Rock Gym Pro and GDPR

Updated: May 29th, 2018


What is the GDPR?
The General Data Protection Regulation, or GDPR, took effect on May 25, 2018. This new privacy law provides European individuals with certain rights over their personal data, including a right to access, correct, delete, and restrict processing of their data. The GDPR regulates the “processing” of data, which includes the collection, storage, transfer, or use of personal data about EU individuals. Any organization that processes personal data of EU individuals is within the scope of the law, regardless of whether the organization has a physical presence in the EU.


Rock Gym Pro GDPR Compliance
Rock Gym Pro’s tools and processes are compliant with the GDPR. Rock Gym Pro is also Privacy Shield certified, which means we can lawfully collect, receive, and process personal data from the EU and beyond. We are committed to offering services and resources to our customers to help them comply with GDPR requirements that may apply to their activities.


Are Rock Gym Pro customers GDPR compliant?
Compliance with the GDPR requires a partnership between Rock Gym Pro and our customers in their use of our services. Rock Gym Pro’s Terms of Service outlines our customers’ obligation to lawfully obtain and process all personal data appropriately.

If you collect EU residents’ personal data, you are likely to be classified as a “Data Controller” under the GDPR. This means you will have some additional obligations around such things as data subject rights. We urge you to understand these obligations and seek legal advice where you think necessary.


What is Personal Data?
The GDPR definition of personal data includes what we typically consider personally identifiable information (PII), such as name, passport number, and birth date, but it also includes data that we might consider to be non-PII, like IP addresses or device IDs.

For a comprehensive list of what the GDPR considers personal data, please read Article 4(1) of the GDPR. Additionally, included in the definition of personal data is a subset of data known as “special categories of personal data.” Special categories of personal data are a specific list of data, expressly set out in the GDPR, and include things like race, religion, political opinions, health data, etc.


Key Principles of the GDPR

Businesses should keep in mind the following principles as they implement software that collects personal data.

  • Personal data collected needs to be processed in a fair, legal, and transparent way. It should not be used in any way that a person would not reasonably expect.
  • Personal data should only be collected to fulfill a specific purpose and not further used in a manner that is incompatible with those purposes. Organizations must specify why they need the personal data when they collect it.
  • Personal data held needs to be kept up-to-date and accurate. It should be held no longer than necessary to fulfill its purpose.
  • EU citizens have the right to access their own personal data. They can also request a copy of their data, and that their data be updated, deleted, restricted, or moved to another organization without hindrance.
  • All personal data needs to be kept safe and secure, and companies undertaking certain types of activities are now required to appoint a data protection officer (DPO).


What has Rock Gym Pro done to prepare for GDPR?
Rock Gym Pro is excited about the GDPR and the strong data privacy and security requirements it emphasizes and we look forward to helping our customers comply with the regulations. Rock Gym Pro is committed to ensuring that it is GDPR compliant when the law becomes enforceable on May 25, 2018 and is dedicated to helping our customers become GDPR compliant.

Rock Gym Pro’s steps to ensure it is GDPR-ready include:

  • Rock Gym Pro is Privacy Shield certified. By complying with the Privacy Shield Principles, we can lawfully collect, receive, and process personal data from the EU and Switzerland in the US and beyond.
  • Making available a GDPR-compliant Customer Data Processing Agreement for Rock Gym Pro’s processing of personal data under the GDPR on behalf of its customers. If your use of Rock Gym Pro requires Rock Gym Pro to process personal data within the scope of the GDPR, Rock Gym Pro’s GDPR Data Processing Addendum is available for e-signature here.
  • Vendor agreements review: To ensure that our customers’ personal data is protected all the way down the sub-processing chain, we are reviewing our vendor agreements and ensuring GDPR-compliant terms are in place with vendors and service providers who process GDPR personal data on our behalf.
  • Making behind-the-scenes changes to ensure that the Rock Gym Pro platform and services are GDPR compliant and support GDPR rights, including implementing changes focusing on record deletion, waiver privacy policy viewing, opt-in consents, and cookie consents. Rock Gym Pro has also been working to ensure that we are able to help our customers respond to any data subject requests that they may receive, and is proactively ensuring GDPR compliance for every new product or enhancement.
  • Evaluating our Privacy and Cookie Notices and making any updates as needed.


Provisions and definitions of GDPR and how they may relate to your business

Data Processor vs. Data Controller

Data Controller:
If you are a Rock Gym Pro customer that collects data from EU subjects, under the GDPR you are considered a data controller. The controller is a person or organization that determines the purpose of processing personal data. You therefore have the responsibility to ensure that you are fulfilling your obligations under the new GDPR regulations, which include maintaining the lawful processing of personal data of your customers.

A Controller’s General Obligations:
As a controller, you and your organization are required to process data in accordance with GDPR, including (but not limited to):

  • Establishing a process to identify and report data breaches within the timeframes of the GDPR
  • Ensuring that the processed personal data is adequately protected
  • Informing your customers how their data is processed
  • Determining what personal data is processed and for what purposes.

Each of your EU customers has the following rights:

  • Right of information and access
    An individual can require information be given regarding the personal data that is being processed, including the purpose of the processing and how long the data will be retained.
  • Right to rectification
    An individual can require that incorrect personal data be edited.
  • Right of portability
    An individual can require personal data be provided so that it can be transferred to another data controller.
  • Right to object
    An individual may object to the processing of their data for direct marketing purposes and/or scientific, historical, research or statistical purposes.
  • Right to erasure (be forgotten)
    An individual may require a controller to have personal data deleted if the processing of their data fails to satisfy the requirements of GDPR.
  • Right to restriction of processing
    An individual may require the processing of their data be restricted when the processing is challenged.

Data Processor:
Under GDPR, Rock Gym Pro acts as a data processor of the personal data received by Rock Gym Pro customers. The processor is the person or organization that processes personal data on behalf of the controller and in accordance with the instructions and scope that the controller and processor have mutually agreed upon. This means that Rock Gym Pro has an obligation to support its customers to ensure the processing of their customer data is secure and to ensure that the tools to accommodate the individual’s rights listed above are provided.

A Data Processor’s General Obligations:
As a Rock Gym Pro customer, you have chosen us to be the processor of your customers’ personal data, a responsibility we take very seriously. As your processor, we will do our best to assist with YOUR obligations as a controller.


FAQs
Does GDPR require that EU personal data stay in the EU?
No, the GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on transfers of personal data outside the EU. Rock Gym Pro’s security of your customer’s data is our top priority. We’re proud to have self-certified under the Privacy Shield Framework which helps our customers legalize transfers of EU and Swiss personal data outside of the U.S.

Where is Rock Gym Pro customer data stored?
Rock Gym Pro customer data is stored both locally (on servers/databases set up at the facility) and on backup servers located in the United States.

Is all data subject to a right to be deleted upon request?
The right to have personal data deleted is often referred to as “the right to be forgotten.” However, the right to be forgotten is not an absolute right. It only applies in certain circumstances and is subject to limitations. This right will not apply, for example, if retaining personal data is required to comply with a legal obligation, such as with contracts (waivers) or financial transactions. Deleting this data may put the business in unnecessary legal liability. We recommend that you get in touch with your legal adviser regarding which data and documents you are legally obligated to remove.

I was told that after 6 years, waivers are no longer enforceable. Is there an auto-delete function in RGP for these waivers?
No. (See the bulk delete paragraph below.) Deleting waivers is not an automatic process in RGP, and GDPR does not require that documents be automatically deleted after a certain amount of time. Legal documents can play a critical role in the defense of a facility’s liability, regardless of the document date. While some countries limit the time a legal claim can be filed to six years from the date of the event, liability waivers can be material to any future litigation, as these documents show a history of understanding of the agreed-upon risks. Per GDPR, these legal documents are still “necessary in relation to the purposes for which they were collected”. Knowing that a participant has agreed to risks more than once over the course of a number of years can certainly bolster a business’s defense. For this reason, RGP does not automatically delete data that can potentially be used as material evidence in litigation. If you do choose to delete a customer record and associated waivers, the Admin on your RGP account will need to perform this action manually.

Can I bulk delete certain types of customers?
Yes. Rock Gym Pro will allow for tagging of certain types of customers (e.g., customers that have no records or visits after a certain amount of time). Once tagged, you can choose to delete these customers and their records. This function will require an Admin user to delete customer types manually. More details on this function will be available prior to May 25th.

How will Rock Gym Pro handle individual requests to delete personal data?
Should there be a request from an EU subject to delete/edit customer information, that request would first need to be directed to the data controller (the facility) where the local data is stored. Within the Rock Gym Pro software, the controller has the ability to readily edit or “forget” all customer data from their local and online database. As the data controller (the facility), you can process a right to erasure (be forgotten) request using the tools at the following link: GDPR Tools

Is personal data in RGP Cloud handled differently than traditional/local RGP servers?
No, RGP Cloud functions the same as a local traditional installation of RGP. The methods to delete personal data are the same.

Since Rock Gym Pro is in compliance with GDPR, does that mean my business will automatically comply with the GDPR?
No. As a business regulated under the GDPR rules, you will need to evaluate your own obligations (such as opt-in and cookie consent standards). There are multiple resources online that outline what these obligations might be, but it’s always best to consult with your attorney on these matters.