My Fitness AS (hereinafter MyFitness or we) highly values its clients’ (hereinafter you) privacy.
In this privacy notice we explain how we collect and use your personal data as well as what we do to ensure the protection of your personal data. The aim of this privacy notice is to help you understand how and why we process your personal data as well as what are Your rights in relation to your personal data.
This privacy notice is applicable to you if you use our services under membership contract, without specific contract, e.g. under single-entry ticket, friend ticket or gift certificate, test training, under agreement concluded by a third party (e.g. employer), subscribe to our newsletter or have expressed the interest to receive our offers as well as if you submit an information request in our web environment.
1. The controller of personal data
My Fitness AS
Haabersti 5, Tallinn 13516
2. What type of personal data do we process?
- Personal data – first name and family name, personal ID code, number of identification document, date of birth, photo
- Contact data – phone number, e-mail address, residential address, correspondence language
- Surveillance camera recordings – surveillance camera recordings set-up in sport clubs to protect people and property
- Service data – the data which reveals your activities in using our services, e.g. your purchases of goods and services from but as well as data concerning your potential violations and the agreements concluded between you and us.
- Body analysis data – a special category of personal data which can only be processed upon your consent. If you have granted us respective consent, we will save the data regarding body analysis on your client account and if you have given separate consent, also the personal coach has the right to review such data.
3.What are our aims and legal basis when processing your personal data?
There are different aims for processing personal data and each processing activity must rely on one of the legal basis. MyFitness processes your personal data based on the following legal basis:
Data processing required for performance of contract
We process data relying on this legal basis if it is necessary for performance of the contract concluded with you or for taking measures required prior to signing the contract at your request. The following data are used for the following purposes to enable and ensure you the provision of contractual services.
|Purpose of processing||Personal data categories|
|Pre-contractual relations (offer requests and responses thereto)||Personal data, Contact data|
|Payments (invoice preparation, issuing and collecting payments)||Personal data, Contact data|
|Maintaining and developing client relationship (signing contracts, passing information on contract fulfilment)||Personal data, Contact data, Service data|
|Calculating and managing fees for the services used by client||Personal data, Service data|
|Managing circumstances and events influencing offering services to clients (informing, resolving complaints)||Personal data, Contact data|
|Client recognition||Personal data (incl. photo)|
Data processing needed for performance of legal obligations of MyFitness
In some cases, we need to process your personal data because we are obliged to do so under applicable laws. If the data processing is required by law, neither MyFitness nor you can influence the processing of such data. Based on this legal basis we process your personal data for example for the following purposes:
|Purposes of processing||Personal data categories|
|Accounting (incl. preservation of accounting base documents)||Personal data, Contact data|
|Informing the Estonian Data Protection Inspectorate and the data subject about personal data violations||Personal data, Contact data, Service data|
|Responding to public authorities’ and state institutions’ information requests||Personal data, Contact d|
Data processing based on MyFitness’s legitimate interest
A legitimate interest means that we do not directly need to process your data to fulfil contractual obligations nor our legal obligations, but the processing is still necessary. The processing may be needed to develop our services and products making them better for you, protect our property, clients and employees, using surveillance cameras, make business decisions and compile statistics. As under the legitimate interest we are not obligated to process your data by law or for performance of our contractual obligations but we also do not request your permission for the processing – we give you the right to ask for explanations as well as to present objections, if you consider that processing of your data for the following purposes breaches your rights.
|Purpose of processing||Personal data categories|
|MyFitness service development||Personal data, Contact data|
|MyFitness intra-group data exchange||Personal data, Contact data, Service data|
|Profiling for marketing purposes (see below for explanation)||Personal data, Contact data, Service data|
|Protection of MyFitness property, employees, clients and data – use of surveillance cameras in sports clubs (use of surveillance cameras is described in detail in section 8)||Surveillance camera recordings|
|Marketing activities||Personal data, Contact data|
|Maintaining and developing client relationship (responding to queries, general client service, info exchange)||Personal data, Contact data, Service data|
|General service statistics|
Profiling for marketing purposes
We use different data processing technologies to process your data for marketing purposes. Using mathematical analysis, statistics or other methods enable us to create marketing profiles, establish probabilities and make marketing predictions. The information received gives us an opportunity to evaluate and predict client expectations concerning our goods and services and develop our services according to the expectations. The information also allows us to make personal offers to you and personalise our services.
We may process your data with other aims than what is listed above, based on legitimate interest, but the aims will always stay in a reasonable relationship with our main activity and are necessary for its development.
Data processing based on your consent
In order to provide services based on your concrete needs and ensure personalised service, we may under certain circumstances need your consent for processing your personal data. If you consent to this, we will send you MyFitness newsletters as well as offers from us and our good cooperation partners. Our cooperation partners include, for example: sports, health, culture, beauty, catering, transportation and accommodation service providers. The list is illustrative, and our partners change from time to time, but we always maintain the joint aim of promoting a healthy and sporty lifestyle.
You always have the right to withdraw you consent (each separately as well as all jointly) given to us by removing the checkmark from the appropriate box within the self-service environment, in case you are our member under membership agreement. If you are not a MyFitness member and cannot access the self-service environment, you can send us a corresponding message to the e-mail address email@example.com. If you revoke Your agreement, we will not process your data for the purposes for which the consent was granted. In case of body analysis data, this means the data will be deleted within 7 days from your MyFitness user account and MyFitness system without the possibility to later restore the data.
|Purpose of processing||Personal data categories|
|Retaining of your body analysis data at your MyFitness user account||Body analysis data|
|Disclosing body analysis data the personal coach chosen by you||Body analysis data|
|Direct marketing (e-mails, SMS)||Personal data, Contact data|
4. Who else processes Your data in addition to MyFitness?
Your personal data is accessible only to those MyFitness employees who need the data to perform their work duties (on so-called need-to-know basis). Outside MyFitness, your data is accessible in very restricted situations which are described below and only if it is necessary for achieving the purposes of processing of personal data:
- Other companies of MyFitness group: Your personal data may be shared with other group companies (all are located within the European Union), if necessary for making management decisions and group business activity development as well as for using joint data systems.
- Persons providing services to us: Your data may be accessible to persons providing services to us (the list is not complete and occasionally we order services in new fields): business software provider, IT management and maintenance service provider, mail server provider, website administrator, auditor, lawyers, data analysis software developer, MyFitness mobile application provider, collection service provider.
- Public authorities and state institutions (e.g. police, courts, alarm centre, Data Protection Inspectorate): we will only disclose your data when we are legally obliged to do it.
If we share your data with the above-mentioned persons, we ensure the protection of your personal data through conclusion of data protection agreement with the above-referred persons (except for the public authorities and state institutions).
We do not store or transfer your data outside the European Economic Area or to countries to which the directive 95/46/EC article 25 paragraph 6 does not apply or if a decision concerning sufficient protection has not been made based the General Data Protection Regulation (EU) 2016/679 article 45 paragraph 1.
5. How long do we retain Your personal data?
Your personal data is for as long as required by law or as necessary to fulfil the data processing purposes described in this privacy notice. Below are some examples of data retention periods:
|1 month (after that rerecording begins)||Surveillance camera recordings|
|6 months||Data concerning people who have requested an offer or made other inquiries but with whom no client contract exists|
|3 years (after expiry or termination of contract)||Client contract and service data to protect us against potential claims or to file a claim for protecting ourselves and our own rights|
|7 years (after expiry or termination of contract)||Accounting base documents (e.g. client´s membership agreement and invoices).|
|Until withdrawal of consent for processing||Data for which You have given permission to process – e.g. body analysis data.|
You can obtain more specific information on retention of your personal data by making a corresponding query to the data protection contact person specified in section 1 of this privacy notice.
6. Security of your personal data
My Fitness has established necessary legal, organisational, physical and technical security measures to protect your personal data. Some examples of the measures we use:
Physical measures – paper-based documents containing personal data are stored in locked rooms and cabinets to which only certain employees have access for fulfilling their job duties; data processing rooms and IT-systems are sufficiently protected against fire, overheating, water, current instability and power outages.
Technical measures – video surveillance; all employee work computers are protected with password protected screensavers when the employee leaves; it is ensured that the IT-system does not accept new login attempts and locks the username if certain number of access attempts has been exceeded; it is ensured that especially vulnerable systems (e.g. laptops, smartphones) are sufficiently protected (using encryption or other means).
Organisational means – all IT system users are assigned roles and profiles; it is ensured that access rights are deleted when the employee leaves MyFitness; it is ensured that there is no access from publicly used rooms to rooms where personal data is being processed.
In case we use external companies for providing services, which include data processing, we conclude data protection agreements with such service providers obligating them to: a) take appropriate measures to ensure confidentiality and security of the personal and ii) process personal data in accordance with the applicable legal requirements and the agreement between us.
7. Your rights concerning your personal data
Right to access – You have the right to know which data we hold about you, for what purposes we process your data; to whom we disclose the data, how long the data is retained; what are your rights concerning restricting, correcting, deleting and processing data. In order to respond to your inquiry, we must first authenticate you to avoid granting information to unauthorised persons. We have the right to respond to your inquiry within 30 days.
Right to rectification – You have the right to demand correction of your personal data in case it is inaccurate or incomplete.
Right to deletion of personal data – You have the right under certain conditions to request the deletion of your personal data, foremost if the basis for processing your data originates from our legitimate interest or your consent (e.g. if we no longer need the data, you withdraw your consent granted for processing of your personal data).
Right to restrict processing – You have the right under certain circumstances to forbid or restrict the processing of your personal data for a certain period (e.g. if you have submitted an objection concerning data processing).
Right to present objections – You have the right to present objections concerning such data processing which is based on MyFitness’s legitimate interest incl. profiling based on our legitimate interest. We shall stop processing your personal data when you present an objection, except if we are able to prove that your personal data is processed for material legal reasons (which is decided case by case).
Right to data portability – In case processing the personal data is based on your consent or on a contract between us and data is processed automatically, you have the right to access data concerning you which you have given to us in a structured, generally usable and in machine readable form. You also have the right to demand that MyFitness forwards such data directly to another service provider if that is technically possible (that means the other service provider is capable of receiving the data in the forwarded format).
If you want to exercise any of the abovementioned rights, please contact us using the e-mail address firstname.lastname@example.org.
8. Use of surveillance cameras in sports clubs
All MyFitness sports clubs use surveillance cameras to protect people (that is clients and employees) as well as property (that is MyFitness, employees’ and clients’ property).
The surveillance cameras are located in sports clubs so that the surveillance area includes the service counter, changing room entrances, training hall, studio, as well as SPA or pool. Hence, the clients who are active in these given areas may also be video recorded. Below is a short description of the main terms of video surveillance:
- Legal basis for camera use – legitimate interest
- Short description of surveillance system – stationary, digital, zoomable, with sound recording
- With whom recordings may be shared – Police and Border Guard Board
- Who has access to the surveillance system and recordings – sport club manager, administration and development manager, camera installation and maintenance provider ATEA, training manager, client service personnel (for SPA and pool surveillance only)
- Recording’s retention period – recordings are kept for 1 month after which the video system starts automatically rerecording
- Surveillance time – round the clock
- Surveillance type – recording and on-demand viewing
- What is done to protect data collected with the surveillance system – the recordings are located on the hard disk in the server room. Access to the room only by the above mentioned persons.
- Access right – to access the data collected on you by surveillance cameras please contact us by using the e-mail address email@example.com. When requesting access to such data, please take into consideration that the data is retained for 1 month only and that for protection of the interests and rights of other persons in the recordings they must be made unidentifiable, therefore we cannot grant immediate access to such data. The costs for making persons unidentifiable in the recordings must be borne by yourself.
9. The right to submit a complaint to the Data Protection Inspectorate and the court
Should you need further information about processing your personal data or exercising your rights, please contact us at e-mail address firstname.lastname@example.org.
If you believe that the processing of your personal data breaches the General Data Protection Regulation requirements, you have the tight to turn to the Data Protection Inspectorate and the courts to protect your rights and interests.