Get HCM digital magazine and ezines FREE
Sign up here ▸
Jobs   News   Features   Products   Magazine      Advertise  
Customer data
The right to be forgotten

From 2018, individuals will be able to tell their gym to hand their personal data directly to a competitor’s club, without storage of that data. Tom Walker secures a free legal briefing on this change in law

By Tom Walker | Published in Health Club Management 2016 issue 5


New data protection rules, introduced by the European Commission and coming into force in 2018, could have a big impact on health and fitness businesses.

One of the key items in the regulations involves the transferring of personal, portable data. It stipulates that individuals have the right to have their personal data transferred from one business to another on request, and without storage/processing.

In practice, this means that a health club user who has given over personal information can have that data wholly and safely transferred to a new health club on their request.

We speak to data and sports law firm Couchmans, as well as health and fitness industry experts, on the potential effects of the new legislation.

THE LEGAL BRIEFING

 

Nick White
 
Nick White Head of IP and digital Couchmans LLP

With smart technology on the rise, many businesses, including gyms and leisure facilities, are now harvesting vast quantities of data from customers – something that can benefit both customers and businesses. However, new European data protection rules could potentially necessitate a wholesale review of data policies.

In December 2015, the European Parliament, Commission and Council announced new legislation governing data protection. This new General Data Protection Regulation (or GDPR), replaces the outdated data protection laws that have been in place since 1995 and, from 2018, will apply to all businesses that process in any way the data of EU citizens.

Data portability
One of the key elements of the new rules is the right of ‘data portability’. Essentially, this means individuals will have the right – albeit a limited right – to require a business to transfer personal data directly to another business, even where that other business is a competitor.

Gyms, for example, hold individual details such as name, address, contact details, date of birth and bank details. They might also hold data on customers’ weight, height and limited medical information, and possibly even details of the kinds of activity they want to do or the results they want to achieve. The gym may hold other data too, including dates and times of all the customer’s visits and, potentially, detailed exercise plans produced with a PT.

All of this is personal data – but, importantly, not all of it is portable data in the legal sense. Any data not actually provided by the individual to the gym – which would potentially include any exercise plans and usage logs – would be exempt from the portability rule. It will, however, still be covered by the less potent ‘right of access’, which will only require the operator to provide the data to the customer, on request, in electronic format – without the obligation to provide the data direct to another business.

So, the customer’s right to data portability only applies to data that he or she has actually provided to the data controller – in this case the gym.

The customer will have the right to demand that this data be transmitted directly to another operator should they decide to switch gyms.

The legislation does provide that this obligation will only be imposed where such transmissions are ‘technically feasible’, but what this will mean in practice is far from clear at present. The guidance on this should be forthcoming.

New technology
The GDPR also requires a privacy impact assessment (PIA) to be carried out where the introduction of a new process or technology is likely to cause a high risk to personal rights or freedoms. As more fitness operators introduce wearables and other connected devices, they will have to consider carefully whether they first need to conduct a PIA.

The key message for gyms and leisure facilities is that they must endeavour to understand the types of personal data they process, and what regulations currently, and will shortly, apply. There’s no need to worry unduly but, as 2018’s implementation date draws closer, operators should begin to plan now.


"Gyms must endeavour to understand the types of personal data they process, and what regulations apply"


WHAT DOES THIS MEAN FOR GYMS?

 

Tom Withers
 
Tom Withers Managing director Gladstone Health and Leisure

This new legislation is not unexpected. In today’s digital age, consumers are increasingly dependent on their data being passed seamlessly from one business to another, in everything from utilities to banking.

The GDPR extends beyond data portability; it also enshrines the customer’s right to be forgotten. In future, when businesses ask people to share personal details, there will be new rules for obtaining valid consent that will require simple wording and an expiry date. Neither silence nor inactivity will be construed as consent. Depending on the volume of data held, it may be necessary for a company to employ a data protection officer. Clearly, the implications are far-reaching.

At Gladstone, we’re more prepared than most. Data in our membership management systems can already be purged for customers who are no longer active. Consent is actively sought in online joining applications. Bank details can be removed automatically as part of an automated cancellation process. And we already have tools that allow data to be called securely from a database in order to be transferred to a third party.  

Of note on the issue of portability is the proviso that portability should be provided where it is ‘technically feasible’. Gladstone can call and receive data, but transferring it to other businesses would require other systems to be capable of doing the same, and to share a common leisure industry framework. We’re confident that we’ll be able to leverage our software to meet the requirements of the regulations.


"Transferring data to other businesses will require a common leisure industry framework"

 


PHOTO: SHUTTERSTOCK.COM

Gladstone already actively seeks consent in online joining applications


Jon Johnston Managing director Matrix

 

Jon Johnston
 

Data security is an increasingly big issue. A lot of emphasis is placed on hacked data, but it’s also important for consumers to be protected from businesses trading in their data without adequate protection.

In terms of portability of data, it makes sense to me that a consumer will want to take their personal workout stats with them. A lot of consumer data is now shared between apps anyway – with consumer consent – so it’s natural to want to be able to port data between operators.

Some products are already independent of operators or equipment suppliers, like MyFitnessPal and Netpulse, so it can be relatively easy to move from one connected facility to another and keep continuity. Obviously some operators and suppliers are less open, but I don’t see data portability being a big problem.


"A lot of consumer data is shared between apps anyway, so it’s natural to want to port data between operators" - Jon Johnston



Ben Beevers Associate director Everyone Active

 

Ben Beevers
 

The last five to 10 years have become increasingly data-intensive in delivering services to customers and understanding their behaviours and preferences. It allows us to communicate with them effectively and support their activity.

We work with a data consultancy to ensure our systems are robust and effective, and we’re well placed for these changes in legislation. We believe we already comply with the GDPR principles of transparency for the customer about processing and accountability of data controllers and processors. We have clear privacy policies, data collection statements and measures in place to protect customers’ data. We make these as accessible as possible and detail in simple terms how their data will be managed.

Perhaps the biggest challenges for our industry will lie in obtaining the ‘unambiguous consent’ that the new regulation requires. This could mean the industry gets better at communicating with customers by using less, but better targeted, interaction.

The requirement for data portability could be tricky for complex data. The measure is designed to help customers account-switch, but as there’s no obligation to provide the data in a consistent format, data from one gym provider may not be compatible with the systems of another.



WANT TO KNOW MORE?
For more information on the new data protection regulations, contact Nick White, partner at specialist sports law firm Couchmans LLP – www.couchmansllp.com

White advises sports personalities including Mo Farah, Sir Chris Hoy and Sir Clive Woodward, governing bodies including FIFA, the International Tennis Federation and Basketball England and brands such as Rapha and Skins. [email protected]

FEATURED SUPPLIERS

Cornerstone Connect helps Active Blackpool tackle health inequalities
Active Blackpool is deploying Cornerstone Connect, a new digital interface allowing disparate information from multiple systems to be aggregated into one dataset, to support its focus on reducing health inequalities and improving healthy life expectancy. [more...]

Legends never die: four legends, four philosophies of life
Panatta brought together four of the most influential figures in bodybuilding history on the stage of RiminiWellness 2026: Phil Heath, Lee Haney, Ronnie Coleman and Hany Rambod. [more...]
+ More featured suppliers  
COMPANY PROFILES
ukactive

ukactive is the UK’s leading trade body for the physical activity sector, bringing together more tha [more...]
Life Fitness/Hammer Strength

Life Fitness / Hammer Strength works with some of the world’s most recognised hospitality brands, su [more...]
+ More profiles  
CATALOGUE GALLERY
 
+ More catalogues  

DIRECTORY
+ More directory  
DIARY

 

23-26 Aug 2026

Elevate Spa Riviera Maya Edition

The Riviera Maya Edition Kanai, Playa del Carmen, Mexico
10-12 Sep 2026

ASEAN Patio Pool Spa Expo 2026

MITEC Kuala Lumpur,Malaysia, Malaysia
+ More diary  
 
ABOUT LEISURE MEDIA
LEISURE MEDIA MAGAZINES
LEISURE MEDIA HANDBOOKS
LEISURE MEDIA WEBSITES
LEISURE MEDIA PRODUCT SEARCH
 
HCM
LEISURE OPPORTUNITIES
HEALTH CLUB HANDBOOK
PRINT SUBSCRIPTIONS
FREE DIGITAL SUBSCRIPTIONS
ADVERTISE . CONTACT US

Leisure Media
Tel: +44 (0)1462 431385

©Cybertrek 2026
Get HCM digital magazine and ezines FREE
Sign up here ▸
Jobs    News   Products   Magazine
Customer data
The right to be forgotten

From 2018, individuals will be able to tell their gym to hand their personal data directly to a competitor’s club, without storage of that data. Tom Walker secures a free legal briefing on this change in law

By Tom Walker | Published in Health Club Management 2016 issue 5


New data protection rules, introduced by the European Commission and coming into force in 2018, could have a big impact on health and fitness businesses.

One of the key items in the regulations involves the transferring of personal, portable data. It stipulates that individuals have the right to have their personal data transferred from one business to another on request, and without storage/processing.

In practice, this means that a health club user who has given over personal information can have that data wholly and safely transferred to a new health club on their request.

We speak to data and sports law firm Couchmans, as well as health and fitness industry experts, on the potential effects of the new legislation.

THE LEGAL BRIEFING

 

Nick White
 
Nick White Head of IP and digital Couchmans LLP

With smart technology on the rise, many businesses, including gyms and leisure facilities, are now harvesting vast quantities of data from customers – something that can benefit both customers and businesses. However, new European data protection rules could potentially necessitate a wholesale review of data policies.

In December 2015, the European Parliament, Commission and Council announced new legislation governing data protection. This new General Data Protection Regulation (or GDPR), replaces the outdated data protection laws that have been in place since 1995 and, from 2018, will apply to all businesses that process in any way the data of EU citizens.

Data portability
One of the key elements of the new rules is the right of ‘data portability’. Essentially, this means individuals will have the right – albeit a limited right – to require a business to transfer personal data directly to another business, even where that other business is a competitor.

Gyms, for example, hold individual details such as name, address, contact details, date of birth and bank details. They might also hold data on customers’ weight, height and limited medical information, and possibly even details of the kinds of activity they want to do or the results they want to achieve. The gym may hold other data too, including dates and times of all the customer’s visits and, potentially, detailed exercise plans produced with a PT.

All of this is personal data – but, importantly, not all of it is portable data in the legal sense. Any data not actually provided by the individual to the gym – which would potentially include any exercise plans and usage logs – would be exempt from the portability rule. It will, however, still be covered by the less potent ‘right of access’, which will only require the operator to provide the data to the customer, on request, in electronic format – without the obligation to provide the data direct to another business.

So, the customer’s right to data portability only applies to data that he or she has actually provided to the data controller – in this case the gym.

The customer will have the right to demand that this data be transmitted directly to another operator should they decide to switch gyms.

The legislation does provide that this obligation will only be imposed where such transmissions are ‘technically feasible’, but what this will mean in practice is far from clear at present. The guidance on this should be forthcoming.

New technology
The GDPR also requires a privacy impact assessment (PIA) to be carried out where the introduction of a new process or technology is likely to cause a high risk to personal rights or freedoms. As more fitness operators introduce wearables and other connected devices, they will have to consider carefully whether they first need to conduct a PIA.

The key message for gyms and leisure facilities is that they must endeavour to understand the types of personal data they process, and what regulations currently, and will shortly, apply. There’s no need to worry unduly but, as 2018’s implementation date draws closer, operators should begin to plan now.


"Gyms must endeavour to understand the types of personal data they process, and what regulations apply"


WHAT DOES THIS MEAN FOR GYMS?

 

Tom Withers
 
Tom Withers Managing director Gladstone Health and Leisure

This new legislation is not unexpected. In today’s digital age, consumers are increasingly dependent on their data being passed seamlessly from one business to another, in everything from utilities to banking.

The GDPR extends beyond data portability; it also enshrines the customer’s right to be forgotten. In future, when businesses ask people to share personal details, there will be new rules for obtaining valid consent that will require simple wording and an expiry date. Neither silence nor inactivity will be construed as consent. Depending on the volume of data held, it may be necessary for a company to employ a data protection officer. Clearly, the implications are far-reaching.

At Gladstone, we’re more prepared than most. Data in our membership management systems can already be purged for customers who are no longer active. Consent is actively sought in online joining applications. Bank details can be removed automatically as part of an automated cancellation process. And we already have tools that allow data to be called securely from a database in order to be transferred to a third party.  

Of note on the issue of portability is the proviso that portability should be provided where it is ‘technically feasible’. Gladstone can call and receive data, but transferring it to other businesses would require other systems to be capable of doing the same, and to share a common leisure industry framework. We’re confident that we’ll be able to leverage our software to meet the requirements of the regulations.


"Transferring data to other businesses will require a common leisure industry framework"

 


PHOTO: SHUTTERSTOCK.COM

Gladstone already actively seeks consent in online joining applications


Jon Johnston Managing director Matrix

 

Jon Johnston
 

Data security is an increasingly big issue. A lot of emphasis is placed on hacked data, but it’s also important for consumers to be protected from businesses trading in their data without adequate protection.

In terms of portability of data, it makes sense to me that a consumer will want to take their personal workout stats with them. A lot of consumer data is now shared between apps anyway – with consumer consent – so it’s natural to want to be able to port data between operators.

Some products are already independent of operators or equipment suppliers, like MyFitnessPal and Netpulse, so it can be relatively easy to move from one connected facility to another and keep continuity. Obviously some operators and suppliers are less open, but I don’t see data portability being a big problem.


"A lot of consumer data is shared between apps anyway, so it’s natural to want to port data between operators" - Jon Johnston



Ben Beevers Associate director Everyone Active

 

Ben Beevers
 

The last five to 10 years have become increasingly data-intensive in delivering services to customers and understanding their behaviours and preferences. It allows us to communicate with them effectively and support their activity.

We work with a data consultancy to ensure our systems are robust and effective, and we’re well placed for these changes in legislation. We believe we already comply with the GDPR principles of transparency for the customer about processing and accountability of data controllers and processors. We have clear privacy policies, data collection statements and measures in place to protect customers’ data. We make these as accessible as possible and detail in simple terms how their data will be managed.

Perhaps the biggest challenges for our industry will lie in obtaining the ‘unambiguous consent’ that the new regulation requires. This could mean the industry gets better at communicating with customers by using less, but better targeted, interaction.

The requirement for data portability could be tricky for complex data. The measure is designed to help customers account-switch, but as there’s no obligation to provide the data in a consistent format, data from one gym provider may not be compatible with the systems of another.



WANT TO KNOW MORE?
For more information on the new data protection regulations, contact Nick White, partner at specialist sports law firm Couchmans LLP – www.couchmansllp.com

White advises sports personalities including Mo Farah, Sir Chris Hoy and Sir Clive Woodward, governing bodies including FIFA, the International Tennis Federation and Basketball England and brands such as Rapha and Skins. [email protected]

LATEST NEWS
UK updates physical activity guidelines with focus on daily movement
The UK's four Chief Medical Officers have published a refreshed edition of Physical activity guidelines: UK Chief Medical Officers' report, updating the evidence that underpins the nation's physical activity recommendations and placing greater emphasis on strength, balance, reducing sedentary behaviour and, for the first time, supporting people taking weight loss medications.
Places Leisure is working with Roberts Limbrick to build £60m wellness flagship in Basingstoke
Places Leisure has exchanged contracts to build and operate a flagship £60m water and leisure destination on behalf of Basingstoke and Deane Borough Council.
PureGym announces expansion into Ireland
The Republic of Ireland will become the latest market in PureGym’s expanding international portfolio, with the first launch planned for Dublin in 2027.
Total Fitness CEO Sophie Lawler launches leadership coaching venture
Sophie Lawler, CEO of Total Fitness, has launched a leadership coaching business aimed at helping women realise their professional potential.
Anytime Fitness targets Europe after opening a club a day in 2025
Anytime Fitness opened more than one club a day in 2025 and is on track to maintain this rate of growth this year, as parent company Purpose Brands targets further international expansion.
Everyone Active opens £33.9 million next-generation leisure and wellbeing hub
The £33.9 million Leighton Leisure and Community Centre has opened in Leighton Buzzard, UK, creating a next-generation public leisure, health and wellbeing hub for the local community.
YogaSix responds to Pilates boom with launch of strength-focused Y6 Core class
YogaSix, the yoga brand of Xponential Fitness, has launched a heated, Pilates-inspired class called Y6 Core.
Bromley’s £17m Walnuts revamp adds EGYM, rehab and recovery
Walnuts Leisure Centre in Orpington, in the London Borough of Bromley, has reopened following a £17m transformation designed to secure the long-term future of the public leisure asset and reposition it as a community wellbeing hub.
The Gym Group breaks the million members mark for the first time
The Gym Group, has announced that it's sustained positive trading momentum has continued through the first half of 2026 and the company remains confident about the outlook.
Hyrox offers charity spots in sold-out races
Hyrox has announced it will be working with a second charity in the upcoming season and offering charity spots in sold-out races.
Amped Fitness debuts Amped Universe flagship
US low-cost operator, Amped Fitness, has launched a flagship location in Texas, debuting its multi-sensory Amped Universe design architecture.
X-Club gears up to open its flagship site in central London
Luxury boutique Pilates and wellness studio, X-Club, officially launches a 4,000sq ft flagship at Marylebone on 16 July Built around X-Club’s four pillars of wellness – mind, movement, nutrition and therapy – the facility features two group exercise studi
+ More news   
 
FEATURED SUPPLIERS

Cornerstone Connect helps Active Blackpool tackle health inequalities
Active Blackpool is deploying Cornerstone Connect, a new digital interface allowing disparate information from multiple systems to be aggregated into one dataset, to support its focus on reducing health inequalities and improving healthy life expectancy. [more...]

Legends never die: four legends, four philosophies of life
Panatta brought together four of the most influential figures in bodybuilding history on the stage of RiminiWellness 2026: Phil Heath, Lee Haney, Ronnie Coleman and Hany Rambod. [more...]
+ More featured suppliers  
COMPANY PROFILES
ukactive

ukactive is the UK’s leading trade body for the physical activity sector, bringing together more tha [more...]
+ More profiles  
CATALOGUE GALLERY
+ More catalogues  

DIRECTORY
+ More directory  
DIARY

 

23-26 Aug 2026

Elevate Spa Riviera Maya Edition

The Riviera Maya Edition Kanai, Playa del Carmen, Mexico
10-12 Sep 2026

ASEAN Patio Pool Spa Expo 2026

MITEC Kuala Lumpur,Malaysia, Malaysia
+ More diary  
 


ADVERTISE . CONTACT US

Leisure Media
Tel: +44 (0)1462 431385

©Cybertrek 2026

ABOUT LEISURE MEDIA
LEISURE MEDIA MAGAZINES
LEISURE MEDIA HANDBOOKS
LEISURE MEDIA WEBSITES
LEISURE MEDIA PRODUCT SEARCH
PRINT SUBSCRIPTIONS
FREE DIGITAL SUBSCRIPTIONS