinted for access control, their attendance is logged, their class bookings are tracked, and their progress might be synced to a wearable app. Every one of those data points is regulated by GDPR, and several of them — health data, biometrics — trigger the regulation’s strictest protections.
This guide is written for gym owners, fitness studio operators, personal trainers, and anyone running a health and fitness business. It covers the specific GDPR obligations that apply to your sector, what you’re probably getting wrong, and what you need to put right.
Start by scanning your website at Custodia to see what data your digital presence is already collecting — that’s the easiest win and takes 60 seconds.
Health PAR-Q Forms: Special Category Data You’re Almost Certainly Mishandling
The Physical Activity Readiness Questionnaire (PAR-Q) — or any equivalent health screening form you use before members start training — is not just a liability waiver. Under GDPR Article 9, health data is special category data, subject to far stricter rules than ordinary personal information.
When a member discloses a heart condition, a recent surgery, high blood pressure, or a history of back injuries, that information is health data under GDPR. Processing it requires not only a lawful basis under Article 6, but also a specific Article 9 condition.
For gyms, the most applicable Article 9 condition is vital interests (Article 9(2)(c)) — processing is necessary to protect the vital interests of the data subject when they’re unable to consent, such as in an emergency. This covers keeping emergency medical information accessible to staff. You may also rely on explicit consent (Article 9(2)(a)) — but consent must be freely given, specific, informed, and unambiguous, separate from your membership contract.
What this means in practice:
- PAR-Q data must be stored securely, with access restricted to staff who genuinely need it
- You cannot use health data disclosed on a PAR-Q form for any purpose other than safety assessment
- Members must be told, clearly, what happens to their health data — in a privacy notice, not buried in terms and conditions
- You should have a defined retention period for PAR-Q data — typically the length of membership plus a reasonable period afterwards for insurance purposes
- If a member leaves, their health data should be deleted or anonymised according to your retention schedule
Biometric Door Access: Your Biggest Compliance Problem
Fingerprint readers and facial recognition systems for gym entry are increasingly common. They’re convenient, they prevent card-sharing, and they create audit trails. They are also subject to some of the most demanding requirements in GDPR.
Biometric data used to uniquely identify a person is special category data under Article 9. This means your fingerprint-based door access system requires both an Article 6 lawful basis and an Article 9 condition. And here’s the problem: the most commonly relied-upon Article 9 condition for biometrics is explicit consent — but explicit consent cannot be a condition of membership.
The EDPB (European Data Protection Board) and national data protection authorities have been consistent on this: if the only way to enter the gym is to register a fingerprint or submit to facial recognition, consent is not freely given because there is no genuine alternative. If you require biometric data as a condition of membership, you don’t have valid consent.
What gyms must do:
- Offer a non-biometric alternative for entry (key fob, membership card, PIN) so that biometric consent is genuinely optional
- Present a separate, explicit consent request for biometric enrolment — not bundled into your membership contract
- Explain clearly what biometric data is captured, how it is stored (is the raw image stored, or a mathematical template?), and whether it is processed by a third-party vendor
- Carry out a Data Protection Impact Assessment (DPIA) before deploying or continuing to operate any biometric system — this is mandatory under GDPR Article 35 for large-scale processing of biometric data
- Ensure your biometric access vendor has a Data Processing Agreement (DPA) in place and is GDPR-compliant
If you operate biometric access without these safeguards, you are in breach of GDPR. This is an area where data protection authorities have issued fines — a Polish gym operator was fined for exactly this issue.
CCTV: Gym Floor vs. Changing Areas
CCTV is common in gyms for security and safety. GDPR applies to CCTV footage because it captures personal data (identifiable images of individuals).
The key rules:
- CCTV must be signposted. Notices must be visible at the point of entry and near cameras, explaining who operates the system, the purpose, and contact details for exercising data rights.
- Retention must be limited. Most gyms have no legitimate reason to retain CCTV footage for more than 30 days. After that, it should be automatically overwritten.
- Changing rooms and toilets: never. CCTV in changing areas, showers, or toilets is unlawful regardless of the stated security purpose. This is not a grey area.
- Purpose limitation applies. Footage captured for security cannot be repurposed — you cannot, for example, use gym floor CCTV to monitor staff performance or to review a member’s form during a class.
If you share CCTV footage with police or insurers following an incident, you should have a procedure for doing so that is documented in your ROPA (Records of Processing Activities).
Membership CRM Data and Class Booking Systems
Your membership management software — whether that’s Mindbody, Glofox, ClubRight, TeamUp, or a similar platform — is a data processor operating on your behalf. Under GDPR Article 28, you must have a Data Processing Agreement in place with your software provider. Most major gym management platforms have DPAs available — check your account settings or contact their support team.
Your CRM typically holds: name, address, date of birth, contact details, payment information, membership tier, attendance history, class bookings, and potentially medical notes. This is a significant volume of personal data that must be:
- Accurate — give members a way to update their details
- Retained only as long as necessary — active members plus a defined period after cancellation for tax, insurance, and legal purposes (typically 6–7 years for financial records)
- Secured appropriately — access controls, staff training, and awareness of what to do if there’s a data breach
When a member requests deletion of their data (the right to erasure), you can only refuse if you have an overriding legitimate reason — for example, retaining invoicing data for tax compliance. You cannot retain full membership profiles “just in case.”
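As an added illustration of the retention and erasure rules described above, for both the PAR-Q retention schedule and the membership CRM retention and erasure points, here is a small Python policy check. It is example code written for this page, not code from any gym management platform. The retention windows, the category names, the choice of which categories carry a legal hold, and the sample member records are all assumptions constructed for the example; a real schedule takes its figures from your written retention policy.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule: days each category is kept AFTER the membership
# end date. These figures are assumptions for the example, not figures from the
# article; take your own from your written retention policy.
RETENTION_AFTER_END = {
    "health_screening": 365,       # PAR-Q answers: one year for insurance claims
    "attendance": 365,             # attendance and class-booking logs
    "invoicing": 7 * 365,          # invoices: kept for tax record-keeping
    "marketing_preferences": 0,    # nothing to keep once membership ends
}

# Categories that may be kept despite an erasure request because a legal
# obligation (tax record-keeping) overrides it.
LEGAL_HOLD = {"invoicing"}

# Categories a still-active member cannot have erased, because the gym needs
# them to perform the membership contract (PAR-Q answers for safe training).
NEEDED_WHILE_ACTIVE = {"health_screening", "invoicing"}


@dataclass
class MemberRecord:
    member_id: str
    membership_end: date | None   # None means the membership is still active
    categories: set[str]          # data categories currently held for this member


def disposal_actions(record: MemberRecord, today: date,
                     erasure_requested: bool = False) -> dict[str, str]:
    """Decide, per category, whether the data is kept or deleted today.

    Schedule-driven deletion happens once the category's window after the
    membership end date has passed. An erasure request brings deletion forward
    for everything except categories with an overriding reason to keep them.
    """
    actions = {}
    for category in sorted(record.categories):
        active = record.membership_end is None
        if erasure_requested:
            keep = category in LEGAL_HOLD or (active and category in NEEDED_WHILE_ACTIVE)
        elif active:
            keep = True
        else:
            expiry = record.membership_end + timedelta(days=RETENTION_AFTER_END[category])
            keep = today <= expiry
        actions[category] = "keep" if keep else "delete"
    return actions


def overdue_deletions(records, today: date):
    """(member_id, category) pairs past their retention window, for a scheduled
    clean-up job run against the CRM."""
    overdue = []
    for record in records:
        for category, action in disposal_actions(record, today).items():
            if action == "delete":
                overdue.append((record.member_id, category))
    return overdue


# Constructed sample members (not real data): one active, one who left in 2022,
# one who left a few months before the check date.
AS_OF = date(2024, 6, 1)
SAMPLE_MEMBERS = [
    MemberRecord("M001", None, set(RETENTION_AFTER_END)),
    MemberRecord("M002", date(2022, 3, 31), set(RETENTION_AFTER_END)),
    MemberRecord("M003", date(2024, 1, 15), set(RETENTION_AFTER_END)),
]

if __name__ == "__main__":
    for member_id, category in overdue_deletions(SAMPLE_MEMBERS, AS_OF):
        print(f"{member_id}: delete {category}")
    print(disposal_actions(SAMPLE_MEMBERS[1], AS_OF, erasure_requested=True))
```

Run on the sample members, the former member from 2022 has their PAR-Q answers, attendance logs and marketing preferences flagged for deletion while the invoices stay under the tax hold; the active member keeps everything until an erasure request arrives, and even then keeps the PAR-Q and invoicing data the gym still needs to run the membership.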
Personal Trainer Client Records
Personal trainers — whether employed by a gym or self-employed and renting studio space — have their own GDPR obligations for the client records they maintain.
A PT’s client file typically includes: contact details, health history, injury notes, training programmes, progress measurements, body composition data, and potentially food diary or nutrition information. Much of this is health data, and some (like body measurements) sits in a grey area that many supervisory authorities would treat as health-related.
For employed PTs: The gym is the data controller. Client records maintained by PTs on behalf of the gym are subject to the gym’s privacy policies and data retention rules. PTs should not maintain separate personal records of client health data on personal devices without the gym’s knowledge and appropriate security measures.
For self-employed PTs: You are your own data controller. You need a privacy notice for clients, a lawful basis for processing health data (explicit consent is appropriate here), secure storage for client records, and a process for responding to data subject requests. If you use apps to track client programmes (Trainerize, My PT Hub, etc.), check their GDPR compliance and get DPAs in place.
Loyalty and Attendance Tracking
Attendance tracking — logging which members came in, when, and how often — is a routine part of gym operations. From a GDPR perspective, it’s personal data that reveals behavioural patterns.
Loyalty programmes that reward attendance (free classes, discounts) involve profiling: drawing inferences about member behaviour to decide what offers to make. GDPR’s rules on automated decision-making (Article 22) apply where a decision affecting someone is made solely by automated means. Most gym loyalty schemes don’t reach this threshold — a human (or at minimum, a human-designed rule set) is making the offer — but if you use AI-driven systems to determine personalised pricing or offers, you should document this.
Attendance data should be:
- Covered in your privacy notice (what you track, why, how long you keep it)
- Retained for a defined period — active membership plus a reasonable window
- Not shared with third parties without appropriate safeguards
Marketing to Members
You cannot automatically add members to your marketing list because they joined the gym. The fact of membership gives you a contract basis to send operational communications (class cancellations, membership renewals, facility updates) — but marketing requires a separate, valid basis.
For email marketing to UK/EU individuals, you need:
- Explicit consent (the member actively opted in to marketing), or
- Soft opt-in (a limited exception: you can market similar services to existing members using the same channel they engaged on, as long as you gave them a clear opt-out opportunity when collecting their details, and give one in every message)
In practice: At membership sign-up, give members a clear, separate tick-box for marketing consent — not pre-ticked, not bundled with T&Cs. If they opt out, don’t email them promotions. If they later opt out of an email list, honour that immediately.
For referral programmes, member testimonials, or before-and-after photographs used in marketing — each of these requires explicit, specific consent and must be revocable.
Children’s Memberships and Parental Consent
Junior memberships, holiday camps, school partnerships, and youth fitness programmes all involve processing children’s personal data. GDPR Article 8 (in the UK, the Children’s Code) requires parental or guardian consent for data processing where the child is under 13 (under 16 in some EU member states).
Key requirements:
- Membership contracts for under-16s should be signed by a parent or guardian, not the child
- Health data collected for junior members (PAR-Q equivalent) requires parental consent
- Do not use children’s data for marketing without explicit parental consent
- If you photograph children during junior sessions for social media or promotional use, you need separate, explicit, revocable consent from parents — a general photography consent in the membership form is not sufficient
- If you share children’s data with schools or sports bodies, you need a data sharing agreement
Fitness Apps and Wearable Integrations
Increasingly, gyms integrate with wearables (Garmin, Fitbit, Apple Watch) or fitness apps (MyFitnessPal, Strava, Whoop) to track member activity. This raises specific GDPR concerns.
When a gym integrates with a third-party app, data flows in both directions. Who is the controller of that data? Who is processing it and under what terms? If members connect their wearable data to your gym platform, the gym becomes a data processor (or joint controller) for that health data.
What you must do:
- Be explicit in your privacy notice about what integrations you offer and what data is shared
- Ensure members actively consent to wearable data sharing — don’t make it a default setting
- Review the privacy policies of third-party fitness platforms you integrate with
- Ensure any app or API integration is covered in your data mapping / ROPA
Emergency Medical Information and Vital Interests
Keeping emergency medical information — a member’s allergy, a known heart condition, emergency contact details — on file is not only permitted under GDPR, it is one of the clearest examples of the vital interests lawful basis (Article 6(1)(d)) and the corresponding Article 9(2)(c) condition for health data.
The vital interests basis applies where processing is necessary to protect someone’s life. A gym storing the fact that a member has a severe nut allergy or a pacemaker, accessible to staff in an emergency, fits this basis precisely.
However:
- Only store what is genuinely necessary for emergency response — this is not a licence to build a full medical record
- Ensure frontline staff know the information exists and how to access it
- Keep it updated — if a member’s medical situation changes, the record should be updated
Member Data Subject Access Requests (DSARs)
Members can submit a Subject Access Request (SAR) asking for a copy of all personal data you hold about them. You have one month to respond (extendable to three months for complex cases). You cannot charge a fee unless the request is manifestly unfounded or excessive.
For a gym, a typical DSAR response might include: membership records, booking history, attendance logs, PAR-Q data, personal training records, payment history, marketing preferences, CCTV footage (for the relevant retention period), and any notes on the account.
The key challenges for gyms:
- Data is scattered across multiple systems — CRM, booking platform, access control, CCTV, payment processor, email marketing system. You need to search all of them.
- CCTV is technically complex — extracting individual footage and redacting other members from the footage takes time and equipment.
- Health data in the response — you’re sending special category data; ensure the response is sent securely (not in an unencrypted email attachment).
Build a simple DSAR response procedure before you receive one. Identify who in the business handles requests, which systems hold member data, and what your secure delivery method will be.
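As an added example of the DSAR procedure described in this section (deadline tracking, searching every system, and routing responses that contain health data to a secure channel), here is a Python sketch written for this page; it is not code from any gym platform. The system names, the special category field names, the sample lookups and the calendar-month deadline rule are assumptions for the example; the lookups stand in for real queries against your CRM, booking, payment and other systems.

```python
from __future__ import annotations
import calendar
from datetime import date

# Field names that hold special category data (health, biometrics). A response
# containing any of them goes out over a secure channel, not as a plain email
# attachment. Names are constructed for the example.
SPECIAL_CATEGORY_FIELDS = {"parq_answers", "emergency_medical", "biometric_template"}

# Every system that can hold member data. Each must be searched, or the
# response is incomplete. The list follows the systems the article names.
SYSTEMS = ["crm", "booking", "access_control", "cctv", "payments", "email_marketing"]


def response_deadline(received: date, extended: bool = False) -> date:
    """Deadline one calendar month after receipt, or three months if extended.

    Assumption: a calendar-month rule that clips to the last day of a shorter
    month (receipt on 31 January gives 28/29 February). Check your supervisory
    authority's guidance on how the month is counted.
    """
    months_ahead = 3 if extended else 1
    month_index = received.month - 1 + months_ahead
    year = received.year + month_index // 12
    month = month_index % 12 + 1
    day = min(received.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def compile_dsar(member_id: str, lookups: dict) -> dict:
    """Gather a member's data from every system and record what was searched.

    lookups maps a system name to a function(member_id) -> dict of fields.
    A system with no lookup is reported as unsearched so nobody signs off an
    incomplete response by accident.
    """
    bundle = {"member_id": member_id, "searched": [], "unsearched": [],
              "data": {}, "special_category": False}
    for system in SYSTEMS:
        lookup = lookups.get(system)
        if lookup is None:
            bundle["unsearched"].append(system)
            continue
        fields = lookup(member_id)
        bundle["searched"].append(system)
        bundle["data"][system] = fields
        if SPECIAL_CATEGORY_FIELDS & set(fields):
            bundle["special_category"] = True
    bundle["complete"] = not bundle["unsearched"]
    bundle["delivery"] = "encrypted_portal" if bundle["special_category"] else "standard"
    return bundle


# Constructed sample data standing in for real system queries (not real members).
_CRM = {"M042": {"name": "A. Example", "parq_answers": {"heart_condition": "no"}}}
_BOOKING = {"M042": {"bookings": ["2024-05-02 spin", "2024-05-09 yoga"]}}
_PAYMENTS = {"M042": {"invoices": ["INV-1001", "INV-1002"]}}

SAMPLE_LOOKUPS = {
    "crm": lambda m: _CRM.get(m, {}),
    "booking": lambda m: _BOOKING.get(m, {}),
    "payments": lambda m: _PAYMENTS.get(m, {}),
    # access_control, cctv and email_marketing deliberately have no lookup yet
}
SAMPLE_RECEIVED = date(2024, 1, 31)

if __name__ == "__main__":
    bundle = compile_dsar("M042", SAMPLE_LOOKUPS)
    print("deadline:", response_deadline(SAMPLE_RECEIVED))
    print("complete:", bundle["complete"], "unsearched:", bundle["unsearched"])
    print("delivery:", bundle["delivery"])
```

The point of the unsearched list is the first challenge above: with three of the six systems not wired in, the bundle reports itself incomplete rather than silently shipping a partial response. Because the CRM lookup returned PAR-Q answers, the bundle is also marked for secure delivery.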
Your GDPR Compliance Checklist for Gyms
- [ ] Privacy notice that covers all data types collected (health data, biometrics, CCTV, marketing)
- [ ] Separate, explicit consent for biometric enrolment, with a non-biometric alternative available
- [ ] DPIA completed for any biometric access system
- [ ] Data Processing Agreements with: membership software provider, biometric system vendor, payment processor, email marketing platform, any fitness app integrations
- [ ] CCTV signage in place, retention period defined and enforced, no cameras in changing areas
- [ ] Separate marketing consent collected at sign-up (not bundled with T&Cs)
- [ ] Parental consent process for junior memberships
- [ ] DSAR response procedure documented
- [ ] Staff trained on data protection basics — what to do if someone asks for their data or reports a breach
- [ ] Records of Processing Activities (ROPA) documenting all data processing activities
Where to Start
The most common audit finding for gyms is a mismatch between what the privacy policy says and what the systems actually do. Before you update any policies, scan your digital presence to see what you’re actually collecting.
Run a free scan at Custodia to check your website’s data collection practices, cookie behaviour, and consent mechanisms. It takes 60 seconds and gives you a concrete list of issues to fix. Then work through the checklist above for your physical operations — biometrics first, because that’s where the enforcement risk is highest.
This post provides general guidance on GDPR as it applies to gyms and fitness businesses. It does not constitute legal advice. Requirements may vary by EU member state and specific circumstances. Consult a qualified data protection professional for advice specific to your business.