RYPT Data Protection Policy
Last modified: 4th June 2024
1. Purpose
RYPT must comply with all applicable data protection, privacy and security laws and regulations in the locations in which we operate. Infringements could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. In addition, personal liability can arise where an offence has been committed by the company and it is proved to have been committed with the consent or connivance of, or to be attributable to neglect on the part of, a director, manager, secretary, or similar officer of the company.
RYPT wants to foster a culture of openness, trust, and integrity by maintaining a high standard of data protection. The purpose of this Data Protection Policy is to set out RYPT’s requirements relating to the protection of personal data where we act as a Data Controller and/or Data Processor, and the measures we will take to protect the rights of data subjects, in line with EU and Irish legislation.
In the course of our work, we are required to collect and use certain types of information about people (hereafter referred to as data subjects in line with the regulation), including ‘personal data’ as defined by the General Data Protection Regulation (GDPR). This document sets out to ensure compliance with the GDPR.
2. Scope
This policy applies to all RYPT staff, meaning permanent, fixed-term, and temporary staff, as well as any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents, engaged with RYPT in Ireland or internationally, and handling or processing personal data as defined by the GDPR.
2.1. Enforcement
Adherence to this policy is mandatory and non-compliance could lead to disciplinary action. Any third-party partner company found in violation may have their network connection terminated.
3. Definitions
Please see Appendix A for a full list of definitions which are used throughout this policy.
4. Data Protection Policy
RYPT’s policy is that all data is processed and controlled in line with the principles of the GDPR and relevant Irish legislation.
4.1. Data Protection Principles and Requirements
The following data protection requirements apply to all instances where personal data is stored, transmitted, processed or otherwise handled, regardless of geographic location. RYPT will comply with the following high-level principles:
- Personal data shall only be processed fairly, lawfully and in a transparent manner (Principles of Lawfulness, Fairness and Transparency)
- Personal data shall be obtained only for specified, explicit, lawful, and legitimate purposes, and shall not be further processed in any manner incompatible with those purposes (Principle of Purpose Limitation)
- Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (Principle of Data Minimisation)
- Personal data shall be accurate, and where necessary kept up to date (Principle of Accuracy)
- Personal data shall not be kept for longer than is necessary for the purposes for which the personal data are processed (Principle of Data Storage Limitation)
- Personal data will be retained in line with RYPT’s data retention policies
- Personal data shall be processed in a secure manner, which includes having appropriate technical and organisational measures in place to:
  - prevent and/or identify unauthorised or unlawful access to, or processing of, personal data; and
  - prevent accidental loss or destruction of, or damage to, personal data (Principles of Integrity and Confidentiality)
RYPT shall be responsible for, and be able to demonstrate compliance with, these key principles (Principle of Accountability). In addition, RYPT will ensure that data subjects’ rights are protected as set out in the GDPR.
- Data subjects will be able to request access to data we hold on them through a Subject Access Request (SAR) (Right of Access)
- Data subjects can request to change or correct any inaccurate data (Right to Rectification)
- Data subjects have the right to object to having their data processed (Right to Restriction of Processing)
- Data subjects can request to delete data that we hold excluding medical records (Right to Erasure/Right to be Forgotten)
- Data subjects can request to have their data moved outside of RYPT if it is in an electronic format (Right to Data Portability)
- Data subjects can object to a decision made by automated processing, with certain limited exceptions (such as legitimate grounds for the processing or the defence of legal claims) and request that any decision made by automated processes have some human element (Right to Object to Automated Decision Making, including Profiling)
RYPT, as a Data Controller, shall be responsible for, and be able to demonstrate compliance with these GDPR Requirements. The company will process personal data in accordance with the rights of data subjects.
- RYPT will communicate with data subjects in a concise, transparent, intelligible and easily accessible form, using clear language
- RYPT will only transfer personal data to Third Parties within Ireland and outside of the European Economic Area (EEA) in accordance with this policy
- RYPT shall conduct all personal data processing in accordance with legitimate GDPR-based processing conditions, in particular:
  - the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  - processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  - processing is necessary for compliance with a legal obligation to which the controller is subject;
  - processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  - processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
4.2. Special Categories of Personal Data
Special categories of data are defined by the GDPR and include data such as racial or ethnic origin, religious or philosophical beliefs, genetic data, biometric data, health data, sex life details and sexual orientation. RYPT will obtain explicit consent from the data subject to process special categories of personal data, including:
- Data submitted by the data subject, should he or she wish to submit it:
  - Well-being Data including Sleep, Sleep Duration, Mood, Energy, Stress, and Muscle Soreness
  - Menstrual Cycle Data including cycle information and symptoms
- Data that may be submitted on behalf of the data subject by their coach(es):
  - Body Composition Data including weight, height, and measurements
  - Injury Data
The processing of special categories of personal data shall be lawful where it is necessary in order for the company to provide the service, including:
- For the purpose of improving athletic performance through the prescription of individualised training plans
- For the purpose of reducing injury risk through the management of training and recovery
- For the purpose of managing injuries and injury rehabilitation
4.3. Data Storage Limitation Policy
RYPT should erase any personal data whose continued retention would violate:
- Data Protection Law
- Data Protection Regulations
- Contractual Obligations
- Requirements of this Policy
RYPT should also erase personal data if the company no longer requires the Data to provide services to the data subject.
4.4. Data Anonymisation and Pseudonymisation
RYPT must anonymise and/or pseudonymise personal data when it is being used for purposes other than the direct provision of its services.
4.5. Data Security
All RYPT staff must familiarise themselves with the up-to-date information security policies which are available in the RYPT Information Security Policy.
4.6. Unauthorised Disclosure
All persons covered under this policy are prohibited from disclosing a data subject’s personal data or special categories of personal data unless this policy or a legal basis allows for such disclosures.
All persons covered under this policy must report all suspected incidents of unauthorised access to the Data Protection Officer (DPO). Incidents include a breach of security, system or human failure, error or issue, leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
RYPT has established formal procedures for reporting suspected incidents. All persons covered under this policy must follow these procedures which can be found in RYPT’s Data Breach Response Policy.
4.7. Data Protection by Design, and Data Protection by Default
RYPT aims to ensure that the systems and processes underlying the company’s services are guided by strict adherence to data protection legislation. Aside from general data protection policy, the company must incorporate the following principles in all projects involving the design of a new feature of the service or the updating of an existing one:
- Data Protection by Design
- Data Protection by Default
If any staff member considers that a particular class of personal data processing may affect a data subject’s rights and freedoms then they should:
- Engage the DPO on the issue
- Conduct a mandatory Data Protection Impact Assessment (DPIA)
- Register Data Protection Impact Assessments with the DPO.
4.8. Third Party Transfer Policy
RYPT must not transfer personal data to a Third Party outside of the EEA regardless of whether the company is acting as a Data Controller or Data Processor unless:
- The EU recognises the transfer country/territory as having an adequate level of data subject legal protection relating to personal data processing; or
- The EU recognises the transfer mechanism as providing adequate protection when made to countries/territories lacking adequate legal protection (please see https://www.dataprotection.ie/docs/Transfers-Abroad/1244.htm); or
- The explicit consent of the data subject has been provided; or
- The transfer is authorised by law
Subject to the provisions above, RYPT may transfer personal data to a third party outside of the EEA where any of the following apply:
- The transfer is necessary to protect the data subject’s vital interests; OR
- The data subject has given explicit consent to the proposed transfer; OR
- The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between RYPT and a third party; OR
- The transfer is necessary or legally required for the establishment, exercise, or defence of legal claims; OR
- The transfer is required by law; OR
- The transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest
The DPO must assess whether any of the above exceptions apply prior to any personal data transfer and must record the determination in writing.
4.9. Third Party Relationships Policy
Where RYPT engages a third party for processing activities, this Data Processor must protect personal data through sufficient technical and organisational security measures and take all reasonable GDPR compliance steps.
When engaging a third party for personal data processing, RYPT must enter into a written contract or equivalent. This contract or equivalent shall:
- Clearly set out the respective parties’ responsibilities
- Ensure compliance with relevant European and local Member State Data Protection requirements/legislation
- Ensure that at the expiry of a data processor contract, the data processor is contractually obliged to return the full dataset to RYPT and provide unequivocal evidence that their copy of the dataset is erased.
RYPT must ensure that all third-party relationships are established and maintained on this basis. Data processors who are processing data on behalf of RYPT must secure approval from RYPT if they wish to engage further data processors.
4.10. Zero-Trust Policy
RYPT will adopt a “zero-trust” approach to data protection. The company will implement multiple mechanisms to support this approach, including but not limited to:
- Access Controls: RYPT will implement strict access controls to limit staff permissions, granting only the necessary access for the staff member’s specific tasks
- Least Privilege Principle: RYPT staff will be granted the minimum access required to perform their duties
- Continuous Authentication: RYPT will require staff to always authenticate based on all available data points, ensuring that access remains valid throughout the session
- Micro-Segmentation: Where feasible, RYPT will divide networks into smaller segments, preventing lateral movement within the system
4.11. Education and Awareness
RYPT will ensure that all staff are provided with the time, resources and support to understand their data protection responsibilities under the GDPR.
5. Responsibilities
The DPO should be involved, properly and in a timely manner, in all issues which relate to the protection of personal data. They are bound by secrecy or confidentiality concerning the performance of their tasks, in accordance with Union or Member State law. They are responsible for monitoring compliance with the GDPR and have overall control of how data is processed within RYPT, including:
- Collecting information about processing activities
- Analysing and checking the compliance of processing activities
- Informing, advising and issuing recommendations to management and the relevant data processors and controllers
6. Review
This policy will be reviewed and updated every 3 years or more frequently if necessary to ensure any changes to RYPT’s organisation structure and business practices are properly reflected in the policy, as well as any changes to the regulations.
Appendices
Appendix A – Definitions
| TERM | DESCRIPTION |
|---|---|
| Anonymised | Means the process of rendering personal data anonymous data. |
| Anonymous Data | Means any information relating to a natural person where the person cannot be identified, whether by the Data Controller or by any other person, taking account of all the means reasonably likely to be used either by the Data Controller or by any other person to identify that individual. |
| Consent | Means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. |
| Data | As used in this Policy shall mean information which is either: (a) submitted by the data subject via the RYPT app; or (b) submitted by the coach on behalf of the data subject via the RYPT website. |
| Data Controller | Means a person or organisation who (alone or with others) determines the purposes for which and the manner in which any personal data are, or are to be, processed. A Data Controller can be the sole Data Controller or a joint Data Controller with another person or organisation. |
| Data Processor | Means a person or organisation that holds or processes personal data on the instructions of the Data Controller, but does not exercise responsibility for, or control over the personal data. |
| Data Protection | Means the protection of personal data. |
| Data Protection Commission (DPC) | Means the office of the Data Protection Commission in Ireland. |
| Data Subject | Refers to the individual to whom personal data held relates, including: employees, customers, suppliers. |
| Data Protection Officer (DPO) | RYPT’s appointed Data Protection Officer. |
| European Economic Area (EEA) | Means the area in which the Agreement on the EEA provides for the free movement of persons, goods, services and capital within the European Single Market, as well as the freedom to choose residence in any country within this area. |
| Encryption | Means the process of encoding information stored on a device; it can add a further useful layer of security. It is considered an essential security measure where personal data is stored on a portable device or transmitted over a public network. |
| EU Directive | Means the EU Data Protection Directive 95/46/EC. |
| Information Request | Means a request from a data subject relating to that individual’s personal data. |
| Personal Data | Means any information relating to an identified or identifiable natural person (Data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |
| Personal Data Breach | Means a breach of security, system or human failure, error or issue, leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. |
| Processing | Means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| Pseudonymisation | Means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. |
| Restriction of Processing | Means the marking of stored personal data with the aim of limiting their processing in the future. |
| Subject Access Request | Means a written request made to a Data Controller by any individual about whom a Data Controller keeps personal data on computer or in a relevant filing system. Response must be provided to the data subject under the terms outlined by GDPR and/or local requirements. |
| Third Party | Means an entity, whether or not affiliated with RYPT, that is in a contractual arrangement with the company. These Third Party relationships include, but are not limited to, activities that involve outsourced products and services, use of independent consultants, payment processing services, joint ventures and other business arrangements where RYPT has an ongoing relationship. Third Party relationships, for the purposes of this policy, generally do not include customer relationships. Under GDPR a ‘Third Party’ means a natural or legal person, public authority, agency or body, other than the data subject, controller, processor and persons who, under the direct authority of the Data Controller or Data Processor, are authorised to process personal data. |