Annex 1 – Data Flow Overview (Art. 26 GDPR)
A. General Information
Systems/platforms : Websites, iOS app, Android app, CMS, Trainer app, Kiosk/Terminal, Widgets (Membership/Appointment/Forms), API, push infrastructure
Database : MongoDB Atlas (AWS Region Frankfurt, eu-central-1)
Data categories : Master data, contact data, contract/membership data, payment data, usage/device data, communication data, training data, health data (special categories under Art. 9 GDPR)
Affected persons : Users/interested parties, members, guests, trainers/studio staff (CMS), support requesters
B. Data Flow Table (Process & Legal Basis Matrix)
I'm writing this using the same logic as your sheet, but in a legally consistent way (e.g., Art. 6/Art. 9 clearly separated, storage logic clear, role model clear).
1) Classic registration (website/app)
Case : Classic registration – mobile apps/websites
Description : User registration in websites, Android and iOS mobile applications
Data category : User data
Affected data : Username, email address, password (hashed), registration time, verification status
Data source : User
Purpose : Creation and management of the user account; authentication
Data recipient : Fitness Nation (platform operator)
Process : User registers → email activation link is sent → activation within 24 hours → otherwise the pending registration is deleted.
Legal basis : Art. 6(1) b GDPR (contract/account provision) and Art. 6(1) f GDPR (IT security, abuse prevention)
Storage period : Pending accounts max. 24 hours; active accounts until deletion/termination + statutory retention obligations.
Role model : joint responsibility (insofar as community/platform purposes are concerned), otherwise independent responsibility of each party.
Legitimate interest : Operational security, prevention of fake accounts, platform integrity
Notes : Passwords must never be stored in plaintext, only as hashes produced by a dedicated password-hashing function; email verification is mandatory.
2) Facebook registration
Case : Facebook registration
Data affected : Email/phone number, profile picture, possibly name (depending on scope)
Source : User's Facebook profile
Purpose : Single Sign-On / Account Creation
Recipient : Fitness Nation
Legal basis : Art. 6(1) a GDPR (consent for social login), Art. 6(1) b GDPR (account creation)
Storage period : like user account
Role model : Processing on behalf (AV): Fitness Nation for the studio, insofar as only studio-internal account management is involved; otherwise shared responsibility for community functions.
3) Apple ID Registration
Case : Apple ID registration
Affected data : Email address (real or relay address), Apple ID identifier (technical)
Legal basis : Art. 6(1) a GDPR (SSO), Art. 6(1) b GDPR (account)
Storage period : like user account
4) Member registration frontend (status location assignment)
Case : Member registration – Front page
Data concerned : Username, email address, location/gym assignment, and any consents given.
Purpose : Assigning a user to a status location; activating location-specific functions; lead forwarding
Recipient : Fitness Nation + Studio
Legal basis : Art. 6(1) a GDPR (consent to transfer to Studio/Lead)
Storage period : until revoked or as long as the account exists.
Role model : shared responsibility
Notes : Must be clearly added to the privacy policy and consent text (data transfer and contact).
5) Member registration CMS/Trainer app
Case : Member registration – CMS/Trainer app
Data affected : Email, username, status location, date, trainer name, signature, consents
Purpose : Member profile creation; studio management
Legal basis : Art. 6(1) b GDPR (membership/contract) + Art. 6(1) a GDPR (consent); for health data additionally Art. 9 para. 2 lit. a GDPR
Storage period : Contract duration + legal obligations; health data until revocation
Role model : Regularly processing on behalf (AV): Fitness Nation as technical service provider for the studio; potentially shared responsibility once community/platform-wide use occurs.
6) Edit profile
Case : Edit profile
Affected data : extensive master data including contact details, address details, bank details, profile picture, date of birth, gender, telephone number, WhatsApp, status location, workout ID, etc.
Purpose : Member management, coaching functions, workouts, kiosk functions, consistent data storage
Legal basis : Art. 6(1) a GDPR (consent for optional information), Art. 6(1) b GDPR (account management/contract); Art. 6(1) f GDPR (system integrity); for health data Art. 9 para. 2 lit. a GDPR
Storage period : until account deletion or contract termination; bank details retained for tax/commercial law purposes only to the extent necessary.
Role model : shared responsibility insofar as data is synchronized between the platform and the studio.
7) Reset password
Case : Password reset
Affected data : Email address; token; temporary password
Purpose : Authentication / Account Recovery
Legal basis : Art. 6(1) b GDPR; Art. 6(1) f GDPR (IT security)
Storage period : Reset tokens are short-lived (e.g., 1 h or 24 h)
8) Membership (Widget/CMS/Kiosk)
Case : Membership
Data concerned : Name, address, date of birth, gender, contact details, bank details, signature
Purpose : Conclusion and processing of the membership contract between studio and member
Recipient : Studio; possibly FN as a platform
Legal basis : Art. 6(1) b GDPR
Storage period : Contract duration + statutory retention
Role model : typically AV FN for Studio
9) Appointment scheduling (Widget/CMS/Kiosk)
Case : Appointment scheduling
Data concerned : Name, contact details, date/time, department, team member
Legal basis : Art. 6(1) b GDPR (pre-contractual/contractual)
Role model : AV FN for Studio
10) Trial training form / Contact forms / Callback / Bring-a-friend / Support forms
These cases are all very similar. I would group them neatly together in the appendix under:
Contact/Lead Forms (Studio)
Support/Ticket Forms (Studio)
and then sub-cases for each form type as lines.
11) Push notifications
Case : Push notifications
Affected data : Device Token/ID, App ID
Legal basis : Art. 6(1) a GDPR (consent)
Role model : AV FN for Studio (if Studio Push); standalone FN (if FN's own Push)
12) Chat messages
Case : Chat messages
Data affected : Message content (potentially personal data), metadata (sender/recipient/time)
Purpose : Communication function
Legal basis : Art. 6(1) a GDPR (Consent/Use of feature)
Role model : AV FN for studio or FN as platform operator – no content evaluation takes place.
Storage period : to be defined (e.g., until deletion by the user / max. X months)
13) Health examination / medical history
Case : Health examination/medical history
Data affected : health status, illnesses, BMI, etc.
Legal basis : Art. 9(2) a GDPR + Art. 6(1) a GDPR
Storage period : until revocation/deletion
Role model : AV FN for studio (if recorded by the trainer); shared responsibility if the FN coach/planner works with the data.
14) Virtual Coach / Training Plan Generator
Case : Virtual coach
Affected data : Training level, physical characteristics, routine data, preferences
Legal basis : Art. 6(1)(a) GDPR; where applicable, Art. 9(2)(a) GDPR
Storage period : until revoked
Role model : shared responsibility (when both studio and FN define coach purpose)
15) Newsletter
Case : Newsletter (3 scenarios)
Legal basis : Art. 6(1) a GDPR
Storage period : until revocation; the revocation itself is retained permanently as a suppression (block) entry (Art. 6(1) f GDPR)
Role model : dependent on a/b/c (as in your notes)
16) Check-in / Access
Case : Check-in
Affected data : RFID, Device ID, Check-in Device, Timestamps
Purpose : Access control; attendance verification; insurance documentation; evaluations (anonymized)
Legal basis : Art. 6(1) b GDPR (membership) + Art. 6(1) f GDPR (security/proof)
Storage period : 2 years (as specified)
Role model : AV FN for studio; FN only uses anonymized/statistical analysis.
17) Bodycheck Body Analysis (BIA)
Case : Bodycheck
Data affected : weight, BMI, water, fat mass, muscle mass, etc.
Legal basis : Art. 9(2) a GDPR + Art. 6(1) a GDPR
Storage period : until revocation/deletion
Role model : shared responsibility
Note : Personalized advertising only with separate consent and transparency about any profiling