The General Data Protection Regulation (GDPR) is the talk of the day for many (EU) organizations. You as a yoga studio, might have read a lot about this already, or you are still worrying about what steps you need to take.
In this article we will cover a few things to keep in mind as GDPR approaches and provide you with some insights. By the end of this read we will summarize what steps you should take to make your yoga studio ready for the GDPR.
What is GDPR?
On May 25th, the new privacy legislation, the GDPR, applies in all European countries. The GDPR seeks to give consumers more control over how organizations use their data. From that date on, every organization is obliged to keep a register of all processing of personal data.
How does it affect my yoga studio?
‘Controllers’ and ‘processors’ of data need to abide by the GDPR. A data controller states how and why personal data is processed, while a processor is the party doing the actual processing of the data. Momoyoga, in this case, is the processor. The studio or individual teacher would be the controller of the personal data.
As an EU-based yoga studio, you would need to set up a register of the processing of personal data.
Does it affect my yoga studio outside of the EU?
For controllers and processors based outside the EU, the GDPR still applies as long as you are dealing with data belonging to EU citizens. In short this means that if your yoga studio is based outside the EU, you do not likely need to keep a register of the processing of personal data by law.
The Privacy Statement and General terms of Momoyoga will apply, as Momoyoga is based in the EU, and is the processor of all data.
What is this register of processing personal data?
The register of processing personal data is an important instrument for your accountability. It is mandatory to show you are protecting the personal data of your yogis and you are processing the data in a trustworthy way; is the data you are registering necessary to ensure the quality of your way of teaching and personal approach? Once the legislation comes into effect, the yoga studio must ensure personal data is processed lawfully, transparently, and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted.
How do I set up this register?
The register needs to be held for your own administration. It is proof of how you are dealing with, and protecting personal data of your yogis. You can decide for yourself how to set up the register, but the law does require the following information to be included:
- Your name and contact details:
- your yoga studio name and representative;
- other organisations which you might share information with;
- the name of the Data protector officer, if you have assigned one;
- The purposes of which you process the personal data. For example: benefit recipients, customers or quality of your instructions;
- A description of the categories of personal data. Such as name and address details, telephone numbers, comments and information on injuries or points of attention;
- The date on which you must delete the data (if known and if applicable);
- Who can access the personal data, and why this person needs this access;
- Do you share the data with a third party or an international organisation in a country outside the EU? Then you must indicate this in the register;
- A general description of the technical and organizational measures you have taken to secure personal data that you process.
Setting up this register could take some of your time, but you can see it as an opportunity to take a good look at what you are doing with data and what measures you have taken to protect the personal data of your yogis.
How does this affect the yogis from my yoga studio?
The yogis have the right to access their data and they have the right to be ‘forgotten’. Meaning upon request, personal data needs to be deleted. It is the responsibility of the yoga studio to do so.
Data that is not necessarily required to have yogis sign in, attend classes, make payments and receive the right attendance during class, should be deleted or should not even be processed. Having that said, if you can declare why you need to save certain data, for example to successfully instruct a yogi attending a class, you are allowed to keep this data in file. Note that it is important that the yogi has registered with your studio with full consent.
Is Momoyoga as processor compliant?
In preparation of the GDPR, Momoyoga has created a Privacy Statement to explain what personal data is being processed, why this data is required and how it is protected. This Statement also explains who is responsible for which data. In addition we have updated the General Terms.
Momoyoga is going to present a processor agreement to all EU studios, which will need to be agreed with by all EU studios. This agreement will specify who is responsible for which data regarding processing and controlling personal data. This agreement will be supplied to all studios before the 25th of May.
Momoyoga has run a Data protection impact assessment and has set up a register on how they process and protect personal data. With the processor agreement Momoyoga wants to establish transparency about who is responsible for what. As the controller of data Momoyoga is obliged to do so.
- Momoyoga has updated the General Terms with additions to be compliant with the GDPR;
- Momoyoga has added a Privacy Statement which applies to the use of Momoyoga;
- Momoyoga will present a processor agreement to all EU based yoga studios;
- As a yoga studio you need to set up a register for processing personal data, as described above in this article.
Feel free to reach out to us if you have any questions about GDPR. We’d be happy to help you and your yoga studio. You can also find more information about GDPR here:
Please note, this blog is our interpretation of the new GDPR legislation and is not legal advice.