The members of a fitness center trust the safety concept of its operators. Beginners are introduced to training by the staff, and when the equipment is in use, employees make sure that no accidents happen. One aspect, however, is often forgotten: the security of the data that members provide in order to take out a membership. There should be a sound security concept for this as well.
According to the General Data Protection Regulation (GDPR), health data is considered particularly sensitive data. This also includes weight, height or BMI. This data is often requested when a gym membership is to be taken out. After all, the advice and training are based on this information.
In addition, there are personal data such as name and address and, of course, the bank details used for the membership fee. The gym may also be under video surveillance, which likewise falls under data protection.
All this data must therefore be stored and handled securely. However, it is not uncommon for mistakes to happen in the process, which are often simply due to inattention.
One of the best-known careless mistakes is not deleting the data of ex-members upon request. When someone terminates their membership, they have a right to have all personal data deleted. Forgetting to do so can result in heavy fines.
A gym is usually an open space in which several people, both employees and members, are present at the same time. Consultations and personal training often take place there as well. Trainers, however, often make the mistake of discussing personal and confidential matters with a member in public. This is a privacy violation, because other members should not be able to hear this information.
Another big data pitfall can be a gym’s website. These sites are often outdated and were only created quickly to showcase opening hours and offers, without ever having been made GDPR-compliant (DSGVO-compliant). If interested parties then want to contact the operators via the website, for example through a contact form, their data is not safe.
The first step towards a data-secure gym is secure storage of data and records. This applies to digital data as well as to paper documents. Digital data should be stored on computers protected by passwords or, better, by stronger mechanisms such as two-factor authentication (2FA). Paper documents should always be kept in a locked cabinet or room. This applies to training schedules as well as to personal data.
As mentioned earlier, personal conversations should not be held in public. Think of a visit to the doctor: you don’t want the doctor to leave the door open so that the whole waiting room knows why you are there. Personal consultations and confidential discussions should therefore always take place behind closed doors.
IT security is also important in modern gyms. Smart exercise equipment, for example, stores members’ settings. In most cases, access is granted via a membership card, on which data is also stored. The IT department has to ensure that this data is secure.
Certain rules must also be observed when it comes to video surveillance. For one thing, it is of course not permitted to film locker rooms or showers.
The membership contract must point out that certain areas are under video surveillance. This should also be mentioned verbally before the membership is taken out. To make absolutely sure that everyone is aware of it, it makes sense to place a sign at the entrance pointing out the video surveillance.
Video footage should not be kept for more than 72 hours. The exception is when the recordings are still needed to investigate an accident or a crime. That the recordings are not intended for the public and, like all other data, should be kept under lock and key probably goes without saying.
Data protection in the gym involves more than is apparent at first glance. Implementing secure data processing, however, does not require a great deal of effort; often it is only small mistakes that stand in the way. It is therefore important to train your own staff well and to create a sound security concept for the data.