Disclaimer: The content below is provided for informational purposes only and the information shared here is not meant to serve as legal advice. You should work with legal and other professional counsel to determine exactly how the GDPR may or may not apply to you.
On May 25th, 2018, the EU General Data Protection Regulation (GDPR) will go into effect bringing new global data protection rights for individuals in the European Union.
We at Exercise.com wholeheartedly support the privacy rights of our customers and our users and are proactively working toward GDPR compliance by May 25th, 2018.
Here are some of the changes we're making, as well as what you'll need to do as a customer or partner of Exercise.com.
Update for May 22nd, 2018:
We are making progress on all product changes and compliance efforts and expect to be fully compliant by the 25th of May. You can already delete your account today. We've gotten updated drafts of new Terms of Service DPAs and expect this to be available and shared shortly.
Update for May 23rd, 2018:
We have been working on our DPA with Exercise.com as a Processor (which should cover both customers and also partners as sub-processors). Check this page for any more updates!
To prepare for GDPR, we are undertaking some research and changes -- some small, some larger. You can read about those changes here.
As with any new regulation, we're working to understand our role under GDPR.
We're reviewing all the data we collect, as well as the reasons for why we collect it, as well as which Exercise.com employees have access to it.
We're working through our list of vendors to ensure they are adhering to GDPR as well as signing appropriate DPAs.
This includes the ability to download your data from Exercise.com, as well as delete it from Exercise.com. Much of this functionality already exists today (for example, you can export your health information) but we'll be adding upgrades here.
We will work to document and share any pertinent changes with customers and partners as we implement our changes.
This includes revamping processes for how we do customer support, build products, report on data, and work with applicants as we grow our team. Much of this with be in the form of internal documentation, training and processes as required by GDPR.
It is important to note that Exercise.com is acting both as a Data Controller and as a Data Processor within the realm of GDPR compliance:
As a Data Controller, you are responsible for safeguarding the data of your customers as they interact directly with services integrated with Exercise.com.
As a Data Processor, Exercise.com is responsible for safeguarding the data of our partners' and customers' users as it flows through our system.
As a Exercise.com customer or partner, you are a Data Controller and Exercise.com is acting as your Data Processor for your users. In this respect, you’ll want to take the following steps leading up to May 25th, 2018:
A list of our vendors / sub-processors is available upon request.