Purpose of data processing

Processor, including its employees, agents, subcontractors and representatives, will only use Personal Data for the purposes of performing its services. The specific purposes are:
- Enabling Controller to provide its services, e.g. coaching, personal training, teaching, corporate health services, and improving the quality of the service.
- Implementing appropriate measures designed to ensure the security and confidentiality of Personal Data.
- Protecting Personal Data against any known or anticipated threats or hazards to the security or integrity of such information, and protecting against unauthorised access to, or use of, Personal Data that could result in harm or inconvenience to any individual.

Type of personal data
- Basic personal information (e.g. name)
- Contact details
- Bank details (limited)
- Product information (e.g. membership information)
- Account status information
- Personal account settings (e.g. language preference)
- Profile information (e.g. profile pictures)
- Log-in information (e.g. password)
- Training information
- Progress information other than training information (e.g. weight)
- Coach information (e.g. client goal)
- Communication information (e.g. community posts)
- Purchase information (e.g. membership purchases)
- Visit / facility access information
- Booking information (e.g. lessons scheduled)
- Questionnaire information
- Marketing information (e.g. newsletter)
- Other connected information (e.g. uploaded files)

Data subjects
- Staff, including volunteers, temporary and casual workers; and
- Clients and patients, including, but not limited to, sportsmen and employees.
Our processor company is committed to ensuring the following regulatory compliance. Processor meets the following general requirements:
- Ensuring that a security team focused on managing and maintaining Processor's information security program is in place;
- Maintaining an organisational diagram outlining the roles and responsibilities of all individuals performing security functions; and
- Obtaining and maintaining an industry-standard, comprehensive Information Security Program.

Operational security

Processor documents and maintains a comprehensive Information Security Policy that is communicated to all personnel and to all other parties permitted to have access to Personal Data. In addition, Processor:
- Requires personnel and all relevant other parties to acknowledge and adhere to its security policies and practices when accessing and handling Personal Data; and
- Formally reviews (and updates when applicable) all security policies at least annually.

Security awareness

Processor maintains a security awareness training program for all personnel that covers at least i) the nature of Personal Data, ii) proper methods for handling, protecting, transferring and storing Personal Data, iii) procedures for reporting security incidents, and iv) consequences for failing to comply with the Information Security Policy. Processor ensures that each member of its personnel completes the security awareness training upon employment and at least annually thereafter. If any faults or omissions in the security awareness training are detected, Processor will update the training accordingly in a timely manner.

Human resources

Processor is responsible for performing background checks on all employees. Baseline requirements for background checks can include past employment verification, verification of education, reference screenings and social media screenings.

Encryption

Processor enforces encryption for the transmission and storage of Personal Data.
Processor complies with applicable international and national standards, as well as all Dutch legal and regulatory controls. Processor securely manages all cryptographic keys and certificates in accordance with documented control requirements and procedures consistent with current industry best practices and Processor's Information Security Policy, and protects Controller's data from unauthorised access or destruction.

Access control
- Processes are documented and enforced to ensure all Personal Data is anonymized after a set period of time once the owner has become inactive;
- User accounts can be made inactive manually at any time;
- Reconciliation of system accounts to existing users is performed at least annually;
- Unique user IDs and passwords are used for all Processor's personnel;
- Processes are documented and enforced to review and track user privileges when a user changes job roles/responsibilities;
- A compiled list of personnel with administrator privileges and other high-level privileges is maintained;
- The system enforces user account lockout after a maximum number of login attempts to prevent password guessing attacks.

Password management

Processor maintains policies ensuring that its systems, user accounts, all supporting service accounts, and all management protocols supporting authentication adequately provide the following password management controls:
- Authentication mechanisms that cannot be bypassed to gain unauthorised access to systems; and
- Authentication data such as passwords is stored in an encrypted form that does not allow the authentication data to be recovered in readable form.

Data protection

Processor stores all backup and archival media containing data in secure, environmentally controlled areas.