PerfectGym - GDPR Compliance

 

The General Data Protection Regulation (GDPR) is a set of comprehensive regulations that unify data protection laws across all European Union member states. It defines an extended set of rights for European Union citizens and residents regarding their personal data.

To comply with its requirements, PerfectGym has adopted the existing processes and products used to collect and handle personal data.

The GDPR will directly apply in all EU Member States starting on 25 May 2018. By that time, all the changes required will be reflected on all PerfectGym client systems and PerfectGym internal company processes.

PerfectGym internal company changes

• PerfectGym has conducted an information audit to map data flows. An information audit was organised around our business.
• PerfectGym Data protection policy has been updated. The policy sets out our approach to data protection together with the responsibilities for implementing the policy and monitoring compliance.
• PerfectGym has nominated a data protection lead or Data Protection Officer (DPO). The DPO is the first point of contact for all data processing & protection matters. This person monitors compliance with the GDPR and other data protection laws, including managing internal data protection activities, awareness-raising, the training of staff and conducting internal audits. Please contact dpo@perfectgym.com in case of any questions.
• PerfectGym has implemented appropriate technical and organisational measures to show that our company has considered and integrated data protection into our processing activities, so data protection by design principles are applied.
• Data protection awareness training for all staff was provided.
• Data processing contracts will be signed/updated. When processing personal data, PerfectGym as a processor must have a written contract in place between PerfectGym and the controller (a PerfectGym client). Contracts with PerfectGym sub-processors will be updated as well.
• Breach notification flow was developed. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. The GDPR bestows a duty on PerfectGym as a processor to inform controllers of a personal data breach “without undue delay” after becoming aware of it.
• Right of access. PerfectGym has a process to respond to a controller's request for information (following an individual's' request to access their personal data).

Individuals have the right to obtain:

• confirmation that their data is being processed;
• access to their personal data; and
• other supplementary information – this largely corresponds to the information that a controller should provide in their privacy information.

PerfectGym has to send a controller the information in a commonly used electronic format as a password-protected file. Such requests should be sent to PerfectGym support.

• Right to data portability. PerfectGym can respond to a request from the controller to supply the personal data we process in an electronic format. That would be done through PerfectGym API
• Data security. Our robust security and privacy policy carefully considers data protection matters across our services, including data submitted by customers to our services. After a security audit, our organisation required only one point - audit of encryption of hard drives in PerfectGym. Security and privacy-related controls applicable to PerfectGym may be found below:

Security control

• Role-based access control to PerfectGym system with configurable permissions and privileges for individual users and user groups;
• IP whitelisting - enables to define the range of IP addresses from which users will access the application

Procedures and Logs. User Authentication. Data encryption

• Users passwords are stored in a secured format and aren't logged;
• All system components, including firewalls, routers and operating systems log information to their respective system log facility in order to enable security analysis and reviews;
• Access to PerfectGym services requires identity verification, which is encrypted while in transmission;
• PerfectGym uses encryption products to protect Customer Data, including SSL certificates  

Physical security

Production data centres & offices used to provide PerfectGym services have access control systems. These systems permit only authorized personnel to have access to secure areas (card access control system). These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions.

Reliability and Backup

All system components and database services are backed up on a regular basis. These backups and system snapshots are stored on a separate server to ensure reliability and performance.

PerfectGym services changes

• Marketing notifications management. A user may unsubscribe from marketing newsletters through an unsubscribe link placed in marketing email footer. Additionally, a new feature for user agreements management will be placed on Client Portal.

• Registration of club members' personal data processing - we are adding info about the VIEW action on member personal data (currently, we log CREATE and EDIT actions). Those logs will be placed in the User Profile -> Changes in PGM.

• Mass contact removal from CRM - a useful tool to remove leads in status Rejection and do not process personal data without need.

• The right to be forgotten - a tool to remove individual member data. Anonymises all personal data of the a club member through the whole system.

• Disposing of personal data - the system provides a possibility to routinely and securely dispose of personal data that is no longer required

• Extensive personal data processing permissions that allow

 1) to hide personal data from club members & client profiles screens

2) to hide personal data from reports.

By default, PerfectGym employees will not have access to club member personal data. Moreover, only PerfectGym’s Support may temporary check club members personal data for requested support investigation purposes.

• To anonymise CRM data - the same approach as personal data anonymisation in PGM.
• System integrations - if you use any of PerfectGym’s integrations mentioned below, you should ask club members for agreement as their personal data will be sent to the following 3rd parties:
  • Virtuagym
  • Milon
  • Clubplanner
  • Technogym - MyWellness

Then, we will send data required for the integration only for these club members who signed an integration agreement

• Member profiling - POS recommended products/favourite products will be available soon as a part of our brand-new Business Intelligence module. Clubs should have an agreement signed by a club member if this profiling will be used. It may be done through user agreements during the joining process in Client Portal, User agreements on Client Profile in PGM and mentioned in a club's information clause.