Updated: May 29th, 2018
What is the GDPR?
The General Data Protection Regulation, or GDPR, became enforceable on May 25, 2018. This privacy law gives individuals in the EU certain rights over their personal data, including rights to access, correct, and delete their data and to restrict its processing. The GDPR regulates the “processing” of personal data, which includes the collection, storage, transfer, and use of personal data about individuals in the EU. Any organization that processes the personal data of individuals in the EU is within the scope of the law, regardless of whether the organization has a physical presence in the EU.
Rock Gym Pro GDPR Compliance
Rock Gym Pro’s tools and processes are compliant with the GDPR. Rock Gym Pro is also Privacy Shield certified, which provides a lawful mechanism for us to receive and process personal data transferred from the EU (and Switzerland) to the U.S. We are committed to offering services and resources to our customers to help them comply with GDPR requirements that may apply to their activities.
Are Rock Gym Pro customers GDPR compliant?
Compliance with the GDPR requires a partnership between Rock Gym Pro and our customers in their use of our services. Rock Gym Pro’s Terms of Service outline our customers’ obligation to obtain and process all personal data lawfully and appropriately.
If you collect personal data of individuals in the EU, you are likely to be classified as a “data controller” under the GDPR. This means you will have additional obligations, for example around honoring data subject rights. We urge you to understand these obligations and to seek legal advice where you think it necessary.
What is Personal Data?
The GDPR definition of personal data includes what we typically consider personally identifiable information (PII), such as name, passport number, or birth date, but it also includes data that we might consider non-PII, such as IP addresses or device IDs, whenever that data can be linked to an identifiable person.
For the full definition of personal data, please read Article 4(1) of the GDPR. The GDPR also singles out a subset of personal data known as “special categories of personal data,” listed expressly in Article 9. These include racial or ethnic origin, religious or philosophical beliefs, political opinions, health data, and similar categories, and they may only be processed under the narrower conditions that Article 9 sets out.
Key Principles of the GDPR
Businesses should keep in mind the following principles, set out in Article 5 of the GDPR, when implementing software that collects personal data.
What has Rock Gym Pro done to prepare for GDPR?
Rock Gym Pro welcomes the GDPR and the strong data privacy and security requirements it emphasizes, and we look forward to helping our customers comply with the regulation. Rock Gym Pro is committed to being GDPR compliant from the date the law became enforceable, May 25, 2018, and is dedicated to helping our customers become GDPR compliant.
Rock Gym Pro’s steps to ensure it is GDPR-ready include:
Provisions and definitions of GDPR and how they may relate to your business.
Data Processor vs. Data Controller
If you are a Rock Gym Pro customer that collects data from EU data subjects, you are considered a data controller under the GDPR. The controller is the person or organization that determines the purposes and means of processing personal data. You therefore have the responsibility to ensure that you are fulfilling your obligations under the GDPR, which include maintaining a lawful basis for processing your customers’ personal data.
A Controller’s General Obligations:
As a controller, you and your organization are required to process data in accordance with GDPR, including (but not limited to):
Each of your EU customers has the following rights:
Under the GDPR, Rock Gym Pro acts as a data processor for the personal data collected by Rock Gym Pro customers. The processor is the person or organization that processes personal data on behalf of the controller, within the scope and instructions the controller and processor have agreed upon (under the GDPR, in a written contract as required by Article 28). This means that Rock Gym Pro has an obligation to support its customers in keeping the processing of their customer data secure and to provide the tools needed to honor the individual rights listed above.
A Data Processor’s General Obligations:
As a Rock Gym Pro customer, you have chosen us to be the processor of your customers’ personal data, a responsibility we take very seriously. As your processor, we will do our best to assist with YOUR obligations as a controller.
Does GDPR require that EU personal data stay in the EU?
No. The GDPR does not require EU personal data to stay in the EU. It does require that transfers outside the EU rest on a recognised transfer mechanism (Chapter V of the GDPR), such as an adequacy decision, Standard Contractual Clauses, or, for transfers to the U.S., the Privacy Shield Framework; these conditions largely carry over from the previous Data Protection Directive rather than being new restrictions. The security of your customers’ data is our top priority. We’re proud to have self-certified under the Privacy Shield Framework, which gives our customers a lawful basis for transferring EU and Swiss personal data to the U.S.
Where is Rock Gym Pro customer data stored?
Rock Gym Pro customer data is stored both locally (on servers/databases set up at the facility) and on backup servers located in the United States.
Is all data subject to a right to be deleted upon request?
The right to have personal data deleted is often referred to as “the right to be forgotten.” However, the right to be forgotten is not an absolute right. It applies only in certain circumstances and is subject to limitations (see Article 17(3)). It will not apply, for example, where retaining personal data is required to comply with a legal obligation or to establish, exercise, or defend legal claims, as is often the case with contracts (waivers) or records of financial transactions. Deleting such data may expose the business to unnecessary legal liability. We recommend that you consult your legal adviser about which data and documents you are legally obligated to retain and which you may, or must, remove.
I was told that after 6 years, waivers are no longer enforceable. Is there an auto-delete function in RGP for these waivers?
No (see the bulk delete paragraph below). Deleting waivers is not an automatic process in RGP, and the GDPR does not require that documents be automatically deleted after a set period. Legal documents can play a critical role in a facility’s defense against liability claims, regardless of the document’s date. While some countries limit the time within which a legal claim can be filed to six years from the date of the event, liability waivers can be material to future litigation because they show a history of the participant’s understanding of the agreed-upon risks. In GDPR terms, these legal documents remain “necessary in relation to the purposes for which they were collected.” Knowing that a participant has agreed to the risks more than once over a number of years can certainly bolster a business’s defense. For this reason, RGP does not automatically delete data that could be used as material evidence in litigation. If you do choose to delete a customer record and its associated waivers, the Admin on your RGP account will need to perform this action manually.
Can I bulk delete certain types of customers?
Yes. Rock Gym Pro allows you to tag certain types of customers (e.g., customers with no records or visits after a certain amount of time). Once tagged, you can choose to delete these customers and their records. An Admin user must perform the deletion manually. More details on this function will be available prior to May 25th.
How will Rock Gym Pro handle individual requests to delete personal data?
Should an EU data subject request that their customer information be deleted or edited, that request must first be directed to the data controller (the facility), where the local data is stored. Before acting on a request, the facility should confirm the requester’s identity (the GDPR permits asking for additional information where there is reasonable doubt, Article 12(6)) and check whether one of the retention exceptions described above applies. Within the Rock Gym Pro software, the controller can readily edit or “forget” all of a customer’s data in both the local and online databases. As the data controller, the facility handles right to erasure (right to be forgotten) requests using the tools described at the following link: GDPR Tools
Is personal data in RGP Cloud handled differently than traditional/local RGP servers?
No. RGP Cloud functions the same as a local, traditional installation of RGP, and the methods for deleting personal data are the same.
Since Rock Gym Pro is in compliance with GDPR, does that mean my business will automatically comply with the GDPR?
No. As a business subject to the GDPR, you will need to evaluate your own obligations (such as opt-in and cookie consent requirements). There are many resources online that outline what these obligations might be, but it is always best to consult your attorney on these matters.