Only the German version of this page shall be authoritative for the contract's content. The English version is only for communication purposes and does not determine contractual terms and conditions. For more information, please visit our T&C.

EU General Data Protection Regulation (EU GDPR)

The new EU General Data Protection Regulation (EU GDPR) takes effect from May 25, 2018. On this page, we inform you about the principles of the regulation, Dr. Plano's measures, and, of course, what you should pay attention to as a gym operator or company. If you would like to conclude a data processing agreement (DPA) with us, please take a look at the explanations at the bottom of this page. You can find our privacy policy here.

Principles of the EU GDPR and Dr. Plano's measures

Lawfulness, fairness, transparency

The data should be processed lawfully, in good faith, and in a manner that is understandable to the data subject. The right of consent, access, and withdrawal should guarantee transparency.

What we do

As a company, we are a so-called "processor" from the perspective of the GDPR, as we process personal data on behalf of a "controller" (a climbing or bouldering gym or another company). The company itself is responsible for collecting personal data and its lawfulness. The purpose of this data processing is the shift scheduling and the organization of the booking system in the respective company. We have a contact person who can be consulted on all data protection issues.

Contact for questions about privacy: Masoud (masoud@dr-plano.com), member of the German Association for Data Protection and Data Security (GDD).

Purpose limitation

Data is collected for a specified and explicit purpose and may not be further processed in a way incompatible with that purpose.

What we do

The personal data is collected and processed by the responsible company solely for the purpose of the scheduling and the organization of the booking system. We do not collect any separate personal data ourselves. Furthermore, we do not process this data for other purposes or pass it on to third parties. This also means that we do not exchange our customers' data with each other. Customer data remains strictly separate from each other.

Data minimization

As little data as possible – as much data as necessary.

What we do

As a processor, Dr. Plano only processes the personal data necessary for the company's organization. For us, the principle of "privacy by design" applies. This means that we process as little data as possible and as much data as necessary, so that stale, unused data does not accumulate in the first place. At the same time, as few people as possible and as many people as necessary should have access to this personal data.

Storage limitation – The right to be forgotten

Data should be stored for as long as necessary for the purpose of processing and the legal retention obligations.

What we do

The principle of "privacy by design" also applies to us here. We always try to avoid data waste in our software development. For example, data should only be stored for as long as it is useful for the purpose of processing or as required by legal retention and documentation periods. We will regularly offer our customers the option of automatically deleting their old data. In addition to this regular deletion option, companies can contact our contact person for data protection issues to request an immediate deletion process.

Integrity and confidentiality

When processing personal data, the highest level of security must apply. Above all, the data must be protected against access by unauthorized persons.

What we do

We have taken the following precautions to ensure the highest possible security of personal data:

  • Subcontractors are not part of our company structure, so we always know who has access to our customers' personal data.
  • Our server is located in Frankfurt and is, therefore, subject to German and European data protection and security regulations.
  • Data transmission is always SSL-encrypted to prevent unauthorized access to the data.
  • When selecting our processors (subcontractors), we primarily prefer those based in Germany to ensure greater security due to the stricter German laws. Currently, almost all of our processors are based in Germany or the EU. The new GDPR also applies to them. We attach great importance to this. Should we nevertheless work with a partner located in a country outside the EU, we ensure that they are committed to the GDPR or equivalent standards or that an adequacy decision by the EU Commission is in place.

We are constantly optimizing and expanding these data security measures.

Right to data portability

In the future, data subjects will have the right to receive the personal data they have provided for processing in a commonly used and machine-readable format.

What we do

Our export function allows you to download much of the relevant data yourself. On request, we can also supply further personal data as an electronic file (Excel spreadsheet). Our contact person for data protection issues can also help you with this.

Your measures for EU GDPR

Responsibility towards your customers and employees

Your company is primarily responsible for data protection and handling personal data; after all, you collect the data from your customers and employees. Therefore, you should check whether you have to comply with the following requirements set out in the EU General Data Protection Regulation:

  • Whether you need to create a "Record of Processing Activities" (RoPA) involving personal data. The RoPA must contain all activities, e.g., marketing & sales, that process personal data.
  • Whether you need to appoint a data protection officer. This would not only be the point of contact for people whose data is processed but also for the supervisory authorities. If you do not have to appoint a data protection officer, you should announce a contact person for personal data in your company.
  • Whether you need to conduct a data protection impact assessment (DPIA). This is only appropriate for highly sensitive personal data to assess the associated risk before processing the data.

You can find out whether you have to fulfill these requirements by applying the criteria in the short papers of the Datenschutzkonferenz (DSK).

In any case, you must always obtain declarations of consent for the processing of personal data – from your customers and employees.

Responsibility towards your "processors"

According to the GDPR, you, as the gym operator, are responsible for personal data. Therefore, you must use the following questions to check whether your so-called processors – e.g., Dr. Plano – handle personal data appropriately:

  • Is the data processed according to purpose?
  • Will the data not be passed on to third parties?
  • How do processors respond to the GDPR? Do they comply with the regulation?

To ensure these things, you should conclude a contract in written or electronic form with your processors.

Agreement with Dr. Plano on data processing (DPA)

You can easily conclude a data processing agreement with us online and paperless. Please follow these steps:

  • Go to this page to sign the DPA online with the help of our provider HelloSign.
  • After entering your email address, please complete the agreement with your company data (company name and address), your name and position, and the place, date, and your electronic signature.
  • We have already signed the agreement. As soon as you complete it with your data and sign it electronically, the agreement is valid. Our provider will then send you the signed DPA directly to the email address you have provided.

You can find a detailed list of our technical and organizational measures (TOMs) here.

You can find a detailed list of our subcontractors for the provision of our services here.
