The General Data Protection Regulation (GDPR)

Last Updated October, 2023

Welcome to NordicTrack portal for the General Data Protection Regulation (GDPR). We have provided the following information and supporting links for helping you gain a stronger understanding of the GDPR, along with your rights for any of your personal data that is stored, processed, and/or transmitted by https://www.nordictrack.co.uk

As a European Union (EU) data subject, we value you as a client and at all times will work to ensure the safety, security, and privacy of your personal data.

Please view the following information and supporting links below to learn more about the GDPR and NordicTrack’s commitment to data privacy and data security.

  • What is the GDPR?
  • NordicTrack’s Commitment to Data Security and Data Privacy
  • Your Rights as a Data Subject
  • NordicTrack’s enhanced Privacy Policy for GDPR
  • NordicTrack’s Marketing Consent & Disclosure
  • How to Contact NordicTrack regarding GDPR requests

What is the GDPR?

The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation regarding data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

Superseding the Data Protection Directive, the GDPR contains provisions and requirements pertaining to the processing of personally identifiable information of data subjects inside the European Union. Business processes that handle personal data must be built with privacy by design and by default, meaning that the system must be designed to adhere to principles of data protection with the highest level of safeguards from the start, so that the data is not available publicly without explicit consent, and cannot be used to identify a subject without additional information stored separately.

Personal data may not be processed unless it is done under a lawful basis specified by the regulation, or the data controller or processor has received explicit, opt-in consent from the data's owner—which may be withdrawn at any time. In simpler terms, the GDPR gives individuals far-reaching rights and privileges regarding their data.

NordicTrack’s Commitment to Data Security and Data Privacy

Article 32 of the GDPR requires that controllers and processors have adequate levels of security in place for ensuring the confidentiality, integrity, availability – and more, of processing and other related activities.

Specifically, Article 32 requires NordicTrack to Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the following as deemed appropriate:

  • The pseudonymisation and encryption of personal data.
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

NordicTrack’s commitment to confidentiality, integrity, and availability – known as the CIA triad of information security, consists of the following initiatives:

  • Robust set of internal controls relating to the storing, processing and/or transmission of personal data for EU data subjects.
  • Comprehensive information security and operational policies, procedures, and processes relating to all core InfoSec domains, such as the following:
  • Access Control
  • Anti-Virus and Anti-Malware
  • Asset Inventory
  • Change Control | Change Management
  • Configuration Management
  • Data and Information Classification
  • Data Backup and Recovery
  • Database Policy
  • Encryption & Key Management
  • Firewall Policy
  • Incident Response
  • Internet Usage Policy
  • Remote Access Policy
  • Security and Patch Management
  • Software Development Life Cycle
  • Virtualization Policy
  • Vulnerability Management
  • Web Server Security Policy
  • Wireless Security
  • Workstation Security
  • User Provisioning
  • User De-Provisioning
  • Annual commitment to Payment Card Industry Data Security Standards (PCI DSS) compliance.
  • Annual security awareness training for all employees.
  • Annual risk assessment initiatives for assessing relevant risks to the organization and taking necessary action for reducing risk exposure.
  • Monitoring, as necessary, of all relevant third-party providers for which NordicTrack has a business relationship with in terms of storing, processing, and/or transmitting personal data for EU residents.

Your Rights as a Data Subject

If NordicTrack is storing, processing, and/or transmitting personal data for EU data subjects, then you must be made aware of the following rights and privileges under the General Data Protection Regulation (GDPR):

  • Right of Access: The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.
  • Right to Rectification: The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
  • Right to Erasure (“Right to be Forgotten”): The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay when various grounds apply.
  • Right to Restriction of Processing: The data subject shall have the right to obtain from the controller restriction of processing when various grounds apply.
  • Right to Data Portability: The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
  • Right to Object: The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

NordicTrack Marketing Consent & Disclosure

Please be advised that NordicTrack may collect, use and disclose your personal data which you have provided during phone support, the product registration process, forum disclosure, your NordicTrack account, newsletter sign-up, for providing marketing material that you have agreed to receive, in accordance with our enhanced privacy policy, available at the NordicTrack Privacy Policy and NordicTrack GDPR disclosures, available at our GDPR page, which is your GDPR portal.

How to Contact Us

If you have any questions regarding the GDPR or need to invoke any one of your rights as allowed by the regulation, please contact us at privacy@ifit.com for and we will provide the necessary information for facilitating your request.