The General Data Protection Regulation (GDPR) is a set of comprehensive regulations that unify data protection laws across all European Union member states. It defines an extended set of rights for European Union citizens and residents regarding their personal data.
To comply with its requirements, Perfect Gym has adapted the existing processes and products used to collect and handle personal data.
The GDPR applies directly in all EU Member States from 25 May 2018. By that date, all required changes will be reflected in all Perfect Gym client systems and in Perfect Gym's internal company processes.
Perfect Gym internal company changes
- Perfect Gym has conducted an information audit to map data flows. The audit was organised around our business processes.
- Perfect Gym Data protection policy has been updated. The policy sets out our approach to data protection together with the responsibilities for implementing the policy and monitoring compliance.
- Perfect Gym has nominated a data protection lead, the Data Protection Officer (DPO). The DPO is the first point of contact for all data processing and protection matters. This person monitors compliance with the GDPR and other data protection laws, including managing internal data protection activities, awareness-raising, staff training and internal audits. Please contact firstname.lastname@example.org in case of any questions.
- Perfect Gym has implemented appropriate technical and organisational measures to show that our company has considered and integrated data protection into our processing activities, so that data protection by design principles are applied.
- Data protection awareness training for all staff was provided.
- Data processing contracts will be signed or updated. When processing personal data, Perfect Gym as a processor must have a written contract in place between Perfect Gym and the controller (a Perfect Gym client). Contracts with Perfect Gym sub-processors will be updated as well.
- A breach notification flow has been developed. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. The GDPR places a duty on Perfect Gym as a processor to inform controllers of a personal data breach "without undue delay" after becoming aware of it.
- Right of access. Perfect Gym has a process to respond to a controller's request for information (following an individual's request to access their personal data).
Individuals have the right to obtain:
- confirmation that their data is being processed;
- access to their personal data; and
- other supplementary information; this largely corresponds to the information that a controller should provide in their privacy information.
Perfect Gym sends the controller this information in a commonly used electronic format as a password-protected file. Such requests should be sent to Perfect Gym support.
- Right to data portability. Perfect Gym can respond to a request from the controller to supply the personal data we process in an electronic format. This is done through the Perfect Gym API.
- Role-based access control to the Perfect Gym system, with configurable permissions and privileges for individual users and user groups;
- IP whitelisting, which lets you define the range of IP addresses from which users may access the application.
Procedures and Logs. User Authentication. Data encryption
- User passwords are stored in a secured format and are never written to logs;
- All system components, including firewalls, routers and operating systems, log information to their respective system log facility to enable security analysis and reviews;
- Access to Perfect Gym services requires identity verification, and the credentials are encrypted while in transit;
- Perfect Gym uses encryption products to protect Customer Data, including SSL certificates.
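The first and third controls above (passwords kept in a secured, hashed form and kept out of log output) are the kind of thing a reviewer would want to see in code. The following is an added Python example written for this page; it is not Perfect Gym's code and says nothing about how their system is built. The PBKDF2 parameters, the stored-record format, the `auth-demo` logger name and the redaction pattern are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import io
import logging
import os
import re
from typing import Optional

# Constructed example, not Perfect Gym's implementation. Parameters are assumptions.
PBKDF2_ITERATIONS = 600_000   # assumed work factor; tune to your hardware
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt_hex>$<hash_hex>'.

    The plaintext password is never stored; only the salted PBKDF2 digest is.
    A fresh random salt is generated unless one is supplied (tests pass a fixed one).
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time, so a malformed record or wrong password both yield False."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iters)
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


# Matches key=value or key: value pairs whose key looks like a credential field.
SECRET_FIELD = re.compile(r"(?i)(password|passwd|pwd|secret|token)(\s*[=:]\s*)([^\s,;&]+)")


def redact(text: str) -> str:
    """Mask the value of any credential-looking field in a free-text log line."""
    return SECRET_FIELD.sub(r"\1\2[REDACTED]", text)


class SecretRedactingFilter(logging.Filter):
    """Logging filter that rewrites a record's message before any handler sees it.

    Attaching it to the logger (not just one handler) means every output path,
    file, syslog or console, receives the redacted text.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already fully formatted; drop args
        return True


def capture_log_line(message: str) -> str:
    """Send one message through a logger fitted with the redacting filter and
    return what the handler actually wrote (demonstration helper, assumed name)."""
    buffer = io.StringIO()
    handler = logging.StreamHandler(buffer)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("auth-demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addFilter(SecretRedactingFilter())
    logger.addHandler(handler)
    logger.info(message)
    handler.flush()
    return buffer.getvalue().strip()


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))   # True
    print(verify_password("wrong password", stored))                 # False
    # Constructed log line: the password value must not survive into the output.
    print(capture_log_line("login failed user=alice password=hunter2 ip=10.0.0.5"))
```

The stored record carries its own algorithm, iteration count and salt, so the work factor can be raised later without invalidating existing records: verify with the stored parameters, then re-hash with the current ones on a successful login. The redaction filter is a safety net for free-text messages; the primary control is still never passing credentials to the logger in the first place.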
Production data centres and offices used to provide Perfect Gym services have access control systems. These systems (card-based access control) permit only authorised personnel to enter secure areas. The facilities are designed to withstand adverse weather and other reasonably predictable natural conditions.
Reliability and Backup
All system components and database services are backed up on a regular basis. These backups and system snapshots are stored on a separate server to ensure reliability and performance.
Perfect Gym services changes
- Marketing notifications management. A user may unsubscribe from marketing newsletters through the unsubscribe link placed in the marketing email footer. Additionally, a new feature for user agreements management will be added to Client Portal.
- Logging of club members' personal data processing. We are adding a record of the VIEW action on member personal data (currently we log CREATE and EDIT actions). These logs will be available under User Profile -> Changes in PGM.
- Mass contact removal from CRM. A tool to remove leads with the status Rejection, so that personal data is not processed without need.
- The right to be forgotten. A tool to remove an individual member's data; it anonymises all personal data of a club member throughout the whole system.
- Disposing of personal data. The system provides a way to routinely and securely dispose of personal data that is no longer required.
- Extensive personal data processing permissions that allow you:
1) to hide personal data from club members & client profiles screens
2) to hide personal data from reports.
By default, Perfect Gym employees will not have access to club member personal data. Only Perfect Gym Support may temporarily view club members' personal data, and only for the purposes of a requested support investigation.
- CRM data anonymisation. The same approach as personal data anonymisation in PGM.
- System integrations. If you use any of the Perfect Gym integrations listed below, you should ask club members for their agreement, as their personal data will be sent to the following third parties:
- Technogym - MyWellness
We will then send the data required for the integration only for those club members who have signed an integration agreement.
- Member profiling. POS recommended products and favourite products will be available soon as part of our new Business Intelligence module. Clubs should have an agreement signed by a club member if this profiling is to be used. It may be obtained through user agreements during the joining process in Client Portal or through User agreements on the Client Profile in PGM, and it should be mentioned in the club's information clause.