Develop GDPR-compliant documentation for a Norwegian fitness centre launching an app for class booking, membership management, and member follow-up.
Deliverables (document package)
Privacy Policy (app + website)
Data Processing Agreement template with app/system provider (GDPR Art. 28)
Internal procedure for deletion and handling of data subject rights
Record of Processing Activities (GDPR Art. 30)
Practical checklist for cookies/tracking and marketing consents
Assessment of relevant legislation and regulatory framework
FjordForm operates in Norway (EEA). The app and website are aimed at individuals (B2C) and process personal data about members and potential members.
Core requirements
Personal Data Act (2018) and GDPR: legal basis for processing, information obligations, data subject rights, security, and documentation requirements.
Electronic Communications Act (Act of 13.12.2024 No. 76, in force 1 January 2025): use of cookies/tracking requires consent that is valid under GDPR.
Marketing Control Act Section 15: requirement for prior consent for marketing via email/SMS to individuals (with certain exceptions).
Bookkeeping Act and Bookkeeping Regulations: obligation to retain accounting records (affects deletion/retention periods).
E-Commerce Act and Right of Withdrawal Act: information obligations and right of withdrawal for online sale of services (relevant for sign-up/payment via app/website).
Transfers outside the EEA: requirements for transfer mechanisms (e.g., SCCs or adequacy decisions where available).
Industry-specific data protection considerations
Fitness centres often process data that may be perceived as private (exercise habits, attendance, goals). If the app processes health data (injuries/diagnoses), stricter requirements apply (GDPR Art. 9).
Minors: If the app is offered directly to children, age limits and consent mechanisms must be specifically assessed. In Norway, the age limit for children's consent to information society services is normally 13 years – children under 13 require parental consent.
Process
1. Discovery and data mapping
Clarification with the client: which features the app includes (booking, payment, messaging, training plans).
Mapping of personal data flows: what is collected, where it is stored, who has access, and which vendors are involved.
Role clarification: data controller (FjordForm) vs. data processors (app provider, hosting, email/SMS) – and clarification of other recipients/independent data controllers (e.g., payment provider, depending on the solution).
2. Legal assessment and gap analysis
Legal basis per purpose (GDPR Art. 6) and, where applicable, Art. 9 for special categories.
Information obligation: content required in the privacy policy (GDPR Art. 13).
Requirements for data processing agreements (GDPR Art. 28) and sub-processors.
Security measures and breach management (GDPR Art. 32-34).
Retention/deletion: alignment between GDPR and accounting requirements (bookkeeping regulations).
Cookies/tracking and marketing: consents and opt-out mechanisms.
3. Document production and implementation
Draft privacy policy and adapt to actual data usage.
Draft data processing agreement template with appendices for processing description and security.
Establish internal procedure for deletion and handling of data subject rights requests.
Establish and complete record of processing activities (GDPR Art. 30).
This is an illustrative work example showing how we approach GDPR documentation for fitness centres. Actual content and scope are always adapted to the client's specific situation.