1.1 In the course of undertaking its business activities, Fitii collects, receives and processes information a) about its customers, being individuals who use the services of Fitii as a personal trainer hub (“Customers”) and b) about the customers and clients of its Customers (“Consumers”) who, through the Customers, link into and use the Fitii platforms and software functionality as part of the services that the Customers provide to their own Consumers. Fitii is legally responsible for ensuring that this information ("personal data") is held and processed in accordance with the law and with individuals' rights.
1.2 This Policy sets out how Fitii complies with the key rules governing the use of such data, including the requirements of the General Data Protection Regulation 2018 ("GDPR"). For the purposes of this Policy, "Data Protection Legislation" shall be taken to mean GDPR and any UK law concerning the protection of personal data, including any legislation which supplements or replaces GDPR and the Data Protection Act 1998 and laws relating to E-Privacy. In preparing this Policy, Fitii has taken into account guidance available at the time from the Information Commissioner's Office (“ICO”) and has taken advice.
1.3 Words and phrases, such as "data controller" and "data processor" as used in this Policy shall have the meanings given to them in GDPR.
1.4 Fitii believes it is principally a "data processor" for personal data it holds and, with its Customers' agreement, is required to hold that data for the Customer’s purposes. It also processes data of Consumers through their registration to the Customer and enables access to Fitii’s services. However, Fitii can also collect and hold such personal data itself, at which time it would be a "data controller".
1.5 Fitii also processes the personal data of employees or appointed agents or consultants to Fitii who in effect work as part of Fitii and the term "employee" will be used to refer to such persons.
1.6 This Policy does not document every part of GDPR which may be relevant, but focuses on the key parts applicable to Fitii and its aim is to make Fitii compliant and to eliminate so far as is reasonably possible potential Data Protection Legislation breaches by Fitii and any harm or loss to Customers, Consumers or the employees of Fitii.
1.7 Fitii may review and amend this policy from time to time as it thinks fit, and will review it on at least an annual basis.
Under Data Protection Legislation, Fitii is responsible for ensuring that personal data is held and processed in accordance with the data protection principles within the Data Protection Legislation. In summary, these principles are that personal data:
For the purposes of GDPR, "processing" includes collecting and storing personal data.
3.1 When processing personal data, under Article 6 GDPR, Fitii may only process where one or more lawful grounds apply.
3.2 Having considered GDPR and the business activities of Fitii, Fitii has concluded that its processing of personal data in undertaking its business activities is lawful on the following GDPR grounds:
3.3 As a result, Fitii’s management has reasonably concluded that the legal basis for it processing personal data will be individual consent, except where this is otherwise necessary (see section 3.4 below) and that such consent is given by:
3.4 As it is possible that Consumers may submit to Fitii certain special categories of personal data and in particular medical records or histories, then Fitii recognises the need to obtain such explicit consent to the processing of that type of personal data for the purposes of Article 9 GDPR as described in paragraph 3.3(b)(ii) above.
4.1 Fitii is required to maintain a record of its processing of personal data activities containing specified information (see Article 30 GDPR). To enable Fitii to comply with this requirement it will:
5.1 Fitii recognises that personal data should not be held longer than is necessary. In general terms, very little physical hard copy personal data is held at all, and where it is, it is held for a variety of periods of time depending upon the nature and type of the matter concerned. Such physical information (and thus the hard copy personal data within it) will be kept by Fitii for six years and then destroyed, as that minimum period of time is required by tax and regulatory rules, guidance, codes and good industry practice, in addition to the fact that six years is often the limitation period in relation to claims. Fitii’s public liability insurers also require it.
5.2 As regards personal data in electronic digital form, the same principles apply. Digital personal data is securely encrypted and password-protected using one of the leading tailored IT software systems and Fitii will keep abreast of technological developments.
6.1 Fitii will ensure that all Customers receive, in their Subscription Agreement with Fitii, full notice and details under Article 14 GDPR containing information about how the Customer’s personal data (and that of the Consumers) will be used. It will also contain a tick box under which they give Fitii consent to use their personal data to send them Fitii’s marketing and promotional information.
6.2 Fitii will ensure that the terms of the Subscription Agreement will also contain clear instructions to the Customers that their specific contracts with their Consumers shall contain suitable, adequate and appropriate express positive consent being given by the Consumer at sign up/registration stage to their personal data (and any special data) being passed to, held and processed by Fitii as the platform and service provider for the Customer, such details being sufficient under Article 14.
6.3 For further compliance, Fitii will, at the initial registration of a Consumer to use Fitii’s platform, software and services through the benefit of their contract with the Customer, obtain a clear positive consent of that Consumer allowing and agreeing to Fitii’s collection, use and processing of such personal data for the specific purposes which will be indicated (and any special personal data being so collected will have its own separate clear description as to purpose, how it is held and for how long).
6.4 Fitii engages third party PR and marketing agencies to promote Fitii, including through printed matter and by email sent to individuals. Fitii is aware that it needs the individual’s consent, whether Customer, Consumer or otherwise, to do this. All such recipient databases containing those individuals who have consented to receiving such information will be held by the third party agency and in addition any emails sent out will include the appropriate notices concerning continuing consent.
6.5 Fitii does not intend to sell or pass to a third party any personal data for the purposes of that third party’s advertising to individuals.
6.6 The information in the Subscription Agreement and registration with Fitii’s platforms will include, amongst other things:
6.7 Fitii will review this information in its Subscription Agreement and website registration processes annually and will amend it to reflect any changes in Data Protection Legislation or in Fitii’s practice.
6.8 Fitii will keep this approach under review, including taking into account any guidance produced by the ICO and industry standards set by appropriate bodies.
6.9 This Policy will be available upon request to all and placed on the Fitii website and platform.
7.1 Data subject access requests
Individuals have the right, in certain circumstances, to access their data in machine-readable format and, where technically possible, to have their data transferred directly from Fitii to another data controller (Article 20 GDPR). Fitii has decided to take no action in relation to data portability at the current time but will monitor the situation and take advice should this become necessary in future.
8.1 System perimeter security will be secured using an advanced firewall device set up to prevent non-essential access via port access restrictions. All data is stored on secure servers provided by AWS (Amazon Web Services); please refer to https://aws.amazon.com/security/. The firewall provides an Intrusion Prevention System, logging all activity.
8.2 Fitii will have up to date device and server security. Endpoint devices are protected with TLS 1.2 (SHA256) protocol security software which includes protection for the following:
8.3 User access to Fitii’s systems will be controlled with a best practice “strong” password policy, which includes password complexity and renewal period rules. Access to application software will be controlled with two-factor authentication rules.
8.4 Fitii will use G-Suite Email Security, supplied and provided by Google (please refer to https://gsuite.google.co.uk/intl/en_uk/security/?secure-by-design_activeEl=data-centers), which gives extensive email security measures. These include:
9.1 The employees all have responsibility to ensure that in performing their duties they do not endanger the safety and security of personal data Fitii holds and processes and at all times act in an appropriate manner concerning the Data Protection Legislation generally and their individual obligations.
9.2 Fitii gives all employees a Privacy Notice which covers not only the Privacy Notice required by GDPR Article 14 as regards Fitii’s use of their own personal data, but also the obligations of Fitii which they must uphold and adhere to. A ‘Do’s and Don’ts’ list is also given to employees. All employees must be aware and cognisant of personal data security and confidence and this will be reinforced by training.
9.3 All Fitii employees will undertake mandatory formal training on data protection (and other issues) at suitable intervals and other training as Fitii considers appropriate.
9.4 Fitii will undertake Data Protection Impact Assessments (as defined in GDPR) (“DPIA”) as and when appropriate.
10.1 Fitii shall ensure that it has a written contract which meets the requirements of GDPR in place with each data processor to which it may pass personal data to be processed. In particular, Fitii will expect each data processor to guarantee that it will meet the requirements of GDPR and will protect clients’ and other individuals’ rights.
10.2 Before engaging a new data processor, Fitii will check that:
10.3 Fitii will seek appropriate assurances from each data processor as to the security arrangements it has in place. This may take the form of:
10.4 Fitii recognises that its data processors may wish to sub-contract some services, which may include sub-contractors processing data on behalf of the data processor. Fitii will ensure that its contract with a data processor wishing to do this will contain provisions concerning sub-contracting which meet the requirements of GDPR.
11.1 Fitii takes seriously the need to deal with any data breach swiftly and appropriately to minimise or eliminate risk of detrimental impact on any data subjects. For this purpose, a data breach may include (but is not limited to) unauthorised disclosure of or access to personal data; or accidental or unlawful destruction of personal data; or loss or alteration of personal data.
11.2 Fitii shall require its employees and its data processors to report data breaches or complaints to Fitii’s Data Protection Officer promptly and to assist Fitii in ensuring compliance with the requirements of GDPR.
11.3 On being notified of a data breach or complaint, the Fitii Data Protection Officer will as soon as possible notify Fitii’s senior management and Fitii shall initially deal with it through the process outlined in Fitii’s GDPR Complaints Policy.
11.4 Notwithstanding the initiation of the procedure outlined in Fitii’s GDPR Complaints Policy, in any event where a data breach has occurred, Fitii shall consider whether it is necessary or appropriate to notify the Information Commissioner's Office ("ICO") or the affected individual, and will take professional advice as a matter of urgency where required.
11.5 Fitii will maintain a record of any data breaches and complaints and action taken in relation to each breach and complaint in inventory form.
11.6 Fitii will act reasonably in assisting data controllers of information it holds and its appointed sub-processors in investigating and resolving any breaches of this Policy or GDPR generally and will review, update and amend this Policy (and others) in the light and context of any breaches or issues arising.
12.1 Fitii has considered the sections under Data Protection Legislation to appoint a data protection officer ("DPO") or to carry out a data protection impact assessment ("DPIA") in certain circumstances.
12.2 Fitii, having considered the possibility of appointing a Data Protection Officer as described in GDPR, has concluded that it is required to appoint a DPO.
12.3 Under GDPR, organisations are required to undertake a DPIA "where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons."
12.4 Fitii does not believe that at the present time the nature of its processing (which, as set out in section 3 above, is fundamentally to provide a central database and hub for service users of its Consumers as required by its Subscription Agreement obligations) is such that there is likely to be a high risk to the rights and freedoms of individuals, and it has concluded that it is not necessary for it to undertake any DPIAs at the present time.
This Version 1.1 of this Policy was adopted by the directors of Fitii Limited on 23 May 2018.