Description of personal data processing in the ACTPRO Individual Coaching and Training Services and Services including Firstbeat Life Service (“Service”), which is produced by Firstbeat Technologies Oy.
This document contains information about the personal data processing as required by the EU General Data Protection Regulation (GDPR).
ACTPRO Individual Coaching and Training Services: ActPro Oy (business ID 2105779-4), Aleksanterinkatu 17, 00100 Helsinki, Finland (“ACTPRO”, “Service Provider” or “Controller”)
Firstbeat Life Service: Firstbeat Technologies Oy (business ID 1782772-5), address Yliopistonkatu 28 A, 40100 Jyväskylä, Finland (“Firstbeat”, “Service Provider” or “Controller”).
Or together also as “Service Providers”.
“Customer” is a person or organization who is in a contractual relationship with ACTPRO for ACTPRO and/or Firstbeat to produce the Service, using personal and in case of Firstbeat Life, also measured information from the Subject(s), who are defined by the Customer. In a typical scenario the Customer is an employer, whose employees are Subjects.
“Subject” is the person, whose information is used by Service Providers to produce the Service, using personal information about the Subject. In case of Firstbeat Life Service this information may include also e.g. pulse measurement data.
“ACTPRO Coaching and Training Services” are Services which support individuals in their skills development regarding e.g. Self Management, Wellbeing and Performance.
Individuals may attend the Services e.g. by submitting a registration form, making online reservations or by answering surveys. ACTPRO may approach the Subject with Service-related information and actions by e-mail, phone or another channel provided by the Subject or Customer.
ACTPRO may coordinate Firstbeat Life Services provided to Subjects. If a certain Service includes the Firstbeat Life Service, ACTPRO may use the Subject’s name and e-mail address to invite the Subject to the Firstbeat Life Service via Firstbeat’s Service.
ACTPRO or Firstbeat Services are not Health Care Services or a substitute for Health Care Services.
Firstbeat Life Services for ACTPRO and for its Customers and Subjects are provided by Firstbeat Technologies Oy (Y-ID 1782772-5), which is always the responsible Personal Data Processor and Data Controller of all Firstbeat Life Services.
“Firstbeat Life” is a Service, requiring Subjects to install a local mobile application, which stores some personal information locally on their mobile device, and where they keep the measurement device in their possession.
The person using the Firstbeat Life service must familiarize him/herself with Firstbeat’s data processing documentation and accept the data processing principles of the Firstbeat Life service in connection with the use of the service. These can also be found in the Firstbeat Life application when registering for the service and using it.
Notes about the Controller Position
For clarity, in the sense of the personal data legislation:
- ACTPRO is the Data Controller regarding the individual ACTPRO Services delivered by ACTPRO to the Subject.
- Firstbeat Life Service is always produced by Firstbeat. Firstbeat is always the Data Controller for all Firstbeat Life Services.
ACTPRO Contact Information for the Data Controller
The responsible Personal Data Processor and Controller, ActPro Oy, Customer Service, Aleksanterinkatu 17, 00100 Helsinki, Finland is responsible for your personal data in accordance with the applicable data protection law.
If you think we are processing your personal data incorrectly, you can contact us. Contact information and the contact form can also be found on our website www.actpro.fi.
Firstbeat Contact Information for the Data Controller
Detailed Firstbeat data processing principles and contact information can be found at https://www.firstbeat.com/en/privacy/firstbeat-lifestyle-assessment-privacy-policy/ and in the Firstbeat Life mobile application.
The Purpose and Legal Basis of Processing the Personal Data
The purpose of processing the personal data is the basic operation of the Service, including user support operations, collecting statistics regarding Service usage, and conducting scientific and market research.
The basic operation and purpose of the Service is to provide ACTPRO Coaching and Training Services and in case of Firstbeat Life Service, a personalized analysis on the effect of lifestyle factors on different aspects of well-being.
In Firstbeat Life Service the Subject’s personal qualities and measured heartbeat analysis data are used to provide the Service. This Service may additionally include direct personal feedback to each individual Subject by an ACTPRO or Firstbeat representative by telephone, or in person, which is possibly used to agree on action goals or to support individual skills development.
The Firstbeat Life Service typically includes an anonymized feedback or group report to the Customer regarding the general well-being of a group of Subjects (typically employees) as a whole.
Personal data is also used for Service support operations, which typically include, for example, delivering user account information or the private web link to the Subject.
Personal data may be used to inform of Services, such as sending info- or newsletter or other ways of maintaining the customer relationship. The personal data of the Subject may be used to market a personal follow-up analysis following the applicable personal data legislation.
If the applicable legislation requires the Subject’s consent for processing some of the personal data described in this document (for instance, concerning health related data i.e. so-called special categories of data), the consent will be acquired using an appropriate method. This may be done for example by checking a separate consent checkbox, making the choice in the technical settings of the Service or website, or by another specific action or statement to signify consent. Declining consent may impact the ability to offer the specific Service.
Log data of the Service use or handling measurement devices is additionally saved in order to protect the legitimate interests of the Customer, Service Providers and the Subjects, for example in order to investigate possible security breaches or in order to be able to prove that invoiced services have been delivered.
Personal data may be processed individually or together with Service Providers’ and their subsidiary companies’ other personal data files. Service Providers may keep a copy of data saved in the service for statistical and scientific research, such as for determining average reference values. Such statistical or scientific use of data is done using automated processes in such a way that data from an individual Subject cannot be identified during any stage of the process. The aggregated data could be combined in a manner which makes it theoretically possible to identify personal data of a Subject. However, Service Providers do not, at any point during the process, perform any such measures.
The legal justification for processing personal data is fulfilling the contract between the parties or the legitimate interest of Service Providers, which is based on the relationship between the parties. The legal justification may also be the Subject’s consent, if the applicable legislation requires this.
The Personal Data Retention Period
Service Providers (ACTPRO and Firstbeat) retain personal data for as long as necessary to process personal data or required by the applicable legislation. The need to retain personal data is evaluated on a regular basis while considering the applicable legislation. In addition, Service Providers regularly take every reasonable step to ensure that the retained personal data is not incompatible, outdated or inaccurate considering the purposes of processing. Any such information will be corrected or erased without delay.
Some personal data, which is not directly related to e.g. the Firstbeat measurement and does not contain data related to heart rate or health, and which may be required to protect the legitimate interests of Customer, Service Providers or Subjects and to investigate any possible problems (such as general log information about the use of the service), is not erased together with other personal data.
Description of the Group of Data Subjects
The personal data from participating Subjects is processed in the Service. In a typical case, the Customer of ACTPRO is the organization represented by the Subjects, often an employer, and the Customer determines the group of Subjects.
Regular Data Sources
Primarily the personal data is provided by the Subjects themselves to ACTPRO or Firstbeat.
In some cases the Customer provides Service Providers the email address of each Subject or offers their Subjects a chance to provide their email address with a self-registration form or tool. Each Subject is then emailed a personal invitation to activate the Service.
Service Providers’ representatives may additionally gather or correct e.g. contact information, information about the Service usage, or collect feedback from the Subjects when providing the Service.
The Type of Personal Data
Most of the data is related to registering to or usage of a certain Service or related to booking coaching or training sessions via a booking system.
ACTPRO does not collect any confidential information about the contents of the coaching or training sessions or any health information attached to personal information.
The database contains the following information (partial or complete) about the Subjects:
- Full name (first and last)
- Contact information, e.g., address, email address and telephone number
- Information about the Customer, e.g., name, contact information and Subject’s personnel group
- Other information with the Subject’s consent
- Other information submitted by the Subject through the Service or otherwise (e.g., by answering questionnaires)
- Information about the use of the Service, including but not limited to user interface language choice, log data, audit trail, service statuses and service usage
- Information (not health information) about the Subject if submitted by the Service Provider or their representatives.
- Information about the consents for processing data in the service
In addition to the above, ACTPRO has access to the Subjects’ Firstbeat Life data, if the Customer has acquired the Firstbeat Life Service through ACTPRO.
In case of Firstbeat Life Service (Data Controller is always Firstbeat and the consents for processing data are accepted by the Subject), the database may also contain the following information (partial or complete) about the Subjects:
- Date of birth, gender, height, weight
- Activity class, maximum and minimum heart rate
- User interface language choice
- Heart rate and acceleration measurements
- Sensitive health information, e.g.:
- Information about chronic and acute diseases and medication if provided by the Subject
- Body Mass Index
- Maximal oxygen consumption and fitness level classification
- Heart rate and heart rate variability
- Information about heart rhythm and possible related abnormalities
- Appearance and intensity of detected stress and recovery reactions
- Respiration rate
- Oxygen consumption and energy expenditure
- Sleep start time and sleep duration, and sleep rhythm formed by many periods of sleep
- In addition to the above, general wellness and physical activity related information such as detected exercise sessions, step count and training effect.
- Diary entries if created by the Subject during the measurement period, such as alcohol consumption, self-documented events that are noteworthy and of interest to the Subject and self-evaluations regarding the diary entries.
- The results report with defined target actions created for the Subject based on the data analysis
- Password, if using Firstbeat Life
- Other information with the Subject’s consent
Principles of Data Protection
Service Providers follow the best practices for managing data, including appropriate technical and organisational measures as required by the personal data legislation. Service Providers protect the data so that only the authorized personnel defined by them, who are bound by a confidentiality agreement, have access to the file and only for purposes related to their work. These authorized personnel may be Service Providers’ own employees or subcontractors.
Service Providers ensure that all data systems and computer equipment are sufficiently protected with appropriate technical methods, including access control to physical premises, firewalls, passwords, personal user IDs and personnel security training.
The Internet connections from the Subject’s web interfaces to Service Providers’ Services are always protected with encryption (SSL).
If Service Providers use third parties (like subcontractors) for technical maintenance of their systems processing the data, Service Providers fulfil the responsibilities required by the data protection legislation related to subcontractors.
Transfer of Personal Data
Personal data may not be transferred without the data Subject’s consent outside Service Providers or their subsidiary companies in a manner that the data could be identified, except in following exceptional circumstances: if required by any ruling of a governmental or regulatory authority, court, or by mandatory law; or if it is otherwise necessary for the purposes of preventing, or investigating, any breach of law, user terms or good practices or to protect the rights of Service Providers or a third party.
Without the Subject’s explicit, separate consent, personal data of the Subjects will not be given to the Customer, except information about misuse of the Services or in cases where the Subject does not return the materials related to the Service in time. In this case the Subject’s name and contact information may be given to the Customer responsible for the costs of the Service or its misuse.
Additionally, for Subjects using Firstbeat Life, the following information limited to each Subject’s subscription status may be transferred to the Customer for the purposes of making the most of the Service: initial e-mail address given by Customer or Subject for the invitation (but not the current address, if Subject has changed it), Subject’s name and user interface language as identifiers; initial activation date when subscription period has started; how long ago that user has last actively used the Service; and possible other corresponding general information about the subscription status so that the Customer may choose to discontinue unused Service or advise Subjects to use the Service and for the purposes of preventing any misuse. (Note: if the Subject is a person who buys the Service for him/herself, the Subject is also a Customer and will naturally receive his/her own personal data.)
Other than this Service or Subscription management related information, the Customer only receives periodic average or summary information about their Subject group’s feedback, status or e.g. wellbeing as a whole. The averages will not be provided if the number of Subjects or number of data updates since the previous information is so small that individual data could be directly or indirectly recognized from the information or changes in the information, unless the Subjects in question have given their explicit consent for the transfer.
In case of Firstbeat Life, the Customer may also receive information about which Subjects are actively using the Service (including how many months ago the Subject has used the Service). If a Subject is using a loaned device which is not returned in time, then the Customer may also be given information about which Subject has not returned the device.
When Firstbeat Life is provided to Customer or Subject through ACTPRO the Subject may be required to consent to handing over some personal information to ACTPRO, in order to use the Service subscription. Details of the type of personal information and identity of Firstbeat Life Service Provider are visible to the Subject in Firstbeat Life mobile application (Subject’s personal account) at the time of requesting their consent.
With the separate consent of the Subject, access to personal data may be given to a specified third party, such as a party providing health care to the Subject.
ACTPRO does not generally transfer personal data included in its registers outside of EU/EEA.
However, e.g. when using Firstbeat Life Service, personal data is additionally stored locally in the mobile application on the Subject’s mobile device, which the Subject can him/herself take out of the EU/EEA area.
The Rights of the Data Subjects
The data Subject has the rights according to the personal data legislation applicable in Finland, including the EU General Data Protection Regulation (GDPR), to inspect his/her personal information, change or request to change his/her information and under some circumstances, the right to request erasure of personal information. Therefore, the Subject has the right to request Service Providers to correct inaccurate or incorrect personal information without unnecessary delay. The Subject has the right to request erasure of his/her information without unnecessary delay, for example when the personal data is no longer required for the original purposes, the personal data has been processed unlawfully, or the Subject withdraws consent to the processing and when there is no other legal ground for the processing.
The Subject has the right to request Service Providers to limit the processing in certain situations, including when the Subject denies the information being accurate or the processing is illegal. Under some circumstances the Subject also has the right to object to the processing.
The Subject may, under some circumstances, have the right to request transferring the personal data from one system to another. Whenever the legal justification for processing the personal data is consent, the Subject also has the right to withdraw the consent at any time.
ACTPRO wishes that any disputes concerning the processing of personal data are primarily resolved in a conciliatory manner between the parties. The Subject has also the right to lodge a complaint to the authorities responsible for personal data protection.
Any requests to inspect, modify or erase the personal data shall be indicated to Service Provider in person, or by a signed letter or similarly verified document, so that Service Provider can confirm the requestor has the right to make such a request. The request can be made by e-mail, if using the e-mail address registered when using the service. Service Provider may need to identify the Subject and ask for additional information in order to fulfil this kind of request.
This description of the personal data processing has been updated 06.04.2023. ACTPRO follows the changes in legislation and regulator instructions related to personal data processing and develops the service further and will therefore reserve the right to make changes to this description.