UK GDPRHospitality

Serco Leisure Operating Limited

Employee Surveillance

Authority

ICO

Country

United Kingdom

Date Issued

February 22, 2024

Industry

Hospitality

Summary

Serco Leisure and seven associated community leisure trusts were issued enforcement notices by the ICO for unlawfully processing biometric data (facial recognition and fingerprint scanning) of over 2,000 employees across 38 leisure facilities to monitor attendance without proper legal basis. The company was ordered to cease this biometric data processing immediately.

Violation Types

Employee SurveillanceLegal BasisData Processing

Articles Violated

View original enforcement decision

Related Enforcement Actions

Reddit, Inc.

ICO · UK GDPR · February 22, 2026

€17M

Capita plc and Capita Pension Solutions Ltd

ICO · UK GDPR · October 14, 2025

€16M

TikTok Inc.

ICO · UK GDPR · May 14, 2023

€15M

Advanced Computer Software Group Limited

ICO · UK GDPR · March 25, 2025

€4M

LastPass UK Ltd

ICO · UK GDPR · November 19, 2025

€1M

Avoid enforcement risk with automated compliance

IQWorks helps organizations automate UK GDPR compliance before regulators come knocking.

Talk to an Expert