Ideally, anyone who visits a gym not only loses calories, builds muscle or actively engages in preventive healthcare, but also leaves behind a lot of personal data. Address and payment information when signing a contract, health details when taking a medical history, digital check-ins or app usage – all of this is collected in everyday gym life. Members naturally assume that this data will be treated confidentially.
But what does this look like in practice? With the revised Data Protection Act (DSG) in Switzerland, the requirements have become clearer. Studios and course providers must reliably protect all customer data, collect it only to the extent necessary and process it transparently. Those who are careful here protect themselves from penalties, but even more importantly: by handling customer data in accordance with the DPA, they build stable customer relationships in the long term.
What the DSG means for fitness providers
The revised Data Protection Act (DPA) has been in force in Switzerland since September 2023 and also affects fitness centers, course providers and chains. It stipulates how personal data may be collected, stored and processed so that members’ privacy is protected at all times.
The most important basic principles of the DPA:
- Lawfulness: Data may only be collected on a clear legal basis or with consent.
- Transparency: Members must know what data is stored and for what purpose.
- Earmarking: Information may only be used for the intended purpose – e.g. management of the membership contract or training planning.
- Data minimization: Only as much data should be collected as is actually necessary.
- Security: Providers must take organizational and technical measures to protect data from unauthorized access.
Particularly important: Health or training data is considered “particularly sensitive personal data”. Stricter requirements apply to them, for example, explicit consent must be given and increased security measures apply to the storage and processing of this data.
Knowing and respecting members’ rights
Data protection means that you take the rights of your members seriously. When the contract is concluded or at the latest when data is collected, new members must be clearly informed about what data is collected, how it is stored and what it is used for – as well as how long it will be stored.
Every member also has the right to request access to the stored data at any time. The right to correction or deletion is also important. Incorrect data must be corrected. Data that you no longer need should be deleted immediately.
Practical measures for protecting customer data in the studio
In practice, data protection depends on clearly defined rules and processes. From signing contracts to training operations, you should therefore consciously introduce structures that guarantee the protection of member data. With these tips, you can create a routine that offers you long-term legal certainty and can strengthen the trust of your members.
Pay attention to data protection for your own website
The first point of contact with a gym is often the website. Even here, you should make sure that everything complies with data protection regulations. Data is collected everywhere on websites – in the contact form, when registering online or when using cookies. A clearly visible privacy policy is mandatory. Particularly practical: there are
Obtain written consent for data collection
It should be clear from the start of membership what data the studio really needs and for what purpose. It is best to record this directly in the contract: Contact details for the organization, payment information for billing and, if necessary, health information for training planning.
Written consent should always be part of the contract. As a studio operator, you can also prove at any time that you have provided information about data protection in your studio.
Make a distinction between contract data and health data
The DPA clearly stipulates that only customer data that is really necessary for the collaboration may be collected. You should therefore make a clear distinction between contract data and optional health data.
Contract data such as your address, date of birth and payment information are essential for managing your membership. Health data such as information on your own fitness level or injuries can of course be important for training planning, but is voluntary and may only be stored with express consent. Anything that goes beyond this falls under “retained data” and unnecessarily increases the risk.
Use secure systems and technology
The protection of member data depends heavily on how it is managed technically. Digital systems such as member management, booking apps or newsletter tools must be updated regularly to close security gaps. Equally important are strong passwords and two-factor authentication.
The following also applies to end devices such as computers, tablets or smartphones: data should be stored in encrypted form so that it cannot be read in the event of loss or theft. Anyone working with external service providers, for example for cloud solutions, should check again in advance that they meet the GDPR requirements.
Protect analog data too
Even in the age of digitalization, there are still paper contracts, handwritten health questionnaires and notes from consultations. These documents in particular contain sensitive information and must be stored with particular care
Documents lying around openly at reception or in offices are an unnecessary risk. Keep papers in lockable cabinets or roll containers and only allow access to authorized persons.
Define clear deletion and retention periods
You may not store member data indefinitely. The DPA requires that information is only kept for as long as it is needed for the original purpose. After that, it must be reliably deleted or destroyed.
For fitness studios, this means that you must retain contract and billing data. Health or training data, on the other hand, must be deleted at the latest after termination of membership.
Train your employees
Data protection stands and falls with the behavior of the people who work with the data on a daily basis. Even the best system is useless if documents are lying around openly or information is simply passed on over the phone, for example. This is why it is so important that you regularly sensitize all employees to the issue of data protection.
Training courses help to establish clear rules in everyday life:
- Documents should not be visible on the counter
- Conversations about members do not take place in the reception area and
- Data may only be passed on with express consent
These instructions should be repeated regularly so that they are always present.
How swiss active supports fitness studios with data protection
The topic of data protection affects the entire fitness industry. swiss active supports its members in complying with uniform standards and implementing the legal requirements of the DPA in practice. As the industry association for Swiss fitness and health providers, swiss active provides guidance in the legal jungle, passes on up-to-date information and promotes exchange between providers.
Through regular industry talks, publications and the development of networks, swiss active offers a platform where industry players can share experiences and learn from each other. This results in a transfer of knowledge that benefits everyone – from individual centers to chain operators.
©swiss active – Legal action will be taken against copying or otherwise reproducing.
