Note on GDPR compliance
We have set out below a high level overview of your obligations under the European Union General Data Protection Regulation (EU GDPR) and the equivalent laws of the United Kingdom (UK GDPR, and together with the EU GDPR, GDPR), assuming that you are acting:
as a controller of personal information you collect:
from visitors to your website;
for your own business purposes from users of the Total Coach app (e.g. for account management, billing, marketing or product improvement purposes), and
from other persons with whom you deal directly (e.g. people that might email or phone you), and
as a processor of data that users of the Total Coach app input into the app (e.g. lesson bookings, notes and videos) (User Data).
In our note below, Articles refer to Articles of the GDPR.
We have also assumed that you do not process any data:
that falls under one of the special categories of data set out in Article 9, or
that relates to an individual’s criminal record, or
from or about children under the age of 16.
In addition to our high level summary below, there are good checklists of your obligations as a controller and as a processor here (while this is a UK checklist, there are only minor differences between the EU GDPR and UK GDPR).
Comply with data protection principles
Where you are the controller of personal data, you need to comply with the data protection principles of the GDPR set out in Articles 5-11. In your case, these are:
the data protection principles set out in Article 5
ensuring you have a lawful basis for processing information as set out in Article 6, and
ensuring that where you rely on consent from an individual to process data, you comply with Article 7 (e.g. you are able to demonstrate that consent, and that consent may be withdrawn), and
ensuring that where you are processing information from or about children under the age of 16, you comply with Article 8 (e.g. you make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility over the child). Given our assumption above that you do not process data from or about children under 16, this should not apply to you, but you should revisit it if that changes.
Technical and organisational measures
As a controller under Article 25 (data protection by design and by default), and as both a controller and a processor under Article 32 (security of processing), you must implement appropriate technical and organisational measures to give effect to the data protection principles of the GDPR. You will need to determine what these technical and organisational measures are given all of the relevant circumstances, including the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing and the risks it presents to individuals.
Some (non-exhaustive) examples given in Article 32 include:
the pseudonymisation and encryption of personal data
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
There is also a good checklist of considerations here.
Acting as processor
Where you are acting as processor (i.e. in relation to User Data), Article 28(3) requires that there be a contract in place between the controller and processor that meets certain requirements. The data processing addendum that we have provided meets these requirements.
Engaging processors and subprocessors
The GDPR requires that you have certain contractual arrangements in place with each of your service providers that store and/or process data on your behalf. A suggested process for complying with these requirements is set out below.
Commonly, service providers that process data that you control (e.g. data you hold for account management, billing and marketing purposes) are referred to as processors, and service providers that process User Data are referred to as subprocessors. For ease of reference, when we refer to processors below, we mean both your processors and subprocessors. As explained below, the steps you have to follow are the same for both.
When we refer to processing below, we mean both storage and processing.
Step 1: Compile a list of your processors.
Step 2: For each processor, identify the country/ies in which your data and/or User Data (as applicable) is stored or processed by that processor.
Step 3: For each processor that processes EU data outside the EEA, determine whether that processor stores the personal data in a country that has been deemed to have an adequate level of data protection by the European Commission (list published here). For each processor that processes UK data outside the UK, determine whether that processor stores the personal data in a country which has been deemed to have an adequate level of data protection by the UK government. Currently, there are provisional arrangements so that UK adequacy regulations include the EEA and all countries, territories and international organisations covered by European Commission adequacy decisions valid as at 31 December 2020. The UK intends to review these adequacy regulations over time.
Step 4: For processors that are not based in the EEA, the UK or in an adequate country:
4a: You will need to rely on one of the transfer tools listed under Article 46 to transfer personal data to the processor. One of the transfer tools commonly relied on is Article 46(2)(c), which is that the processor has adopted appropriate safeguards in the form of standard data protection clauses (SCCs) in the form mandated by the European Commission (or, for UK data, in the form mandated by the UK government).
As a practical observation on Step 4a: The standard terms with most large data processing providers will adopt the appropriate SCCs or otherwise meet the requirements of Article 46.
4b: You will need to determine whether anything in the law or practice of the third country may limit the effectiveness of the safeguards of the Article 46 transfer tool you are relying on, in the context of your specific transfer. An example of this is when a country has national security laws that allow a security agency to compel the processor to release personal data to the government. We note in this regard that the United States, in particular, has laws that allow security agencies to compel release of personal data, meaning that supplementary measures as referred to in 4c below would need to be considered for any processing in the United States.
4c: If you find in Step 4b that the relevant local laws or practices limit the safeguards of the transfer tool you are relying on, you will need to identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence. The European Data Protection Board (EDPB) has published a non-exhaustive list of examples of supplementary measures with some of the conditions they would require to be effective – see this publication. That publication does provide guidance that, where the processor’s local laws (and not practices) are the issue, you may decide to proceed with the transfer without implementing supplementary measures if you consider and are able to demonstrate and document that you have no reason to believe that relevant and problematic legislation will be interpreted and/or applied in practice so as to cover your transferred data and importer. However, any such decision should be considered carefully, in the context of all of the guidance given. We can provide more information on this point if needed.
In Steps 4a – c above, we have referenced the Articles that are relevant to controllers. However, in practice, you need to follow these same steps for User Data (where you are the processor and not a controller). For User Data, under Article 28(4), where you engage a subprocessor you must ensure that the same data protection obligations imposed on you under the data processing addendum apply to that subprocessor. In practice, this requires you to go through the same analysis in Steps 1-4 above regardless of whether you are the controller or processor of that data.
For more information on this process, see pages 2-3 of the EDPB publication referred to in Step 4c above.
Step 5: For any processors that store data in the EEA, the UK, or in a country that is adequate, you still need to comply with Article 28, which essentially requires you to ensure that the EEA or UK processor is bound by obligations that mirror your own obligations in the data processing addendum we have provided you.
As a practical observation on Step 5: The standard terms with most large data processing providers will likely meet the requirements of Article 28.
Note on Step 5: If your EEA or UK processor is then exporting personal data back to a location that is not in the EEA/UK or a country that is adequate, you may also need to enter into additional SCCs with that EEA or UK processor that cover the re-export of the data, in order to meet the requirements for Article 46. However, this is likely a fringe case so we have not elaborated on that. We can discuss further if needed.
Representatives
Under Article 27(1), if you are not established in the EU or the UK but process personal data of individuals there (Article 3(2)), you must appoint a representative in the EU and the UK. Article 27(2)(a) provides an exemption, which you can rely on only if you meet all 3 of the following criteria:
the processing is occasional
the processing does not include processing, on a large scale, of special categories of personal data or the processing of personal data relating to criminal convictions and offences, and
the processing is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing.
(A separate exemption under Article 27(2)(b) applies to public authorities or bodies, which is not relevant to you.)
We would be happy to discuss this point further if you have any queries about whether you meet the criteria above.
We can also provide a referral to a service provider that provides EU and UK representative services, if you do not have anyone that you could use for this.
Record of data processing
Article 30 requires that, where you are acting as a controller or as a processor (i.e. in relation to User Data), you must maintain a record of data processing. There are template records of data processing for controllers and processors here.
Conduct an impact assessment
Article 35(3) requires data controllers to conduct a data protection impact assessment (DPIA) if any of the following types of data processing is being conducted:
a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person
processing on a large scale of special categories of data (referred to in Article 9(1)), or of personal data relating to criminal convictions and offences, or
a systematic monitoring of a publicly accessible area on a large scale.
From the information provided to us, you do not do these types of processing and therefore we do not think there is a requirement for you to conduct a DPIA.
If you do want to conduct a DPIA, there is a good guideline and template for this here.