How GDPR Affects You as a Service Provider of Firstbeat Technologies

The General Data Protection Regulation (GDPR) is the new data privacy regulation of the European Union (EU). The regulation came into effect on 25 May 2018. It affects your activities as a service provider if you operate in the EU area. This letter explains what kind of changes and effects the GDPR will have on you.

The GDPR defines the rules for handling personal data within the EU. It replaces the previous national rules of data protection with one standard that applies across the EU. Personal data is any information that relates to an identified or identifiable individual. Whenever personal data is handled, there needs to be a lawful justification behind it. There are additional requirements for dealing with health-related personal data, which is a special category of personal data under the GDPR.

The GDPR was designed to protect and empower private persons with respect to their personal data, and to simplify the regulatory environment for international business by unifying the regulation within the EU. Some of the main points of the regulation are the right of individuals to have access to their personal data, and the rights to have that data rectified and erased. In most EU countries these rights are stronger than under the earlier national law. There are also increased responsibilities for parties handling personal data to inform the data subjects of their rights as well as of how and why their personal data is being processed.

As a service provider, you are the data controller and have the corresponding responsibilities under the GDPR, including informing your customers (end users) how their personal data is handled. To achieve this, you need to create your own privacy policy documentation. We offer this sample template to help you in this process. Additional information resources can be found on our website: www.firstbeat.com/en/privacy/.

The information should be available to your customers when providing the service, for example on your website.

Responsibilities

Informing data subjects of the processing of their personal data and of their rights: As a service provider, you need to inform your customers (end users) how their personal data is used and what their rights are. Create GDPR-compliant privacy policy documentation and keep it up to date. The information must be presented to your customers when providing the service, for example on your website.

Right to erasure of personal data: If an end user asks you to delete the measurement data collected with the service of Firstbeat Technologies Oy, you as the service provider need to erase the end user's profile in the Lifestyle Assessment software. The right to erasure covers all personal data you hold on that person, so remember to also delete any copies of their reports or exports that you have stored outside the software.

Retention time of personal data: The period for which the personal data will be stored, or the criteria used to determine that period, needs to be defined, and the end user's profile needs to be erased accordingly. For example, Firstbeat Technologies Oy keeps its own end users' profiles for 18 months so that they can be used in possible follow-up measurements, and deletes them if there are no follow-ups.

Portability of personal data: If an end user requests a copy of their measurement data, you can retrieve it from the Lifestyle Assessment software. Under the GDPR the data must be provided in a structured, commonly used and machine-readable format. If the end user requests data from multiple measurements, please contact Firstbeat technical support.

Notification of a data breach: A personal data breach is a security incident that leads, intentionally or inadvertently, to the destruction, loss, alteration or unauthorized disclosure of personal data, or to unauthorized access to it, for example personal information leaking to third parties. If a personal data breach occurs, you need to inform the data protection authority without undue delay, and where feasible within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to the affected persons, you must also inform the impacted end users.

This will surely raise some questions, and we are here to help you. Please send your questions to palveluntarjoajat@firstbeat.com.