This Data Processing Addendum (the Addendum), is entered by and between the Service Provider and the Customer (referred to collectively as the “Parties” and individually as a “Party”) and constitutes an integral part of the Perfect Gym Terms of Service and Perfect Gym Terms of Professional Service (the Terms). As used herein, all terms, except as otherwise indicated, shall have the respective meanings ascribed to them in the Terms.
Whereas, the Service Provider processes Personal Data in connection with its provision of Services to the Customer; and
whereas, the Parties wish to outline their respective responsibilities and positions with respect to EU Privacy Law (defined below).
Now therefore, for good and valuable consideration, the sufficiency and receipt of which is hereby acknowledged, the Service Provider and the Customer agree to add the following provisions to the Terms, notwithstanding anything to the contrary in the Underlying Agreement:
The following terms shall have the following meanings:
Applicable Privacy Laws – all applicable international, national, federal, and state data protection and privacy laws (including re EU Privacy Law as applicable to the processing of Personal Data, as defined below, in the European Union);
Controller – an entity that determines the purposes and means of processing Personal Data;
EU Privacy Law – EU Regulation 2016/679 (the General Data Protection Regulation) and any applicable national legislation made under or pursuant to it; and EU Directive 2002/58/EC and any applicable national legislation implementing it; in each case as amended or superseded;
Personal Data – any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The Service Provider acknowledges that the Customer is a Controller of Personal Data relating to its employees and clients. Pursuant to this Addendum, the Customer hereby entrusts data processing to the Service Provider to the extent specified below, and Service Provider undertakes to process entrusted data according to this DPA and Customers instructions.
The scope of personal data entrusted for processing may include:
- regarding the data of the Customer's clients: identification data (such as i.a. name, surname, identification number specific to the country, date of birth), contact details (such as i.a. address of residence, phone number, e-mail address), financial data (such as i.a.: payment data for membership in the club) other data necessary for the provision of services (such as membership data, fingerprint and other kinds of biometric data) or other clients data provided in connection with the provision of services.
- regarding the data of the Customer's associates: identification data (such as i.a. name, surname, identification number, date of birth, position and role in organization), contact details (such as i.a., phone number, e-mail address) other data (such as schedule and specialization),
Personal data entrusted to the Service Provider under this DPA shall be processed for the purposes of service provision.
The nature of the processing includes all operation carried on data which are necessary to provide services such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data.
Taking into account the state of technical knowledge, the cost of implementation, as well as the nature, scope, context and purposes of processing, the Processing entity shall implement the appropriate technical and organizational measures to ensure a level of security appropriate to the risk. By appropriate technical organizational measures, the parties understand the implementation and maintenance of an information security management system that complies with good practices in particular with ISO 27001. Service Provider ensures that persons authorised to process the personal data have committed themselves to confidentiality.
After finding a breach of personal data protection leading to accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data sent, stored or otherwise processed, the Service Provider notifies the Customer about it without undue delay.
The service provider undertakes to conduct periodic audits covering the level of information security in the organization and, upon Customer's request, provides reports on conducted audits – including audits conducted by third parties or certification entities.
The Service Provider may engage another processor (Sub-processor) by way of a written contract (general consent within the meaning of Article 28 paragraph 2 of the GDPR). In such contract shall be set out the same data protection obligations as in this DPA. The list of current sub-processors is available on Controller’s request or on the Service Provider’s website at www.perfectgym.com/sub-processors. Service provider undertakes to keep the list up to date and the Controller should constantly review the list of Sub-processors for any objection, which should be granted within 7 days of the entity being named on the list.
Taking into account the nature of processing, the Service Provider shall assist the Customer, by taking appropriate technical and organizational measures, in so far as this is possible, in the fulfilment of the Service Provider’s obligation to respond to requests for exercising the data subjects’ rights laid down i.a. in the Chapter III of the GDPR. Under this obligation Parties understands promptly notifications of receipt of the requests from data subject.
The Service Provider shall assist the Customer in ensuring compliance with the obligations pursuant to the Articles 32 to 36 GDPR taking into account the nature of processing and the information available to the Service Provider.
Customer guarantees that the personal data entrusted to Service Provider collected in accordance with the law and legitimizes the appropriate legal basis for their processing.
Service Provider may provide recommended terms and conditions, privacy policy or disclosure language to the Customer. The Customer acknowledges that shall not rely on such recommended language as, or as a substitute for, legal advice, and that the Customer itself is solely responsible for any disclosures in its terms and conditions, privacy policies or on its websites.
If either Party receives any inquiry, complaint or correspondence (a Third Party Notice) from an individual, regulator, or other third party concerning the processing of Customer's employees' /clients' Personal Data in connection with the Services, it shall promptly inform the other Party, and the Parties shall cooperate in good faith and as reasonably necessary to address the requirements of such Third Party Notice
To the extent there is a conflict between the Terms and this Addendum, the terms of this Addendum shall govern and prevail.
Schedule a meeting with a free demo presentation to explore Perfect Gym software!