Privacy Annex for FitMetrix Services
Last Updated: March 5, 2019
This Privacy Annex (Annex) is an annex to the overhead agreement which refers to this Annex as being applicable between the Parties (Agreement). If there are any conflicts or inconsistencies between this Annex and the Agreement, the provisions of this Annex prevail.
To the extent that FITMETRIX acts as a Processor to You as a Controller, in relation to Your Data originating from the EEA, the following terms apply.
1. Compliance with Your instructions
FITMETRIX may only process Personal Data in connection with its obligations and rights under the Agreement, or as otherwise instructed by You or required by applicable law. The subject-matter, duration, nature and purpose of the Processing, types of Personal Data and categories of individuals will be the same as for the relevant Services to which the Processing relates. FITMETRIX may aggregate or anonymize Your Data for the purpose of product or service improvements, data science and reporting.
2. Security
FITMETRIX will implement commercially reasonable technical and organizational measures for the Services that are designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, disclosure or access. If You have questions about what security measures FITMETRIX has implemented that are not answered by Appendix 2, please reach out to [email protected]. FITMETRIX will notify You of a Personal Data Breach as required under applicable law.
3. Audits
Upon Your request, up to once a year, FITMETRIX will provide to You a copy of a self-certification confirming that FITMETRIX complies with the material requirements set out in this Annex. Such self-certification will be FITMETRIX's Confidential Information.
The Parties acknowledge and agree that such self-certification, where applicable, will satisfy clause 5(f) of the Controller to Processor Standard Contractual Clauses and Article 28.3(h) of the GDPR.
4. Assistance
FITMETRIX will provide You reasonable assistance to allow You, at Your sole cost, to demonstrate Your compliance with obligations pursuant to this Annex in respect of notifying Personal Data Breaches to a Supervisory Authority and individuals and conducting Data Protection Impact Assessments.
5. Individuals
FITMETRIX will notify You of requests received directly from individuals in relation to the Processing of their Personal Data, unless prohibited from doing so under applicable law. FITMETRIX may, but is not required to, acknowledge receipt of such request and ask additional questions to determine the identity and nature of the request, or may refer such request and individual to You directly, and provide You with reasonable assistance in meeting the request in a timely manner.
You are solely responsible for providing any necessary notices to, and obtaining any necessary consents from, individuals with respect to the Processing of Personal Data pursuant to the Agreement and this Annex.
6. Sub-Processors
You agree that FITMETRIX may use Sub-Processors to assist FITMETRIX in Processing Personal Data for the performance of the Services, provided that:
(a) FITMETRIX imposes no less stringent duties on such Sub-Processors regarding security and confidentiality of Personal Data as those set out in this Annex,
(b) FITMETRIX remains responsible to You for the performance of the relevant Services by the Sub-Processor, and
(c) FITMETRIX maintains a list of such Sub-Processors in Section 21 of its Privacy Policy.
In order to receive notice of any change to this list, You must request to subscribe to the Sub-Processor Notification List. You accept that Your failure to join the list may result in missing the deadline to object to new Sub-Processors. You may, within five (5) business days of receiving a notice, object to the involvement of such new Sub-Processor on objectively justifiable grounds related to the ability of such Sub-Processor to protect the Personal Data or comply with data protection requirements applicable to Sub-Processors. In the event that the objection is not unreasonable, the Parties will work together in good faith to find a solution to address such objection, including but not limited to reviewing additional documentation supporting the Sub-Processor's compliance.
7. Transfers
To the extent that the Services involve a transfer of Personal Data originating from the EEA, the Controller to Processor Standard Contractual Clauses, which are herein incorporated by reference, will apply and FITMETRIX will comply, as the Processor, with the obligations therein to facilitate such transfers. The Appendices of such Controller to Processor Standard Contractual Clauses (the Appendices) are appended to this Annex and are incorporated herein by reference.
Your click-through acceptance of the Agreement constitutes Your signature to and acceptance of the Controller to Processor Standard Contractual Clauses and the Appendices.
Notwithstanding the foregoing, FITMETRIX may exchange the Controller to Processor Standard Contractual Clauses for any other EEA-approved transfer mechanism in its sole discretion. Please consult our current Privacy Policy for information regarding our data handling practices and what transfer mechanisms are being used.
8. Return and Deletion of Personal Data
Upon termination or expiration of the Services, FITMETRIX will make available to You Personal Data maintained by FITMETRIX for a duration of three (3) months to allow You to retrieve, where reasonably technically feasible, Your Personal Data in a commonly used format set out by FITMETRIX. After such period, FITMETRIX will destroy or otherwise render inaccessible, at its discretion, such Personal Data from the production environment of the Services, except as may be required by law. Actions set out in this section are at Your sole cost.
9. Changes
We may make changes to this Annex, including the Appendices, from time to time as necessary to reflect changes in our business or legal and regulatory requirements. Changes we make will become effective when we publish a modified version of the Annex on our websites. If you continue using the Services after any changes, it means you have accepted them. If you do not agree to any material changes, you must stop using the Services, and you can terminate your account by emailing [email protected].
10. Key definitions
Unless otherwise defined below, capitalized terms have the meaning set out in the Agreement or the Privacy Policy.
10.1 Controller, Personal Data Breach, Data Protection Impact Assessment, Process/Processing, Processor, and Supervisory Authority have the meaning set out in the GDPR.
10.2 Controller to Processor Standard Contractual Clauses means the Standard Contractual Clauses adopted by the EU Commission pursuant to its decision C(2010)593 located at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32010D0087 (as updated or replaced from time to time).
10.3 EEA means all member states of the European Union, Norway, Iceland, Liechtenstein and, for the purposes of the Annex, Switzerland.
10.4 GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
10.5 Parties means You and FITMETRIX.
10.6 Personal Data means Your Data to the extent that it relates to an identified or identifiable natural person.
10.7 Sub-Processors means third party organizations that FITMETRIX engages for the Processing of the Personal Data and which do not act under FITMETRIX's direct authority.
Appendix 1 to the Controller to Processor Standard Contractual Clauses (description of transfer)
This Appendix forms part of the Controller to Processor Standard Contractual Clauses.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
Data Exporter and Data Importer
You transfer, and FITMETRIX receives, Personal Data in relation to the supply of Services as set out in the Agreement.
Data subjects
The personal data transferred concern the following categories of data subjects:
Employees, including temporary and prospective employees; existing and prospective customers (including gyms, fitness studios, practitioners); consumers; visitors or registrants at offices, web sites and/or events; employees of corporate business associates; and other categories as relevant to the Services.
Categories of data
Data as necessary for the Services, including contact and other personal details (name, address, telephone or mobile number, fax number, email, education and background, etc.), billing and financial details, electronic data (including IP address, application, device, Internet, network and browser data), sales and marketing data (including prospects, membership and mailing list participation), advantages, benefits and rewards, demographic or geographic information, analysis and business intelligence, statistics and use trends, service account data, training and technical support data, know-how, app features and metrics (including workout attendance, body measurements, biometrics and performance) and other data as relevant to the Services.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
Biometric and performance data and other sensitive information as relevant to the Services.
Processing operations
The personal data transferred will be subject to the following basic processing activities (please specify):
Processing operations are limited to the extent necessary to provide the Services as specified under the Agreement.
Appendix 2 to the Controller to Processor Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Processor must implement appropriate physical security controls within its premises to prevent unauthorized persons from gaining access to data and systems. For this, Processor has implemented the following measures:
Identification card for all members of staff
Manned reception area in all buildings
Visitor access procedure
Locked entry gates at all external doors
Data center access limited to authorized personnel
Entry security systems 24x7 (e.g., smart card reader, code locks)
Locks for filing cabinets containing sensitive data
Processor must prevent unauthorized access to data processing systems. Processor has implemented the following measures for electronic access control:
Access control system (User ID and Strong Password)
Encryption of data transmitted via unsecure networks
Firewalls
URL Filtering
Penetration testing
Automated vulnerability scans
Documented Security Incident Response Plan
Processor must ensure that authorized members of staff have access only to the data which they require in the course of their work duties and to which they have a right of access, and must prevent any unauthorized access outside of the granted permissions. Processor has implemented the following measures:
Documented authorization process to grant only the minimum access required for each member of staff to perform his/her work duties
Regular controls of authorizations granted and change process to reflect termination of employment, contract, agreement, or change of roles
Privileged access limited to essential administration personnel
Authentication process (User ID and Strong Password)
Audit logs for servers, applications and network devices
Secured interfaces
Disk management
Encryption of data transmitted via unsecure networks
Processor shall ensure that personal data are protected against any unauthorized reading, modification, copying, or removal during electronic transmission or transport. Measures must be in place to verify to which recipients transfers are envisaged. Processor has implemented the following measures during transport, transfer, and transmission or storage on data carriers:
Encryption of data transmitted via unsecure networks
Encryption of storage media in transport
Electronic signatures
Processor shall ensure that it is possible to verify what personal data were entered into processing systems, modified, or removed, at what time, and by whom. Processor has implemented the following to allow for retrospective review of whether and by whom personal data are entered, modified, or removed:
Authentication process (User ID and Strong Password)
Documented Incident Response Plan
Processor shall ensure that, in the case of sub-contracting, personal data will be processed only in accordance with the instructions of the Controller:
Written contractual arrangements/instructions with all sub-contractors
Access controls to restrict access to what is required to perform the specific services
Processor shall take measures to protect personal data against accidental loss or destruction. Processor has implemented the following measures for availability control:
Daily automated Back-up
Redundant power feeds
Temperature and humidity controls and monitoring
Encryption of data transmitted via unsecure networks
Antivirus/firewall
The data of the Controller are to be separated from the data of other customers and the Processor. Personal data collected for different purposes must be processed separately. Measures taken by Processor for separation control are:
Customer data and systems are separated from internal systems
Dedicated server
Separation of production and test systems
Defined roles and responsibilities including appropriate segregation of duties amongst members of staff