MY TANITA AGREEMENTS

Data Processing Agreement & Privacy Policy

This Data Processing Agreement is entered into between TANITA Europe B.V., a Dutch limited liability company with corporate seat in Amsterdam and registered office at Hoogoorddreef 56 E, 1101 BE Amsterdam, the Netherlands and registered with the Dutch Chamber of Commerce under no. 34283024 (the “Data Processor”);

And you as a user of the Tanita Pro App. For the purpose of this agreement you will be referred to as the Data Controller.


Data Controller and Data Processor, each a "Party" and together referred to as the "Parties".

 

 

WHEREAS:

 

  1. The Data Controller and Data Processor have concluded the Agreement relating to the use, by the Data Controller, of an app distributed by the Data Processor for the Data Controller’s commercial purposes;

 

  1. The Data Controller’s use of the Data Processor’s app will involve the collection of third party personal data, including Sensitive Personal Data. This data will be processed, on the Data Controller’s behalf and on its instruction, by the Data Processor;

 

  1. Under article 14 of the Dutch Data Protection Act and, as from 25 May 2018, the General Data Protection Regulation, parties are required to conclude a data processing agreement;

 

  1. Parties will enter into this Data Processing Agreement in order to fulfil their obligations under the Dutch Data Protection Agreement and, as from 25 May 2018, the General Data Protection Regulation.

 

  1. DEFINITIONS

 

The following terms as used in this Data Processing Agreement shall, unless the context clearly indicates to the contrary, have the meanings set forth in this Clause:

 

"Agreement" means the end user licence agreement and general terms and conditions of use applicable to the Data Controller’s use of the Data Processor’s app, including any changes thereto and any further agreement agreed to between the Parties that refers to this Data Processing Agreement;

 

"Applicable Laws" means all laws, including the Dutch Data Protection Act and, as of 25 May 2018, the GDPR, that are applicable to the Processing of Personal Data.

 

"Data Breach" means any breach of security leading to or that may have led to accidental or unlawful destruction, loss, alteration, compromise, disclosure of, or access to Personal Data, stored, transmitted or otherwise processed in the context of the Agreement;

 

"Data Processing Agreement" means the present data processing agreement including the annexes hereto;

 

"GDPR" means the General Data Protection Regulation (Regulation (EU) No 2016/679);

 

"Personal Data" means any information relating to an identified or identifiable natural person, obtained in relation to the Agreement, as set out in Annex 1;

 

"Processing" or "Process" means any operation or set of operations which is performed on Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction;

 

"Sensitive Personal Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life;

 

"Sub Processor" means any processor, as defined in the GDPR, engaged by the Data Processor who agrees to Process Personal Data on behalf of the Data Controller;

 
"Technical and Organisational Measures" means the technical and organisational measures as defined in the GDPR.

 

 

  1. OBLIGATIONS OF THE DATA PROCESSOR

 

    1. The Data Processor shall:

 

  1. Process Personal Data in accordance with Applicable Laws;

 

  1. not Process any Personal Data other than in accordance with the Data Controller’s instructions as set out in Annex 1;

 

  1. only store the Personal Data for as long as the Data Controller requires and correct, anonymise, block or delete the relevant Personal Data at the Data Controller’s instructions; and

 

  1. ensure that the only persons able to process or access any particular Personal Data in Data Processor’s or Sub Processor’s possession, custody or control in the performance of the Agreement are the Data Processor’s or Sub Processor’s employees who need to process or access such Personal Data in order to carry out their duties in connection with the Agreement.

  1. TECHNICAL AND ORGANISATIONAL MEASURES

 

    1. The Data Processor shall:

 

  1. adopt and maintain suitable Technical and Organisational Measures.

 

  1. taking into account the nature of the processing, and with all the means at its disposal, provide the Data Controller with all reasonable assistance in ensuring compliance with regard to the obligations arising from Applicable Laws, especially articles 32 up to and including 36 of the GDPR when applicable.

 

    1. The Data Processor shall ensure that the Technical and Organisational Measures are:

 

      1. appropriate, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of persons, that, where appropriate, may include, but are not limited to:

      1. the pseudonymisation and encryption of personal data;

      2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

      3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

      4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

 

    1. adopted and applied in such a way that the Data Controller, with regard to the processing that is entrusted to the Data Processor, constantly acts in compliance with the Applicable Laws.

 

    1. The Data Controller may request that the Data Processor take additional security measures.

  1. USE OF SUB CONTRACTORS

 

    1. The Data Controller grants general authorisation to the Data Processor to engage Sub Processors. The Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of sub processors; the Data Controller may object to such changes.

 

    1. The Data Controller grants specific authorisation to the Data Processor to make use of cloud server services from Amazon Web Services (currently operating in Germany, Ireland and the UK) for Data Processing purposes.

 

    1. In the event Data Processor enters into data processing agreements with relevant sub processors, the sub processor will abide by the same obligations as the data processor under this data processing agreement, meeting the requirements of relevant legislation.

  1. TRANSFER OF PERSONAL DATA

 

    1. The Data Processor may not transfer Personal Data to a country outside the European Economic Area (the ‘EEA’), unless the Data Controller instructs the Data Processor in writing prior to the transfer or the Data Processor is obliged to transfer Personal Data pursuant to a legal obligation. In case a legal obligation requires the processor to transfer personal data outside the EEA, the Data Processor will inform the Data Controller prior to the transfer, unless it is unable or unauthorised to do so.

 

    1. If the Data Controller instructs the Data Processor to transfer personal data to a country outside the EEA the Data Processor is only permitted to transfer and process personal data to this country where:

 

  1. The country in question offers an adequate level of protection according to the EU ‘white list’ of countries offering adequate data protection standards; or

 

  1. EC Model Clauses are concluded between the Data Controller and the Data Processor or a Sub Processor, as set out under article 46(2)(c) and (d) GDPR; or

 

  1. The transfer is allowed based on another legal ground under Applicable Laws and the Data Controller has explicitly consented with a transfer based on such legal ground.

 

    1. Where Personal Data is transferred to a Sub Processor located in a country outside the EEA and there are no EC Model Clauses as set out under Clause 5.2(b) available that regulate the transfer between two processors, the Data Controller instructs and authorises the Data Processor to instruct the Sub Processor in Data Controller’s name and vis-a-vis the Sub Processor’s to conclude EC Model Clauses.

  1. AUDITS

 

    1. The Data Controller may audit the Data Processor’s compliance with this Data Processing Agreement, in particular, the implementation of the Technical and Organisational Measures under this Agreement at any time, subject to a written request stating the Data Controller’s reasonable reasons for the audit, provided at least 30 days prior to the date of the intended audit.

 

    1. The Data Processor shall provide the Data Controller and its auditors with all reasonable cooperation, access to its Processing facilities and assistance in relation to each audit. Audits must not involve any unjustified interference with Processor’s rights, business development, facilities, procedures and systems.

 

    1. The Data Controller shall cover all expenses in connection with any such audit, including any expenses incurred by the Data Processor.

  1. CONFIDENTIALITY

    1. The Data Processor shall keep all Personal Data strictly confidential and ensures, prior to the disclosure of Personal Data to its employees, subcontractors or employees of subcontractors, that these persons are bound by the same conditions of confidentiality.

 

    1. Subject to Clause 7.1, the Data Processor may disclose Personal Data when a law requires the Data Processor to disclose Personal Data or when the Data Controller instructs the disclosure of Personal Data.

 

    1. The obligation of confidentiality shall also apply after termination of this Data Processing Agreement.

  1. NOTIFICATION OF A DATA BREACH

 

    1. As part of the obligations incumbent on the Data Processor with regard to the security of personal data, the Data Processor shall establish and maintain procedures designed to reasonably detect Data Breaches and then implement the correct measures, including recovery measures.

 

    1. The Data Processor will promptly, as soon as possible under the circumstances, notify the Data Controller, as set out in Clause 8.3, about (i) any legally binding request for disclosure of Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation, and (ii) a Data Breach.

 

    1. The Data Processor will notify the Data Controller about every Data Breach as well as:

 

  1. the start and end time and date and the location of such event;

 

  1. the nature and scale of such event;

 

  1. the department or part of the system in which the event occurred;

 

  1. the time needed to reverse damage of the Data Breach;

 

  1. the nature and scope of Personal Data records concerned;

 

  1. the categories and approximate number of data subjects concerned;

 

  1. the likely consequences of such event, including the consequences for the Data subject and a proposal to prevent damage and other negative consequences;

 

  1. measures taken or to be taken to mitigate the consequences of the Data Breach; and

 

  1. the name and contact details of the data protection officer or other contact point where more information about the Data Breach can be obtained.

 

    1. The Data Processor shall, within 48 hours of discovery of a Data Breach, notify the Data Controller, as set out under Clauses 8.2 and 8.3, and subsequently keep the Data Controller fully informed about any progress of the recovery or other relevant developments with respect to such event.

 

    1. The Data Processor shall without delay take all reasonable measures to reduce and recover the negative impact of a Data Breach. The Data Processor is obliged to inform Data Controller of these measures.

 

    1. Unless required under Applicable Law, the Data Processor shall not, on its own initiative, notify data subjects that are affected or likely to be affected by a Data Breach or the supervisory authority that is competent to take notice of a Data Breach.

  1. REQUESTS BY DATA SUBJECTS

 

    1. The Data Processor will provide all reasonable assistance to ensure that the Data Controller is able to fulfil its legal obligations when a data subject exercises his or her rights under the Applicable Laws.

 

    1. As soon as the Data Processor receives a request as mentioned in Clause 9.1, the Data Processor shall promptly inform the Data Controller. The Data Processor shall not respond to the request without the consent of the Data Controller.

 

    1. On the instruction of the Data Controller, the Data Processor shall, without delay, correct, erase or otherwise adjust or process the Personal Data.

 

    1. The Data Processor will promptly inform the Data Controller about any request or complaint of the Data Subject with respect to the processing of its Personal Data.

  1. LIABILITY

 

    1. The Data Processor shall only be liable for damage to the extent that it is caused through a breach of obligations specifically applicable to processors under the GDPR or where it has acted in breach of this Data Processing Agreement. The Data Controller shall indemnify and hold the Data Processor harmless from all other damage, including fines imposed by regulators, which arise from or in connection with any act or omission in relation to the Data Processing. In particular, the Data Processor shall not be liable for any damage caused by a breach of the Data Controller’s legal obligations.

 

    1. In determining the factual responsibility for any event giving rise to damage within the meaning of Clause 10.1, logs and measurements generated by the Data Processor’s systems shall be decisive, in the absence of any evidence of greater objective probative value provided by the Data Controller.

  1. TERM AND TERMINATION

 

    1. This Data Processing Agreement is concluded on the moment the Parties signed the same and is effective until termination of the Agreement.

 

    1. Parties agree that on the day of termination of this Data Processing Agreement, the Data Processor shall, at the choice and the costs of the Data Controller, return all Personal Data and the copies thereof, by means of the Data Controller’s choice, to the Data Controller or a third party designated by the Data Controller.

 

    1. After the return of the Personal Data, a written rejection of the return of the Personal Data by the Data Controller, or if the Data Controller does not respond within one month after the offer to return the data, the Data Processor will promptly destroy all Personal Data. On request of the Data Controller, the Data Processor will confirm to the Data Controller in writing that it has destroyed the Personal Data.

  1. MISCELLANEOUS

 

    1. This Data Processing Agreement shall be governed by, and construed in accordance with, the laws of the Netherlands. The competent court in Midden-Nederland, the Netherlands shall exclusively settle disputes.

 

    1. No term of this Data Processing Agreement shall be amended or modified, unless such amendments or modifications are made in writing with express reference to this Data Processing Agreement and signed by both parties.

 

    1. The Data Processor shall accept any modification of this Data Processing Agreement which is incorporated for the purpose of compliance with Applicable Laws.

 

 

Annex 1 DESCRIPTION OF PROCESSING OPERATIONS

 

Categories of personal data

The Personal Data processed concern the following categories of data:

 

Name, address, email, date of birth, sex, height, address, country, telephone

Weight, Body fat, Body water, Muscle mass, Physique Rating, Metabolic age, Visceral fat, BMI, Muscle Quality score, Basal Metabolic Rate, Bone mass, BIA, Phase Angle

 

Processing operations

 

The Personal Data are collected by the Data Controller by means of its use of the Data Processor’s app. The app is used in the course of the Data Controller’s profession for purposes including the collection, storage and evaluation/analysis of information, including Personal Data, relating to the Data Controller’s clients/patients.

 

Consumer Privacy Statement

of TANITA Europe B.V.

  1. Identity of the collector of the data

 

    1. This document is the Privacy Statement of the Dutch limited liability company TANITA Europe B.V., with corporate seat at Amsterdam and registered office at Hoogoorddreef 56 E, 1101 BE Amsterdam, the Netherlands and is registered with the Dutch Chamber of Commerce under no. 34283024 (“Tanita”).

 

    1. Tanita is the data controller (de verantwoordelijke) of Personal Data within the meaning of s. 1(d) of the Dutch Personal Data Protection Act (de Wet bescherming persoonsgegevens) and the General Data Protection Regulation (Regulation EU 2016/679).

 

    1. Tanita processes personal information collected by the users (“Users”) of its app (“My Tanita” or the “App”) on behalf of the User for the purposes set out below, and in accordance with the terms of this Privacy Statement.

 

    1. My Tanita is an app for mobile devices which allows Users to collect, store and process personal data, including sensitive health data.

 

    1. All correspondence with regard to this Privacy Statement should be directed to either info@tanita.eu or:

 

TANITA Europe B.V.

Hoogoorddreef 56 E

1101 BE Amsterdam

The Netherlands

 

  1. Principles for processing Personal Data

 

    1. Tanita takes your privacy and the protection of your Personal Data very seriously. In this Privacy Statement we will outline the purpose of our collection of your Personal Data, and the conditions under which we collect and use your Personal Data. The collection of your Personal Data is, if reasonably possible, subject to confidentiality. We will do our utmost to ensure that such collection will be done in accordance with all relevant mandatory data protection legislation.

 

    1. When collecting your data, we take all reasonably possible technical and organisational precautions to ensure that your data does not become accessible to unauthorized third parties. We note that it is impossible to guarantee complete data security in the case of e-mail correspondence. We would therefore recommend that you send us any confidential information by registered post.

 

  1. Personal Data

 

    1. For the purposes of this Privacy Statement, “Personal Data” means any information relating to, or possibly relating to, an identified or identifiable natural person, such as a name, age, postal address, email address, telephone number etc.

 

  1. Collecting and using Personal Data

 

    1. We collect different types of your Personal Data depending on the purpose of the collection. You can always request an outline of which purpose(s) we are collecting and using your Personal Data.

 

    1. We may collect your name and email address for the purpose of:

 

      1. contacting you after you have filled in a contact form;

 

      1. informing you of changes to our products or any applicable terms and conditions;

 

      1. maintaining our technical administration;

 

      1. sending you our newsletter, if requested;

 

      1. sending you our information on our products and events, if consented to;

 

      1. analysis and research.

 

    1. For the purpose of registering your user account on our App and connecting that account to one of our products, we may collect your name, address, telephone number, e-mail address, age, nationality and occupation on one of our online storage facilities in the EU. The data transmission is encrypted!

 

    1. For the functioning of the App’s health measurement functions, we may collect your weight and other health data on one of our online storage facilities in the EU. The data transmission is encrypted!

 

    1. If Tanita introduces a new process or application that will result in the processing of Personal Data for purposes that go beyond the purposes as described above, Tanita will inform you of such new process or application for which your Personal Data will be used.

 

  1. Passing on Personal Data

 

    1. If you have provided us with Personal Data, this is only passed on or otherwise transferred to third parties if it is essential for performance of our services, or if you have given your explicit prior consent.

 

    1. For (physical or digital) storage purposes, your Personal Data may be transferred to selected third parties of Tanita, either within the European Union or outside of the European Union. Tanita ensures that these third parties comply, or have assured to comply, with all applicable privacy legislation. With regard to third parties domiciled in the United States, Tanita ensures that these third parties comply, or have assured to comply, with all the Privacy Shield Principles of the Privacy Shield and have taken the necessary actions to register within the Privacy Shield framework.

 

  1. Cookies

 

    1. Parts of our website may use so-called cookies. Cookies are small text files which are deposited on your computer and which your browser stores. Cookies help us to adapt our offer to your interests, save your personal settings and make our website more user-friendly, efficient and secure.

 

    1. Most of the cookies we use are so-called “session cookies”. They are automatically deleted following your visit. Other cookies, so-called “permanent cookies” remain stored on your end device until you delete them. These cookies enable us to recognise your browser during a subsequent visit.

 

    1. Your browser enables you to disallow cookies, to allow cookies for specific websites or specific cases only or to allow cookies which are automatically deleted after your visit to a website. You can also prevent cookies from being stored at all by setting your browser to “don’t accept any cookies”. We point out that deactivating cookies may limit the functionality of our website and services.

 

    1. The following URLs give you more information on how you can manage your cookie-settings:

 

Internet Explorer

Mozilla Firefox

Google Chrome

Safari

 

  1. Protection of your Personal Data and reporting obligation of data leaks

 

    1. In the event your Personal Data is collected and stored, we ensure that we make use of adequate security measures to assure appropriate protection of your Personal Data.

 

    1. In the event of a quantitative and qualitative loss, permanent or temporary damage, breach or unlawful use of Personal Data (a “Data Leak”), we are obligated to file a report with the Dutch Data Protection Authority. Should we or the Dutch Data Protection Authority consider that such a Data Leak may negatively affect your privacy, we are obligated to inform you as well. Such notification cannot, in any way, be considered as an acceptance of liability for possible damages arising from the data leak.

 

  1. Period of collection of your Personal Data

 

    1. Tanita only collects your Personal Data for the necessary or legally allowed period, to be determined by the purpose of the data collection.

 

    1. The Personal Data as described under 4.3 and 4.4 of this Privacy Statement will no longer be stored and will be deleted immediately after deletion or deregistration of your user account.

 

  1. Newsletter

 

    1. You may withdraw your previously granted consent to receive our newsletter by clicking on the “unsubscribe” link in the newsletter or by clicking this link.

 

    1. This shall entail no additional costs other than any transmission costs charged by your provider.

 

  1. Your rights

 

    1. At any point and free of charge, you have the right to obtain information from us with regard to the collection of your Personal Data, the origin and recipient of that data as well as the purpose of the data collection.

 

    1. You also have the right to correct, lock, limit, delete or object to the collection of your Personal Data. You may correct and/or complete your data at any time. Stored Personal Data will be deleted if you withdraw your previously granted consent to this Privacy Statement, if the data is no longer necessary to complete the purpose for which the data was originally stored or if the storage is in any way impermissible for other legal reasons.

 

    1. In some cases, you may have the right to data portability which means that we must present you your Personal Data in a structured, functional and eligible format. Upon your request, we will inform you on your right to data portability.

 

    1. You may withdraw your consent or address any questions or modifications to us in written or electronic form at any time by sending a mail to info@tanita.eu or the address mentioned in 1.3 of this Privacy Statement.

 

    1. This shall entail no additional costs other than any transmission costs charged by your provider.

 

    1. At any point you have the right to file a complaint with the Dutch Data Protection Authority with regard to our collection of your Personal Data.

 

  1. Right of modification of this Privacy Statement

 

    1. Tanita reserves the right to amend this Privacy Statement in accordance with the applicable legal data protection provisions at any time. Should such amendment have an impact on the scope of use of your Personal Data, the implementation of any modifications shall be subject to your prior consent.

 

    1. If you have questions about this privacy policy or concerns about how we collect, use or protect your personal information, please contact us at info@tanita.eu.

Disclaimer

Tanita disclaims any and all liability for any damage directly or indirectly suffered by you, in connection with or related to your use of any of Tanita’s websites, products, services and/or applications. You must assume total responsibility for your use of the Tanita websites, products, services and applications. Your only remedy against Tanita for any dissatisfaction or deception with all or parts of the Tanita websites, products, services and applications or any content, directly or indirectly linked to it, is to stop using it.

 

The information and materials contained on the App are provided “as is” and “as available”. Tanita hereby disclaims all warranties, whether express or implied, with respect to the information and functionality contained on the App, including but not limited to non-infringement of proprietary and other rights, merchantability and fitness for a particular purpose. Without limiting the foregoing, Tanita does not warrant the accuracy, timeliness, completeness, reliability or availability of the App or the information and results obtained from use of the App, or that the App is virus-free or error-free.

 

For more information on data protection, privacy policy, terms and conditions, go to www.tanita.eu