What is GDPR?
The General Data Protection Regulation (GDPR) is a new privacy legislation that replaces the EU Data Protection Directive (Directive 95/46/EC) within the European Union. The GDPR regulates the collection, use, transfer, and sharing of personal data with the key purpose of protecting it.
Why is GDPR important?
GDPR adds some new requirements regarding how companies should protect individuals' data that they process. It also raises the stakes for compliance by increasing enforcement and imposing greater fines for breaches. We are following the developments about GDPR and are taking the necessary steps to become compliant.
What constitutes personal data?
Personal data includes any information related to a living resident or citizen of the EU that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, medical information, or even an IP address or cookie.
Who does the GDPR affect?
The GDPR affects companies processing the personal data of individuals residing in the European Union, regardless of a company’s location. It applies not only to organisations located within the EU, but also to organisations located outside of the EU if they offer goods or services to or monitor the behaviour of EU residents and/or citizens.
What happens when the UK leaves the EU?
The UK is hoping for a unique status under GDPR and is working towards it. For the time being the UK has declared it will be GDPR compliant, and its new data protection bill is in line with GDPR.
How will the GDPR affect businesses?
The GDPR requires organisations to be transparent about how personal data is collected, used, and stored: what personal data is collected, the purposes for which it is collected, and who it is shared with. It also requires companies to enable individuals whose personal data is being processed to exercise their rights in relation to their data. The GDPR also requires companies to ensure appropriate protections when EU personal data is transferred outside the EU (including transfers to the US).
What new user rights does GDPR regulate?
Right to Access. EU residents and citizens (or “Data Subjects,” as they are called in the regulation) have the right to obtain confirmation from the organisation that has collected their data as to whether their personal data is being processed, where, and for what purpose. They also currently have (and will continue to have under the GDPR) the right to receive a copy of this personal data.
Right to Be Forgotten (or Data Erasure). Data Subjects can demand that an organisation erase their personal data and cease further dissemination of the data.
Data Portability. Data Subjects can receive the personal data concerning them (which they have previously provided) in a machine-readable format and have the right to transmit that data to another organisation.
How do we process your information?
Prior to becoming an Xfit member, you may choose to provide us with your email address when downloading content from our website or blog. We will store your email address, and any other information you provide to us and use that data to contact you about Xfit. This data will be retained for 24 months, following which it is permanently deleted (unless you become a member in that period). You can unsubscribe from our emails at any time.
Contact Name, Email Address, Address, Phone Number, DOB, Emergency Contacts
We collect this information from you when you sign up as a member. If you cancel your membership we will store this information for 12 months, following which the data is permanently deleted. If you wish for us to permanently delete your data prior to the end of this retention period, please just let us know. We store this information in ClubManager which is our subscription and membership CRM system.
Your payment details are not stored on our own systems. The information is passed directly to Stripe or FastDD, depending on the options you select.
We do not and will not share any of your data with any third party other than the sub-processors detailed below.
Who are our sub-processors?
We share certain information with companies that may be considered our "sub-processors" under GDPR. This information is limited to the following:
ClubManager - for CRM and subscriptions and notification emails. We process and store your personal details in ClubManager.
Stripe - for payments. We process your billing address and payment details. Your payment details are passed directly to Stripe - they do not pass through our systems.
FastDD - for payments. We process your billing address and payment details. Your payment details are passed directly to FastDD - they do not pass through our systems.
Wix.com - to provide the chat system. Your name and email address are collected and stored for a period of 24 months.
How do we manage access to your information?
Our intention is to handle access-to-information requests (such as deletion and export) manually. If you are a member with us, you may access, correct, or request that we delete your personal data by contacting us at email@example.com.
We will respond to all requests within 14 days, which is well within the GDPR requirement of 30 days.