I. PROCESSING OF PERSONAL DATA WHEN PROVIDING GYM SERVICES
In order for the Customer to enter into an Agreement for the Provision of Sports and Other Services (hereinafter referred to as the Agreement),
and in the performance of the Agreement by Gym Plius, Gym Plus shall collect and process the data necessary for the conclusion and performance of the Agreement.
The following personal data of Customers (natural persons) shall be collected for the purpose and on the basis set out above:
- name, surname, personal identification number, e-mail address, date of birth (for a minor visitor on whose behalf the Customer enters into the Agreement and in the case of online purchases), address, telephone number, gender (in the case of
- place of service (chosen gym(s));
- information related to the purchase of services (date(s) of payment(s), service option chosen, price, quantity, payment method, discount given, bank account number, bank, IP address (for online purchases));
- information on the use of services (attendance at selected gyms, group fitness classes, solariums and/or use of other services, Customer’s requests and the personal information contained therein, holiday/break times);
- information on payments made for services, overdue payments.
If the Agreement is signed with a legal entity, the names, surnames, residential addresses, telephone numbers, e-mail addresses, place of work of the persons who will be using the services, as well as the name, surname, position and basis of representation of the legal entity’s representative who concluded the Agreement shall be processed.
If the Customer wishes to suspend and/or extend his/her membership on the grounds of illness and voluntarily provides such information (i.e. on the basis of his/her express voluntary consent), Gym Plius shall collect and process information about the period of illness. The provision of such information is not compulsory, but failure to provide it shall forfeit the Customer’s right to suspend and/or extend membership on the grounds of illness.
The abovementioned data shall be stored for four years after the expiry of the Customer’s membership. The documents supporting the conclusion of the contracts shall be stored for 10 years from the end of the contract.
II. PROCESSING OF PERSONAL DATA COLLECTED THROUGH ACCESS DEVICES
For the purpose of access control, in order to protect the property of Gym Plius and the health and property of its customers, employees, (on the basis of the legitimate interests of the Company and third parties), for the purpose of the Customer’s identification (on the basis of the Customer’s explicit consent), the Company shall collect and process personal data of the employees, employees of the service providers (e.g. employees of the providers of the cleaning, security guard services), and of the Customer, recorded when these persons use access devices (access card and fingerprint readers) or show their personal identity documents to the administration.
The following information about individuals may be captured by the access devices:
• Movement within the Gym Plius area and/or access to the premises. The Company shall record and keep
a record of the date and time of entry or exit, the name, surname, access card number and name of the workplace, the name of the service and the binary code;
• Information on the use of services (solarium, group exercise classes, etc.). The system shall record the person’s name, surname, access card number, binary code, date, time.
The Company shall retain such personal data of individuals for as long as the contract (e.g. employment contract) or business relationship is in force, or for as long as is necessary to achieve the purposes for which it is processed, and in accordance with the retention requirements for this type of data set out in the legislation, the limitation periods for the assertion or defence of any legal claims, and, in the event of any such claims being asserted, for as long as is necessary for such purpose. The fingerprint pattern data (binary code) shall be permanently destroyed upon the expiry of the Agreement concluded with the Customer.
Evidence of consent shall be kept for two years from the date of withdrawal of consent/change of choice.
Processing of Biometric Data
On the basis of the Customer’s explicit consent and his/her choice of fingerprint scanning, the biometric data of the Customer for the purpose of identification of the Customer shall be processed, i.e. the digital image of the Customer’s fingerprint and the fingerprint model based on it, i.e. a binary code.
For this data processing, the Company shall use the data processor UAB Nsoft (address Žalgirio st. 88A, Vilnius, www.nsoft.lt).
In accordance with good biometric data management practices, the Customer’s digital fingerprint image shall not be stored and the fingerprint pattern data shall be stored in the database in encrypted form.
III. PROCESSING OF PERSONAL DATA FOR DIRECT MARKETING PURPOSES
Gym Plius shall process your personal data for the purpose of direct marketing after obtaining your explicit consent to such processing, e.g. when you subscribe to our newsletters. We may also process your personal data for direct marketing purposes on the basis of our legitimate interests, unless you object to such processing by entering into an Agreement with us.
For the purpose of direct marketing, we shall process the following personal data: telephone number, e-mail address.
You may opt-out of our direct marketing communications at any time. You may do so by clicking on the dedicated link at the bottom of our newsletters or by informing us by e-mail at: firstname.lastname@example.org.
We also use Facebook, Instagram, Linkedin and other online advertising providers. You may read about their privacy policies, the data they collect and the personal data protection measures they apply in the privacy policies of these service providers.
Customer data shall be used for the purpose of direct marketing as long as no objection to such processing of personal data / withdrawal of consent is received.
IV. PROCESSING OF PERSONAL DATA TO PROTECT THE INTERESTS OF THE COMPANY
The Company shall process the Customer’s name and surname for the purpose of informing the Company’s employees about the Customer as a person with whom the Company does not wish to enter into a new contract in the event of the termination of the Agreement for the Provision of Sports and Other Services due to the Customer’s fault (e.g. in the event of a complaint of the Customer’s inappropriate behaviour in the gym, and for any other material reason). Such processing shall be based on Article 6(1)(f) of the General Data Protection Regulation, i.e. the legitimate interest of the Company not to enter into an Agreement for the Provision of Sports and Other Services with an unwanted customer in the future. The Company shall obtain such data from the Company’s employees and existing customers.
Your data shall be stored in the Data Controller’s e-mail account, which is accessible to the relevant employees in connection with their job functions.
For this purpose, the Customer’s personal data shall be processed for a period of three years after termination of the Customer’s agreement. The Company shall reserve the right to extend this period if it receives reasonable evidence that the conclusion of the Agreement for the Provision of Sports and Other Services with the Customer would have a negative impact on the Company’s employees and existing customers.
V. BUSINESS PARTNERS, CONTRACTORS
Gym Plius shall also process personal data of business partners, suppliers, other parties to transactions, as well as their employees, representatives and agents. These data shall be collected and processed for the following purposes and on the grounds corresponding to these purposes:
- For the aforementioned persons to establish, maintain and develop a business, professional or other legal relationship with Gym Plius;
- Conclusion, performance and administration of transactions, contracts and agreements;
- Administration and management of financial settlements with natural persons who do not have an employment relationship with Gym Plius, legal entities, service providers and persons carrying out individual activities;
- Development and safeguarding of the legitimate interests of Gym Plius;
- To defend Gym Plius against claims, demands, complaints made against it (legitimate interest of Gym Plius);
- Gym Plus in fulfilling its obligations under applicable law.
Gym Plius shall store the personal data of such persons for as long as the contract or business relationship is in force or for as long as is necessary to achieve the purposes for which they are processed, and in accordance with the retention requirements for this type of data laid down by law, the statute of limitations for the assertion or defence of any legal claims or, in the event that such claims are asserted, for the period of time necessary for this purpose.
VI. PARTICIPATION IN GYM PLIUS EVENTS
Upon the receipt of the Customer’s consent, the Customer’s attendance, name, surname and image (photo) shall be used to inform the public about Gym Plius events. The Customer’s photographs may also be published on Gym Plius social media accounts and on the Website with the Customer’s consent.
VII. PARTICIPATION IN RECRUITMENT
We shall collect and process your CV, cover letter and/or other information provided by you for the purpose of recruitment on the basis of your consent, which you give to us or to the company providing the recruitment services by submitting your data.
Gym Plius shall retain the personal data you have provided until the end of the specific selection and, if you consent to further processing for the purpose of other recruitments, for a period of one year from the end of that selection, unless you withdraw your consent earlier.
Gym Plius shall inform you that, in order to assess your candidature, it may seek references from the former employers you have indicated to enquire about your qualifications, professional abilities and qualities. We shall collect such information in accordance with the legal requirements.
Gym Plius also notes that it may receive your personal data from third parties, such as companies operating job portals, recruitment agencies, if you have provided them with your personal data, and from publicly available sources where you have published your personal data.
VIII. PROCESSING OF PERSONAL DATA BY VIDEO SURVEILLANCE
In order to ensure the protection of the property, health and life of Gym Plius, our employees, our Customers and other persons, we shall carry out video surveillance in the premises of the Gym Plius (except for the changing rooms, toilets, showers, solarium) and on the grounds.
We shall carry out video surveillance and process the data (image data) of persons in the field of video surveillance on the basis of our legitimate interest and the legitimate interest of third parties (see paragraph above).
Persons shall be informed about video surveillance by means of information signs bearing the symbol of the video camera and the data controller’s details, which shall be displayed before entering the surveyed area and/or premises.
Personal data (video data) collected during video surveillance shall be stored for up to 14 days from the date of capture and then deleted. In certain circumstances where it is necessary for the protection of the interests of Gym Plius or a third party (e.g. in the event of an accident, crime or other violation of law, contract, gym rules), the retention period may be extended until the investigation has been completed and a final decision has been made.
IX. PROCESSING OF PERSONAL DATA ON THE WEBSITE
In the event that you visit our Website, Gym Plius may process your IP address, network and location data when you provide it and other data. Data shall be collected using cookies and other similar technologies on the basis of your consent.
Cookies are small text files (up to a few KB in size) that your web browser places on your computer, tablet or other smart device when you visit our Website. With cookies, Gym Plus aims to ensure the efficient and safe operation of the Website and to analyse your habits so that the operation of the Website is convenient, efficient and meets your needs and expectations.
More information about cookies and their deletion, management and related settings can be found here: www.allaboutcookies.org.
We use the following cookies on our Website:
|Cookie name||Description||Creation and validity of the cookie||Data collected with the help of a cookie|
|wp-settings-time-1, wp-settings-1, wordpress_logged_in, wordpress, PHPSESSID||A standard cookie used to maintain a user session||Created at the time of entry to the page and valid until the closing of the Website window|
|uid||This cookie is used to identify the user||Created at the time of entering the page and is valid for 60 days|
|AWSALB||A standard cookie used to ensure the speed and quality of use of the webpage||Created at the time of entering the page and is valid for 7 days|
|_ga||This cookie is used by Google Analytics to evaluate the user’s visit objectives, to compile reports on website activity for website operators and to improve the customer’s experience when visiting the Website.||Created from the moment of consent and valid for 2 years||Purposes of the user’s visit, clicks|
|_gat||These cookies are used by Google Analytics to collect statistical information about website traffic||Created the first time you access the Website and valid until the end of the session||Frequency of visits to the Website|
|_fbp, _fr||This cookie is used by Facebook to identify the user||Created at the time of first access to the Website and valid for 2 days|
|_zlcmid, __cfduid||This cookie is used to access the Chat features of the webpage||Created at the time of entry to the page and valid until the closing of the Website window|
|_gid||This cookie is used by Google Analytics to identify the user||Created at the time of first access to the Website and valid for 2 days|
X. DATA PROCESSORS AND OTHER RECIPIENTS
Gym Plius may use certain service providers (data processors) to process your personal data. Such data processors shall include: companies providing fingerprint processing, data centre services, companies providing web browsing or online activity analysis and services, companies developing, providing, maintaining and developing software, companies providing information technology infrastructure services, companies providing communication, security, recruitment services and other service providers, to whom your personal data is only disclosed to the extent necessary under the terms of the contract.
If the Customer chooses an E-Invoice to pay for services, the Customer’s personal data shall be transferred to the E-Invoice provider, its payment service provider and the intermediary in order to execute such choice.
If the Customer does not perform its payment obligations, we may transfer information about the Customer (his/her personal data) and other information related to indebtedness to third parties with a legitimate interest for the purpose of assessing solvency and managing indebtedness, as well as to debt collection companies for the purpose of debt collection.
On sufficient legitimate grounds (e.g., where it is necessary for the conclusion or performance of a contract with you and where you have been duly informed of such transfer), the data may be transferred to our business partners, contractors, counterparties insofar as this is related to the performance of the contractual obligations of the Gym Plius or to the performance of our ordinary activities.
Gym Plius hereby informs you that certain technical data from your visit to the Website (IP address, cookies, technical information of the browser you are using, and other information related to your browser activity and browsing on the Website) may be transferred to, or made available by, entities both within and outside of the European Economic Area (EEA) for the purpose of statistics, analytics, and related purposes (e.g. in the case of the use of the Google Analytics service by us, such entity shall be a company operating in the United States of America). Gym Plius will ensure that personal data shall only be transferred outside the EEA if there is a sufficient basis provided for in the applicable law, which may be necessary for the conclusion and performance of a contract, may be based on the standard data protection terms and conditions approved by the European Commission, or may be based on any other grounds, conditions, or exemptions provided for in the law. For more information on what data is transferred outside the EEA and on what basis, as well as other related issues, you may contact us at email@example.com.
Gym Plius is obliged to collect and provide your personal data to competent authorities and other persons in the cases and according to the procedure established by the law, when this is required by applicable laws or regulations (e.g. by the State Tax Inspectorate, the Social Insurance Institution (SODRA), the police, other competent bodies, institutions, organisations) or is required by contract (e.g. an insurance contract in connection with an insured event).
Personal data may also be provided, without the data subject’s individual consent, to a pre-trial investigation body, a public prosecutor or a court in connection with administrative, civil or criminal proceedings in their possession, as evidence, or in other cases provided by law.
XI. DATA STORAGE PERIOD
Your personal data may be stored longer than specified above in the following cases:
- It is necessary for Gym Plius to be able to defend itself against demands, claims or lawsuits and exercise its rights;
- There are reasonable suspicions of an illegal act, which is the subject of an investigation;
- Your data is necessary for the proper resolution of a dispute or complaint;
- Backup copies and other purposes related to the operation and maintenance of information systems or similar;
- In compliance with the obligations set forth in legal acts;
- In the presence of other bases established by legal acts.
XII. WHAT RIGHTS DO YOU HAVE?
In relation to your personal data, in the scope, cases, procedure and conditions provided by the applicable legal acts, taking into account the applicable restrictions, you shall have the following rights:
- To get acquainted with your personal data and how it is processed;
- To request correction of incorrect, inaccurate or incomplete data;
- To request the deletion of your personal data or restriction of processing of your personal data;
- To request the transfer of your personal data to another data controller or provide it directly in a form convenient for you (applicable to those personal data provided by you and processed by automated means on the basis of a contract or consent);
- The right to object to the processing of your personal data;
- The right to withdraw your consent at any time if your personal data is processed on the basis of consent;
- The right to contact and lodge a complaint with the State Data Protection Inspectorate (see www.vdai.lrv.lt for more information).
- You may exercise the abovementioned rights and/or lodge a complaint by contacting Gym Plius at firstname.lastname@example.org or by personally delivering a request to exercise your rights to the Gym Plius gym you visit. To confirm your personal identity, you must provide proof of your personal identity, i.e. a passport, personal identity card or driving licence, along with your application, or a scanned version of the relevant document if you apply by e-mail.
Upon receipt of your request, Gym Plius shall provide you with information on the action it has taken in response to your request no later than one month after receipt of your request and completion of the verification procedure. Taking into account the complexity and number of requests, Gym Plius shall have the right to extend the one-month period by a further two months, informing you at the latest within one month of the receipt of your request and the completion of the verification procedure, and stating the reasons for such extension.
XIII. IN WHAT WAYS AND THROUGH WHAT CONTACTS CAN YOU CONTACT US?
If you have any questions or requests related to the processing of your personal data, you may contact us by e-mail at: email@example.com.