Zbodyfit is a service/platform provider primarily for national associations in the field of fitness and bodybuilding (hereinafter referred to as "Associations"). Associations process personal data of their members and competitors as separate data controllers through the Platform. Zbodyfit is acting on behalf of Associations as their processor. Data protection agreement pursuant to Art. 28 GDPR is part of the general terms and conditions applicable to the use of the Platform (the "GTC"). In these cases, the processing of personal data is carried out under the law applicable to the Association.
At the same time, Zbodyfit is a data controller in relation to members, competitors or registered users of the Platform, due to the fact that we constantly evolve, improve and administer the Platform as well as due to the fact that some contestants are not associated in Associations (WORLD) but still use the Platform as other sportsmen. In these cases, the processing of personal data is carried out the Slovak law. We explain our status separately in relation to each processing purpose below.
In case of questions regarding the processing of personal data, please feel free to contact us at firstname.lastname@example.org or by post at the address of the company: Štermenská 1281/56, 92523 Jelka, Slovakia.
If you are a member of the Association, we process your personal data in the name of your association as its processor, typically for the following purposes:
|1. Maintaining records of the Association’s members||Consent according to Art. 6 (1) a) GDPR and/or contract fulfilling according to Art. 6 (1) b) GDPR.||Through the Platform we allow Associations to keep online records of their members. Such processing of personal data may also include recording the competition history of a member of the Association, together with its results, the actual weight of the competitor at the time of the contest, the photo, etc.|
|2. Organisation and evaluation of competition events||Consent according to Art. 6 (1) a) GDPR and/or contract fulfilling according to Art. 6 (1) b) GDPR.||Associations use our Platform primarily for the purpose of organizing and evaluating competition events related to fitness and body building.|
|3. Sending marketing communication (newsletter/SMS)||Legitimate interest according to Art. 6 (1) f) GDPR or consent according to Art. 6 (1) a) GDPR.||In some cases, Associations use our Platform to inform about their activities, the discounts, benefits or products and services of Associations or third parties, and the communication may constitute direct marketing communications to which your prior consent is required under the relevant legislation. In some Member States, sending such communications to existing customers is permitted (in Slovakia e.g. section 62 (3) of the Electronic Communications Act).|
|4. Statistic purposes||Any legal basis for original purposes in connection with art. 89 GDPR.||When using the Platform, the Association may ask us to compile statistical indicators and other aggregated statistical data that can be obtained only as a result of the processing of personal data.|
However, the above stated information is only indicative and each Association is entitled to define the purpose and legal basis of the processing by other means and with different manner. Given that the processing of personal data in the above cases primarily corresponds to Associations as separate controllers, we refer you to more information provided by Associations themselves. As the Platform provider, we allow Associations to place their own privacy policies in their own description profile on the Platform. If Associations submit their own information, they shall take precedence over the information given here.
If you are a registered user of this Platform, we process your personal information as the controller for the following purposes:
|1. Development, improvement and testing of Platform||Legitimate interest according to Art. 6 (1) f) GDPR||Your personal data and/or data including personal information (e.g. the way you use the Platform) are also important for further development, improvement and testing of the Platform, which we consider to be our legitimate interest.|
|2. Raising awareness in the online environment||Legitimate interest according to Art. 6 (1) f) GDPR||If we operate our own profiles on social networks (e.g. Facebook) we rely on our legitimate interest of raising awareness about the Platform in the online environment. It will also be possible that we process personal data when website´s visitors interact with icons and plugins of social networks such as Facebook, which are integrated into our site or in our communications through contact forms available at our websites. This may be the case when you write us suggestions, comments or ask us to answer your questions.|
|3. Informing the community about competition results||Legitimate interest according to Art. 6 (1) f) GDPR||We are part of the bodybuilders’ community. We realized that there were not enough historical and transparent resources about the sports results in this area. In accordance with the Platform’s focus and interests of registered members, we collect, enrich and publish the results of sports fitness and bodybuilding competitions not just about our registered members but also about other athletes. Informing the community about the results of competitions we consider to be the legitimate interest of us but also legitimate interest of third parties (community of bodybuilders). This service is only available to registered users of the Platform.|
|4. Provision of the services of registration to competition||Contract fulfilling according to Art. 6 (1) b) GDPR.||If you are not registered in any Association but you are registered on a Platform to be able to sign up for contests, we process your personal data to a similar extent as do Associations for the purpose of signing its members on the competition. We do so on basis of your acceptance of our GTC, which constitute a contract between us and you.|
|5. Security of personal data and IT systems||Fulfilling of legal obligations according to Art 6 (1) c) GDPR||As the controller, we have the obligation under the GDPR to ensure an adequate level of protection of personal data we process. In ensuring our internal IT security, we may process personal data not only about users of our IT systems within log management, but also about visitors of the website www.zbodyfit.com and related sites (e.g. when blocking IP addresses causing a cyber-attack in progress).|
|6. Statistics||Any legal basis for original purposes in connection with art. 89 GDPR.||In accordance with the conditions of Art. 89 GDPR, we process personal data obtained for the above purposes and based on the above legal bases for statistical purposes as well. The result of such processing is never personal data but aggregated/anonymous information (such as how many customers we have or economic statistics).|
We process personal data as the controller for the following general or typical business-related purposes, but not directly related to the Platform:
|1. Fulfilment of the various legal obligations||Legitimate interest according to Art. 6 (1) f) GDPR||For example, the processing of personal data when handling data subject requests under the GDPR, handling of complaints, fulfilment of various obligations arising from Act No. 440/2015 Coll., the act on sport, as amended.|
|2. Performance of contractual obligations (contract agenda)||Contract fulfilling according to Art. 6 (1) b) GDPR, if the contractual party is a natural person and legitimate interest according to Art. 6 (1) f) GDPR, if the contractual party is a legal person.||As the controller, we process personal data necessary for the performance of various contracts concluded with natural or legal persons such as purchase contracts, license agreements, contracts for work, mandates/orders, advertising contracts, etc.|
|3. Accounting and tax purposes (accounting agenda)||Fulfilling of legal obligations according to Art 6 (1) c) GDPR||The accounting and tax regulations provide us with the obligation to process personal data contained within an accounting documents, records or documents (e.g. within invoices).|
|4. Establishment, exercise or defence of legal claims (legal agenda)||Legitimate interest according to Art. 6 (1) f) GDPR||In some cases we must establish, exercise or defend our legal claims within court or off-court settlement or report certain facts to public authorities (judicial officers or criminal investigators) which we regard as our legitimate interest. This processing typically contains typical legal department agenda, including communication and providing an assistance to public authorities, exercising rights in legal proceedings, preparation, review or retaining of agreements etc.|
We take the confidentiality of your personal data very seriously and have rules in place to ensure that your data is only shared with authorized personnel at our company or a verified third party. Our admins might have access to your personal data on a strictly need-to-know basis typically governed and limited by function, role and department of the employee.
Personal data of our clients, employees, business partners or other natural persons are provided to the extent necessary to following categories of recipients:
Where we use processors to process personal data, we verify that they meet the requirements of an organizational and technical nature to ensure the appropriate security of the processing of your personal data GDPR. If we are requested by the public authorities to provide your personal data we examine the conditions laid down in the legislation to accept the request and to ensure that if conditions are not met, we do not adhere to the request.
By default, we restrict any cross-border transfers of personal data to third countries outside the EU and/or the European Economic Area, if this is not necessary. However, some of our sub-vendors or the above-mentioned recipients of personal data may be established, or their servers may be located in the United States of America (USA). The US is generally considered to be a third country which does not ensure an adequate level of personal data protection. However, companies that are certified according to the EU-US privacy Shield (EU), approved by the Commission (EU), are considered to be undertakings ensuring an adequate level of protection. Any transfer of personal data outside the EU and/or the European Economic Area shall take place only in the strict observance of the GDPR. In our circumstances, there is a particular cross-border transfer of personal data to third countries not guaranteeing an adequate level of protection of personal data in the use of services of different recipients from following categories: (i) social network providers (e.g. Facebook), (ii) Payment Services providers (e.g. PayPal), (iii) providers of tools for the analysis, processing and storage of data (e.g. Google Analytics). In all of the above cases, cross-border transfers of personal data to the United States take place in accordance with the European Commission's decision establishing the so-called Privacy Shield . Verification of the data recipient's certification can be found here: (URL: https://www.privacyshield.gov/list). In general, if there is need to carry out cross-border transfers of personal data, we always ensure that third party recipients are either certified according to Privacy Shield, we will use standard contractual clauses approved by the Commission (EU) or require meet other reasonable guarantees
Since we allow each Association to use the Platform regardless of which third country the Association originates from, there might be cross-border transfers of personal data to third countries not ensuring an adequate level of protection (e.g. Albania, Bosnia and Herzegovina, Macedonia, Kenya). From legal perspestive, however, by running the Platform, we do not transfer your personal data to these countries, since the processing of personal data is already taking place in these countries. However, your Association or you may send your personal data to the organizer in a third country through the Platform. This is done on the basis of the Association relationship with the organizer (for which we are not responsible) or on the basis of your request, which we consider to be your consent or the performance of the contract (GTC) within the meaning of art. 49 (1) (b) b) and (d). c) GDPR.
If we process your personal information as the processor of the Association for its purposes, we will never process it longer than the termination of the contractual relationship between us and the Association and/or the issue of the Association´s instruction to terminate the processing of your personal data. If you want more information on retention periods relating to the purposes where the Associations are acting as controllers, please contact the respective Association.
If we process your personal information as the controller, we must not and we do not want to store your personal data for longer than necessary for the given purpose of processing that we inform you above Retention periods are either provisioned in respective laws or are set out by us in in relation to specific purpose.. The Platform has been designed in accordance with the principles of privacy by design pursuant to Art. 25 (1) GDPR, so it has built-in automatic restrictions on the retention of personal data. For example, if the user does not sign in a given calendar year, he/she is automatically considered inactive. If the user does not sign during whole year his/her inactive participation is confirmed and his personal data is erased.
The general periods of retention of personal data defined by us for the processing of personal data are as follows:
|Purpose||General period for retaining of personal data|
|1. Development, improvement and testing of Platform||Until data subject lodges a legitimate objection to the processing and/or completion of the development or tests, but not longer than the duration of the relationship relating to the use of the Platform.|
|2. Raising awareness in the online environment||Until data subject lodges a legitimate objection, but not longer than the duration of the relationship relating to the use of the Platform.|
|3. Informing the community about results of contests||Until data subject lodges a legitimate objection, but not longer than the duration of the relationship relating to the use of the Platform.|
|4. The provision of the services of login to competition||During the validity of agreement based on Terms & Conditions of Platform, but not longer than the duration of the relationship relating to the use of the Platform.|
|5. Fulfilment of the various legal obligations||Until the expiration of the relevant legal period for the storage of personal data.|
|6. Performance of contractual obligations (contract agenda)||As a rule, the end of the contract and the expiration of the limitation period usually three years after the end of the contract.|
|7. Accounting and tax purposes (accounting agenda)||10 years.|
|8. Establishment, exercise or defence of legal claims (legal agenda)||Until the limitation period of related legal claims.|
|9. Security of personal data and IT systems||1 year, but not longer than the duration of the relationship relating to the use of the Platform.|
|10. Statistics||Duration of any other purposes.|
We most often collect your personal information directly from you. In such a case, the acquisition of personal data is voluntary and does not constitute a contractual or legal obligation. You can provide us your personal data in a variety of ways, such as:
We may collect your personal data from the Association for which we process personal data as the processor – in this case we do not exercise the information obligation under art. 14 GDPR, but the Association shall inform you as the controller under Art. 13 GDPR that we are the recipient of your personal data, what can also be achieved by reference to this document.
Other sources of personal data that we collect indirectly may also be other entities. Most often these are cases where we conclude or negotiate a contractual relationship or its terms with our business partner or supplier. If the collection of personal data relates to a contractual relationship, it is most often a contractual requirement or a requirement necessary to conclude a contract. Failure to provide personal data (whether your or your colleague´s) may have negative consequences for the organization you represent, because the conclusion of the contract would not be realised. If you are a member of a statutory body of an organization that is a contracting party to us or with whom we are negotiating a contractual relationship, we may obtain your personal data from publicly available sources and registers.
In any case we do not systematically process any random personal data obtained to any of the purposes for processing personal data.
"You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. You also have a right to object to any direct marketing processing of your personal data including profiling."
"You have right to object to any processing that is based on legitimate interest we rely on as described above. The same right is applicable on processing on legal ground of public interest that we do not currently rely on."
In case of exercising the right we will gladly demonstrate to you how we have evaluated these legitimate interests as compelling over the rights and freedoms of data subjects.
The GDPR lays down general conditions for the exercise of your individual rights. However, their existence does not automatically mean that they will be accepted by us because in a particular case exception may apply. Some rights are linked to specific conditions that do not have to be met in every case. Your request for an enforcing specific right will always be dealt with and examined in terms of legal regulations and applicable exemptions.
You have a right to lodge a complaint related to personal data to the relevant data protection supervisory authority or apply for judicial remedy. Please note that our competent data protection authority is the Office for Protection of Personal Data of the Slovak Republic (URL: www.dataprotection.gov.sk). In any case we advise to primarily consult us with your questions or requests.
No, we do not currently conduct processing operations that would lead to the decision which produces legal effects or similarly significantly affects concerning you based solely on automated processing of your personal data in light of Article 22 GDPR. During your visit of our website, there may be certain processing operations with character of non-invasive profiling that has a minimal impact on the protection of your privacy and can serve us in particular to better understand your interactions with our website and its functionality have gained better statistics that will make it easier for us to further develop, improve the website, or other essential management decisions on the Platform.
Specifically, we mainly use the following cookies:
|Title||Purpose of use|
|Pay Pal (Essential)||They generally serve to allow websites, services, apps, and tools to store relevant information on your browser or device later to recognize your device with servers and internal systems. These cookies can be used to prevent fraudulent conduct.|
This service from Google Inc. is an analytical tool that allows the storage of information into cookies to generate statistical outputs about www.zbodyfit.com web site. This functionality is not necessary for viewing the website and serves us to monitor the operation of the website and for development and improvement.
When using Google Analytics, we do not process any personal data or other identifiers that are usable for indirect identification (e.g. IP address) of the data subjects. Google Inc. as a Google Analytics service provider process personal data as a controller.
The primary cookie used by Google Analytics is the __ga file. You can learn more about the types of cookies used by Google Inc. here: https://policies.google.com/technologies/types?hl=sk.
In addition to reporting on our website usage statistics, Google Analytics can be used together with some ad cookies to display relevant ads from Google (Based on search history and activities on our site) as well as to measure interactions with display ads from Google Inc.
Google Inc. uses information collected while using our website to evaluate your use of the website, to report on the activities on the website and to provide us with other services associated with the use of our website and using the Internet. This data processing by Google Analytics can be prevented by using the appropriate Internet browser settings to which you install the add on browser plugin available through the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
You can control and/or delete cookies at your own discretion – for example, the details are listed on www.aboutcookies.org. You can delete all cookies stored on your computer, and you can set most browsers to prevent them from being kept in your device. However, in this case, you may need to manually edit some settings and some services and features will not work every time you visit a website.
It is our obligation to protect your personal data in an appropriate manner and for this reason we focus on the questions related to protection of personal data. Our company has implemented generally accepted technical and organizational standards to preserve the security of the processed personal data, especially taking into account the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. In situations where special categories of data are processed, we use encryption technologies e.g. during communication with the payment gateway of Paypal. Your personal data are stored on our secure servers or servers of our web site providers located in data centers in the Slovak Republic. If third-party analytics tools are used data are stored on third-party servers (see cookies).