myFitApp and the GDPR

GDPR regulations come into force on May 25th 2018 and many myFitApp customers have asked what they need to do to comply.

Innovatise is not qualified to offer advice on this and all myFitApp customers should seek professional advice on their responsibilities. To help customers we have prepared the following, which is our understanding of GDPR and its implications. Please note we cannot be held responsible or liable for any consequences of following this advice; you should ask a professional.

Our Understanding – an overview:

  • GDPR is about how you process people’s personal information – that is information that directly or indirectly identifies a person.
  • Most gyms have this information about their members and prospects.
  • Some information, for example on children, is particularly sensitive and so has special rules.
  • There are three main parts to GDPR
    • You must establish a lawful basis for processing – there are 6 to choose from, and in most cases your basis will be Legitimate Interest – people would reasonably expect that when they join your gym you need to store their name, address, email, phone number… Similarly, to book a class in the app, we need to know who they are.
    • You must respect and implement a number of rights for individuals. The relevant ones for most gyms are:
      1. The right to be informed
      2. The right of access
      3. The right to rectification
      4. The right to erasure
    • You must establish accountability and governance – this means implementing appropriate technical and organisational measures that ensure and demonstrate that you comply.
  • There are additional principles to GDPR, for example you should only process personal information that you need, and you should only process it for as long as is required. Further you need to store it securely. You also need to be transparent and communicate what you are processing and why.

What do you need to do

Most gyms will need to engage a lawyer or consultant to help them comply with GDPR. Our understanding is that for most this will involve:

  1. Internal processes and documentation – you’ll need to document for you and your staff what personal information you’re processing, who has access to it and which third parties you’re sharing it with. As part of this you’ll create a Privacy Policy which documents your internal procedures for handling personal information.
  2. External documentation – you’ll need to prepare a Privacy Notice on your website that explains people’s rights, what personal data you process and why.
  3. You need to be able to respond to people who want to exercise their individual rights concerning their data – for example people can ask you to provide all the personal information you hold on them, to correct errors in it or to delete it. GDPR says you need to respond to such requests within 1 month.

If there is a security incident that has affected the confidentiality, integrity or availability of personal data, and it is likely to negatively impact an individual, then GDPR states that you should inform the ICO within 72 hours of becoming aware of the breach. In some cases you may also have to inform the affected members.

What is Innovatise’s role

Most gyms are the Data Controller of the personal information of their members, users or prospects. Innovatise is a Data Processor or, if you purchase your app solution from a Reseller, the Reseller is a Data Processor and Innovatise is a Data Sub-processor.

You, the gym, are responsible for complying with the GDPR requirements relating to the personal information you control. Innovatise is permitted to process that information only in ways you authorise. The GDPR states that there must be a contract between the Data Controller (you) and the Data Processor (us) which formalises this relationship.

If a reseller is involved, there is one contract between the Data Controller (you) and the Data Processor (the Reseller) and a similar contract between the Data Processor (the Reseller) and the Data Sub-processor (us).

How we can help

We can help you comply with your GDPR obligations as follows:

  • We are making changes to the myFitApp cockpit and app to
    1. enable you to inform your app users as required by the GDPR
    2. allow your app users to opt-in/opt-out of marketing as required by GDPR and related PECR regulations
    3. enable you to implement the individual rights of access, rectification and erasure
  • We are also providing documentation on the categories of processing that we perform on your behalf. You can use this as a basis for the app-related parts of your Privacy Notice.
  • For our direct customers (those that have not purchased from a Reseller) we will add a Data Processing Addendum to our standard Terms & Conditions to formalise our data processing obligations.

What personal information is processed by myFitApp

The myFitApp solution processes the personal information of

  • Cockpit users – typically you or your staff who log in to the cockpit
  • App users – typically your members, your users and their friends

In both cases, we are processing this data on behalf of you, the Data Controller; you own the data and are responsible for meeting the GDPR obligations that apply to its processing.

The GDPR requires that you document the categories of processing. The myFitApp solution has some baseline functionality that all apps use and a number of optional modules which you may or may not use in your app. We perform different categories of processing depending on which modules you use in your app. One category of processing relates to how we develop, test and support the myFitApp solution. Another relates to how you manage your app through the web cockpit.

The GDPR also requires that, if personal information is shared with third parties, you document their name and the country in which processing occurs. Like most Software-as-a-Service providers, we use a number of third parties to help us provide the myFitApp solution.

The categories of processing we have defined are currently:

1. Anonymous app usage

In apps without native app login, we process data on how the app is used but we cannot identify the user.

Examples: App ID, app opens, clubs selected, opt-ins, phone type, model, OS, app version, modules opened, articles viewed or shared, notifications received

2. Identified app usage

If the user logs in through the native app login, we process the user’s personal information, which then includes their app usage data.

Examples: In addition to the information processed in Anonymous app usage, we process app users’ member ID & profile info (name, email, gender, member type, age, member start/end, status, strike count, permitted clubs) depending on the member management software you use.

3. Gym Finder

If the gym finder option is used, we process the phone location.

Examples: Phone location and/or locations searched.

4. Lead Generation

We process the personal info of the referrer and any leads.

Examples: Referrer info, referrals made, lead info if they provide it, lead status.

5. Native Booking

Requires native app login. We process booking transactions.

Examples: Bookings, booking status & history, favourites, cancellations, shares.

6. Local Marketing

We process the location of the phone through beacons or QR scans.

Examples: Phone location, QR scans, beacon events.

7. Personal Comms

We process messages sent and read by specific app users.

Examples: Messages sent, message status (opened, read…).

8. Web cockpit usage

We process details of gym staff using the web cockpit.

Examples: Cockpit users’ names, emails, cockpit usage.

9. Development and support services

We process cockpit users’ and app users’ data in the course of developing, testing and supporting the myFitApp solution.

Examples: All of the above.

Reasons for processing

The reasons for processing this information are:

Operational

We need to process this information to make our apps as easy to use as possible and provide functionality that our users find useful. In order for us to make this work, we have to process personal information. For example:

  • In apps for gym chains that cover multiple clubs, it’s annoying for users to have to search for and find their club every time they use the app. We therefore store the club to make it easier for them.
  • In the Native Booking module users can store favourite classes which makes it quicker and easier for them to book in the following weeks.
  • In the Personal Comms section we need to store messages so that if a user changes phone, their messages will be displayed correctly on their new phone.

Product improvement

The success of our apps depends on allowing app users to get access to relevant information in the most usable way possible. We process personal information to understand how app users are using our apps, which features are used most often and which are seldom used. By making changes to app content and features, we and gym content providers can improve the product. For example:

  • By storing information on which articles are most read and which least read, gym content editors can learn what topics users are interested in and focus on them.
  • By surveying app users in the app, we and gym content editors can get valuable feedback from app users on which parts of the app they like and which we should improve.
  • By measuring the proportion of all bookings that are made in the app relative to other ways of booking, gyms can understand the benefits the app is bringing in freeing up staff for more productive duties than handling telephone bookings.

Marketing

We process this information to allow us to market relevant products and services to customers. Marketing is in accordance with the PECR and the GDPR and governed by opt-ins from app users. By basing our marketing on personal information we can increase the relevance of content provided to users so they receive offers that they are interested in. For example:

  • In marketing by club we can ensure it reaches only app users that have expressed an interest in that club.
  • By telling only app users that we know have booked classes about changes to class timetables, we can avoid disturbing members who only use the fitness centre or pool.
  • We can avoid disturbing members by sending joining offers only to casual users.

Data Retention

GDPR requires that personal information is deleted or anonymised if it is no longer required.

As a Data Processor or Sub-Processor acting on your behalf, we will retain personal information we process on your behalf until you tell us that you no longer require us to keep it. Please use the support email address provided by Innovatise or your Reseller to request this.

Third Parties

Subcontractors

We are a small, highly-specialised business working in a complex and rapidly evolving field. As such it benefits us and our customers if we work with the most talented and trusted people available no matter where they are located or employed. For that reason we work with a small number of subcontract companies who act as data sub-processors while providing the following services:

  • Software development and testing
  • IT systems operations and security
  • Technical and customer support
  • Sales and marketing

Service Providers

Like many modern businesses we take full advantage of SaaS internet-based tools that allow us to provide exceptional solutions and service quickly and economically without having to invest in and manage our own infrastructure.

We use the following services which necessitate us sharing your information:

  • Internet-based customer software development support services
  • Internet hosting services
  • We use Apple services for processing Push Notifications to iOS devices
  • We use Google services for processing Push Notifications to Android devices
  • We use Google Maps APIs services for processing Gym Finder locations

All of these services are provided by well-known, established companies that have comprehensive data management and data security policies and procedures.

Data Security and Data Processing Agreements

The GDPR mandates that you, the Data Controller, should:

  • Document internally and in your Privacy Notice the security measures you are taking to protect the security of personal information you control
  • Document in your Privacy Notice the types of third parties that information may be shared with and the reasons (but there is no requirement to detail the specific third parties)
  • Have a contract with Data Processors that process the information on your behalf
  • Be informed by those Data Processors of the specific third parties that a Data Processor is using

We take the security of the information we process on your behalf very seriously. The security measures we take are detailed in our Data Processing Agreement:

  • If you purchase myFitApp from Innovatise, the Data Processing Agreement is an addendum to our standard Terms and Conditions.
  • If you purchase our solution through a Reseller, our Data Sub-Processing Agreement is part of our contract with the Reseller — you will have a Data Processing Agreement with the Reseller.

Your Privacy Notice

The GDPR requires you are transparent about what personal information you process. You should take advice from a professional on what to include in your privacy notice. We expect it will include:

  • What data you hold — you can use the section above on What personal information is processed by myFitApp to add information about your app. It is up to you how much detail you provide; we have provided a lot of detail to give you the option, and you may want to summarise some of it.
  • How you will use that data, the Reason for Processing — you can use the section above on Reasons for processing to cover your app. Again, you may want to summarise this.
  • If processing is outside the EEA — in myFitApp we do not transfer or process data outside the European Economic Area unless the nature of the processing requires it. It is possible that services that we use such as from Apple and Google do transfer personal data outside the EEA. We ensure that entities outside the EU have adequacy agreements in place to protect user data.
  • Retention periods — the section on Data Retention above describes this for app data.
  • Third Parties — the section on Third Parties above describes this for app data.
  • Data Security — the section on Data Security and Data Processing Agreements above describes this for app data.

Changes to myFitApp functionality for the GDPR

Existing Opt-ins

The GDPR requires that opt-ins are specific and doesn’t accept default opt-ins. The opt-ins on your iOS apps to date have all been specific positive opt-ins, so we can continue using them. We may need to reset all Android opt-ins, we’re awaiting confirmation of this.

Auditing Opt-ins

The GDPR requires that we have evidence of when and how an opt-in was made so we’re making sure we record this information and can provide it to you on request.

In App Privacy Notice

The GDPR requires that app users are kept informed through a Privacy Notice. We’re enhancing the app Drawer (the panel that slides out when you click the menu bar top-left on the app home screen) to include your Privacy Notice. You’ll control the content of the Notice in the cockpit and you’ll be able to format the text in the Notice, including using links. So if you want, you can simply have a link to your website Privacy Notice and your app users can click through to that. But if you’re going to do this, make sure your website Privacy Notice is mobile-responsive and readable on a phone.

We’re also making it possible for you to set a different Privacy Notice for different clubs as we know some of our gym chains require this.

App Factory Privacy Notice URL

Both the Apple App store and Google Play store provide a place for you to link to your Privacy Notice — this allows a potential app user to read your Privacy Notice before downloading your app. We’re enhancing the App Factory to allow you to add this URL.

Lead Generation enhancements

The way our Lead Generation works is very GDPR-friendly in that, in contrast to most solutions, we don’t ask the referrer to give you, the gym, their friends’ details. Rather, our Lead Generation lets members send their friends a personal message inviting them to get in touch with you, the gym. Because of this we only need to make a few small changes:

  • We’re adding a check-box in the prospect journey to get specific permission from the prospect for you, the gym, to use the details they are about to enter to market to them.
  • We’re renaming the “Imprint/ Privacy Policy” to “Privacy Notice” and you’ll be able to format and include links in the Lead Gen Privacy Notice.

Report on all personal information for an app user

We’re adding the ability for us to provide you with all the personal information we hold on an app user, so you can provide it to the user if they ask you for this. Note that if your app does not have a native login, we hold no personal information in the app. We only have personal information if an app user has logged in to our native login.

Initially we’ll do this on your behalf when you request it through our support system or, if you purchase our services through a Reseller, through the Reseller’s support system.

Delete all personal information for an app user

We’re adding the ability for us to anonymise all the personal information we hold on an app user, so you can respond to an app user requesting you delete all their personal information you process. Note that if your app does not have a native login, we hold no personal information in the app. We only have personal information if an app user has logged in to our native login.

Initially we’ll do this on your behalf when you request it through our support system or, if you purchase our services through a Reseller, through the Reseller’s support system.

Report on all personal information for a cockpit user

We’re adding the ability for us to provide you with all the personal information we hold on a cockpit user, so you can provide it to the user if they ask you for this.

Initially we’ll do this on your behalf when you request it through our support system or, if you purchase our services through a Reseller, through the Reseller’s support system.

Delete all personal information for a cockpit user

We’re adding the ability for us to anonymise all the personal information we hold on a cockpit user, so you can respond to a user requesting you delete all their personal information you process.

Initially we’ll do this on your behalf when you request it through our support system or, if you purchase our services through a Reseller, through the Reseller’s support system.

Opt-ins by topic

The GDPR says that we should differentiate between service messages (“The Pilates instructor is sick”) and marketing messages (“Sign up for our new spinning class”). Service messages don’t need an opt-in; they are legitimate interest processing, not marketing messages. We’re enhancing the Marketing opt-in in the app to add Topics, but this may be in a later release.
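To make the mechanisms described in this section concrete (an audit trail of when and how each opt-in was made, topic-level opt-ins with no default opt-in, a report of everything held on one app user, and anonymisation on an erasure request), here is an added example. It is illustration only, not myFitApp’s or Innovatise’s code, and every name in it (the topic names, member IDs, channels, notice versions and the pseudonym key) is constructed for the demo.

```python
"""Hypothetical consent ledger, subject-access report and anonymisation.

Illustration only (not myFitApp's code). Every opt-in change is appended to
an audit log carrying when and how it was made; a report gathers everything
held on one app user; anonymisation replaces identity with a keyed pseudonym
so de-identified usage counts survive an erasure request.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import asdict, dataclass, field, replace
from datetime import datetime, timezone

# Constructed topic names. Service messages need no opt-in (legitimate
# interest); marketing topics require a recorded, positive opt-in.
SERVICE_TOPICS = frozenset({"service"})
MARKETING_TOPICS = frozenset({"marketing", "club_news", "offers"})


@dataclass(frozen=True)
class OptInEvent:
    member_id: str
    topic: str
    opted_in: bool
    channel: str         # e.g. "ios_app", "android_app", "web_deeplink"
    notice_version: str  # Privacy Notice version shown when the choice was made
    at: str              # ISO-8601 UTC timestamp


class ConsentLedger:
    """Append-only record of opt-in changes; entries are never edited in place."""

    def __init__(self) -> None:
        self._events: list[OptInEvent] = []

    def record(self, member_id: str, topic: str, opted_in: bool, channel: str,
               notice_version: str, at: str | None = None) -> OptInEvent:
        if topic not in SERVICE_TOPICS | MARKETING_TOPICS:
            raise ValueError(f"unknown topic {topic!r}")
        ev = OptInEvent(member_id, topic, opted_in, channel, notice_version,
                        at or datetime.now(timezone.utc).isoformat())
        self._events.append(ev)
        return ev

    def history(self, member_id: str) -> list[OptInEvent]:
        return [ev for ev in self._events if ev.member_id == member_id]

    def evidence(self, member_id: str, topic: str) -> list[OptInEvent]:
        """The when/how trail for one topic, oldest first."""
        return [ev for ev in self.history(member_id) if ev.topic == topic]

    def current_state(self, member_id: str) -> dict[str, bool]:
        """Latest choice per topic; topics never chosen are absent (no default opt-in)."""
        state: dict[str, bool] = {}
        for ev in self.history(member_id):
            state[ev.topic] = ev.opted_in
        return state

    def may_send(self, member_id: str, topic: str) -> bool:
        if topic in SERVICE_TOPICS:
            return True
        return self.current_state(member_id).get(topic, False)

    def replace_identity(self, old_id: str, new_id: str) -> None:
        # Keep the trail as evidence but detach it from the person.
        self._events = [replace(ev, member_id=new_id) if ev.member_id == old_id else ev
                        for ev in self._events]


@dataclass
class Profile:
    member_id: str
    name: str
    email: str
    bookings: list[str] = field(default_factory=list)


class UserStore:
    def __init__(self, ledger: ConsentLedger, pseudonym_key: bytes) -> None:
        self.ledger = ledger
        self.profiles: dict[str, Profile] = {}
        self._key = pseudonym_key  # kept separately from the data it pseudonymises

    def add(self, profile: Profile) -> None:
        self.profiles[profile.member_id] = profile

    def subject_access_report(self, member_id: str) -> dict:
        """Everything held on one app user, for a right-of-access request."""
        return {
            "profile": asdict(self.profiles[member_id]),
            "opt_ins": self.ledger.current_state(member_id),
            "opt_in_history": [asdict(ev) for ev in self.ledger.history(member_id)],
        }

    def anonymise(self, member_id: str) -> str:
        """Erasure request: strip identity, keep de-identified usage under a keyed pseudonym."""
        digest = hmac.new(self._key, member_id.encode(), hashlib.sha256).hexdigest()
        pseudonym = "anon-" + digest[:16]
        old = self.profiles.pop(member_id)
        self.profiles[pseudonym] = Profile(pseudonym, "", "", list(old.bookings))
        self.ledger.replace_identity(member_id, pseudonym)
        return pseudonym

    def app_booking_count(self) -> int:
        """Aggregate that must still be correct after anonymisation."""
        return sum(len(p.bookings) for p in self.profiles.values())


def demo() -> tuple[dict, str, ConsentLedger, UserStore]:
    """Constructed walk-through: opt-in, change of mind, access report, erasure."""
    ledger = ConsentLedger()
    store = UserStore(ledger, pseudonym_key=b"constructed-demo-key")
    store.add(Profile("m-1001", "Ada Example", "ada@example.com", ["yoga-0901", "spin-0903"]))
    ledger.record("m-1001", "marketing", True, "ios_app", "notice-v1", at="2018-05-20T09:00:00+00:00")
    ledger.record("m-1001", "club_news", True, "android_app", "notice-v1", at="2018-05-21T09:00:00+00:00")
    ledger.record("m-1001", "marketing", False, "web_deeplink", "notice-v1", at="2018-06-01T10:00:00+00:00")
    report = store.subject_access_report("m-1001")
    pseudonym = store.anonymise("m-1001")
    return report, pseudonym, ledger, store


if __name__ == "__main__":
    rep, pseud, led, st = demo()
    print(rep["opt_ins"], pseud, st.app_booking_count())
```

The design choice worth noting is that the ledger is never rewritten for a change of mind: the opt-out is a new entry, so the evidence of the earlier opt-in and of the channel and notice version it was made under is retained. Anonymisation swaps the identifier for an HMAC-derived pseudonym rather than deleting rows, which keeps booking counts and the consent trail usable for the product-improvement statistics described above while removing anything that identifies the person.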

Deep-link to Opt-ins

Several customers told us they understood that the GDPR requires all opt-ins to be in the same place — for example on their website. Our advice is that neither the GDPR nor the PECR require this; they require opt-ins to be easy, clear and accessible, but not in one place. We are therefore planning to provide enhanced opt-ins initially in the app only and will provide customers with a deep-link for each app which can be used on web pages or in emails to link to the app opt-in section. This may be in a later release.

Timescales

We’re confident we’ll have the changes we’re working on released into the cockpit well before May 25th. We also expect to update all our customers’ apps before that date. For your members to benefit from these changes, they will need to update your app on their phones.

Please note also that we expect to make further GDPR-related enhancements to our solution after May 25th. Our lawyers recently attended a presentation regarding GDPR at the ICO, the UK’s independent body set up to uphold information rights. They shared this guidance from the meeting:

  • Firstly, the ICO do not view May 25th as a deadline, the ICO are viewing this as the beginning of a new era, where they can start to enforce the rights and freedoms of the individuals. They expect that your journey towards compliance will be well underway, but it is not a drop dead date. They stressed that you cannot stop working on May 25th either, GDPR should be an ongoing commitment and will become part of your business as usual activities.
  • Elizabeth Denham (the ICO Commissioner), and her deputy both said that large fines were possible but unlikely. Other sanctions would be used first; reprimands, slapped wrists, instructions to change and possibly the most damaging (and more so than fines), the instruction to stop processing data temporarily. Any sanction would be considered and proportionate to the offence.
  • When asked in a Q&A session what advice she had for practitioners currently undergoing GDPR readiness work, she said that the most important thing was transparency; get your record of processing in order and get your privacy statement on your website. Make sure the privacy statement is a true representation of what you do. She said the privacy statement is one of the first things the ICO would be looking at. This is in line with what we have been saying to you all so far, so I was relieved to hear that!
  • When asked if the ICO would provide templates for Data Protection Agreements to prevent the millions of documents flying between processors and controllers at the moment, the answer was no. There is guidance on the website but they do not believe one size fits all and hence could not create a template or even the equivalent of EU model clauses at this stage.
  • It was acknowledged that no one is sure what will happen when compensation claims from individuals who feel that their rights under the regulations have been infringed start to happen, and the impact it may have. The ICO has increased its staff significantly and acknowledges that companies will start to see an increase in requests for the rights of the individual. They stressed the need to treat these requests properly.
  • All in, not a lot that was new, but reassurance that as long as you are doing the right thing by starting your journey to compliance and creating a culture of compliance throughout your organisation, then you will not be under the spotlight for now.

The priority needs to be on those records of processing and external privacy statements, with a good project plan being executed for everything else.

GDPR FAQs

How do we evidence that people have consented to receiving Push Notifications?

We are enhancing our platform to record changes to opt-ins and can provide records for particular app users on request. Note, that your app needs to have native login for this and the user needs to have logged in.

What if a user changes their mind and wants to opt-out?

Users will be able to opt out either through their phone operating system, as they can today, or in the app itself.

Does GDPR mean we’ll have to reset all existing opt-ins?

No, for iOS apps we can maintain existing opt-ins for service messages. For Android apps we may have to reset and encourage app users to re-opt-in.

Is Lead Generation compatible with GDPR?

Our implementation of Lead Gen is much more GDPR-friendly than most. See Lead Generation enhancements for more.

How can we inform a user of all their data the app is processing?

Please raise a Support ticket either directly with us or through your reseller and we’ll get this information for you.

How can we delete all of the data being processed by the app for a particular user?

Please raise a Support ticket either directly with us or through your reseller and we’ll anonymise this information for you.

I noticed Lead Generation uses fitcoupon.de — is this a 3rd party ?

No, this domain is owned by Innovatise.

What is a native login and how do I know if my app has one?

If your app has a native booking module or native profile modules, it will have a native login. If your app doesn’t, you don’t have native login. The native login screen typically, but not always, looks similar to this:

If you’ve already logged into your app, you can check if the login is native by clicking the home screen menu and looking at the slide-out drawer contents — if there is an “Account” option there, you have native login.

If you’re not sure, please raise a Support ticket and the Support team will let you know.
