Custodia-Admin
Gyms, leisure centres, health clubs, and sports facilities collect some of the most sensitive personal data of any consumer-facing business: health histories, biometric identifiers, children's details, and continuous video surveillance footage. GDPR obligations in this sector are correspondingly demanding.
When a new member joins, you typically collect name, address, date of birth, emergency contact details, payment card data, and sometimes GP details. For the data you need to set up and administer the membership, the lawful basis is contractual necessity (Article 6(1)(b)); anything beyond that needs its own basis. Your privacy notice must clearly explain what data you collect, why, how long you retain it, whether it is shared with third parties, and the rights members have under GDPR.
The Physical Activity Readiness Questionnaire (PAR-Q), or any form asking about heart conditions, joint problems, pregnancy, diabetes, or other health matters, collects special category health data under GDPR Article 9. You must obtain explicit consent (Article 9(2)(a)) via a separate, clearly labelled consent box, and the member must be able to withdraw it as easily as they gave it. Bundling this into general membership terms is not sufficient, and neither is a pre-ticked box.
Changing rooms, showers, and toilets: absolute prohibition. Installing CCTV in any area where people undress cannot be justified under GDPR, and recording people in such areas may also constitute the criminal offence of voyeurism under the Sexual Offences Act 2003 (as amended by the Voyeurism (Offences) Act 2019). No exceptions.
For gym floors, reception, car parks, and access points: CCTV is lawful on the basis of legitimate interests (Article 6(1)(f)), provided you conduct and record a Legitimate Interests Assessment, display clear signage stating who operates the system and why, and delete footage after a documented retention period (commonly 31 days) unless a specific incident requires it to be preserved. Remember that members and staff can request footage of themselves under the right of access, so you need a way to locate, export, and redact it.
Biometric data used to uniquely identify individuals (fingerprint or facial recognition entry, for example) is special category data under GDPR Article 9. You must obtain explicit consent before enrolment, offer an equally convenient alternative (key fob, card, or PIN) for members who do not consent, and complete a Data Protection Impact Assessment (DPIA) before the system goes live. Conditioning membership on biometric enrolment is likely unlawful, because consent given under that pressure is not freely given. Store only the biometric templates the system needs, not raw images, and delete them promptly when a member leaves or withdraws consent.
PT session notes containing health information are special category data. Store them securely in a system you control, not in personal WhatsApp messages or a trainer's own phone. If PTs are self-employed and handle member data on your behalf, you need a Data Processing Agreement covering how that data is handled; if they run their own client relationships and decide what to collect, they are independent controllers and you need a data sharing arrangement and a disclosure in your privacy notice instead.
Under PECR, marketing emails and SMS require prior consent, unless the "soft opt-in" applies: the member's details were collected in the course of a sale, the marketing is for your own similar services, and they were offered a simple opt-out at the point of collection and in every message since. Lapsed members who have not engaged for 12 months or more should be suppressed or re-consented before any further marketing.
For children under 13, where you rely on consent (including for any online services offered directly to the child), that consent must come from a parent or guardian. Children's data should not be used for marketing at all without parental consent, and your privacy information for children's classes should be written so that a child can understand it.
Where member data flows to third-party fitness platforms (wearable integrations, class-booking apps, nutrition trackers), your privacy notice must disclose these integrations. Platforms acting as your data processors require a Data Processing Agreement; platforms acting as independent controllers require member disclosure and a genuine choice about whether to connect.
Define documented retention periods and enforce them: basic membership records 6 years after the membership ends; health/PAR-Q data 3 to 6 years; CCTV footage 31 days. Holding vast databases of lapsed member data indefinitely is a GDPR liability risk, and every extra record is one more that must be produced on a subject access request or reported if breached.
Swimming lesson records often contain children's data and health conditions — both attracting heightened obligations. Retain only as long as the child is enrolled plus typically 3 years for safeguarding purposes.
Booking systems like Mindbody, Legend, ClubRight, or Xplor are data processors. Ensure you have a Data Processing Agreement in place, understand where your member data is stored geographically, and confirm that any transfer outside the UK is covered by an adequacy decision or appropriate safeguards such as the UK International Data Transfer Agreement or Addendum.
Scan your gym or leisure centre website free at https://app.custodia-privacy.com/scan. Custodia identifies what data your website is collecting, which third parties are receiving it, and whether your consent mechanisms are fit for purpose under UK GDPR — in 60 seconds, no signup required.