Data Protection Policy

  1 Introduction

    This Data Protection Policy (a) applies to the Processing of Personal Data by electronic means and in paper-based filing systems, (b) excludes any Processing of Personal Data of employees or candidates of the Company, and (c) does not address obligations For Fit may be subject to under local laws and other applicable regulations.

    This Data Protection Policy enters into force on 25 May 2018. Until then, all For Fit personnel will take all necessary actions to abide by it.

    THE OBSERVANCE AND CORRECT APPLICATION IN PRACTICE OF THIS DATA PRIVACY COMPLIANCE POLICY WILL BE STRICTLY MONITORED BY THE COMPANY. INTENTIONAL, NEGLIGENT OR ACCIDENTAL NON-OBSERVANCE OF THIS DATA PRIVACY COMPLIANCE POLICY MAY RESULT IN SIGNIFICANT FINANCIAL AND REPUTATIONAL LOSSES FOR For Fit AND, POSSIBLY, DISCIPLINARY CONSEQUENCES FOR THE RESPONSIBLE For Fit EMPLOYEES.

    EU Data Protection Laws impose on the Company full observance of the following principles:

    Lawfulness, fairness and transparency

    Personal Data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject.

    Purpose limitation

    Personal Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

    Data minimization

    Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

    Accuracy

    Personal Data shall be accurate and, where necessary, kept up to date.

    Storage limitation

    Personal Data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed.

    Integrity and confidentiality

    Personal Data shall be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

    Accountability

    For Fit, as Data Controller, shall be responsible for, and be able to demonstrate, compliance with the EU Data Protection Laws.

    Data Protection Compliance starts with every person making up the personnel of For Fit (“For Fit” and/or the “Company”).

    For Fit personnel are expected to handle Personal Data with care. This Data Protection Compliance Policy explains how the protection of Personal Data must be achieved throughout the Company. The following main directions are mandatory and are explained in this document:

    • I only process Personal Data for specific Purpose(s) of Processing.

    • I know that the Purpose of Processing has a valid lawful basis.

    • I am transparent with Data Subjects.

    • I always inform natural persons of what the Company does with their Personal Data (regardless of whether the natural person is a client, a supplier or any other business partner).

    • The fact that I obtain Personal Data of a natural person representing a legal person, or acting as an employee of a legal person, does not make that Personal Data less important or place it outside the scope of data protection.

    • I only use Sensitive Personal Data if necessary and where expressly allowed.

    • I make sure that Personal Data are up-to-date, complete and accurate.

    • I treat seriously any request regarding Personal Data.

    • I allow Data Subjects to correct, delete or block their Personal Data.

    • I protect Personal Data from unauthorized loss, alteration, disclosure or access.

    This Data Protection Policy was drafted based on the letter of GDPR as at the time of its drafting no local law was enacted. Any regulatory development (either at EU or national level) may trigger the need to amend or supplement this policy.

  2 Terminology

    Throughout this Data Protection Policy, the following terms will have the following meaning:

    “Affiliate”

    Means companies which are part of the For Fit Group in the European Union and to which For Fit sends Personal Data.

    “Automated decision making”

    Means a process where input data are evaluated exclusively using IT devices, with no human involvement, i.e. in accordance with pre-defined criteria/algorithms, and where the ultimate decision has significant consequences for the Data Subject.

    “Data Controller”

    Means For Fit, as the entity which determines the purposes and means of the Processing of Personal Data.

    “Data Processor”

    Means the entity which performs the Processing of Personal Data on behalf of the Data Controller.

    “Data Protection Officer”

    Means an individual appointed by For Fit pursuant to a mandatory obligation under EU Data Protection Laws. The DPO’s role is mainly: (a) to inform and advise the Company and its employees about their obligations to comply with the EU Data Protection Laws, (b) to monitor compliance with the EU Data Protection Laws, and (c) to be the first point of contact for supervisory authorities and for individuals whose data is processed. Details on DPO rights and responsibilities are set out within this document.

    “Data Subject”

    Means the identified or identifiable person to whom Personal Data relates. For the sake of this policy, Data Subjects may be clients or representatives of suppliers and business partners.

    “EU Data Protection Laws”

    Means all laws and regulations applicable in the European Union to the Processing of Personal Data, regardless of whether they are primary legislation (such as national laws and/or GDPR, defined below) or secondary legislation (such as the Working Party Guidelines or other guidelines issued by the Supervisory Authority).

    “GDPR”

    Means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.

    “Internal Regulation”

    Means all internal documents (regardless of their name and subject matter) mentioned in the Internal Registry.

    “Personal Data”

    Means any information relating to an identified or identifiable natural person, where such information is protected under applicable EU Data Protection Laws. For the purpose herein, Personal Data includes Personal Data relating to criminal convictions and offences (as defined below) and Special Categories of Personal Data (as defined below).

    “Personal Data relating to criminal convictions and offences”

    Means Personal Data relating to criminal convictions, offences and/or pardons.

    “Processing”

    Means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as for example collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

    “Profiling”

    Means any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

    “For Fit Records of processing”

    Means records kept at Company level that provide an overview of all Processing activities within the organisation (e.g. what kinds of data categories are being processed, by whom (which departments or business units) and for which underlying purposes of processing).

    “Special Categories of Personal Data”

    Means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

    “Sub-processor”

    Means any person appointed by or on behalf of a Data Processor or by an Affiliate to Process Personal Data on behalf of any Company Group Member.

    “Supervisory Authority”

    Means the National Authority for Supervision and Protection of Personal Data or any other authority of any Member State to which data protection responsibilities were attributed pursuant to the EU Data Protection Laws.

    “Transfer”

    Means to disclose or otherwise make Personal Data available to a third party (including any Affiliate or Sub-processor), either by physical movement of the Personal Data to such third party or by enabling access to the Personal Data by other means. For the sake of clarity, storage and back-up shall qualify as Transfer for the purpose herein.

  3 For Fit’s purpose of processing

    For Fit has an inventory of the Purposes of Processing currently applicable to the Company. The Purposes of Processing are exhaustively listed in the For Fit Records of Processing (kept by the Data Protection Officer). Each Purpose of Processing has a valid legal basis and is directly linked with the business activities of the Company. The Purposes of Processing constitute the starting point for each Processing activity, and any deviation from or amendment to them will be immediately notified to the Data Protection Officer. Processing of Personal Data (collection, use, storage etc.) is to be done in strict compliance with the Purpose of Processing.

    3.1 For Fit has identified specific Purposes of Processing

    Generally, the Company collects, uses, stores or otherwise Processes Personal Data in the following ways:

    • when the Data Subject submits any form or document, enters into a formal agreement or provides other documentation or information in respect of its interactions and commercial relationship with For Fit;

    • when the Data Subject interacts with For Fit personnel, including customer service officers, relationship personnel and other representatives, for example via telephone calls, letters, fax, face-to-face meetings and email;

    • when the Data Subject’s images are captured by For Fit via CCTV cameras while the Data Subject is within the Company’s premises;

    • when the Data Subject uses For Fit services provided through online and other technology platforms;

    • when the Data Subject requests that For Fit contact him, or asks to be included in an email or other mailing list; or when the Data Subject responds to For Fit’s request for additional Personal Data;

    • when the Data Subject uses the Company’s electronic services, or interacts with For Fit via our websites;

    • when For Fit carries out checks, due diligence or other screening activities (including background checks) in accordance with legal or regulatory obligations or the Company’s risk management procedures that may be required by law or that may have been put in place by For Fit;

    • when For Fit acts to prevent or investigate any fraud, unlawful activity, omission or misconduct relating to the Data Subject’s relationship with For Fit, or any other matter arising from that relationship. For Fit will collect the Data Subject’s e-mail address to send “transactional emails” about the product if the Data Subject decides to buy it. If the Data Subject agrees to subscribe to the service newsletter, For Fit will, from time to time, send free commercial marketing, content and promotional materials to that email address;

    • when For Fit is complying with, or as required by, any request or direction of any public authority; or is responding to requests for information from regulatory agencies, ministries, statutory boards or other similar authorities;

    • when For Fit performs financial reporting, regulatory reporting, management reporting, risk management reporting (including monitoring risk exposure) or audit reporting;

    • when For Fit seeks information about the Data Subject and receives the Data Subject’s Personal Data, in connection with its relationship with For Fit, from business partners, public agencies, the current employer and the relevant authorities; and/or

    • when the Data Subject submits its Personal Data or the Personal Data of a third party (e.g. information on spouse, children, parents and/or employees etc.) to For Fit for any other reason.

    All the above activities are labelled as Purposes of Processing and are listed in the For Fit Records of Processing.

    3.2 For Fit’s Purposes of Processing have a lawful and valid basis

    For Fit’s Purposes of Processing are grounded on one of the following bases:

    CONSENT

    The Data Subject whom the Personal Data is about has consented to the Processing.

    PERFORMANCE OF A CONTRACT

    The Processing is necessary:

      • in relation to a contract which the Data Subject has entered into; or

      • because the Data Subject has asked for something to be done so it can enter into a contract.

    COMPLIANCE WITH LEGAL OBLIGATION

    The Processing is necessary because of a legal obligation that applies to For Fit.

    LEGITIMATE INTEREST

    The processing is in accordance with the “legitimate interests” condition.

    The basis for each of For Fit’s Purposes of Processing is mentioned in the For Fit Records of Processing.

    3.3 The Processing is limited to only what is necessary for achieving For Fit’s Purpose of Processing

    3.3.1 For Fit’s Purposes of Processing are limited to certain categories of Data Subjects and to certain categories of Personal Data (data minimization)

    Internal Regulations list the documents and thus the exact Personal Data that is to be requested from the Data Subject and processed in respect of that Data Subject. On one hand, the appendices to the Internal Regulations list the template forms and template contracts that have to be filled in and/or signed by the Data Subject. On the other hand, the Internal Regulations allow Personal Data to be collected verbally, directly from the Data Subject, and entered directly into the IT system of For Fit.

    The Purposes of Processing refer to Personal Data which is not included in the category of “Special Categories of Personal Data” nor in the category of “Personal Data relating to criminal convictions and offences”, as these terms are defined in Section 2 of this policy.

    Processing that entails “Special Categories of Personal Data” and/or “Personal Data relating to criminal convictions and offences” is to be treated as an exception and is to be avoided as much as possible (except where expressly required by an Internal Regulation or a provision of law).

    Any supplementary Personal Data, outside the Personal Data specifically mentioned in the For Fit Records of Processing and outside the Personal Data mentioned in the Internal Regulations, cannot be requested from Data Subjects without prior authorization from the supervisory manager and/or the Data Protection Officer.

    Any supplementary Personal Data, outside the Personal Data specifically mentioned in the For Fit Records of Processing and outside the Personal Data mentioned in the Internal Regulations, which reaches the Company (either intentionally or accidentally) from a source other than the Data Subject, is to be treated as a data privacy incident and brought to the attention of the Data Protection Officer.

    3.3.2 Personal Data collected by For Fit is accurate, and its integrity and confidentiality are protected (accuracy and confidentiality)

    All Personal Data collected by For Fit in relation to any Purpose of Processing must be accurate. Internal Regulations require that For Fit personnel make sure that Personal Data obtained directly from Data Subjects or indirectly is verified against relevant documentation.

    The integrity and confidentiality of all Personal Data collected by For Fit in relation to any Purpose of Processing are mandatory at all times. Internal Regulations require that For Fit personnel make sure that Personal Data obtained directly from Data Subjects or indirectly is safely stored and accessed only on a need-to-know basis.

    3.3.3 Processing of Personal Data within For Fit is performed for the period needed to fulfil the Purpose of Processing (storage limitation)

    Depending on the Purpose of Processing, Personal Data collected by For Fit is kept in either hard-copy or electronic form (or both):

    • for the time needed to accomplish the Purpose of Processing, or

    • to the extent necessary to comply with an applicable legal requirement, for the time mentioned by a provision of law, or

    • as advisable in light of an applicable statute of limitations.

    For Fit sets and implements retention periods for documents (regardless of their form and title, whether or not they contain Personal Data).

    All personnel need to analyze the Personal Data stored by them against the decided retention periods and decide to maintain or erase Personal Data accordingly.

    3.3.4 Processing outside the For Fit’s Purposes of Processing is generally forbidden (change of purpose)

    Generally, Personal Data will be used only for the Purpose(s) of Processing for which it was originally collected (original purpose). Personal Data may be Processed for legitimate purposes of For Fit different from the original purpose (secondary purpose) only if the original purpose and secondary purpose are closely related.

    It is generally permissible to use Personal Data for the following secondary purposes:

    • establishing the risk profile of the Data Subject or the company which the Data Subject represents;

    • internal audits or investigations;

    • dispute resolution or litigation;

    • regulatory reporting purposes.

    Any Processing of Personal Data outside the Purposes of Processing specifically established in the For Fit Records of Processing will be immediately suspended and the situation will be brought to the attention of the Data Protection Officer as soon as possible.

    Any change in the original Purpose of Processing will be assessed carefully and in case of doubt, For Fit’s personnel will bring the matter to the attention of Data Protection Officer, before executing any further processing.

    3.3.5 Transfer of Personal Data

    While rendering its services, the Company can Transfer data to another country or to international/foreign organizations, but only if data security is appropriately guaranteed in that country or organization.

    When transferring Personal Data to a state outside the European Economic Area, the Company provides adequate guarantees of data protection on the basis of a contract concluded with that legal or natural person or international organization.

    3.3.6 Profiling and Automated Data Decision Making

    Processing in For Fit may involve profiling, automated decision making or both in case of:

    • risk management analyses with a view to ensuring the security and reliability of the debt recovery process or to preventing and filtering out fraud;

    • periodic automatic review of the Data Subject’s payments.

    In all such cases, For Fit will observe the rights of Data Subjects, as mentioned under the following section.

  4 For Fit enables the Data Subject rights

    • the right to be informed,

    • the right of access,

    • the right to rectification,

    • the right to erasure (right to be forgotten),

    • the right to restrict processing,

    • the right to data portability,

    • the right to object,

    • rights in relation to automated decision making and profiling.

    All For Fit personnel are aware of and know how to react to any exercise of the Data Subjects’ rights.

    4.1 For Fit informs the Data Subjects of the Processing activity

    As a rule, documents that are given to Data Subject (either forms or contracts) contain all the required information for For Fit to observe the Company’s obligations to duly inform the Data Subjects of the Processing Activity.

    Notwithstanding the letter of the documents given to Data Subjects, upon request, For Fit personnel will explain thoroughly to which business activity the Processing relates, what type of Personal Data is requested from the Data Subject, and that the Company has set up appropriate organizational and technical measures to ensure that Personal Data is kept safe and confidential.

    In case Data Subjects are not required to fill in forms independently, because they are only required to submit certain documentation or to give their Personal Data verbally, For Fit personnel will have the obligation to inform the Data Subject of all the details of the Processing activity. The checklist of the aspects that need to be brought to the attention of the Data Subject is the following:

    “What information must be supplied?”

    At the time the Personal Data are obtained:

    Identity and contact details of the Data controller and the DPO

    Purpose of the Processing and the lawful basis for the processing

    The legitimate interests of the Data controller

    Categories of Personal Data

    Any recipient or categories of recipients of the Personal Data

    Details of transfers to third country and safeguards

    Retention period or criteria used to determine the retention period

    The existence of each of Data Subject’s rights

    The source the Personal Data originates from and whether it came from publicly accessible sources

    Whether the provision of Personal Data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the Personal Data

    The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences

    In case of profiling and/or automated decision making, For Fit will ensure the observance of the Data Subject’s rights:

    • The Data Subject shall be informed, upon the commencement of data processing, of the fact of profiling/automated decision-making, the range of his/her Personal Data involved in profiling, the logic involved in the method applied and the possible consequences of automated decision-making on the Data Subject.

    • Where a decision can be delivered in a process either entirely as a result of an automated sub-process or also with human intervention, the Data Subject must be informed of the cases where the Company can make the decision entirely by automated means (as a result of a sub-process).

    • When informing about the logic the automated decision-making is based on, it is not necessary to disclose in detail the algorithm, formula or business rationale applied (this information need not be so in-depth as to compromise the Company’s business secrets). It is suggested to present the operation of automated decision-making by using examples.

    • The Data Subject subjected to automated decision-making is entitled to request human intervention from For Fit, to make his/her position known and to submit an objection against that decision. This right to challenge does not entitle the Data Subject to force the conclusion of the contract, but to dispute the decision, based on automated data processing, leading to the rejection of concluding the contract.

    • The Data Subject must in any case be granted the opportunity to avail of his/her right to make an objection.

    • If the legal basis for Processing is a legitimate interest of For Fit, the Data Subject is entitled to the right to object. It follows from the right to object that the Company must examine whether the objection is justified (i.e. whether the Data Subject’s interests override the Company’s interests) and decide on the objection.

    4.2 For Fit personnel recognizes and knows how to deal with a request from Data Subjects

    EU Data Protection Laws require that any Data Subject request is responded to as soon as possible, and no later than 30 days from receipt.

    For Fit employees will treat with the utmost importance all enquiries from Data Subjects about the Processing activity.

    In all cases, For Fit employees will inform Data Subjects that they may submit a formal request and/or a complaint to the designated address, representing the contact details of the DPO appointed by the Company.

  5 Fostering data protection compliance in For Fit

    5.1 Data Protection Officer appointed by For Fit

    The Company appoints a Data Protection Officer that fulfils the required skills profile as defined in the EU Data Protection Laws:

    • the Data Protection Officer function is established as a position directly subordinated and in a direct reporting line to Top Management;

    • the Data Protection Officer function is not subject to conflicting interests;

    • For Fit involves the Data Protection Officer properly and in a timely manner in all issues which relate to the protection of Personal Data.

    The Company shall:

    • publish the contact details of the Data Protection Officer to Data Subjects and also internally on the Company’s intranet, internal telephone directory and organizational charts, to ensure that his or her existence and function is known within the organization;

    • communicate the contact details to the competent supervisory authority;

    • make sure that the Data Protection Officer is invited to participate regularly in meetings of senior management;

    • always give due weight to the Data Protection Officer’s opinion. In case of disagreement it is important to document the reasons for not following the Data Protection Officer’s advice;

    • promptly and without undue delay consult the Data Protection Officer once a data breach or other incident has occurred;

    • support the Data Protection Officer by ‘providing resources necessary to carry out his/her tasks and access to Personal Data and processing operations, and to maintain his or her expert knowledge’;

    • provide the Data Protection Officer with regular training. The Data Protection Officer will be given the opportunity to stay up to date with regard to developments within data protection. The aim should be to constantly increase the level of expertise of the Data Protection Officer; he/she should be encouraged to participate in training courses on data protection and other forms of professional development, such as participation in privacy fora, workshops, etc.;

    • ensure that the Data Protection Officer ‘does not receive any instructions regarding the exercise of his or her tasks’.

    Data Protection Officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks.

    5.2 Internal roles dedicated to Data Protection Compliance at business departments’ level

    Data protection compliance is a continuous independent responsibility for each and every employee of the Company and failure to observe this policy may lead to professional liability.

    5.3 Internal Regulations

    As a general statement, this Data Protection Policy supplements all existing policies. In case of any discrepancy between this Data Protection Policy and EU Data Protection Laws, the latter shall prevail.