Data Processing Agreement (DPA)
This Data Processing Agreement (hereinafter also referred to as the "DPA") constitutes an addendum to the Service Agreement concluded on the basis of the Fitebo Platform Terms of Service (hereinafter the "Main Agreement") and specifies the rules for the processing by Digital Rep Sp. z o.o. of personal data entrusted by the Trainer in connection with the use of the Platform.
The DPA is concluded electronically, without the need to conclude a separate written agreement, at the moment of creation of the Account and acceptance of the Terms of Service by the Trainer, to the extent and insofar as the Trainer enters into the Platform personal data of which the Trainer is the controller or which the Trainer processes as an entity authorised to further entrust such data in accordance with applicable law.
The parties to the DPA are:
- the Trainer using the Platform, as the controller of personal data or an entity authorised to further entrust such data in accordance with applicable law, hereinafter referred to as the "Controller";
- Digital Rep Sp. z o.o., registered office address: Chmielna 2/31, 00-020 Warsaw, Poland, entered in the Register of Entrepreneurs maintained by the District Court for the Capital City of Warsaw in Warsaw, 12th Commercial Division of the National Court Register under KRS number: 0000915075, share capital: PLN 5,000.00, NIP: 5252872328, REGON: 389664477, hereinafter referred to as the "Processor".

Definitions
- Controller - the Trainer acting as the controller of personal data or an entity authorised to further entrust such data in accordance with applicable law.
- Processor - Digital Rep Sp. z o.o., providing services within the Fitebo Platform.
- Platform - the Fitebo Platform, including the Web Application, the Mobile Application, and functionalities available within Fitebo Companion, in accordance with the Terms of Service.
- Terms of Service - the Fitebo Platform Terms of Service specifying the rules for the electronic provision of services by the Processor.
- Main Agreement - the agreement for the provision of electronic services concluded between the Controller and the Processor on the basis of the Terms of Service.
- GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- Entrusted Personal Data - personal data entered by the Controller into the Platform or transferred to the Processor in connection with the use of services covered by the Main Agreement.
- Subcontractor or Subprocessor - an entity whose services are used by the Processor in performing the DPA and which processes Entrusted Personal Data on behalf of the Controller.
- Personal Data Breach - a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, Entrusted Personal Data.

Nature and scope of application of the DPA
- The DPA constitutes an integral part of the Main Agreement and applies solely to the extent that the Processor processes Entrusted Personal Data on behalf of the Controller.
- The DPA remains in force for the duration of the Main Agreement, subject to those provisions which by their nature also remain in force after its termination, in particular those concerning confidentiality, liability, and deletion or return of data.
- With regard to the processing of Entrusted Personal Data, the provisions of the DPA shall prevail over the provisions of the Terms of Service if a conflict arises between these documents.
- The Controller should not enter into the Platform personal data which the Controller is not authorised to process or entrust for processing.

Subject matter, purpose, and nature of processing
- The Controller entrusts the Processor with the processing of Entrusted Personal Data pursuant to Article 28 GDPR.
- The Processor shall process Entrusted Personal Data solely for the purpose of performing the Main Agreement, in particular in order to enable the Controller to use Platform functionalities designed for:
  - creating, storing, and sharing Training Plans;
  - maintaining Client Cards;
  - making data and content available in Fitebo Companion;
  - keeping a workout log;
  - communication between the Trainer and the Client;
  - collecting and presenting measurements, reports, photographs, and other data added by the Controller or the Client;
  - ensuring technical support and the maintenance and security of the Platform.
- The nature of processing includes operations necessary for the performance of the Main Agreement, in particular collecting, recording, organising, arranging, storing, modifying, reviewing, using, disclosing via the Platform functionalities, restricting, deleting, and destroying data.
- The Processor processes Entrusted Personal Data only on the documented instructions of the Controller, which include in particular the Terms of Service, this DPA, and individual actions undertaken by the Controller when using the functionalities of the Platform.
- If, in the Processor's opinion, an instruction of the Controller infringes the GDPR or other personal data protection laws, the Processor shall inform the Controller accordingly, unless such information is prohibited by law.

Categories of data subjects and scope of data
- The DPA covers the personal data of persons whose data the Controller enters into the Platform in connection with the use of the services, in particular Clients and users of Fitebo Companion.
- The scope of Entrusted Personal Data may include, in particular, ordinary personal data such as:
  - first name and surname;
  - email address;
  - telephone number;
  - identification data assigned to the Client's account;
  - other data entered by the Controller within the Platform functionalities.
- The scope of Entrusted Personal Data may also include special categories of personal data and health data if the Controller decides to enter them into the Platform, in particular:
  - date of birth;
  - height, weight, and other body parameters;
  - information about the number of training days per week;
  - information about injuries, posture defects, mobility limitations, and perceived pain;
  - information about training level, training preferences, and possessed fitness equipment;
  - body measurements and training progress measurements;
  - photographs;
  - data concerning the course of workouts, including the number of sets, the number of repetitions, the load used, and the subjective assessment of difficulty;
  - data provided in reports, including information on well-being, sleep quality, motivation, recovery, fatigue, training attendance, and other information communicated by the Client to the Controller.
- The Controller decides on the scope of Entrusted Personal Data entered into the Platform and bears responsibility for the adequacy of that scope in relation to the purpose of processing.

Representations and obligations of the Controller
- The Controller represents that the Entrusted Personal Data has been obtained and is processed in accordance with applicable law.
- The Controller ensures that it has an appropriate legal basis for processing the Entrusted Personal Data and for entrusting it to the Processor.
- If the scope of the entrusted data includes special categories of personal data, the Controller represents that it also has an appropriate legal basis for processing such data under Article 9 GDPR and has fulfilled all requirements provided for by law.
- The Controller undertakes to fulfil towards the data subjects the information obligations required by law, unless, in accordance with the agreed cooperation model, such obligation is performed by the Processor on behalf of the Controller using the Platform functionalities.
- The Controller is responsible for the content, scope, correctness, and accuracy of the Entrusted Personal Data entered into the Platform, unless the inaccuracy results solely from an act or omission of the Processor.
- The Controller undertakes to issue only such instructions concerning data processing as are compliant with the law.

Obligations of the Processor
- The Processor undertakes to process Entrusted Personal Data in accordance with the DPA, the GDPR, and other generally applicable laws applicable to the processing of personal data.
- The Processor implements appropriate technical and organisational measures ensuring a level of security corresponding to the risk associated with the processing of Entrusted Personal Data, in accordance with Article 32 GDPR.
- The Processor ensures that persons authorised to process Entrusted Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of secrecy.
- The Processor ensures that Entrusted Personal Data is accessible only to those persons for whom such access is necessary for the performance of the Main Agreement.
- The Processor, taking into account the nature of processing and to the extent possible, assists the Controller through appropriate technical and organisational measures in fulfilling the obligation to respond to requests from data subjects.
- The Processor, taking into account the nature of processing and the information available to it, assists the Controller in fulfilling the obligations specified in Articles 32-36 GDPR.
- The Processor shall make available to the Controller the information necessary to demonstrate compliance with the obligations arising from Article 28 GDPR, subject to the protection of trade secrets, the security of other customers, and limitations arising from law.
- The Processor shall inform the Controller without undue delay of any Personal Data Breach concerning Entrusted Personal Data, no later than within 48 hours from becoming aware of it, unless the circumstances indicate that the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
- The Processor may process Entrusted Personal Data also where such obligation arises from European Union law or the law of a Member State to which the Processor is subject. In such case, the Processor shall inform the Controller of that legal obligation before processing begins, unless the law prohibits providing such information.

Further entrustment of data
- The Controller gives general authorisation for the Processor to use Subprocessors in the performance of the Main Agreement.
- The current list of Subprocessors is available on the Platform at the address indicated by the Processor.
- The Processor shall inform the Controller of planned changes regarding Subprocessors by publishing updates on the Platform or by email, sufficiently in advance to enable the Controller to raise a justified objection.
- If the Controller raises a justified objection to the planned engagement of a new Subprocessor, the Parties shall act in good faith to remove the grounds for the objection. If this is not possible, the Controller may discontinue the use of those functionalities of the Platform to which the further entrustment relates, or terminate the Main Agreement in accordance with its provisions.
- The Processor ensures that each Subprocessor will be obliged to comply with personal data protection obligations no less stringent than those provided for in this DPA, to the extent appropriate to the activities entrusted to it.
- The Processor is liable for the acts and omissions of Subprocessors as for its own acts and omissions, to the extent provided for by applicable law.
- If, in connection with the use of Subprocessors, Entrusted Personal Data is transferred outside the European Economic Area, the Processor shall ensure that such transfer takes place in accordance with applicable law, in particular by using an appropriate transfer mechanism legitimising the transfer of data.

Right of inspection and audit
- The Controller has the right to request from the Processor the information necessary to demonstrate compliance with the obligations arising from the DPA and Article 28 GDPR.
- The Controller has the right to conduct an audit or inspection of the Processor's activities concerning the processing of Entrusted Personal Data, subject to the provisions of this section.
- The audit should be conducted in a manner that does not infringe the Processor's trade secrets, the security of other customers' data, or the continuity of service provision.
- The Controller is obliged to inform the Processor of the intention to conduct an audit at least 14 days in advance, unless the need to conduct the audit results from a Personal Data Breach or a binding request of a public authority.
- The audit should, in the first instance, be based on documentation, explanations, and information made available by the Processor. On-site inspection may be conducted only where necessary and proportionate.
- The costs of the audit shall be borne by the Controller, unless the audit reveals a material breach of the DPA by the Processor.

Requests of data subjects and cooperation with authorities
- If a data subject submits to the Processor a request concerning Entrusted Personal Data, the Processor shall, where legally permissible, inform the Controller thereof without undue delay.
- If a supervisory authority or another competent public authority directs to the Processor a request, inquiry, inspection, or other action concerning Entrusted Personal Data, the Processor shall, where legally permissible, inform the Controller thereof without undue delay.
- The Processor does not respond independently to requests of data subjects on behalf of the Controller, unless otherwise required by applicable law or expressly agreed by the Parties.

Deletion or return of data after termination of cooperation
- After the end of the provision of services covered by the Main Agreement, the Processor shall delete or return the Entrusted Personal Data to the Controller, in accordance with the Controller's decision, provided that the relevant technical functionality is available and that applicable law does not require further storage of the data.
- If the Controller deletes the Account on the Platform or the Main Agreement expires or is terminated, the Entrusted Personal Data shall be deleted without undue delay, no later than within 30 days from the end of service provision, unless applicable law requires longer retention of the data.
- Entrusted Personal Data may remain for a limited time in backup copies if this results from a technically justified cycle of creating, storing, and overwriting backups, provided that during that period the data will not be further actively processed except to the extent necessary to ensure the security and integrity of the systems.

Confidentiality
- The Processor undertakes to keep confidential all information, documents, materials, and data received from the Controller or obtained in connection with the performance of the Main Agreement, including Entrusted Personal Data.
- The confidentiality obligation applies throughout the duration of the DPA and also after its termination, without limitation in time, unless the obligation to disclose information arises from applicable law.

Liability
- Each Party is liable for failure to perform or improper performance of obligations arising from the DPA in accordance with applicable law, in particular the GDPR and national laws on personal data protection.
- The Processor is liable only for such breaches of personal data protection obligations that concern obligations imposed directly on it by law or by this DPA.
- The Controller is liable for the lawfulness of obtaining the data, the existence of the legal basis for processing it, and the scope and content of instructions transmitted to the Processor.

Final provisions
- The DPA is concluded in the Polish language electronically through acceptance of the Terms of Service by the Controller.
- The current text of the DPA is available on the Platform at the address indicated in the Terms of Service.
- Amendment of the DPA shall take place in accordance with the rules for amending the Terms of Service, unless mandatory provisions of law require a different procedure.
- In matters not regulated in the DPA, the provisions of the Main Agreement, the GDPR, and other relevant provisions of Polish law and European Union law shall apply.
- The Parties shall seek to resolve amicably any disputes arising from the DPA, and in the absence of the possibility of reaching an agreement, disputes shall be resolved by the competent Polish common courts, subject to mandatory provisions of law.