Data Protection Policy

Overview

  1. What is this data protection policy about?
  2. Who are we?
  3. What is ‘personal data’ and what does ‘processing’ mean?
  4. Who and what is this data protection policy for?
  5. What personal data do we process and why?
  6. Who do we share your personal data with?
  7. When do we send your personal data overseas?
  8. Do we carry out profiling and automated individual decisions?
  9. How do we protect your personal data?
  10. How long do we save your personal data?
  11. What rights do you have in connection with the processing of your personal data?
  12. What else should you know?
  13. Changes to this data protection policy

1. What is this data protection policy about?

Data protection is a question of trust, and your trust is important to us. That is why we have published this data protection policy. It outlines which personal data we process in what way and for what purpose with respect to the new European General Data Protection Regulation (‘GDPR’). Although the GDPR is a European Union regulation, it has significance for us too. The Swiss Federal Act on Data Protection (‘FADP’) is heavily influenced by European law, and its pending revision will adopt many of the provisions of the GDPR. In addition, there are circumstances under which companies outside the European Union must comply with the GDPR. We want to guarantee the high protection afforded by the GDPR to everyone whose personal data we process, and so have decided to align this data protection policy fully with the GDPR. You can view the GDPR by following this link:

https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016R0679&from=DE

It is a matter of concern to us to that you are fully informed about the processing of your personal data. This data protection policy is a means of informing you how and why we collect, process and use your personal data. It is important to us that you understand:

  • which personal data we collect and process;
  • when we collect your personal data;
  • why we use your personal data;
  • how long we store your personal data;
  • who has access to your personal data; and
  • what rights you have with regard to your personal data.

You can find information and explanations to this effect in this policy. Feel free to contact us at any time if you have any questions. You can find our contact details in section 2.

2. Who are we?

A specific company is deemed responsible within the meaning of data protection law for every instance of data processing. That is the company that decides whether a specific instance of processing – e.g. processing done while providing a service, while using the website, etc. – should take place, the reasons for doing this and the principles that should be applied (if these decisions are made by several companies, they may be held jointly responsible). The following company (‘we’ or ‘us’) is generally responsible for the data processing referred to under this data protection policy:

ACTIV FITNESS AG
Thurgauerstrasse 32
8050 Zurich, Switzerland

We have appointed a data protection officer who can be contacted at the following address: datenschutz@activfitness.ch

We have also appointed the following company as our representative in the EU/European Economic Area (‘EEA’; e.g. Liechtenstein):

BAY GmbH
Dirk Seeburg
Wirtschaftsprüfungsgesellschaft Rechtsanwaltsgesellschaft
Technopark II | Werner-von-Siemens-Ring 12
85630 Grasbrunn | Germany

Tel. +49 (89) 90 420 49 62

In certain instances, another company is responsible for data processing:

  • If you contact another company within the Migros Group, e.g. if you contact a company’s customer service department, then this company is responsible for this instance of data processing – unless this data protection policy stipulates otherwise for the processing in question.
  • In some cases, we will share your personal data with another Migros Group company or third parties to enable these recipients to use this personal data for their own purposes (i.e. not on our behalf). This may include authorities. In such cases, the relevant recipient will be regarded as the data controller. Information about these data controllers can be found in their respective data protection policies – generally on their website. 

3. What is ‘personal data’ and what does ‘processing’ mean?

Data protection law regulates the processing of personal data. ‘Personal data’ refers to any information that can be traced back to a specific natural person; i.e. an individual. This may include the following information:

  • Contact information; e.g. name, postal address, email address, phone number
  • Other personal details; e.g. gender, date of birth and age, marital status, nationality
  • Professional details; e.g. profession, title, role, training, former employers, skills and experience, permits and licenses, memberships
  • Shopping details; e.g. data on purchases, orders, shopping history, preferred shopping places and times, baskets, preferences and affinity for certain product categories
  • Financial details; e.g. credit card number, account details, credit rating, assets and income
  • Health details; e.g. details of physical and mental impairments, treatments and medications
  • Image, sound and video recordings
  • Logs of your visits to websites and your use of apps

In Switzerland, information relating to specific legal entities is also viewed as personal data (e.g. details of a contract with a company).

Some personal data has special protection afforded it by the legislature. This includes ‘particularly sensitive personal data’ (also referred to as ‘special categories of personal data’). This includes data that identifies race or ethnic origin, political opinions, religious or ideological beliefs or trade union affiliation, genetic data, biometric data that can be used to uniquely identify an individual, health data and data relating to an individual’s sex life or sexual orientation, data of criminal convictions and offences, and in some cases data of any forms of social welfare received.

Generally speaking, we collect your personal data directly from you when you act in a certain manner; for instance, if you visit a website or access features online or via an app, such as the member area on the ACTIV FITNESS website. Data may also be collected indirectly; for instance, if other individuals are mentioned in communications with us or if additional information is purchased from third-party data sources (e.g. from social media or address brokers).

We do not necessarily process all personal data mentioned in these categories. You can find specific details of the personal data we process in section 5. In some cases of data processing, we will inform you additionally in a separate data protection policy or notice, particularly if a certain form of data processing is not self-evident.

Processing’ refers to any handling of your personal data, including the following actions:

  • Collection and storage
  • Organisation and administration
  • Adjustment and modification
  • Sorting and retrieval
  • Use and exploitation
  • Transmission and disclosure
  • Combination
  • Restriction
  • Erasure and destruction

4. Who and what is this data protection policy for?

This data protection policy applies to personal data processing performed by us in all our business divisions, including the commercial operations of all ACTIV FITNESS studios. It applies to the processing of data that has already been collected and personal data yet to be collected. Certain services may also be subject to additional data protection terms.

Our data processing operations may involve the following persons (referred to as ‘data subjects’) in particular:

  • Individuals that write to us or contact us by any other means
  • Customers in our studios
  • Visitors to our premises
  • Users of online features and apps
  • Individuals that use our services or come into contact with our services
  • Visitors to our website
  • Recipients of information and marketing communications
  • Participants in competitions, prize draws and customer events
  • Participants in market research and opinion surveys
  • Contacts of our suppliers, buyers and other business partners
  • Job applicants

5. What personal data do we process and why?

The personal data we process varies widely depending on the reason and purpose. We process personal data – including particularly sensitive personal data in some cases – for the following purposes in the following situations, among others:

  • Communication: We process personal data if you contact us or if we contact you; e.g. if you write to us using the contact form on the Activ Fitness website or if you call us to arrange a trial fitness session. For this, we generally only require information such as name and contact details and the content and date and time of the messages in question. We use this data to allow us to answer your queries or send you messages, process your enquiries, communicate with you and for quality assurance and training purposes. We also forward messages to the relevant company departments within the Migros Group; e.g. if your enquiry relates to another company.
  • Use of services: We also process personal data if you use our services; e.g. if you purchase a service from us in the form of a trial training session, or a consultation on physical condition and/or performance goals, or if you become a member of Activ Fitness. In such cases, we process your personal data as part of the processing of member agreements and billing. Where a subscription has been taken out, we also process personal data in connection with your credit rating and your payment habits. For instance, we use credit rating information to decide whether to offer you payment by monthly instalments.
  • Visits to websites: When you visit our websites, we process personal data depending on the relevant site’s content and functions. This includes technical data such as information relating to the time of access to the website, duration of the visit, pages accessed and details about the device used (e.g. tablet, PC or smartphone: ‘device’). We use this data to provide the website, for reasons of IT security and to improve the user-friendliness of the website. We also use cookies – these are files saved on your device when you visit our website. In many cases, cookies are necessary to ensure the functionality of the website and are deleted automatically after you exit the site. Other cookies serve to personalise the web presence and are saved for a specific duration (e.g. two years). We also use analysis services, such as Google Analytics. These services collect detailed information relating to use of the relevant website.
  • Online features and apps: We also process personal data if you use our online features, such as the member area on the Activ Fitness website (even if you do not purchase any products or services). Depending on the type of feature, this may include information relating to any potential customer account and use of the same, and information relating to the installation and use of mobile applications (‘apps’).
  • Information and direct marketing: We process personal data in order to send information and promotional communications. For instance, if you register for a newsletter or SMS notifications, we will process your contact details and, in the case of emails, information relating to your use of the messages (e.g. whether you have opened an email and downloaded the embedded images) in order to enable us to better tailor our services to you and to improve these generally. You can block the processing of usage data in your email program if you do not agree to this.
  • Competitions, prize draws and similar events: Now and then, we hold competitions, prize draws and similar events; e.g. special fitness events. When doing so, we process your contact details and information relating to your participation in order to run the event, for communicating with you in connection with said event and for promotional purposes. You can find more information in the respective terms of participation.
  • Entering our premises: If you enter our premises, we may make video recordings in designated areas for security and evidentiary purposes, particularly in those of our studios where 24/7 customer supervision is not available (unsupervised hours). It is also possible that you might use our Wi-Fi service; in this case, we will collect device-specific data when you sign in and may also ask you to provide your name and email address or mobile phone number.
  • Customer events: We also process personal data when we host customer events (such as promotional events and special sport and fitness events). This includes the names and contact details of participants and/or interested parties and potentially other data; e.g. your date of birth. We process these details in order to hold customer events, but also to contact you directly and to get to know you better.
  • Business partners: We work with various different companies and business partners; e.g. with suppliers, commercial buyers of goods and services, cooperation partners and service providers (for instance, IT service providers). In the course of this, we also process the personal data of contact persons in these companies, e.g. name, role, title and communication with us, for the initiation and execution of contracts, for planning and accounting purposes, and for other contract-related purposes. In some fields, we are also required to subject the relevant company and its employees to a more detailed check; e.g. by means of a security check. In such cases, we will collect and process additional information. We may also process personal data to improve our customer orientation, customer satisfaction and customer retention (customer/supplier relationship management).
  • Administration: We process personal data for our own and Group-internal administration. For instance, we may process personal data in the context of invoicing or IT-related management of the member system. We also process personal data for accounting and archiving purposes and for the review and improvement of our internal processes generally.
  • Corporate transactions: We may also process personal data in order to prepare and administer company acquisitions and sales, and purchase and sale of assets. The subject matter and scope of the data collected or transmitted in the course of this depend on the stage and subject matter of the transaction.
  • Job applications: We also process personal data if you apply for a job with our company. For this, we generally need the standard information and documents referred to in a job advertisement.
  • Compliance with legal requirements: We process personal data to comply with legal requirements. This includes, for instance, receiving and processing complaints and other notices, internal investigations or the disclosure of documents to an authority if we have good reason to do so or are legally obliged to do so.
  • Protection of interests: We process personal data in various forms in order to preserve our rights; e.g. to enforce claims in and out of court, before authorities in Switzerland and abroad, or to defend ourselves against claims. For instance, we may seek clarification on the potential outcome of legal proceedings or submit documents to an authority. In the course of this, we may process your personal data or share it with third parties in Switzerland and other countries insofar as this is necessary and permissible.

6. Who do we share your personal data with?

Our employees have access to your personal data where this is necessary for the purposes outlined and the role of the employees. They act on our instructions and are bound by an obligation of confidentiality and secrecy when handling your personal data.

We may also share your personal data with other companies within the Migros Group for the purposes of Group-internal administration and for various processing reasons. This may lead to your personal data being processed and linked with personal data held by other companies of the Migros Group for the respective purposes.

  • We may share your personal data with third parties if we want to use their services (‘contract data processors’). These primarily include services in the following areas:
  • Services in the field of corporate administration; e.g. accounting or management of member data
  • Consultancy services; e.g. services of tax advisors, lawyers, corporate consultants, consultants in the field of personnel recruitment and placement
  • IT services; e.g. services in the fields of data storage (hosting), cloud services, dispatch of email newsletters, data analysis and enhancement, etc.
  • Credit checks; e.g. if you want to pay a subscription by monthly instalment

By selecting contract data processors and with suitable contractual agreements, we ensure that data protection is guaranteed by third parties at all stages of the processing of your personal data. Our contract data processors are obliged to process said personal data solely on our behalf and in line with our instructions.

It is possible that personal data may be shared with other companies for their own purposes (in addition to ours). In such circumstances, the recipient of the data is a data controller in its own right as defined under data protection law. This applies in the following cases:

  • If we review or conduct transactions such as corporate mergers or the acquisition or sale of individual parts of a company or its assets, we must transmit personal data to another company in connection with this. In such cases, we will inform you as early as possible and will try to limit the personal data processed as far as possible.
  • We may disclose your personal data to third parties (e.g. authorities in Switzerland and other countries) if this is required by law. We also reserve the right to process your personal data to comply with court orders or to assert or defend against legal claims, or where we deem it necessary on other legal grounds.
  • We may share your personal data with former employers if you apply for a job advertised by us (for references), or with future employers if you apply for a new position. However, we will not do this without your request or your consent.
  • If we assign claims against you to other companies, such as, for example, debt collection companies.

7. When do we send your personal data overseas?

The recipients of your personal data (section 6) may be based overseas – including outside the EU or the EEA. The countries in question may not have laws in place that protect your personal data to the same extent as in Switzerland or the EU or the EEA. In the event that we transmit your personal data to such states, we are obliged to ensure that your personal data is adequately protected (Arts. 46 and 47 GDPR). This is done through concluding data transmission agreements with the recipients of your data in third-party states, which guarantee the required level of data protection. These include agreements approved, issued or recognised by the European Commission and the Federal Data Protection and Information Commissioner, and referred to as standard contract clauses (legal basis: Art. 46 para. 2 GDPR). Transmission of said data to recipients subject to the terms of the US Privacy Shield Programme – https://www.privacyshield.gov/list is also permitted.

Please contact us if you would like a copy of our data transmission agreements (section 2). You can see an example of the agreements generally used here – https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_de. Under exceptional circumstances, transmission to countries without adequate protection is permitted in other cases, e.g. based on express consent (Art. 49 para. 1a GDPR), to fulfil a contract with the data subject or to process a contract application on their part (b), to conclude or fulfil a contract with somebody else in the interests of the data subject (c), or for the assertion, exercise or defence of legal claims (e).

8. Do we carry out profiling and automated individual decisions?

Profiling’ is the name given to a process whereby personal data is processed on an automatic basis in order to assess, analyse or predict personal aspects; e.g. work performance, financial circumstances, health, personal preferences, interests, reliability, behaviour, place of residence or change in location. We often carry out profiling when selecting job applicants or reviewing contractual partners.

Automated individual decision making’ refers to decisions made on an automated basis, i.e. without any relevant human input, and which may have negative legal implications or other similar negative implications for you. We will inform you separately in the individual cases where we use automated individual decision making and where this is provided for by law.

9. How do we protect your personal data?

We take appropriate security measures of a technical nature (e.g. encryption, pseudonymisation, logging, access restriction, data back-ups, etc.) and organisational nature (e.g. instructions for our employees, confidentiality agreements, checks, etc.) to safeguard the security of your personal data, to protect it against unauthorised or unlawful processing, and to prevent against the risk of loss, unintentional modification, unintentional disclosure or any unauthorised access. However, it is not generally speaking possible to completely rule out security risks; certain residual risks are almost unavoidable.

10. How long do we save your personal data?

We save your personal data in personalised form for as long as is required by the specific purpose for which it was collected; in the case of contracts, said data is generally held for at least the duration of the contractual relationship. We also save personal data where we have a legitimate interest in saving it. This may be the case in particular if we require personal data to enforce or defend against claims, for archiving purposes, in the interests of guaranteeing IT security, or if limitation periods for contractual or non-contractual claims are ongoing. For instance, limitation periods of ten years and, in some cases, five years or one year often apply. We will also save your personal data for as long as it is subject to any statutory retention period. For instance, a ten-year retention period applies to certain data. Short retention periods apply to other data in given situations; e.g. for video surveillance recording or logs of certain online processes (log data). Under certain circumstances, we will ask you for your consent to save personal data for longer periods (e.g. for pending job applications). Following the expiry of the stated periods, we will delete or anonymise your personal data.

11. What rights do you have in connection with the processing of your personal data?

You can object to data processing at any time and generally you are free to revoke consent to any data processing. You are entitled to object in particular to the processing of data in connection with direct advertising (e.g. promotional emails).

You also have the following rights:
Right to informationYou have the right to be provided with transparent, clear and extensive information as to how your personal data is processed and which rights you have in connection with the processing of your personal data. We hereby fulfil this obligation by issuing this data protection policy. If you would like further information, please do not hesitate to contact us (section 2).                
Right of accessYou have the right to request access to any of your personal data held by us at any time, free of charge, provided we process such information. You therefore have the opportunity to check which personal data of yours we process, and that we use said data in accordance with applicable data protection regulations. Under certain circumstances, the right of access may be restricted or excluded, in particular:if we have any doubt as to your identity and cannot identify you;for the protection of others (e.g. to safeguard confidentiality duties or third-party data protection rights);where the right of access is exercised excessively (alternatively, we may request a fee for accessing data in such cases); orif full access would cause disproportionate effort.
Right of rectificationYou have the right to have incorrect or incomplete personal data corrected and to be informed when it has been rectified. In such cases, we will inform the recipients of the relevant data of the changes made, insofar as this is possible and does not involve disproportionate effort.
Right of erasureYou are entitled to have your personal data deleted. You can request that your personal data be deleted if:said personal data is no longer necessary for the intended purposes;you validly withdraw your consent or have validly objected to the processing;said personal data has been processed unlawfully.In such cases, we will inform the recipients of the relevant data of the erasure, insofar as this is possible and does not involve disproportionate effort.Under certain circumstances, the right of erasure may be excluded, particularly if said processing is necessary:to exercise freedom of opinion;to fulfil a legal obligation or if it is in the public interest; orto exercise legal claims.
Right to restriction of processingUnder certain conditions, you are entitled to ask that the processing of your personal data be restricted. This may, for instance, mean that personal data will (temporarily) cease to be processed or that published personal data may (temporarily) be removed from a website. In such cases, we will inform the recipients of the relevant data of the changes made, insofar as this is possible and does not involve disproportionate effort.
Right of data portabilityYou are entitled to receive personal data that you have supplied to us in a legible format, free of charge, provided:said data has been processed based on your consent or is necessary for the fulfilment of a contract; andthe processing has been carried out as part of an automated process.Depending on the individual circumstances, your personal data may be transmitted to you personally or directly to the third-party provider.
Right of appealYou have the right to file a complaint with any competent supervisory authority against the manner in which your personal data is being processed.
Right of revocationYou are generally entitled to revoke any previously granted consent at any time. However, said revocation will not render any prior processing operations carried out on the basis of your consent unlawful.

12. What else should you know?

The GDPR stipulates that the applicable legal basis is stated for each respective data processing operation. Personal data processing is permitted, particularly if

  • it is necessary to fulfil a contract with the data subject or for pre-contractual measures at their request; e.g. review of their contract application (legal basis: Art. 6 para. 1b GDPR);
  • legitimate interests render it necessary, provided the interests or basic rights and freedoms of the data subject do not outweigh these (legal basis: Art. 6 para. 1f GDPR). Legitimate interests include our own interests and those of third parties. These are diverse and may include, for instance, interests in effective customer service, maintaining contact and other forms of communication with customers, including non-contractual communication; in advertising and marketing activities; in better getting to know our customers and other individuals; in improving and developing products and services; in the Group-internal management and Group-internal communication necessary in a group where cooperation is based on a division of labour; in fraud prevention and the prevention and investigation of offences; in the protection of customers, employees and other individuals and data, secrets and assets of the Migros Group; in guaranteeing IT security, particularly in connection with the use of websites, apps and other IT infrastructure; in the safeguarding and organisation of business operations, including the operation and further development of websites and other systems; in corporate governance and development; in the sale or purchase of companies, parts of companies and other assets; in the enforcement or defence of legal claims; in compliance with Swiss law and internal regulations;
  • it is based on valid consent that has not been revoked (legal basis: Art. 4 para. 11 and Arts. 7 and 8 GDPR);
  • it is necessary for compliance with legal regulations (legal basis: Art. 6 para. 1c GDPR).

Stricter limitations apply to the processing of particularly sensitive personal data (see section 3). This is permitted, inter alia,

  • with valid and express consent that has not been revoked (legal basis: Art. 9 para. 2a GDPR);
  • provided it does not relate to personal data openly publicly disclosed by the data subject (legal basis: Art. 9 para. 2e GDPR);
  • where necessary to protect interests (legal basis: Art. 9 para. 2f GDPR);
  • if this is necessary to comply with certain legal regulations (legal basis: Art. 9 para. 2a GDPR).

Similarly, the transmission of data overseas is permitted only under certain conditions. You can find information on this in section 7.

The GDPR also requires that you are informed of whether you are legally or contractually obliged to provide personal data, or whether this is required to conclude a contract, and the consequences of any failure to supply said data. Generally speaking, there is no obligation to disclose personal data to us unless you have a contractual relationship with us that justifies such an obligation (e.g. health questionnaire in a trial fitness session to protect the health interests of the customer). However, we are obliged to collect the personal data necessary or required by law for the initiation and processing of a contractual relationship and the fulfilment of the associated obligations (e.g. due diligence obligations towards our customers). Otherwise, we cannot conclude or continue the relevant contract. Certain data must also be processed during the use of websites. Although you have the option to disable cookies (you will find more information on this in this data protection policy), certain data, but usually not personal data, such as your IP address, must generally be logged for technical reasons.

Under certain circumstances, you may wish or be required to send us third-party personal data. Please note that in such cases you are obliged to inform the relevant individuals of this data transmission and this data protection policy, and to ensure the accuracy of the relevant personal data.

13. Changes to this data protection policy

This data protection policy may be changed over the course of time, in particular if we change our data processing operations or if new legal regulations come into effect. In the event of any significant changes, we will actively inform those individuals whose contact details are registered with us of such charges, provided this is possible without disproportionate effort. However, the respective data protection policy in the version effective as of the start of the relevant data processing operation will, generally speaking, apply to any data processing.
 

22 April 2020    Version 1.2