In May 2018, the new General Data Protection Regulation (GDPR) came into force. It applies to all companies, so what do I have to consider as a gym operator?
What is the GDPR and to which data does it apply?
The GDPR is a European regulation that introduces new rules and tightens existing ones. It governs the storage and handling of employee and customer data. All companies that handle the data of other companies or of individuals from the European Union must comply. Since gyms handle a great deal of other people's data, their operators should pay attention to a few things.
What do I have to consider as a gym operator?
Depending on the facility, fitness studios process and store a variety of data. This ranges from personal data such as address, age or telephone number, through log-in data, to health data from the medical history. In every case, the customer must give consent in advance and be informed about how the data will be used.
First of all, every studio operator should review the existing structures in the company: what data is stored, how, and where? Anyone with this overview can then make the improvements and adjustments the regulation requires.
When do I need a data protection officer?
If the storage of biometric data is the "core activity" of a company and this data is "extensively processed", a data protection officer must be appointed under the GDPR. Whether processing counts as extensive depends on the:
- Number of data subjects
- Amount of data involved and/or multiplicity of different data sets
- Duration of the data processing
- Geographical scope of the data processing
Even if a company does not process biometric data, a data protection officer must still be appointed if more than ten of its employees work with personal data.
The tasks of the data protection officer include:
- Advising the company with regard to the obligations resulting from the GDPR
- Monitoring compliance with the data protection provisions of the GDPR
- Cooperation with the supervisory authority
What happens if I do not comply?
The sanctions for non-compliance with the GDPR are severe and, in the worst case, can threaten the very existence of the company. The supervisory authority can impose a fine of up to €20,000,000 or 4% of annual turnover, whichever is higher. The risk of such a fine clearly outweighs the effort of complying.
Checklist for studio operators:
- Check structures in the company
- Clarify whether a data protection officer is necessary
- Train employees
- Handle personal and sensitive data accordingly
- Have members sign a declaration of consent
Conclusion
Especially in health-oriented fitness training, the General Data Protection Regulation brings some changes. It is advisable to engage a service provider from this field to review the processes in the company once and make suggestions for improvement. This makes it easier for the fitness facility operator to make a secure transition. Thinking "We have better things to do than deal with data protection!" is unlikely to be a viable approach given the potential fines.
Members of the Employers' Association of German Fitness and Health Facilities (DSSV) can also find further information and dates for workshops on the GDPR online in the login area.
Editorial fitnessmarkt.de (NJ)
Image source: Adobe Stock
Published on: 31 October 2018