Why This Matters
The General Data Protection Regulation (GDPR) empowers individuals to control how their personal data is collected, used, and shared. Upholding these rights not only ensures compliance with privacy laws but also strengthens trust and transparency between organizations and their users.
In this article, we will cover:
- The Right of Access
- The Right to Object
- The Right to Rectification
- The Right to Erasure
- The Right to be Informed
- The Right to Restrict Processing
- The Right to Data Portability
- GDPR Readiness & FAQs
- Key Terms
The Right of Access
- Individuals have the right to access their personal data.
- This is commonly referred to as subject access.
- Individuals can make a subject access request verbally or in writing.
- You have one month to respond to a request.
- You cannot charge a fee to deal with a request in most circumstances.
Personal data of the individual
An individual is only entitled to their own personal data, and not to information relating to other people (unless the information is also about them or they are acting on behalf of someone). Therefore, it is important that you establish whether the information requested falls within the definition of personal data. For further information about the definition of personal data please see the key definitions guidance.
Other information:
In addition to a copy of their personal data, you also have to provide individuals with the following information:
- the purposes of your processing;
- the categories of personal data concerned;
- the recipients or categories of recipient you disclose the personal data to;
- your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it;
- the existence of their right to request rectification, erasure, or restriction or to object to such processing;
- the right to lodge a complaint with the ICO or another supervisory authority;
- information about the source of the data, where it was not obtained directly from the individual;
- the existence of automated decision-making (including profiling); and
- the safeguards you provide if you transfer personal data to a third country or international organization.
You may be providing much of this information already in your privacy notice.
Note: You must act on the subject access request without undue delay and at the latest within one month of receipt.
You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.
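As an added example (not Wodify's code or anything described on this page), a Python deadline calculator for the counting rule above: start on the day after receipt and take the corresponding calendar date in the next month. How to handle a next month that has no corresponding date (use its last day) is an assumption taken from ICO guidance, not something this page states.

```python
from datetime import date, timedelta
import calendar


def sar_response_deadline(received: date) -> date:
    """Latest response date for a request received on `received`.

    Rule from the page: the clock starts the day after receipt (working day
    or not) and ends on the corresponding calendar date in the next month.
    Assumption (ICO guidance, not stated on this page): when the next month is
    too short to have that date, the deadline is the last day of that month.
    """
    start = received + timedelta(days=1)
    year, month = start.year, start.month + 1
    if month == 13:                      # December rolls over into January
        year, month = year + 1, 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def days_remaining(received: date, today: date) -> int:
    """Days left until the deadline; negative means the request is overdue."""
    return (sar_response_deadline(received) - today).days


def requests_due_within(requests, today: date, days: int = 7):
    """Filter a list of (request_id, received_date) pairs to those whose
    deadline falls within `days` of `today` or has already passed, soonest
    deadline first. Useful as a simple tickler for an SAR log."""
    due = []
    for request_id, received in requests:
        left = days_remaining(received, today)
        if left <= days:
            due.append((request_id, sar_response_deadline(received), left))
    return sorted(due, key=lambda row: row[1])


# Constructed sample SAR log (request id, date received); not real requests.
SAMPLE_REQUESTS = [
    ("SAR-001", date(2018, 5, 28)),
    ("SAR-002", date(2018, 6, 10)),
    ("SAR-003", date(2018, 6, 20)),
]

if __name__ == "__main__":
    today = date(2018, 6, 25)
    for request_id, deadline, left in requests_due_within(SAMPLE_REQUESTS, today):
        print(f"{request_id}: respond by {deadline} ({left} days left)")
```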
What to do if you receive a subject access request
We're in the process of building and releasing tools that will make it easier for our users to handle their customers' data appropriately. In the meantime, if you receive a request from one of your clients, leads, or drop-ins, you can email Wodify: we have developed an automated script that pulls all of the personal data we collect on that user.
To put in a request, just email gdpr@wodify.com with the email address of the user, and we will export their data using our automated script and reply to your email request. It's important that you also include your own privacy policy in your response to the individual, to cover the other information required under GDPR.
We can also do the same for our customers. If you would like to submit a subject access request for your own personal data, simply email gdpr@wodify.com and we will export all personal data held by Wodify and respond to your request with this information and our privacy policy details.
The Right to Object
- The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.
- Individuals have an absolute right to stop their data being used for direct marketing.
- In other cases where the right to object applies you may be able to continue processing if you can show that you have a compelling reason for doing so.
- You must tell individuals about their right to object.
- An individual can make an objection verbally or in writing.
- You have one calendar month to respond to an objection.
What to do if someone invokes their right to object to the processing of their personal data
We will handle these requests the same way we handle a request for erasure. As a processor, we will not delete a client's data without the consent of our customer (the controller). Customers must submit a request to gdpr@wodify.com with their client's email so we can look up the user in our system and delete all personal data.
As a customer, you can also email gdpr@wodify.com directly and request we delete your personal data and we will process your request.
The Right to Rectification
- The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.
- An individual can make a request for rectification verbally or in writing.
- You have one calendar month to respond to a request.
- In certain circumstances, you can refuse a request for rectification.
- This right is closely linked to the controller's obligations under the accuracy principle of the GDPR (Article 5(1)(d)).
How to submit a data rectification request:
At Wodify we are prepared to service personal data rectification requests from our customers and on behalf of our customers' clients. Simply email gdpr@wodify.com and we can correct any personal data we have stored in Wodify.
Most personal data can be edited directly in the client profile including:
- Email Address
- First Name
- Last Name
- Status
- Gender
- Location
- Program
- Date of Birth
- City, State, Country
The Right to Erasure
- The GDPR introduces a right for individuals to have personal data erased.
- The right to erasure is also known as ‘the right to be forgotten’.
- Individuals can make a request for erasure verbally or in writing.
- You have one month to respond to a request.
- The right is not absolute and only applies in certain circumstances.
- This right is not the only way in which the GDPR places an obligation on you to consider whether to delete personal data.
When does the right to erasure apply?
Individuals have the right to have their personal data erased if:
- the personal data is no longer necessary for the purpose which you originally collected or processed it for;
- you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
- you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
- you are processing the personal data for direct marketing purposes and the individual objects to that processing;
- you have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the first principle);
- you have to do it to comply with a legal obligation; or
- you have processed the personal data to offer information society services to a child.
What to do if you receive a request for data erasure?
As a processor, we will not delete our customer's client data without the consent of our customer (the controller). Customers must submit a request to gdpr@wodify.com with their client's name and email so we can look up the user in our system and delete all personal data.
As a customer, you can also email gdpr@wodify.com directly and request we delete your personal data and we will process your request.
The Right to be Informed
- Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
- You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
- You must provide privacy information to individuals at the time you collect their personal data from them.
- If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.
- There are a few circumstances when you do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.
- The information you provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.
At Wodify, we've updated our Privacy Policy so it is clear and transparent regarding individual data rights, how we use individual data, and the third-party processors of the data we collect. To view the latest version of our privacy policy, visit: https://www.wodify.com/privacy-policy
We also encourage business owners that operate in the EU or do business with EU customers to issue their own privacy policy to members, drop-ins, participants, etc., and to share it any time they collect data from them.
Your Privacy Policy can be added in Wodify by taking the following steps:
- Log in to Wodify Core > 'Digital Presence' > 'Documents' > 'Waivers'
- Click 'Templates'
- Click 'New Waiver'
- When you create this new waiver, you have the option to create a brand new template.
- Name the Waiver 'Privacy Policy' and choose the information you would like to make mandatory for clients
- Paste or type your terms into the available text box
- View and edit the email template that is sent to clients notifying them that they have an unsigned waiver that needs to be signed.
- Choose the programs that the specific waiver is associated with.
- Save this as 'Published' or 'Draft' (if you do not want your clients to have the ability to sign this Privacy Policy)
- Before clicking 'Save,' click Preview to view your newly created Privacy Policy
- Once any necessary edits have been made, click 'Save'
NOTE: If this is the first time creating a Privacy Policy it will ask if you would like to send a notification for all clients who have access to this specific program. If you edit this Privacy Policy after it has been signed it will also prompt you to re-send the updated Privacy Policy to those clients who have signed the original.
The Right to Restrict Processing
- Individuals have the right to request the restriction or suppression of their personal data.
- This is not an absolute right and only applies in certain circumstances.
- When processing is restricted, you are permitted to store the personal data, but not use it.
- An individual can make a request for restriction verbally or in writing.
- You have one calendar month to respond to a request.
- This right has close links to the right to rectification (Article 16) and the right to object (Article 21).
Individuals have the right to request you restrict the processing of their personal data in the following circumstances:
- the individual contests the accuracy of their personal data and you are verifying the accuracy of the data;
- the data has been unlawfully processed (i.e. in breach of the lawfulness requirement of the first principle of the GDPR) and the individual opposes erasure and requests restriction instead;
- you no longer need the personal data but the individual needs you to keep it in order to establish, exercise or defend a legal claim; or
- the individual has objected to you processing their data under Article 21(1), and you are considering whether your legitimate grounds override those of the individual.
What to do if you receive a request to restrict processing
Customers must submit a request to gdpr@wodify.com with their client's name and email so we can look up the user in our system and remove all of their personal data from processing.
As a customer, you can also email gdpr@wodify.com directly and request we remove your personal data from processing and we will process your request.
The Right to Data Portability
- The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
- It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
- Doing this enables individuals to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits.
- The right only applies to information an individual has provided to a controller.
- Some organizations in the UK already offer data portability through midata and similar initiatives which allow individuals to view, access, and use their personal consumption and transaction data in a way that is portable and safe.
What to do if you receive a request for Data Portability:
If you receive a request from one of your clients, drop-ins, or participants, you can email Wodify. We have developed an automated script that pulls all of the personal data we hold on them into a CSV file that is easily portable.
To put in a request, just email gdpr@wodify.com with the name and email of the user, and we will export their data using our automated script and reply to your email request.
We can also do the same for our customers. If you would like to submit a request for a copy of your own personal data, simply email gdpr@wodify.com and we will export all personal data held by Wodify in a portable CSV file and respond to your request.
GDPR Readiness & FAQs
The GDPR is the European Union’s new data privacy law. The GDPR requires companies to take steps to help secure personal data rights and more generally protect that data. The regulation also provides individuals with certain rights over their personal data, including a right to access, correct, delete, and restrict processing of their data.
When does GDPR take effect?
- The GDPR takes effect on May 25, 2018.
Who does GDPR apply to?
- GDPR will impact virtually any company that is either based in Europe or has customers in Europe.
- The GDPR applies to all organizations established in the EU and to organizations, whether or not established in the EU, that process the personal data of EU data subjects in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behavior that takes place within the EU. Personal data is any information relating to an identified or identifiable natural person.
Key Terms
Before we get into the specifics of the GDPR, let’s go over some basic definitions.
| Term | Definition | Example |
|---|---|---|
| Data Subject | A "natural person" who can be directly or indirectly identified by information such as a name, an identification number, location data, an online identifier (such as a username), or their physical, genetic, or other identity. | Jane Doe |
| Personal Data | Any information relating to an identified or identifiable data subject. | Woman. Age 48. Ph#: 33 1 7210 940. Address: 99 Red Cedar Lane, San Diego, CA 92131. |
| Sensitive Personal Data | Personal data pertaining to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, information about health, sex life and sexual orientation, and genetic or biometric data. | Broke leg last year, Catholic, Lesbian, etc. |
| Processing | Anything that is done to or with personal data. | Any collection, storage, transfer, sharing, modification, use, or deletion of personal data. |
| Controller | An entity that determines the purposes and means of processing of personal data. | When Jane signs up for a membership at CrossFit ABC, CrossFit ABC becomes a controller of the personal data Jane provides. |
| Processor | An entity that processes personal data based on the instructions of a controller. | Wodify becomes a processor of Jane's data when CrossFit ABC adds her membership and personal data to Wodify. |
GDPR and Wodify
How does the GDPR affect Wodify?
The General Data Protection Regulation (GDPR) requires Wodify to make the following changes to its platform and internal privacy program:
- It requires Wodify to re-organize our privacy policy and to document and keep records of certain privacy-related decisions made by our team so that we are accountable for our privacy practices.
- It requires Wodify to make sure that we and our Users are able to honor the rights of European customers over their personal data.
- It requires Wodify to make certain contractual commitments to our Users and requires us to get certain contractual commitments when we use a third-party subprocessor to provide our services.
Wodify has been preparing for GDPR in the following ways:
- We appointed an experienced Data Protection Officer to oversee our data protection program and GDPR implementation plan.
- We are updating our Terms of Service and Privacy Policy.
- We started to deliver GDPR-focused training to key teams and personnel so that they are aware of the law’s requirements and can design our products and business plans with privacy in mind.
- We implemented a detailed procedure to deal with data subject access requests, deletion requests, and government access requests.
GDPR and You
What can you do to get ready for GDPR?
GDPR gives people more rights over their personal data, and it defines what counts as personal data very broadly. You can check out a complete guide to the legislation here.
It specifically gives people the right to access, correct, delete, and restrict processing of their data, and sets out strict guidelines about how you need to get customers to agree that you can use their data (aka, consent). This is especially important if you're using your customers’ data for purposes beyond simply filling orders, like for marketing or advertising.
GDPR also makes it your responsibility to protect that data (even if you’re using a processor like Wodify to actually store that data), and to make sure that your customers and website visitors can exercise all the rights they now have.
If someone in the EU emails you and asks you to delete their personal data from your business, for example, you’d need to be able to do that.
Collecting personal data
Personal data can be a name, address, email address, social media account, or even a digital identifier such as an IP address or a cookie ID. The GDPR protects the fundamental rights of individuals within the European Union in relation to the processing of personal data. Think about the following questions:
- Are you collecting personal data from clients in Europe?
- If your business uses third-party apps (like Wodify), do they collect and process data in accordance with the GDPR?
Privacy notice
The GDPR (and particularly Articles 12 to 14 of the GDPR) include specific information that must be provided to individuals whose data you are processing, generally in the form of a privacy notice or privacy policy. You should make sure that you have a privacy policy that includes all of the information that you are required to provide under the regulation.
Appointing a Data Protection Officer
A Data Protection Officer (DPO) oversees how your organization collects and processes personal data. The GDPR includes specific tasks that a DPO needs to do, such as conducting data protection impact assessments when your organization changes how it collects and processes personal data. Consider whether you are required to appoint a DPO to advise on your compliance with the GDPR.
Client Consent
Under the GDPR, you might need to obtain consent to process the personal data of your customers, or change how you currently obtain that consent. For example, you might need to obtain consent from your clients if you are sending them marketing messages, or if you are using online advertising or retargeting apps. Where you need to obtain consent, the GDPR says that it must be "freely given, specific, informed and unambiguous." This means that the consumer needs to be given detailed information about the particular use case, and the consumer needs to take some affirmative action to show consent. Consider incorporating this into your client contracts.
Consider the following questions:
- Do you need to get affirmative, opt-in consent from your customers because of the personal information that you or a third-party app processes?
- Are you providing your customers enough details around your processing activities and data usage to obtain effective consent?
- Does the customer need to take an affirmative act to show consent?
- Is the customer’s consent recorded and stored somewhere?
Parental consent
The GDPR includes specific parental-consent requirements for processing the personal data of users under the age of 16 (this age can be lower in certain countries). Consider whether you need to change how you process customer data, either to stop processing the data of users under the age of 16 or to obtain parental consent.
Processing GDPR data requests
The GDPR expands on an individual's right to access and control their personal data. You might need to update how you process customer data to respond to personal data requests protected under the GDPR.
Subject access requests and portability
The GDPR gives individuals the right, in certain circumstances, to request a copy of their personal data that is being processed by a company. The GDPR requires that you provide your customers with a copy of their personal data in a common, easily readable, and portable format, so that they can use that data with a different service provider. If you need to obtain this information to respond to a request, then Wodify can provide you with the information that it stores. In addition to the information that Wodify stores about your clients, you will also need to think about other service providers that you might use who may have access to your clients’ personal data, such as third-party apps.
Consider the following questions:
- What data would you need to provide in response to a subject access or portability request?
- Which third parties would you need to contact in order to respond to a subject access or portability request?
- In what format would you provide this data?
- Do you need to change how you process client information to provide this data?
Erasure requests
The GDPR gives individuals the right, in certain circumstances, to ask that their personal data be erased, or that a company restrict the processing of their personal data. You should consider whether you might be obligated to erase or restrict the processing of your customers' data in response to such a request. As with subject access requests, Wodify can help you delete personal data that it stores on your behalf, but you should also consider what third parties you may need to work with in order to fulfill an erasure request.
Data breach notification
If you experience a data breach and the GDPR applies to you, then you might be required to notify affected users or specific regulatory bodies. Where applicable, you're required to provide notice as quickly as 72 hours after you become aware of the breach. You should think about putting together a data breach response plan for your business so that you are prepared for such an incident.
Subprocessing
The GDPR imposes certain requirements on a company that uses third-party vendors and service providers to process the personal data of its users. Consider reviewing the privacy practices of the vendors and service providers that you use, including Wodify, to try to make sure that they adequately protect your customers’ personal data.
Third-party apps
The GDPR requires that you take a number of affirmative steps relating to your and your third-party service providers’ collection and use of personal data. This includes Wodify, but also any third-party apps that you might use in connection with your Wodify account. While Wodify is happy to help you to the extent it can with regards to its data practices, it is up to you to ensure that you are using third-party apps in a way that complies with the GDPR. Compliance needs will vary depending on where you are located, where your customers are located, where the app developer is located, and how you have implemented and installed the app. Wodify wants to make sure that you are well-positioned to be able to assess your compliance needs, and we are working with our app developers to make sure that they provide you more information about their data collection and processing practices.