Flexion Fitness, a limited liability company with its principal office located at Unit 9 Annesborough Industrial Estate, Lurgan, hereinafter referred to as the Controller, along with affiliated entities (third-party companies), referred to as the Processors thereof, enters into the following agreement with you, the members (subscripted members) and clients (one-off service users).
• The Controller - Flexion Fitness and its respective staff members.
• The Processors - Outside companies that specialise in data management, such as Virtue Gym, Mailchimp and the like.
• The Clients - You, the members, both subscripted and non-subscripted, who have submitted their data.
Data Protection Concepts:
• Data Subject - Covering all aspects of the business and the service it offers, including health, nutrition, planning, marketing, personal wellness, app management, coaching, booking and the like.
• Confidential and Proprietary Information - covers and means any and all information of a confidential, proprietary, or secret nature which is or may be either applicable to, or related in any way to:
(i) The business, present or future, of Processor; or
(ii) The research and development or investigations of Processor.
Proprietary Information includes, for example and without limitation, the identity of a client, supplier or any customer of Processor, trade secrets, processes, formulas, user-data, know-how, improvements, inventions, patents, copyrights, techniques, marketing plans, policies, procedures, pricing, technical software, including source and object code, operating systems, bridgeware, firmware, middleware and utilities, and strategies, costs, profit and margin information, finances and financial projections and current or future business plans and models.
Why and how we collect data:
The controller sanctions appropriate and legal processing of personal information in accordance with national GDPR guidelines to ensure confidence and security to the clients. The data collected by the controller is solely for business use and purposes to improve the service offered to the clients. Only Data that is necessary for the service is collected.
The Controller is responsible for handling and sharing all data submitted by you the members and clients. As part of this agreement the Controller works in partnership with the processor, in handling, processing and analysing your data.
The Processor as part of its service provides a web and mobile applications-based software technology application that offers a wide array of functionalities in the field of tracking, nutrition, coaching, membership and billing, among others. The processor also identifies trends and allows for appropriate marketing schemes to be developed.
In this role the Processor is solely responsible for:
i) Processing data
ii) Storing data and
iii) Analysing data;
iv) Marketing to the respective clients and members
We, the Controller, provide the Processors additional solutions for some or all of activity tracking, nutrition, coaching, booking, membership, billing and other information that can be paired with Processor’s Service for the benefit of the Controller.
The Controller and Processor previously entered into a license agreement for this Service, provided by the processors of which this Data Processing Agreement shall be a part;
With respect to Personal Data processing, the Processors qualify as a processor within the meaning of Section 4(8) of the General Data Protection Regulation under the law of the European Union (GDPR) and Controller qualifies as a controller within the meaning of Section 4(7) of the GDPR;
The members and clients - partly in implementation of the provisions of Section 28(3) of the GDPR - wish to document a number of conditions in this Data Processing Agreement which apply to their relationship in the context of the aforesaid roles for the benefit of the Controller.
There will now be an outline of the responsibilities of the Controller and contracted processors with your information and data.
It is the Controller's responsibility to:
(i) Gather and collect the relevant data and information.
(ii) To ensure all staff are kept updated on how to protect data and store it in accordance with the law. This will be carried out in annual training and discussions.
(iii) Terminating the contracts of any employees or affiliate companies who handle data inappropriately or ineffectively resulting in the loss or damage of data.
(iv) Encourages regular auditing of data management and allows for governmental bodies to carry out any regulatory audits following the request of the party in line with the current guidelines outlined in GDPR.
(v) Acknowledge that all clients have a right to access their own personal information and will deal with this request in a professional manner, ensuring appropriate data request sheets are filled out and processed within 40 calendar days.
(vi) Confirm that the company is currently in a legal and binding contract to Virtue Gym, that provides a service with the management and handling of data management outlined below and that should it falter at any level Virtue Gym is solely responsible for the safe keeping of personal data and will ensure appropriate legal back up occurs if a failure should happen.
(vii) Confirm that Mailchimp in which it shares appropriate information for the use of its service.
Virtue Gym, the Processor, has laid out its own roles and responsibilities in the following form:
1.1 In this Data Processing Agreement, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
1.1.2 “The Service”: Processor has developed a flexible white-label technology solution for web-based wellness platforms and mobile apps, offering a wide array of functionality in the field of tracking, nutrition, mental vitality, coaching, booking, membership management and billing.
1.1.3 “Annex” means any appendix to this Data Processing Agreement which forms an integral part thereof;
1.1.4 “Agreement” means the previously concluded license agreement between the Parties;
1.1.5 “Personal Data” means all information relating to an identified or identifiable natural person as referred to in Section 4(2) of the GDPR;
1.1.6 “Process” means, as well as conjugations of this verb: the processing of Personal Data as referred to in Section 4(2) of the GDPR;
1.1.7 “Data Processing Agreement” refers to this agreement;
1.1.8 “Sub Processor” means the sub-contractor hired by Processor, that Processes Personal Data in the context of this Data Processing Agreement on behalf of the Controller, as referred to in Section 28(4) of the GDPR.
1.2 The provisions of the Agreement apply in full to this Data Processing Agreement. In case provisions with regard to the Processing of Personal Data included in the Agreement conflict with the provisions in this Data Processing Agreement, the provisions of this Data Processing Agreement shall control.
2. Purpose of Personal Data Processing
2.1 Parties wish to enter into this Data Processing Agreement to control the terms of the Processing of Personal Data in the context of the Agreement. An overview of the type of Personal Data, categories of data subjects and the purposes of Processing, is included in Annex I.
2.2 Processor undertakes to Process Personal Data only for the purpose of the activities referred to in this Data Processing Agreement. The Processor guarantees that it will not use the Personal Data which it Processes in the context of this Data Processing Agreement for its own or third-party purposes without the Controller’s explicit written consent, unless
i) purposes explicitly stated different in this Data Processing Agreement or previously signed agreements
ii) a legal obligation requires the Processor to do so. In which case, the Processor shall immediately inform the Controller of that legal requirement before Processing, unless that law prohibits such notice to the Controller.
3. Technical and organizational provisions
3.1 Processor will, taking into account the nature of the Processing and insofar as this is reasonably possible, assist the Controller in ensuring compliance with the obligations pursuant to the GDPR and taking appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures will be designed to establish an appropriate level of security, taking into account best practices and the costs of implementation, in view of the risks entailed by Personal Data Processing and the nature of the data to be protected. The Processor will in any case use its commercially reasonable efforts to protect Personal Data against accidental or unlawful destruction, accidental or deliberate loss, forgery, unauthorized distribution or access, or any other form of unlawful Processing.
3.2 Processor will provide a document which describes the appropriate technical and organizational measures to be taken by the Processor. This document will be attached to this Data Processing Agreement as an Annex.
4.1 The Processor will require the employees that are involved in the execution of this Data Processing Agreement to sign a confidentiality statement which in any case states that these employees must keep strict confidentiality regarding the Personal Data.
5. Personal Data Processing outside Europe
5.1 The Processor is permitted to transfer Personal Data outside the European Economic Area if this is done in compliance with the applicable statutory obligations.
6.1 Processor is entitled to outsource the implementation of the Processing on Controller’s instructions to Sub-processors, either wholly or in part, which parties are described in Annex III. In case Processor wishes to enable Sub-processors, Processor will inform Controller of any intended changes concerning the addition or replacement of Sub-processors. Controller can object to such changes within 5 business days after receiving written confirmation of Processor’s intended change of Sub-processor, but any such objection must be on a reasonable basis.
6.2 Processor aims to obligate each Sub-processor to comply with confidentiality obligations, notification obligations and security measures relating to the Processing of Personal Data, which obligations and measures must at least comply with the provisions of this Data Processing Agreement.
7.1 With regard to the liability and indemnification obligations of Processor under this Data Processing Agreement, the stipulation in or incorporation by reference in the Agreement regarding the limitation of liability applies.
7.2 Parties shall be liable to the other for any direct damages arising out of or relating to its performance or failure to perform under this Data Processing Agreement. However, any liability arising from this Data Processing Agreement, whether based on an action or claim in negligence, tort or otherwise, for all events, acts or omissions under this Agreement, shall in total not exceed any fees paid or payable under the Agreement over a period of maximum six months.
8. Personal Data Breach
8.1 In the event Processor becomes aware of any incident that may have a material impact on the protection of Personal Data, Processor i) will notify Controller within 24 hours after Processor became aware of the incident and ii) will take all reasonable measures to prevent or limit the impact of the incident and prevent future incidents.
8.2 Processor will, insofar as reasonable, provide all reasonable cooperation requested by Controller in order for Controller to comply with its legal obligations relating to any such identified incident.
8.3 Processor will, insofar as reasonable, assist Controller with Controller’s notification obligation relating to the Personal Data to the Data Protection Authority and/or the data subject, as meant in Section 33(3) and 34(1) of the GDPR. Processor is, under this Data Processing Agreement, never held to report a Personal Data breach with the Data Protection Authority and/or the data subject.
8.4 Processor will not be responsible and/or liable for the (timely and correct) notification obligation to the relevant supervisor and/or data subjects, as meant in Section 33 and 34 GDPR.
9.1 Processor will, insofar as reasonably possible, provide all reasonable cooperation to the Controller in fulfilling its obligation pursuant to the GDPR to respond to requests for exercising rights of data subjects, in particular the right of access (Article 15 GDPR), rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction (Article 18 GDPR), data portability (Article 20 GDPR) and the right to object (Article 21 and 22 GDPR). Processor will forward a complaint or request from a data subject with regard to the Processing of Personal Data to the Controller as soon as reasonably possible following receipt thereof, as the Controller can be (partially) responsible for handling the request. Processor is entitled to charge any costs associated with the cooperation with Controller with respect to any terms of this Data Processing Agreement. Controller will be solely responsible for applicable costs under this section, including - but not limited to - additional work at an hourly rate of 69,- per hour to the Processor for time spent on requests under this section.
9.2 Processor will, insofar as reasonably possible, provide all reasonable cooperation to Controller in fulfilling its obligation pursuant to the GDPR to carry out a data protection impact assessment (Section 35 and 36 GDPR). Controller will be solely responsible for applicable costs under this section, including - but not limited to - additional work at an hourly rate of 69,- per hour to the Processor for time spent on requests under this section.
9.3 Processor will provide Controller with all the information reasonably necessary to demonstrate that Processor fulfills its obligations under the GDPR. Furthermore, Processor will – at the request of Controller – enable and contribute to audits, including inspections by an auditor that is authorized by Controller. In case the Processor is of the opinion that an instruction relating to the provisions of this paragraph infringes the GDPR or other applicable data protection legislation, Processor will inform Controller immediately. Controller will be solely responsible for applicable costs under this section, including but not limited to an hourly rate of 150,- per hour to the Processor for time spent on preparation and assisting during inspection or the requested audit.
10. Termination and Miscellaneous
10.1 With regard to the termination under this Data Processing Agreement the specific provisions of the Agreement apply. Without prejudice to the specific provisions of the Agreement, Processor will, at the first request of the Controller, delete or return all Personal Data controlled by Controller, and delete all existing copies, unless the Processor is legally required to store some or all thereof.
10.2 Processor is, within the applicable law, free to decide on the period of retention that will apply for Processing of Personal Data by Processor.
10.3 The obligations set forth in this Data Processing Agreement that, by their nature, are designed to continue after termination, will remain in force also after the termination of this Data Processing Agreement.
A. Information We Collect
The Personal Information that we may collect or receive about you broadly falls into the following categories:
(i) Information we receive about Contacts from our Members: A Member may provide Personal Information about you to us through the Services. For example, when a Member uploads their Distribution List or integrates the Services with another website or service (for example, when a Member chooses to connect their e-commerce account with Mailchimp), or when you sign up for a Member’s Distribution List on a Mailchimp signup form, they may provide us with certain contact information or other Personal Information about you such as your name, email address, address or telephone number. You may have the opportunity to update some of this information by electing to update or manage your preferences via an email you receive from a Member.
• Device information: We collect information about the device and applications you use to access emails sent through our Services, such as your IP address, your operating system, your browser ID, and other information about your system and connection.
• Product usage data: We collect usage data about you whenever you interact with emails sent through the Services, which may include dates and times you access emails and your browsing activities (such as what pages are viewed). We also collect information regarding the performance of the Services, including metrics related to the deliverability of emails and other electronic communications our Members send through the Services. This information allows us to improve the content and operation of the Services, and facilitate research and analysis of the Services.
(iii) Information we collect from other sources: From time to time, we may obtain information about you from third-party sources, such as social media platforms and third-party data providers. We take steps to ensure that such third parties are legally or contractually permitted to disclose such information to us, and we use this information to provide publicly available social media information about you to Members who have enabled the "Social Profiles" feature in their Mailchimp accounts.