
AEPD Resolution: EXP202600385

Resolution Signed: 24/01/2026

AEPD Reference Number: EXP202600385

Sanction Procedure Number: AI-00428-2024 

Fine Amount: €0

Full Description

The Incident: On 24th June 2024, a complainant filed a claim with the Spanish Data Protection Agency against 4USPORT INSTALACIONES DEPORTIVAS, S.L., a company managing sports facilities including a summer swimming pool. The complainant alleged that the company had unlawfully obtained and used her personal email address without consent, and had potentially exposed her data to unknown third parties.

The Swimming Pool Visit and Incident: On 21st June 2024, the complainant visited a summer swimming pool managed by 4USPORT as a paying customer. During her visit, an incident occurred involving:

  • The facility managers
  • The person responsible for managing the pool's catering/restaurant service
  • An apparent dispute about food consumption on the premises

The exact nature of the incident isn't detailed in the resolution, but it clearly involved the complainant attempting to consume her own food somewhere on the pool grounds where this was prohibited.

The Unexpected Email: Three days later, on 24th June 2024, the complainant received an email at her personal email address—an address she claims she never provided to 4USPORT when purchasing tickets to access the facility. The email, sent from info@4usport.es with the subject line "Prohibido consumir comida y bebida en la pradera" (Prohibited to consume food and drink on the lawn), stated:

"Good morning, we inform you that for future celebrations and this Friday 21st June [the date had already passed when the email was sent], we have a designated picnic area so you can enjoy birthdays, snacks with children, friends and family who want to spend a day at the pool. By regulation, consuming [food] on the lawn is prohibited, and we have also received complaints from the pool bar. Best regards, 4U Sport Management"

The email also included an attached document with the 4USPORT logo stating in capital letters: "CONSUMABLES BROUGHT FROM HOME MUST BE ENJOYED IN THE PICNIC AREA WE HAVE ENABLED, PROHIBITED TO CONSUME FOOD AND DRINK ON THE LAWN"

The Complainant's Allegations:

1. Unauthorised Data Collection: The complainant insisted she had never provided her personal email address to 4USPORT when purchasing pool tickets. She claimed:

  • The email address was not requested during ticket purchase
  • She never consented to communications from 4USPORT
  • The company obtained her email through unauthorised means

2. Disclosure to Unknown Third Party: The complainant noted that the email showed two recipients:

  • "A.A.A." (presumably the complainant herself)
  • "B.B.B." (a person unknown to the complainant)

She argued this constituted unlawful disclosure of her personal data to an unidentified third party, as her email address would have been visible to this other recipient.

The Evidence Provided: The complainant submitted:

  • A screenshot of the email showing sender (info@4usport.es), two partially-visible recipient addresses ("A.A.A." and "B.B.B."), timestamp ("today 11:53"), and the full message content
  • The attached PDF document with the food consumption prohibition notice

The AEPD's Investigation: The AEPD followed standard procedures:

4th July 2024: The AEPD transferred the complaint to 4USPORT under Article 65.4 LOPDGDD, requesting an explanation and information about compliance measures.

Notification Problems:

  • Electronic notification was not collected within the availability period and was deemed rejected on 15th July 2024
  • A postal copy was sent and successfully delivered on 9th August 2024
  • The postal notification reminded 4USPORT of their legal obligation to communicate electronically with the Administration
  • No response was ever received

24th September 2024: The AEPD formally admitted the claim for processing.

Investigation Actions: The Subdirectorate-General for Data Inspection conducted preliminary investigation activities, including:

Information Requests (All Ignored):

  • 28th October 2024: No response
  • 17th December 2024: No response
  • 23rd January 2025: No response

Independent Verification:

  • Investigators used the Chrome browser to access www.4usport.es
  • The site redirected to https://4usport.wixsite.com/4u-sport (a Wix-hosted website)
  • The website advertised services including "General pool entrance"
  • Footer showed phone number, email address (info@4usport.es), and postal address
  • This confirmed 4USPORT operated the facilities and used that email address

Despite multiple attempts, 4USPORT never cooperated with the investigation, providing no explanations, no documentation, and no evidence regarding their data processing practices.

The Legal Analysis:

The AEPD examined whether the alleged conduct violated:

1. Article 6 RGPD (Lawfulness of Processing): For processing to be lawful, at least one of six legal bases must apply:

  • a) Consent for specific purposes
  • b) Contract performance necessity
  • c) Legal obligation compliance
  • d) Vital interests protection
  • e) Public interest or official authority tasks
  • f) Legitimate interests (balanced against data subject rights)

The Question: Did 4USPORT have a lawful basis to process the complainant's email address for sending the food prohibition notice?

2. Article 5.1(f) RGPD (Integrity and Confidentiality): Data must be "processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage."

The Question: Did sending the email to two recipients constitute unlawful disclosure or inadequate security?

The Evidentiary Problem:

The AEPD applied the presumption of innocence principle, deeply rooted in Spanish Constitutional law (Article 24.2) and developed through extensive case law. Key principles from cited Constitutional Court and Supreme Court jurisprudence:

Presumption of Innocence Requires:

  1. Sanctions must be based on incriminating acts or evidence of the reproached conduct
  2. The burden of proof lies with the accuser—no one is obliged to prove their innocence
  3. Any insufficiency in evidence must result in an acquittal
  4. The "in dubio pro reo" (when in doubt, favour the accused) principle applies when indispensable evidence exists but creates rational doubt

Applying These Principles to the Case:

Issue 1: How Was the Email Address Obtained?

Complainant's Claim: She never provided or consented to use of her personal email address.

Evidence Problems:

  • No proof of how 4USPORT obtained the email address
  • No documentation of the ticket purchase process
  • No records showing whether email was requested/provided
  • 4USPORT's complete non-cooperation meant no counter-evidence

Possible Innocent Explanations:

  • The email might have been voluntarily provided during ticket purchase (even if complainant doesn't recall)
  • The ticket platform might have collected emails for confirmation/receipt purposes
  • The complainant might have an account from a previous visit
  • Family member or friend might have used her email for group booking

AEPD's Assessment: Receiving a single organisational or informational email does not, by itself, prove unlawful data processing under Article 6 RGPD. The email's content was general information about facility rules—not marketing, not personal data disclosure, not commercial solicitation.

Issue 2: Was Data Disclosed to Unknown Third Party?

Complainant's Claim: The email showed two recipients ("A.A.A." and "B.B.B."), exposing her email address to an unknown person.

Evidence Problems:

  • The screenshot showed incomplete email addresses—only display names visible ("A.A.A." and "B.B.B.")
  • Impossible to verify if these correspond to:
    • Real, operational email addresses
    • Addresses belonging to actual people
    • The same person (duplicate entries)
    • Test addresses or administrative accounts
  • The email content contained no personal data—just general facility rules
  • No evidence of actual harm or privacy impact from the alleged disclosure

AEPD's Assessment: The incomplete addresses visible in the screenshot don't constitute proof of data disclosure to identified or identifiable third parties. Without confirmation that "B.B.B." represents a real person who actually received and could see the complainant's email address, no GDPR violation can be established.

The "In Dubio Pro Reo" Application:

The AEPD concluded that reasonable doubts exist about whether a data protection violation occurred:

Doubts Regarding Lawfulness:

  • Unknown how the email address was originally obtained
  • Possible it was legitimately provided during ticket purchase
  • Single informational email doesn't prove systematic unlawful processing
  • Content was facility rules, not personal data exploitation

Doubts Regarding Disclosure:

  • Unclear if "B.B.B." is a real recipient or display artifact
  • No confirmation of actual third-party access to complainant's email
  • Email content contained no personal information anyway
  • Could be administrative copy, group booking coordinator, or technical error

The Company's Non-Cooperation: Notably, whilst 4USPORT's complete failure to respond to AEPD requests is itself problematic (and could potentially constitute a separate Article 58.1 RGPD violation for non-cooperation), it doesn't shift the burden of proof in sanction proceedings. The presumption of innocence means the AEPD must prove violations occurred—the respondent's silence cannot be used as proof of guilt.

The Archival Decision:

Unable to obtain and verify incriminating evidence, and applying the constitutional principle that doubts must favour the accused, the AEPD archived the proceedings. This means:

NOT a Finding That:

  • 4USPORT did nothing wrong
  • The complainant's concerns are unfounded
  • Data protection rules don't apply
  • The company's practices are compliant

RATHER, a Finding That:

  • Insufficient evidence exists to prove a specific GDPR violation
  • Reasonable doubts prevent imposition of sanctions
  • The burden of proof wasn't met
  • Constitutional protections require archival when evidence is inadequate

Important Caveat: The resolution explicitly states: "Without prejudice to possible subsequent actions that this Agency may carry out, applying the investigative and corrective powers it holds."

This means if new evidence emerges or additional complaints arise providing clearer proof of violations, the AEPD can reopen investigations or initiate new proceedings.

Articles Infringed

Articles Examined (But Not Proven Violated):

Article 6 RGPD (Lawfulness of Processing): The complainant alleged 4USPORT processed her personal email address without a lawful basis, sending her an unsolicited communication about facility rules. However, insufficient evidence existed to prove the email address was obtained unlawfully or that the single informational email constituted unauthorised processing. The AEPD could not determine whether consent was provided, whether processing was necessary for contract performance, or whether legitimate interests applied.

Article 5.1(f) RGPD (Integrity and Confidentiality): The complainant alleged her personal data was disclosed to an unknown third party ("B.B.B.") visible in the recipient list. However, the evidence (a screenshot showing incomplete email addresses) did not conclusively prove that a real third party received or could access the complainant's email address.

Result: Case archived due to insufficient evidence under the presumption of innocence and "in dubio pro reo" principles. No violations formally declared, but this does not constitute a finding of compliance.

Actionable Steps

Based on Resolution EXP202600385, businesses (particularly those in leisure, hospitality, and membership-based services) should implement the following protocol to avoid similar complaints:

1. Document Data Collection Processes Meticulously

4USPORT's complete inability (or unwillingness) to explain how they obtained the email address was fatal to their defence.

Action:

  • Implement Clear Data Collection Records:
    • Ticket purchase systems should log what information was requested and provided
    • Maintain audit trails showing when/how consent was obtained
    • Timestamp all data collection interactions
    • Preserve records for statute of limitations period (3 years for very serious infractions)
  • User-Facing Transparency:
    • At point of data collection, clearly state: "We're collecting your email to send [purpose: booking confirmations, important facility updates, etc.]"
    • Separate marketing consent from operational communications consent
    • Provide immediate confirmation: "Your email address has been saved for [purpose]"

Legal Shield: Article 5.2 RGPD (accountability principle) requires controllers to demonstrate GDPR compliance. If you can't prove how you lawfully obtained data, you're vulnerable to complaints.

2. Distinguish Operational Communications from Marketing

The email in this case was arguably an "operational communication" (facility rules), not marketing—but the lack of prior relationship made it appear suspicious.

Best Practice Categories:

A. Transactional/Operational (Usually Permissible Without Express Marketing Consent):

  • Booking confirmations
  • Ticket/entry information
  • Safety notices
  • Facility closures
  • Emergency communications
  • Access credential delivery

B. Service-Related (Gray Area—Use Caution):

  • Facility rule reminders (like this case)
  • General announcements affecting all customers
  • Policy updates

C. Marketing (Requires Explicit Consent):

  • Promotional offers
  • New service announcements
  • Event invitations
  • Newsletter subscriptions
  • Cross-selling/upselling

This Case's Email: Fell into the gray area—it was ostensibly about facility rules, but sent days after the visit in response to a specific incident, making it appear more like "individual correction" than "general information."

Better Approach:

  • Provide facility rules at point of entry (signage, ticket confirmation email, entrance handouts)
  • If individual rule violations occur, address them in person during the visit
  • Only send follow-up emails if there's clear operational necessity (e.g., "You left belongings at facility")

3. Be Extremely Careful with "CC" and "BCC" in Customer Emails

The visible second recipient ("B.B.B.") created the data disclosure allegation.

Email Hygiene Rules:

Never Use "CC" for Multiple Unrelated Customers:

  • CC exposes all recipients' email addresses to each other
  • This constitutes data disclosure requiring legal basis
  • Particularly problematic if recipients don't know each other

Always Use "BCC" for Group Customer Communications:

  • BCC hides recipients from each other
  • Preserves confidentiality
  • Standard practice for newsletters, announcements, group notifications

Individual Emails Are Safest:

  • For sensitive or individual matters, send separate emails to each person
  • Eliminates any risk of cross-disclosure
  • More professional and personalized

In This Case: If the email genuinely had two recipients (not just a display error), both should have been BCC'd, not visible to each other.
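The CC/BCC rule above, as an added example (not code from the resolution or from 4USPORT): a small Python check that lists the customer addresses every recipient of a message can see in To/Cc, and a builder that composes a group notice with all customers in Bcc. The domain `example.org` and the customer addresses are constructed placeholders.

```python
"""Email-hygiene check for group customer notifications (added example)."""
from email.message import EmailMessage
from email.parser import Parser
from email.policy import default
from email.utils import getaddresses


def visible_recipients(msg):
    """Addresses that every recipient of the message can see (To + Cc).

    Bcc is deliberately ignored: the sending server strips that header
    before delivery, so Bcc recipients are not exposed to each other.
    """
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(fields) if addr]


def exposure_report(msg, own_domain):
    """Customer addresses disclosed to all other recipients.

    own_domain (assumed): the sender's own domain; addresses there are staff
    or shared mailboxes, not third-party customers. One visible customer is
    fine; two or more means each can read the others' addresses.
    """
    customers = [a for a in visible_recipients(msg)
                 if not a.endswith("@" + own_domain.lower())]
    return customers if len(customers) > 1 else []


def build_group_notice(sender, customers, subject, body):
    """Compose one notice to many customers without cross-disclosure."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender                 # visible To that discloses nobody
    msg["Bcc"] = ", ".join(customers)  # customers hidden from each other
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def lint_raw(raw, own_domain):
    """Parse a raw RFC 5322 message and run the exposure check on it."""
    return exposure_report(Parser(policy=default).parsestr(raw), own_domain)


# Constructed sample resembling the situation in the resolution: two
# customers listed openly in To. All addresses are invented placeholders.
RAW_BAD = """\
From: info@example.org
To: customer-a@example.net, customer-b@example.com
Subject: Prohibido consumir comida y bebida en la pradera

Rules reminder.
"""

if __name__ == "__main__":
    print("exposed:", lint_raw(RAW_BAD, "example.org"))
    good = build_group_notice("info@example.org",
                              ["customer-a@example.net", "customer-b@example.com"],
                              "Picnic area reminder", "Rules reminder.")
    print("exposed:", exposure_report(good, "example.org"))
```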

4. Implement Proper Consent Mechanisms at Ticket Purchase

Leisure facilities often collect customer data at point of sale but fail to obtain proper consent for communications.

Compliant Ticket Purchase Flow:

Step 1: Necessary Information Collection: "To complete your booking, we need:

  • Name: [for ticket identification]
  • Email: [for booking confirmation]
  • Phone: [for emergency contact]"

Step 2: Optional Communications Consent:

  • "☐ Yes, send me facility updates and safety notices (operational emails)"
  • "☐ Yes, send me special offers and event announcements (marketing emails)"

"You can unsubscribe anytime. See our Privacy Policy for details."

Step 3: Record Keeping

  • Log which boxes were checked
  • Timestamp consent
  • Store consent proof with customer record
  • Provide immediate confirmation email stating what they've consented to

Critical Mistake to Avoid: Don't bury consent in terms and conditions with vague language like "By purchasing, you agree to receive communications." This fails Article 7 RGPD requirements for specific, informed, unambiguous consent.
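The three-step flow above, as an added example (not code from the resolution or from 4USPORT): a Python consent ledger that logs both checkbox decisions with a timestamp and source at checkout, and a `may_send` decision that applies the page's categories A (transactional), B (service-related) and C (marketing). Purpose names, the record layout and the "latest decision wins" rule are assumptions.

```python
"""Consent ledger for a ticket-purchase flow (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

TRANSACTIONAL = "transactional"  # category A: confirmations, safety notices
SERVICE = "service"              # category B: rule reminders, announcements
MARKETING = "marketing"          # category C: offers, invitations, newsletters


def ts(*args):
    """Helper: build a UTC timestamp, e.g. ts(2024, 6, 20, 10)."""
    return datetime(*args, tzinfo=timezone.utc)


@dataclass
class ConsentRecord:
    purpose: str        # "operational" or "marketing" checkbox
    granted: bool       # explicit refusals are logged too
    at: datetime        # when the box was (un)ticked
    source: str         # where it was collected, e.g. "web-checkout"


@dataclass
class Customer:
    email: str
    booking_ref: Optional[str] = None   # evidence of a contract (Art. 6.1(b))
    consents: list = field(default_factory=list)

    def latest(self, purpose):
        """Most recent decision for a purpose; a later withdrawal overrides."""
        matches = [c for c in self.consents if c.purpose == purpose]
        return max(matches, key=lambda c: c.at) if matches else None


def record_checkout(customer, operational, marketing, source, when=None):
    """Step 3: log both checkbox decisions with timestamp and source."""
    when = when or datetime.now(timezone.utc)
    customer.consents.append(ConsentRecord("operational", operational, when, source))
    customer.consents.append(ConsentRecord("marketing", marketing, when, source))
    return customer


def may_send(customer, category):
    """Return (allowed, reason); the reason is the audit-trail evidence."""
    if category == TRANSACTIONAL:
        if customer.booking_ref:
            return True, f"necessary for booking {customer.booking_ref}"
        return False, "no booking on record"
    purpose = {SERVICE: "operational", MARKETING: "marketing"}.get(category)
    if purpose is None:
        return False, f"unknown category {category!r}"
    c = customer.latest(purpose)
    if c and c.granted:
        return True, f"{purpose} consent at {c.at.isoformat()} via {c.source}"
    return False, f"no {purpose} consent on record"


if __name__ == "__main__":
    cust = Customer("customer-a@example.net", booking_ref="BK-0001")  # constructed
    record_checkout(cust, operational=True, marketing=False,
                    source="web-checkout", when=ts(2024, 6, 20, 10))
    for cat in (TRANSACTIONAL, SERVICE, MARKETING):
        print(cat, may_send(cust, cat))
```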

5. Respond to AEPD Information Requests—Always

4USPORT ignored three separate information requests from the AEPD over several months.

Legal Obligation: Article 31 RGPD requires controllers and processors to "cooperate with the supervisory authority at its request in performing its tasks."

Consequences of Non-Cooperation:

  • Article 58.1(e) empowers authorities to "obtain access to all personal data and information necessary for performing its tasks"
  • Article 83.5(e) makes non-cooperation a potential infringement subject to fines up to €20 million or 4% of global turnover
  • Practical impact: The AEPD may draw adverse inferences or lack information needed to exonerate you

In This Case: 4USPORT's silence meant they couldn't:

  • Explain how they obtained the email (might have had legitimate documentation)
  • Demonstrate lawful processing basis
  • Clarify the "B.B.B." recipient issue (might have been administrative copy)
  • Show good faith compliance efforts

Their silence didn't automatically prove guilt (thanks to presumption of innocence), but it certainly didn't help their defence.

Mandatory Response Protocol:

  • Designate a Data Protection Officer or compliance manager responsible for AEPD communications
  • Set up monitoring for AEPD notification email addresses and electronic notification systems
  • Establish internal SLA: AEPD requests receive priority response within 5 working days
  • Document all responses comprehensively
  • Seek legal advice if uncertain about disclosure scope

6. Understand When Single Emails Constitute "Processing" Subject to GDPR

Some businesses mistakenly believe GDPR only applies to "databases" or "systematic processing."

Critical Principle: ANY operation on personal data constitutes "processing" under Article 4.2 RGPD, including:

  • Collecting an email address once
  • Storing it temporarily
  • Sending one email
  • Retrieving it from a system

"It Was Just One Email" Is Not a Defence:

  • Single processing operations still require lawful basis
  • Data minimisation principle applies even to one-time uses
  • Security obligations apply regardless of scale

However (Practical Reality): The AEPD acknowledged in this case that "reception of a single organisational or informational email" doesn't automatically prove unlawful processing—context matters, and proportionality applies.

Practical Guidance:

  • Even for one-off communications, ensure you have lawful basis
  • Don't assume "it's just one email so GDPR doesn't apply"
  • But also don't panic over every single customer communication—focus on having legitimate purposes and reasonable processes

7. Implement Incident-Response Communication Policies

This email was sent in response to a specific incident (the food consumption dispute).

When Customer Incidents Trigger Communications:

Good Reasons to Follow Up:

  • Safety issue (customer left hazardous item)
  • Lost property (customer forgot belongings)
  • Service failure requiring apology/compensation
  • Booking error requiring correction
  • Legal obligation (accident report, insurance claim)

Questionable Reasons:

  • "Teaching" customer about rules they violated (as appears to have happened here)
  • Justifying staff actions during disputes
  • Preemptively defending against potential complaints

Best Practice:

  • Handle rule violations in-person during the incident
  • Only send follow-up emails if there's clear operational necessity
  • Keep tone professional and factual, not defensive
  • Don't reference specific incidents in detail (privacy of everyone involved)
  • Consider whether email is really necessary or just emotional reaction

In This Case: The email appears to have been triggered by the 21st June incident, sent three days later ostensibly about "future celebrations." The timing suggests it was really about addressing the specific incident, which raises questions about whether it was truly "operational communication" or something more pointed.

8. Privacy Policy and Website Transparency

The AEPD's investigation confirmed 4USPORT operated a website with contact information but couldn't verify privacy policy content.

Minimum Requirements:

Article 13 RGPD (Information When Collecting Data): When collecting personal data, you must inform data subjects of:

  • Controller identity and contact details
  • Data Protection Officer contact details (if applicable)
  • Purposes and legal basis for processing
  • Recipients or categories of recipients
  • Retention periods
  • Rights (access, rectification, erasure, restriction, portability, objection, complaint to AEPD)
  • Whether provision is required and consequences of refusal
  • Automated decision-making details (if applicable)

Article 14 RGPD (Information When Data Not Obtained Directly): If you obtained data indirectly (e.g., from booking platform), you must additionally inform of:

  • Categories of personal data
  • Source of the data (and whether from publicly accessible sources)

Implementation:

  • Clear, accessible privacy policy on website
  • Provide privacy notice at point of data collection
  • Layer information (short notice + detailed policy)
  • Review and update annually

9. Third-Party Platform Considerations

If 4USPORT used a third-party ticketing or booking platform, complex data controller relationships might exist.

Potential Scenarios:

A. Platform as Controller:

  • Platform collects customer data for booking
  • Platform determines purposes/means
  • Platform responsible for GDPR compliance regarding booking process
  • 4USPORT receives necessary information to deliver service

B. Joint Controllers:

  • Both platform and facility determine purposes/means together
  • Article 26 RGPD requires written arrangement defining responsibilities
  • Both must ensure GDPR compliance
  • Data subjects can exercise rights against either

C. Platform as Processor:

  • 4USPORT is controller
  • Platform processes on 4USPORT's behalf
  • Article 28 RGPD requires written data processing agreement
  • 4USPORT remains primarily responsible

Critical Question: If the email address came from a booking platform, whose responsibility was it to:

  • Obtain consent for communications?
  • Inform customer about data sharing with facility?
  • Ensure lawful basis for onward processing?

Best Practice:

  • Clearly define controller relationships with platform partners
  • Document in written agreements
  • Ensure customer-facing transparency about who controls what data
  • Don't assume platform's compliance covers you

10. The Evidentiary Burden and Documentation Culture

The archival demonstrates that GDPR enforcement requires proof.

Key Lessons:

For Businesses (Defendants):

  • Document everything: data sources, consent, legal bases, security measures
  • Cooperate with investigations (even if you believe complaint is unfounded)
  • Maintain records that can prove compliance (Article 5.2 accountability principle)
  • Don't rely on "presumption of innocence" as a strategy—it's a last resort when evidence is ambiguous

For Complainants:

  • Provide detailed evidence beyond general allegations
  • Screenshot full email headers (not just partial recipient names)
  • Document timeline clearly
  • Specify exact GDPR articles allegedly violated
  • Provide context that establishes unlawfulness

For Everyone:

  • GDPR enforcement is evidence-based
  • Burden of proof matters
  • "He said, she said" situations favour archival
  • Clear documentation protects both parties


Legal Disclaimer

Informational Purposes Only: The content provided by ANRO DIGITAL SOLUTIONS S.L.U. (including resolution summaries, infographics, and case analyses) is for educational and informational purposes only.

No Legal Advice: This information does not constitute legal advice, a formal legal opinion, or a substitute for professional legal counsel. The interpretation of data protection laws (including the GDPR, LOPDGDD, and AEPD resolutions) is subject to change and can vary based on specific facts and circumstances.

No Liability: ANRO DIGITAL SOLUTIONS S.L.U. assumes no responsibility or liability for any actions taken, or not taken, based on the information provided on this website. While we strive for accuracy, we make no guarantees regarding the completeness or timeliness of the information.

Consult a Professional: Data protection compliance is a complex legal requirement. You should not act upon this information without seeking advice from a qualified Data Protection Officer (DPO) or a specialist data protection lawyer licensed to practice in your jurisdiction.

Third-Party Links: Links to official AEPD documents are provided for convenience. We are not responsible for the content or availability of these external government portals.

This summary is for information purposes only. For more information, see our Aviso Legal (Legal Notice).
