Data Protection and GDPR. The following definitions apply in this section: “Data Protection Legislation”: the UK Data Protection Legislation and (for so long as and to the extent that the law of the European Union has legal effect in the UK) the GDPR and any other directly applicable European Union regulation relating to privacy. “GDPR”: General Data Protection Regulation ((EU) 2016/679). “UK Data Protection Legislation”: any data protection legislation from time to time in force in the UK including the Data Protection Act 1998 or 2018 or any successor legislation.
Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. In this clause, Applicable Laws means (for so long as and to the extent that they apply to My Gym) the law of the European Union, the law of any member state of the European Union and/or Domestic UK Law; and Domestic UK Law means the UK Data Protection Legislation and any other law that applies in the UK.
The parties acknowledge that for the purposes of the Data Protection Legislation, the Member is the data controller and My Gym is the data processor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). Without prejudice to the generality of this clause, the Member will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data (as defined in the Data Protection Legislation) to My Gym for the duration and purposes of the contract.
Without prejudice to the generality of this clause, My Gym shall, in relation to any Personal Data processed in connection with the performance by My Gym of its obligations under the contract:
(a) process that Personal Data only on the written instructions of the Member unless My Gym is required by Applicable Laws to otherwise process that Personal Data. Where My Gym is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, My Gym shall promptly notify the Member of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit My Gym from so notifying;
(b) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Member, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
(c) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and
(d) not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Member has been obtained and the following conditions are fulfilled:
(i) the Member or My Gym has provided appropriate safeguards in relation to the transfer;
(ii) the Data Subject (as defined in the Data Protection Legislation) has enforceable rights and effective legal remedies;
(iii) My Gym complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred;
(iv) My Gym complies with reasonable instructions notified to it in advance by the Member with respect to the processing of the Personal Data;
(e) assist the Member, at the Member’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
(f) notify the Member without undue delay on becoming aware of a Personal Data breach;
(g) at the written direction of the Member, delete or return Personal Data and copies thereof to the Member on termination of the agreement unless required by Applicable Laws to store the Personal Data; and
(h) maintain complete and accurate records and information to demonstrate its compliance with this clause.
The Member consents to My Gym appointing any third-party processor of Personal Data under the contract that it so wishes during the existence of the contract. My Gym confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third-party's standard terms of business. As between the Member and My Gym, My Gym shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause. Either party may, at any time on not less than 30 days' notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms (which shall apply when replaced by attachment to the contract).
Schedule 1 Processing, Personal Data & Data Subjects
1. Processing by the Provider
1.1 Scope: parent (and additional carers) name, number, email, address, child's name, child allergies/special needs/important information, booking information, booking history, accident/incident records, payment details, payment history, correspondence
1.2 Nature: in order for My Gym to answer enquiries, book children into classes & events, allow kids into the gym, know how many kids are expected each day, and related items
1.3 Purpose of processing: Health & Safety, My Gym’s insurance policy, in order to plan and provide the Services in full
1.4 Duration of the processing: 10 years, unless customers specifically request deletion of their information
2. Types of personal data: parent (and additional carers) name, number, email, address, child's name, child allergies/special needs/important information, booking information, booking history, accident/incident records, payment details, payment history, correspondence
3. Categories of data subject: all customers of My Gym, including but not limited to, parents, children, instructors, teachers.
Updated: August 2, 2018