Personal Data Protection Clauses
1.1. In this Form, unless the context otherwise requires, the following terms shall have the meanings assigned to them below:
- “Consultant” means any BodyEngineers’ employee conducting sales;
- “Client” means any person engaging BodyEngineers for personal training;
- “Client Personal Data” means Personal Data which the Client discloses to the Consultant, or which the Consultant processes on behalf of the Client, including:
- All documents containing Client’s information such as, but not limited to, contracts and forms.
- Information shared between Client and Consultant on other forms of communication platforms such as, but not limited to, Whatsapp and social media.
- Information handed over to the respective trainer in charge of Client’s personal training via means mentioned in both above points.
- “PDPA” means the Personal Data Protection Act 2012; and
- “Personal Data” means data, whether true or not, about an individual who can be identified: (a) from that data alone; or (b) from that data and other information which the Consultant and/or BodyEngineers has or is likely to have access.
2. HANDLING AND PROTECTION OF PERSONAL DATA
2.1. Compliance with PDPA.
The Consultant shall comply with all its obligations under the PDPA at its own cost.
2.2. Process, Use and Disclosure.
The Consultant shall only process, use or disclose Client Personal Data:
- strictly for the purposes of fulfilling its obligations and providing the services required in this Form;
- with the Client’s prior written consent; or
- when required by law or an order of court but shall notify the Client as soon as practicable before complying with such law or order of court at its own costs.
2.3. Transfer of Personal Data Outside Singapore.
The Consultant shall not transfer Client Personal Data to a place outside Singapore without the Client’s prior written consent. [If the Client provides consent, the Consultant shall provide a written undertaking to the Client that the Client Personal Data transferred outside Singapore will be protected at a standard that is comparable to that under the PDPA. If the Consultant transfers Client Personal Data to any third party overseas, the Consultant shall procure the same written undertaking from such third party].
2.4. Security Measures.
The Consultant shall protect Client Personal Data in the Consultant’s control or possession by making reasonable security arrangements (including, where appropriate, physical, administrative, procedural and information & communications technology measures) to prevent unauthorised or accidental access, collection, use, disclosure, copying, modification, disposal or destruction of Client Personal Data, or other similar risks. The Consultant shall only permit respective authorised involved in this Form such as, but not limited to, the personal trainer in charge, administrative personnel of BodyEngineers, manager of the personal trainer and key appointment holder of BodyEngineers to access Client Personal Data on a need to know basis.
2.5. Access to Personal Data.
The Consultant shall provide the Client with access to the Client Personal Data that the Consultant has in its possession or control, as soon as practicable upon Client’s written request.
2.6. Accuracy and Correction of Personal Data.
Where the Client provides Client Personal Data to the Consultant, the Client shall make reasonable effort to ensure that the Client Personal Data is accurate and complete before providing the same to the Consultant. The Consultant shall put in place adequate measures to ensure that the Client Personal Data in its possession or control remain or is otherwise accurate and complete. In any case, the Consultant shall take steps to correct any errors in the Client Personal Data, as soon as practicable upon the Client’s written request.
2.7. Retention of Personal Data.
The Consultant shall not retain Client Personal Data (or any documents or records containing Client Personal Data, electronic or otherwise) for any period of time longer than is necessary to serve the purposes of this Form. The Consultant shall, upon the request of the Client:
- return to the Client, all Client Personal Data; or
- delete all Client Personal Data in its possession,
and, after returning or deleting all Client Personal Data, provide the Client with written confirmation that it no longer possesses any Client Personal Data. Where applicable, the Consultant shall also instruct all third parties to whom it has disclosed Client Personal Data for the purposes of this Form to return to the Consultant or delete, such Client Personal Data.
2.8. Notification of Breach.
The Consultant shall immediately notify the Client when the Consultant becomes aware of a breach of any of its obligations in Clauses [2.2 to 2.7].
The Consultant shall indemnify the Client and its officers, employees and agents, against all actions, claims, demands, losses, damages, statutory penalties, expenses and cost (including legal costs on an indemnity basis), in respect of:
- the Consultant’s breach of Clauses [2.2 to 2.7]; or
- any act, omission or negligence of the Consultant or its sub-Consultant that causes or results in the Client being in breach of the PDPA.