For the purposes of the applicable EU personal data legislation, the Firstbeat client organization, such as the sports Team is the “data controller” (i.e. the company who is responsible for, and controls the processing of, your personal data – hereinafter “Team”). Firstbeat is the “data processor” on behalf of the Team. Firstbeat provides the Service to professional organizations and not directly to individual athletes.
If you are the coach of such Team, this document contains important information to your athletes about their personal data processing and their rights as data subjects. You need to ensure they are informed of their rights related to processing of personal data and you have their consent to process the data as described here and for your Team’s possible other purposes. Being in the role of the data controller, the sports Team shall be responsible for any and all data controller obligations and duties set forth in the applicable personal data legislation, including but not limited to informing the data subjects about processing, the legal basis for processing and so on.
If you are an athlete, whose data is stored in the Firstbeat system, you are entitled to obtain information from your Team about your data processing as further set forth in the applicable personal data legislation.
Personal data the Team may collect about the athlete in the Service
When you use Firstbeat’s Sports application and related service (“Service”) delivered and offered via Internet to you based on your Team’s order, the Team may obtain personal data about you, or the athlete you define, and process it in the Service, including:
- First name, family name
- Date of birth, gender, height, weight
- Sports team
- E-mail address
- Heart rate and movement information collected by measuring devices
- Activity class, maximum heart rate, resting heart rate, maximal oxygen consumption
- Variables calculated based on the personal data, such as averages
- Language set in your user interface
- Information about the use of the service
Anonymous use of the Service is also available by using a separate anonymous user ID. If you do not have consent of the athlete for storing the athlete’s personal data, you must store the data only with such anonymous user ID which cannot be tracked to any person.
When you have received access to the Service from us or another party, such as your Team, who has ordered the user right to you, at the same time you consent to the Team and Firstbeat processing your personal data in accordance with this Policy and applicable legislation or commit to getting such consent, as needed, from the athletes whose personal data is processed in the Service.
The personal data related to sports performance is stored as part of the provided Service or based on the consent of the data subject. Log data about the use of the Service is stored based on legitimate interests of the Team, Firstbeat and athletes, to ensure for example investigation of security breaches or to be able to prove that the paid service has been delivered.
The purposes for the processing of the athlete’s personal data in the Service are listed below. We hold the athletes’ integrity to the highest standards and only process data which is necessary and relevant.
How the collected information is used
The athlete’s personal data is used in the Firstbeat systems for the purposes of basic Service operations and measures related to user support.
The Team may also use the personal data for other purposes. The Team is responsible for informing the athlete about the use of personal data and for obtaining the athlete’s consent, if necessary for specific type of data.
Basic Service operation is to analyse and interpret sports performance data. The Service uses information of the user’s personal features and heart rate variability to give the specified users of the Team, such as sports coaches, information about the sports performance of the users or athletes. Measures related to user support may include delivery of user account information and new passwords to individual users.
If separately requested by the team, personal data may be processed together with other personal data processed by Firstbeat or its subsidiary companies, such as combining the measurement data with data from other Firstbeat services.
During the processing, an anonymized copy of the data will remain with Firstbeat for statistical and scientific research such as for determining average reference values. Statistical analyses shall only use automatized processes, for which reason no identity pertaining to a given person will be disclosed at any stage of the process.
Description of the group of data subjects
The Team defines and registers the data subjects (athletes and coaches) whose personal data is collected and stored in the Service.
Regular data sources
Data is regularly provided by the registered data subjects (athletes) themselves on their consent or by sports coaches of their Team, by uploading data from measuring devices or by entering information in a web interface. The Team is responsible for obtaining any necessary consents of the athletes.
Period of storing the personal data
The Team determines the period of storing the personal data. On Firstbeat side the period for which the personal data will be stored shall be three (3) years after the end of the Team’s customer relationship with Firstbeat, unless the Team or data subject destroys or requests us to destroy the data earlier. The personal data is only kept in order to make it available as reference values for future measurements. The personal data should, in any event, be destroyed by the Team upon the data subject’s request to the Team.
Main principles of protection
Firstbeat will protect the processed personal data so that only the authorized personnel have a right to process the personal data. Your personal information may be accessed only by our authorized personnel, yourself or the coaches of your sports Team which the Team has defined.
Firstbeat will use technical and organisational measures to safeguard your personal data during the processing, for example access to the athlete’s data is controlled by a password protection and individual user ID, the staff participate security trainings, the applications are designed in a secure way and the physical premises, where the technical systems are located and administered, are secured.
While Firstbeat will use all reasonable efforts to safeguard the athlete’s personal data, you acknowledge that the use of the Internet is not entirely secure and for this reason Firstbeat cannot guarantee the security or integrity of any personal data that is transferred from you or to you via the Internet.
Transfer of the personal data
Firstbeat will not disclose personal data without the athlete’s permission outside Firstbeat’s organization. Notwithstanding the above, we may however use third parties as sub-processors (including our current and future subsidiary companies and subcontractors) in accordance with applicable privacy legislation. Firstbeat will also not disclose personal data in a way that certain information could be identified to pertain to an individual, except in the following exceptional circumstances: if required by any ruling of a governmental or regulatory authority or court or by mandatory law, or if it is otherwise necessary for the purposes of preventing or finding out any breach of law, user terms or good practices or to protect our or third party’s rights.
Transfer of data out of the EEA
Heart rate data will be analysed at Firstbeat’s server located in EU, and by using the Service you give the Team a permission to analyse the data subject’s personal data in the Firstbeat service in accordance with this Policy and ensure that you fulfil your local legal requirements, including consent, to get the data processed this way. The data may be accessed by authorized Team’s users anywhere in the world. If you are located outside the EU or the EEA or if you provide processing of the personal data outside the EU or the EEA due to e.g. your location, you shall ensure you have the data subject’s consent or you are otherwise legally allowed to transfer the data to Firstbeat systems in Finland or elsewhere in the EU or the EEA or to such country outside the EU or the EEA in question and shall comply with any legal requirements for such transfer, unless otherwise agreed.
Access to the Service may require use of a web store of a third party. Firstbeat is not a party of such web store or any prospective contract between you, your Team and the web store administrator. By using such web store you consent that the Team, Firstbeat or third party may transfer the data subject’s personal data to countries outside the EEA on behalf of the Team. Information collected by third parties is governed by their privacy practices, which your Team should provide to you and the athlete and which we encourage you to learn.
Rest assured that Firstbeat will always ensure any transfer is subject to appropriate security measures to safeguard the processed personal data during the transfer.
The Team is responsible for any personal data it stores outside the Firstbeat systems.
Data subject’s rights
If your Team operates in the EU area, the data subject (athlete) has the right to request access to the personal data that your Team may process about the data subject in accordance with the applicable personal data legislation. The athlete also has the right to require the Team to correct any inaccuracies in his/her data free of charge or to request the erasure of data in certain cases. In certain case, the data subject has also the right to request from the controller restriction of processing of personal data or otherwise object the processing. Furthermore, data subject may in certain cases have right to require transmission of the personal data. The data subject also has the right to prohibit processing of personal data for direct marketing purposes.
If the data subject wishes to exercise these rights, they should contact their Team contact person who has given them the measuring devices or access to the system.
The athlete may withdraw the consent to the processing of his/her personal data at any time, in which case they must contact their Team and Firstbeat may not be able to provide the Services to them. They also have the right to complain to a supervisory authority, if they consider the personal data processing to infringe the EU GDPR regulation.
Our contact details
We welcome your feedback and questions. If you wish to contact Firstbeat, please send an email to firstname.lastname@example.org or you can call us on +358 84 154 1541.
Firstbeat’s contact details are as follows: Firstbeat Technologies Oy (business ID 1782772-5), Yliopistonkatu 28 A, 40700 Jyväskylä, Finland.
Firstbeat follows the changes in legislation and authorities’ guidelines and develops the Service, and hence we may change this Policy from time to time. You should check this Policy occasionally to ensure you are aware of the most recent version that will apply each time you use the Service.
This document has been updated in May 2018.