My Fitness AS (hereinafter MyFitness or also we) highly values its clients’ (hereinafter You/Your) privacy.
In this privacy notice we explain how we collect and use Your personal data as well as what we do to ensure the protection of Your personal data. The aim of the given privacy notice is to help You understand how and why we process Your personal data as well as what Your rights relative to Your personal data are.
This privacy notice is applicable to You if You are our contractual member, use our services with no contract, e.g. single-entry ticket, friend ticket or gift certificate, test training, third party contract (e.g. employer), subscribe to our newsletter or have expressed the interest to receive our offers as well as if you submit an information request in our web environment.
1. The controller of personal data
My Fitness AS
Haabersti 5, Tallinn 13516
2. What type of personal data do we process?
- Personal data – first name and family name, identity code, personal identification document number, date of birth, photo
- Contact data – phone number, e-mail address, residential address, correspondence language
- Surveillance camera recordings – surveillance camera recordings set-up in sports clubs to protect people and property
- Service data – the data which reveals Your activities in using our services, e.g. your purchases of MyFitness goods and services as well as data concerning violations and Your signed agreements.
- Body analysis data – a special category of personal data which can only be processed with Your agreement. If You have given us the corresponding agreement, then we will save the data to Your client account and if you give separate permission, then the personal coach also has the right to review the data.
3. What are our aims and legal bases when processing Your personal data?
There are different aims for processing personal data and each processing must take place according to a legal basis. MyFitness processes Your personal data according to the following legal bases:
Data processing required for contract fulfilment
We use this legal basis for processing data if it is necessary for fulfilling the contract You signed with us or for actions which are required prior to signing the contract at Your request. The following data are used for the following aims to enable and ensure You the provision of contractual services.
|The aim of processing||Personal data categories|
|Pre-contract relations (offer requests and their responses)||Personal data, Contact data|
|Payments (invoice preparation, presentation and collecting payments)||Personal data, Contact data|
|Maintaining and developing Client relationship (signing contracts, forwarding info concerning contract fulfilment)||Personal data, Contact data, Service data|
|Calculating and managing fees for services used||Personal data, Service data|
|Managing circumstances and events influencing offering services to clients (informing, resolving complaints)||Personal data, Contact data|
|Client recognition||Personal data (incl. photo)|
Legally required obligations of MyFitness requiring data processing
Under certain circumstances legislation obligates us to process Your personal data. If the data processing is required by law, neither MyFitness nor You can influence the processing of such data. According to the given legal basis we process data with the following aims:
|The aim of processing||Personal data categories|
|Accounting (incl. accounting base document preservation)||Personal data, Contact data|
|Informing the Estonian Data Protection Directorate and the data subject about personal data violations||Personal data, Contact data, Service data|
|Responding to public authorities’ and state institutions’ information requests||Personal data, Contact d|
Data processing based on MyFitness’s legitimate interest
A legitimate interest means that we do not directly need to process Your data to fulfil contractual obligations nor legal obligations, but the processing is still necessary. The processing may be needed to develop our services and products making them better for You, protect our property, clients and employees, using surveillance cameras, make business decisions and compile statistics. Under the legitimate interest conditions we are not obligated to process Your data by law or through contractual obligations , we therefore do not request Your permission which gives You the right to ask for explanations as well as to present objections, if you consider that Your data processing for the following aims breaches Your rights.
|The aim of processing||Personal data categories|
|MyFitness service development||Personal data, Contact data|
|MyFitness internal data exchange||Personal data, Contact data, Service data|
|Marketing profiling (see below for explanation)||Personal data, Contact data, Service data|
|MyFitness property, employees, clients and data protection – use of surveillance cameras in sports clubs (surveillance camera use is described in detail in section 8)||Surveillance camera recordings|
|Marketing activities||Personal data, Contact data|
|Maintaining and developing Client relationship (responding to queries, general client service, info exchange)||Personal data, Contact data, Service data|
|General service statistics|
We use different data processing technologies to process Your data for marketing purposes. The technologies enable using mathematical analysis, statistics or other methods to create marketing profiles, establish probabilities and make marketing predictions. The information received gives us an opportunity to evaluate and predict client expectations concerning our goods and services and develop our services according to the expectations. The information also allows us to make personal offers to You and personalise our services.
We may process your data with other aims than what is listed above, based on legitimate interest, but the aims will always stay in a reasonable relationship with our main activity and are necessary for its development.
Data processing based on agreement
In order to provide services based on Your concrete needs and ensure personalised service, we need Your agreement for processing data under certain circumstances. If you give us Your agreement we will send you MyFitness newsletters as well as offers from us and our good cooperation partners. Our cooperation partners include, for example: sports, health, culture, beauty, catering, transportation and accommodation service providers. The list is illustrative and our partners change from time to time, but we always maintain the joint aim of furthering a healthy and sporty lifestyle.
You always have the right to revoke agreements (each separately as well as all jointly) given to us by removing the checkmark from the appropriate box within the self-service environment. If you are not a MyFitness club member and cannot access the self-service environment, you can send us a corresponding message to the e-mail address firstname.lastname@example.org. If you revoke Your agreement, we will not process Your data according to the agreed upon aim. In case of body analysis data, this means the data will be deleted within 7 days from Your MyFitness user account and the MyFitness system without the possibility to later restore the data.
|The aim of processing||Personal data categories|
|Preservation of Your body analysis data on Your MyFitness user account||Body analysis data|
|Body analysis data forwarding to Your chosen personal coach||Body analysis data|
|Direct marketing (e-mails, SMS)||Personal data, Contact data|
4. Who else processes Your data in addition to MyFitness?
Your personal data is accessible only to those MyFitness employees who need the data to perform their work duties (so-called need-to-know basis). Outside MyFitness, Your data is accessible under very restricted situations which are described below and only if it is necessary for achieving personal data processing aims:
Other MyFitness group companies: Your personal data is shared with other group companies (all are located within the European Union), if necessary for making management decisions and group business activity development as well as using joint data systems.
Persons providing services to us: Your data is accessible to persons providing services to us (the list is not complete and occasionally we order services in new fields): business software provider, IT maintenance and servicing provider, mail server provider, website administrator, auditor, lawyers, data analysis software developer, MyFitness mobile application provider, collection service provider.
Public authorities and state institutions (e.g. police, courts, alarm centre, data protection inspectorate): we will only forward Your data when it is a legal obligation.
If we share Your data with the above-mentioned persons, we ensure the protection of Your data through the agreement signed between us and the mentioned person concerning data processing and protection (with the exception of public authorities and state institutions).
We do not store or forward your data outside the European Economic Area or to countries to which the directive 95/46/EC article 25 paragraph 6 does not apply or if a decision concerning sufficient protection has not been made based on the directive’s follow-on document which is the General Data Protection Regulation (EU) 2016/679 article 45 paragraph 1.
5. How long do we retain Your personal data?
Your personal data is retained according to legally obligated requirements or for as long as required to fulfil the aims in this privacy notice. Below are some examples of data retention periods:
|1 month (after that rerecording begins)||Surveillance camera recordings|
|6 months||Data concerning people who have requested an offer or made other inquiries but with whom no client contract exists|
|3 years (after contract end, ending the contract)||Client contract and service data to protect oneself in the case of possible disputes or to place a demand for protecting one’s own rights|
|7 years (after contract end, ending the contract)||Accounting base documents (e.g. Client member agreement and invoices).|
|Until the agreement is revoked||Data for which You have given permission to process – e.g. body analysis data.|
You can obtain more exact info on personal data retention by making a corresponding query to the data protection contact person specified in section 1 of the given privacy notice.
6. Your personal data security
My Fitness has established necessary legal, organisational, physical and technical security measures to protect Your personal data. Some examples of the measures we use:
Physical measures – paper-based documents containing personal data are stored in locked rooms and cabinets to which only certain employees have access for fulfilling their job duties; data processing rooms and IT-systems are sufficiently protected against fire, overheating, water, current instability and power outages.
Technical measures – video surveillance; all employee work computers are protected with password protected screensavers when the employee leaves; it is ensured that the IT-system does not accept new login attempts and locks the username when a certain number of access attempts has been exceeded; it is ensured that especially vulnerable systems (e.g. laptop computers, smartphones) are sufficiently protected (using encryption or other means).
Organisational means – all IT system users are assigned roles and profiles; it is ensured that access rights are deleted when the employee leaves MyFitness; it is ensured that there is no access from publicly used rooms to rooms where personal data is processed.
In case we use external companies for providing services, we sign an agreement with such service providers who process Your personal data, concerning Your data processing and protection which obligates the service provider to: a) take appropriate measures to ensure the personal data’s confidentiality and protect their security and ii) process personal data according to the applicable legal requirements.
7. Your rights concerning personal data
Right to data access – You have the right to know which data we hold concerning You, for what aims they are processed; to whom the data is publicised (above all recipients in third countries), how long the data is retained; what are Your rights concerning restricting correcting, deleting and processing data. In order to respond to You, we must first authenticate you to avoid giving information to unauthorised persons. We have the right to respond to Your query within 30 days.
Right to data rectification – You have the right to demand corrections to Your personal data in case they are inaccurate or incomplete.
Right to data deletion – You have the right under certain conditions to request the deletion of Your personal data, foremost if the basis for processing Your data originates from our legitimate interest or Your agreement (e.g. if we no longer need the data, You revoke the agreement given to us to process the data).
Right to restrict processing – You have the right under certain circumstances to forbid or restrict the processing of Your personal data for a certain period (e.g. You have submitted an objection concerning data processing).
Right to present objections – You have the right to present objections concerning such data processing which is based on MyFitness’s legitimate interest incl. legally based profile analysis. MyFitness must stop processing Your personal data when You present an objection, except if MyFitness is able to prove that Your personal data is processed for effective legal reasons (decided upon case by case).
Right to data portability – In case the personal data processing is based on Your agreement or a contract signed with us and data is processed automatically, You have the right to access data concerning You which You have given to us in a structured, generally usable format as well as in machine readable form. You also have the right to demand that MyFitness forwards data directly to another service provider if that is technically possible (that means the other service provider is capable of receiving the data in the forwarded format).
If You want to exercise any of the abovementioned rights, please contact us using the e-mail address email@example.com.
8. Use of surveillance cameras in sports clubs
All MyFitness sports clubs use surveillance cameras to protect people (that is clients and employees) as well as property (that is MyFitness, employees’ and clients’ property).
The surveillance cameras are located in sports clubs so that the surveillance area includes the service counter, changing room entrances, training hall, studio, as well as SPA or pool. The MyFitness clients who are active in the given areas will also be video recorded. The following are the main video surveillance conditions:
Legal basis for camera use – legitimate interest
Surveillance system short description – stationary, digital, zoomable, with sound recording
To whom recordings can be given – PBGB (Police and Border Guard Board)
Who has access to the surveillance system and recordings – club manager, administration and development manager, camera installation and maintenance provider ATEA, training manager, client service personnel (for SPA and pool surveillance only)
Recording’s retention period – recordings are kept for 1 month after which the video system starts automatically rerecording
Surveillance time – continuously
Surveillance type – recording and on-demand viewing
What is done to protect data collected with the surveillance system – the recordings are located on the hard disk in the location’s server room. Access to the room is only possible by the previously mentioned persons.
How can a person view one’s own data – to view data collected concerning Your person please contact us by using the e-mail address firstname.lastname@example.org. When requesting access to data, it must be taken into consideration that the data is retained for 1 month only and in the interests and rights of other person’s in the recordings they must be made unidentifiable, therefore we cannot grant immediate access to data. The costs for making persons unidentifiable must be borne by yourself.
9. The right to submit a complaint to the Data Protection Inspectorate and the court
Should you desire further information concerning Your personal data or exercising Your rights, You have the possibility to contact us by using the e-mail address email@example.com.
If You believe that the processing of Your personal data breaches the General Data Protection Regulation requirements, You have the tight to turn to the Data Protection Inspectorate and the courts to protect your rights and interests.