Privacy Regulations Fitsurance

The purpose of this privacy regulation is to inform you how Fitsurance IN deals with personal data of persons who use our services and/or advice. Fitsurance offers services that give you insight into your physical fitness. Fitsurance respects your privacy and ensures that the personal data is treated confidentially, carefully and in accordance with applicable (privacy) legislation.

Fitsurance does not process more personal data than necessary for the performance of its services or other purposes as defined in this Regulation. Fitsurance strives for the accuracy, completeness and relevance of the processed personal data. Personal data is only accessible to Fitsurance employees, or parties with whom Fitsurance cooperates, if you have given your consent.

For further information and questions about privacy protection, please contact the Information Protection Officer (FG) of Fitsurance.

These Regulations will be adopted in March 2020.

DEFINITIONS

Personal data

All information about an identified or identifiable natural person (“the data subject”); an identifiable natural person is one who can be identified directly or indirectly, in particular by means of data such as a name, an identification number, location data, an online identifier or one or more elements characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

Processing

An operation or a set of operations relating to personal data or a set of personal data, whether or not carried out through automated processes, such as the collection, recording, organizing, structuring, storing, updating or modifying, requesting, consulting, using, providing by means of transmission, dissemination or otherwise making available, aligning or combining, shielding, erasing or destroying data.

File

Any structured set of personal data accessible according to certain criteria, whether centralised or decentralized or distributed on functional or geographical grounds.

Person concerned

The person to whom personal data relates: the person who purchases services and/or advice from Fitsurance.

Controller

Fitsurance is the party that determines the purpose and means for the processing of personal data and is therefore responsible for processing your personal data.

Processor

A natural or legal person, a public authority, a service or other body that processes personal data for the benefit of the controller.

Third party

A natural or legal person, not the data subject, neither the controller nor the processor nor the persons authorised under the direct authority of the controller or processor to process the personal data.

Receiver

A natural or legal person, a public authority, a service or other body, whether or not a third party, to whom the personal data are provided.

Consent of the data subject

Any free, specific, informed and unambiguous expression of will with which the data subject (the client) accepts, by means of a statement or an unambiguous active act, the processing of personal data concerning him or her.

Supervisory authority

In the Netherlands the Dutch Data Protection Authority (AP).

ARTICLE 1 APPLICABILITY

  1. The privacy regulations apply to the processing of personal data by Fitsurance B.V. This covers the wholly or partially automated processing of personal data, as well as the non-automated processing of personal data contained in a file or intended to be included in one.
  2. Fitsurance has an overview of the processing of personal data. This overview is updated periodically.

ARTICLE 2 PERSONAL DATA COLLECTED

  1. When we provide you with services, we process the following data:
  • Name and address data (NAW);
  • Date of birth;
  • Telephone number (mobile/fixed);
  • Email address;
  • Sex;
  • Data about your health that we measure (process):
    • Cholesterol (total fat profile)
    • Blood sugar
    • Hemoglobin and Hematocrit
    • Oxygen saturation level
    • Anthropometry (measuring to the body; height, weight, circumference)
    • Blood pressure
    • Grip strength
    • Well-being questionnaire (appetite, stress, sleep, vitality, happiness)
    • Daily physical activity
    • Endurance
    • Lung function data;
  • Data on medicines and devices;
  • Information about your job;
  • Information that you provide to us yourself, for example in the contact form.
  2. The data we collect is added to your overview, which contains data obtained through:
  • Measurements made by Fitsurance employees;
  • Providing data by yourself to Fitsurance employees.

ARTICLE 3 PROCESSING PURPOSES

Your personal data will be processed by Fitsurance for the following purposes:

  • Executing the agreement(s) concluded with you for the delivery of our services;
  • The administration and other activities of internal management;
  • Calculating, recording and collecting amounts due, including the placing of claims in the hands of third parties;
  • To be able to get in touch with you and respond to questions you have asked;
  • To inform you about services of Fitsurance;
  • Handling your request for information;
  • To improve the website and service of Fitsurance;
  • To comply with legal obligations, such as our administrative and retention obligations;
  • Dealing with disputes and carrying out audits;
  • To enable anonymised scientific research.

ARTICLE 4 LEGAL BASES FOR PROCESSING

The legal basis for the processing we carry out lies in:

  • The implementation of the agreement (service/advice);
  • The consent you give;
  • Meeting legal obligations;
  • The promotion of legitimate interests of Fitsurance or a third party (e.g. security of the website and ICT services).

ARTICLE 5 PROVISION OF PERSONAL DATA TO THIRD PARTIES

  1. Fitsurance can only provide personal data to a third party with your written consent, unless the provision of your personal data to a third party is necessary to implement a legal requirement.
  2. In the context of scientific research and statistics, personal data may only be provided without your consent if:
  • The investigation serves a public interest;
  • Processing is necessary for the relevant examination or statistics;
  • Asking for explicit consent is impossible or takes a disproportionate effort;
  • Implementation shall provide for such safeguards that your privacy is not disproportionately harmed and you have not expressly objected to the provision of benefits.

ARTICLE 6 TRANSFER OUTSIDE EUROPE

Your personal data is not processed in countries outside the EEA.

ARTICLE 7 REGISTER OF PROCESSING

Each individual processing operation is recorded in a register, including:

  • The categories of personal data that are processed;
  • What types of personal data are processed;
  • What the legal bases for processing and processing purposes are.

ARTICLE 8 ACCESS TO PERSONAL DATA

  1. Employees only have access to the data that is necessary for their tasks in the context of our services.
  2. Employees and/or trainees are obliged to keep confidential the personal data of which they become aware, except where a legal requirement obliges them to make a communication or if their duties result in the need to make a communication. This confidentiality applies both during the working time at Fitsurance and after the termination of employment.
  3. Employees responsible for carrying out technical work are required to keep confidential all personal data that comes to their knowledge. An exception to this is if a legal requirement obliges these persons to make a communication or if their duties result in the need to make a communication.

ARTICLE 9 RETENTION PERIODS

  1. Fitsurance does not store your personal data for longer than is necessary for the purposes defined above, unless such data are necessary to comply with a legal retention requirement.
  2. This retention period shall be:
  • Two years for health data;
  • Seven years for financial processing;
  • For scientific research, anonymised data are kept for a maximum of ten years.
  3. If the retention period of the medical data has expired, the relevant data shall be destroyed within a period of 3 months.
  4. Destruction of medical data is omitted where it is reasonably plausible that the preservation is necessary in the context of good service to you, or where there is a legal obligation to preserve it.

ARTICLE 10 PERSONAL DATA SECURITY

  1. Fitsurance takes appropriate technical and organizational measures to protect your personal data from loss or against any form of unlawful processing. In this way, we ensure that only the necessary persons have access to the data, that access to the data is protected and that our security measures are regularly monitored. Persons who have access to your data on behalf of Fitsurance are bound to secrecy.
  2. Annex 1 sets out Fitsurance’s principles for information security.

ARTICLE 11 YOUR RIGHTS

  1. Right of access

As a data subject, you are entitled to access and copy your data, unless this information contains information about another data subject who opposes the provision of access or a copy.

  2. Right of correction and removal

You have the right to have data changed or even deleted if the data is no longer correct, or if the processing is no longer justified. In addition, you have the right to request destruction/deletion of your data from Fitsurance.

Data cannot be deleted where destruction is contrary to a legal requirement or where the destruction harms a significant interest of a person other than the data subject.

  3. Right of objection

You have the right to object to certain processing of personal data. You have this right in all processing operations that are not based on (1) your consent, (2) taking pre-contractual measures at your request and/or implementing the agreement concluded with you, (3) meeting legal obligations or (4) protecting vital interests of yourself or others.

If you object to other forms of processing of your personal data, Fitsurance will assess whether we can respond to your objection. In that case, it is up to Fitsurance to show that, despite your objection, we still have a legitimate interest in continuing to process the personal data. If this consideration of interests is in your favour, Fitsurance will cease the processing of personal data.

You can make your objection known by filling out the online form on our website.

  4. Right to restriction

Under certain circumstances, you also have the right to restrict the processing of your personal data. In short, Fitsurance temporarily “freezes” the processing of the data. You can submit a request in writing to the FG of Fitsurance. This can be done in the following three situations:

  1. Pending the assessment of an application for correction;
  2. If Fitsurance no longer needs the data while you still need the data to prepare for a court case; and
  3. Pending the assessment of an objection.

  5. Right to data portability

You have the right to receive (back) the personal data you provide to Fitsurance in a common file format. This right applies only to the personal data that Fitsurance processes on the basis of your (presumed) consent or an agreement concluded with you. Moreover, the right applies only to the data that Fitsurance already processes in digital form (i.e. not for analogue processing). You are free to then pass that information on to another party. If there is a link between the systems of Fitsurance and the systems of the third party to which you want to (have) the data passed on, Fitsurance can take care of this transfer on your behalf.

  6. Automated individual decision-making

Fitsurance does not use automated decision-making and/or profiling.

ARTICLE 12 WITHDRAWAL OF AUTHORISATION

  1. For the purposes described above, Fitsurance processes your data on the basis of your consent. You have the right at all times to revoke consent once given. Fitsurance will then stop processing immediately. You can make this request to our FG. You can find the contact details of the FG at the bottom of these Privacy Regulations.
  2. The withdrawal of the consent has no retroactive effect. All processing that has already taken place will therefore remain valid.

ARTICLE 13 ANSWERING REQUESTS TO EXERCISE RIGHTS

  1. The exercise of rights is free of charge.
  2. You exercise the rights by filling out our form online with your request, or by contacting our FG. You can find the contact details of the FG at the bottom of these Privacy Regulations.
  3. Fitsurance answers your questions/requests in principle within 30 days. Due to the complexity of the requests and/or the number of requests, the total answer period may increase to three months. You will be informed of this in good time.
  4. Fitsurance can ask for further proof of your identity in all questions/requests.
  5. The rights described above are not absolute rights. Fitsurance assesses every request. If Fitsurance is unable to comply with a particular request, Fitsurance will inform you of this, stating its reasons. You can go to the Dutch Data Protection Authority if you disagree.

ARTICLE 14 COMPLAINTS

  1. If you believe that the provisions of these regulations and/or laws and regulations are not being complied with, you can contact the Information Protection Officer of Fitsurance.
  2. You are also free to file a complaint with the regulator. The supervisory authority for the processing of personal data (GDPR) and your privacy is the Dutch Data Protection Authority. You can find the contact details of the Dutch Data Protection Authority via the website autoriteitpersoonsgegevens.nl.

ARTICLE 15 AMENDMENTS

  1. Fitsurance has the right to make changes to these Privacy Regulations. These changes will be announced on the Fitsurance website.
  2. Fitsurance may process your personal data for new purposes that are not yet listed in these Privacy Regulations. In that case, we will contact you before using your data for these new purposes, to inform you of the changes to our personal data protection regulations and to allow you to refuse your participation.

FITSURANCE CONTACT DETAILS

If you have any questions about these Privacy Regulations or wish to invoke one of your legal rights, please contact us with the following information:

Via our online form or by email

By post at

  • Fitsurance B.V. D-lab room P246, De Boelelaan 1085, 1081 HV Amsterdam.

ANNEX 1 PERSONAL DATA SECURITY

Fitsurance is the controller for the processing of personal data. As a result, it complies with certain security requirements, which are also required by laws and regulations. Fitsurance uses the following requirements in the implementation and application of its information security.

  1. Fitsurance has an active policy on security awareness of management and employees.
  2. Fitsurance has rules of conduct for the use of (general) information services. Compliance with these rules of conduct is monitored.
  3. In the case of violation of the regulations for information security and/or relevant legal provisions, the management can impose a penalty within the possibilities of the law and (employment) agreements.
  4. Measures have been taken to ensure the physical security of people and resources, including confidential information and equipment on which this information is stored.
  5. Measures have been taken to ensure the security and management of operational information and communications facilities. Measures against all kinds of malicious software (computer viruses, spam, spyware, etc.) are an important part of this.
  6. Laptops and (external) hard drives are protected with passwords, and participants’ data is stored in a computerized way. In addition, a secure cloud environment is used to store all data.