DATA PROCESSING ADDENDUM (DPA)
This Data Processing Addendum ("DPA") forms part of and is incorporated into the Gymnastics Leaders & Gymnastics Growth Academy Membership Agreement ("Membership Agreement") between Gymnastics Growth Limited ("Processor") and the Member Club ("Controller").
This DPA applies where Gymnastics Growth Limited processes personal data on behalf of the Member Club in connection with the Programme and related services.
This Addendum is entered into in accordance with Article 28 of the UK General Data Protection Regulation ("UK GDPR").
Roles of the Parties
1.1 For the purposes of this DPA, the Member Club is the Data Controller and Gymnastics Growth Limited is the Data Processor.
1.2 The Controller determines the purposes and means of processing personal data relating to its staff, users and authorised participants.
1.3 The Processor shall process such data only on documented instructions from the Controller except where otherwise required by law.
Subject Matter and Duration
2.1 The subject matter of processing includes staff account management, onboarding, coaching participation, programme administration, certifications, assessments, surveys, benchmarking activities, reporting, analytics, communications, participation monitoring and related support services.
2.2 Processing shall continue for the duration of the Membership Agreement unless otherwise required by law.
Nature and Purpose of Processing
3.1 The Processor processes personal data for the purpose of:
(a) providing access to Programme services;
(b) administering memberships and authorised users;
(c) delivering coaching, onboarding and support services;
(d) managing certifications and assessments;
(e) providing reporting, analytics and benchmarking tools;
(f) facilitating community participation;
(g) supporting organisational development activities;
(h) providing customer support and operational services.
3.2 The Processor shall not use personal data for its own independent purposes where acting as Processor.
Categories of Data Subjects
4.1 Data subjects may include:
(a) coaches; (b) managers; (c) club owners; (d) directors; (e) administrative staff; (f) authorised users; (g) contractors and volunteers where added by the Controller.
Categories of Personal Data
5.1 Personal data processed may include:
(a) names; (b) email addresses; (c) job titles and roles; (d) club affiliation; (e) login credentials (encrypted); (f) participation records; (g) certification and assessment records; (h) onboarding information; (i) survey responses; (j) benchmarking submissions; (k) coaching notes; (l) transcripts and recordings where applicable; (m) platform usage information; (n) communications and support records.
5.2 The parties do not intentionally process special category data and Members should avoid submitting such information unless necessary and lawful.
Processor Obligations
6.1 The Processor shall:
(a) process personal data only on documented instructions;
(b) ensure authorised personnel are subject to confidentiality obligations;
(c) implement appropriate technical and organisational security measures;
(d) maintain appropriate access controls;
(e) assist the Controller in responding to data subject requests where reasonably required;
(f) notify the Controller without undue delay following awareness of a personal data breach affecting Controller data;
(g) assist the Controller with compliance obligations where reasonably required;
(h) delete or return personal data upon termination where required and subject to lawful retention obligations;
(i) provide information reasonably necessary to demonstrate compliance.
AI-Assisted Processing
7.1 The Controller acknowledges that the Processor may utilise trusted AI-assisted technologies to support transcription, summarisation, organisation, analysis, reporting and service delivery functions.
7.2 Such technologies shall operate under appropriate contractual and data protection safeguards.
7.3 AI-assisted processing shall remain subject to human oversight and shall not constitute solely automated decision-making.
Sub-Processors
8.1 The Controller acknowledges that the Processor may utilise trusted third-party service providers including:
(a) hosting providers; (b) cloud storage providers; (c) CRM systems; (d) analytics providers; (e) payment providers; (f) video conferencing providers; (g) email service providers; (h) AI service providers; (i) transcription providers; (j) customer support platforms.
8.2 All sub-processors shall be subject to contractual obligations consistent with applicable data protection laws.
International Transfers
9.1 Where personal data is transferred outside the United Kingdom, appropriate safeguards shall be implemented in accordance with UK GDPR requirements.
Liability
10.1 Liability arising under this DPA shall be subject to the liability provisions contained within the Membership Agreement.
Order of Precedence
11.1 In the event of conflict between this DPA and the Membership Agreement, this DPA shall prevail in respect of data protection matters.