Pursuant to Articles 13-14 of EU Regulation 2016/679 (GDPR)
This notice describes how Dynami Srl (hereinafter "Dynami" or "Controller") processes the personal data of users, members, and individuals who use its services, in compliance with EU Regulation 2016/679 (GDPR) and Italian Legislative Decree 196/2003, as amended by Legislative Decree 101/2018.
1. Data Controller
- Name: Dynami Srl
- Registered office: Via Messina 28, San Giovanni la Punta (CT) - 95037, Italy
- VAT / Tax ID: IT05962330873
- Email: privacy@dynamilab.com
- Certified email (PEC): dynami@namirialpec.it
2. Categories of Data Processed
2.1 Common data
- Identifying data: first name, last name, date and place of birth, tax code
- Contact data: address, telephone number, email
- Payment data: bank details or credit/debit card information
- Facility access data and data relating to attendance and use of services
2.2 Special categories of data (Art. 9 GDPR)
Dynami processes the following special categories of personal data, capable of revealing the data subject's health status:
- Blood tests and biochemical analyses
- Biometric parameters (weight, height, BMI, body composition, heart rate, blood pressure, VO2 max, etc.)
- Pathological conditions, diagnoses, and medical history
- Medications taken and allergies relevant to sports activity
- Any other health information communicated by the data subject or collected in the context of preventive medicine services
3. Purposes and Legal Bases for Processing
The processing of common data is based on Art. 6 GDPR; the processing of special categories of health data is based on Art. 9 GDPR, according to the derogating grounds set out below.
| Purpose | Legal basis (Art. 6) | Legal basis (Art. 9) |
|---|---|---|
| Provision of sports services and management of the contractual relationship | Art. 6.1.b – performance of the contract | – |
| Preventive medicine and assessment of fitness for physical activity | Art. 6.1.b – performance of the contract | Art. 9.2.h – preventive medicine; Art. 9.2.a – explicit consent |
| Personalisation of training programmes based on health data | Art. 6.1.a – consent; Art. 6.1.b – contract | Art. 9.2.a – explicit consent |
| Monitoring of progress and adjustment of the programme over time | Art. 6.1.a – consent | Art. 9.2.a – explicit consent |
| Fulfilment of legal obligations (tax, insurance, regulatory) | Art. 6.1.c – legal obligation | Art. 9.2.b – obligations under labour and safety law |
| Protection of the data subject's physical integrity in emergency situations | Art. 6.1.d – vital interests | Art. 9.2.c – vital interests |
| Legal defence and protection of Dynami's rights | Art. 6.1.f – legitimate interest | Art. 9.2.f – establishment, exercise, and defence of legal claims |
4. Explicit Consent for Health Data
The processing of the special categories of data referred to in Section 2.2 is subject to the explicit and specific consent of the data subject, given by signing the relevant form attached to this notice. Consent may be withdrawn at any time, without prejudice to processing already carried out on the basis of consent previously given. Withdrawal of consent may make it impossible to provide certain personalised services.
5. Data Processors
The processing of health data is carried out, on behalf of Dynami, by qualified healthcare personnel (sports physicians, nutritionists, physiotherapists, and other health professionals) acting as Data Processors pursuant to Art. 28 GDPR, bound by specific confidentiality agreements and by the instructions issued by the Controller.
Such personnel are specifically authorised for the processing and are required to maintain the utmost confidentiality regarding information acquired in the performance of their duties, in compliance with Art. 29 GDPR and the applicable professional codes of conduct.
The Controller maintains an updated list of Data Processors, available upon request by data subjects.
6. Recipients and Communication of Data
Personal data may be disclosed, within the strictly necessary limits, to the following categories of recipients:
- Dynami's qualified healthcare personnel (Data Processors under Art. 28)
- IT service providers and management platforms (within the limits of the contract and upon appointment as Processor)
- Legal, tax, and accounting consultants
- Public, health, or judicial authorities, in cases provided for by law
- External healthcare facilities, subject to the data subject's explicit consent
Health data WILL NOT be disseminated to unspecified parties, WILL NOT be sold to third parties for commercial purposes, and WILL NOT be transferred outside the European Economic Area, except where adequate safeguards are in place pursuant to Articles 46-47 GDPR.
7. Retention Period
Personal data is retained for the time strictly necessary to achieve the purposes for which it was collected, in compliance with the principles of minimisation and storage limitation (Art. 5.1.e GDPR):
| Data category | Retention period |
|---|---|
| Identifying and contractual data | 10 years from the end of the relationship (Art. 2946 Italian Civil Code) |
| Health data and blood tests | 10 years from collection (Art. 2220 Italian Civil Code; Legislative Decree 81/2008); subsequently anonymised |
| Biometric and monitoring parameters | For the entire duration of the membership + 5 years; then anonymised for statistical purposes |
| Tax and payment data | 10 years (Italian Presidential Decrees 633/1972 and 600/1973) |
| Data relating to claims or disputes | Until the conclusion of the proceedings + 10 years |
| Data for marketing purposes (where consented) | Until consent is withdrawn |
Once the retention period has expired, health data will be irreversibly anonymised using techniques that prevent re-identification of the data subject, and may then be retained without time limits for statistical and research purposes, since it no longer constitutes personal data under the GDPR.
8. Security Measures
Dynami adopts appropriate technical and organisational measures to ensure a level of security commensurate with the risk, pursuant to Art. 32 GDPR, with particular regard to health data:
- Encryption of data at rest (AES-256) and in transit (TLS 1.3 or higher)
- Pseudonymisation of health data in analysis and monitoring systems
- Access control based on the need-to-know principle
- Audit logs of all access to special-category data
- Encrypted backup and disaster recovery procedures
- Mandatory periodic training of authorised personnel
- Periodically updated Data Protection Impact Assessment (DPIA)
9. Rights of the Data Subject
The data subject may at any time exercise the following rights, pursuant to Articles 15-22 GDPR:
- Right of access (Art. 15): obtain confirmation of processing and a copy of the data
- Right to rectification (Art. 16): correct inaccurate or incomplete data
- Right to erasure (Art. 17): obtain deletion of data in the cases provided for by law
- Right to restriction (Art. 18): obtain restriction of processing in certain circumstances
- Right to portability (Art. 20): receive the data in a structured format and transfer it to another controller
- Right to object (Art. 21): object to processing based on legitimate interest
- Right to withdraw consent (Art. 7.3): withdraw consent at any time
- Right to lodge a complaint with the Supervisory Authority (Art. 77): www.garanteprivacy.it (Italian Data Protection Authority)
Requests to exercise these rights may be sent by email to privacy@dynamilab.com or by registered mail to the registered office. Dynami will respond within 30 days, extendable by a further 60 days in the case of complex requests.
10. Updates
This notice may be updated. In the event of substantial changes, Dynami will notify data subjects through the usual channels. The current version is always available at the registered office and on the Dynami website.