GDPR for Personal Trainers: Everything You Need to Know

Whether you’re a freelance trainer in a gym or the owner of your own personal training studio, you need to know about GDPR for personal trainers. 

And yes, even after the UK leaves the EU, the GDPR will still apply to self-employed personal trainers in the UK, so it’s worth knowing how this law affects you! 

Regardless of the size of your business, understanding GDPR is important for all fitness professionals. Especially as any violations can be met with significant penalties and fines. 

In this post, we’re going to explain what GDPR is and how it affects personal trainers, fitness instructors, and other professionals in this industry.

We’ve included everything that you need to know about GDPR for personal trainers, starting with ‘what is GDPR?’, and why these regulations exist, how they affect your personal training businesses, and what you need to do to make sure that your business is compliant. 

Serious about developing your personal training business? Expand the services you offer starting with our Level 4 Sports Nutrition Course. 

Find out more by downloading our course prospectus here.

Disclaimer: The information in this blog post should not be taken as legal advice. You can find the UK Government's full guide to GDPR here.

What is GDPR?

The General Data Protection Regulation, more commonly referred to as GDPR, is a legal framework set by the European Union (EU) which sets the guidelines for the way that businesses collect and process personal information. 

Even if you don’t think you’re ‘processing’ data, under this law any storage or transfer or data counts as processing.

Although GDPR is an EU law, understanding GDPR is still important for anybody with a personal training business, even if that business is outside of the EU. So if you’re thinking that this won’t be relevant to you post-Brexit, unfortunately that’s not the case. 

Confused about why GDPR still applies to businesses based outside of the EU? Don’t worry, all will be explained.

We’re also going to discuss more about exactly what GDPR is and how it affects your personal training business, so stick with us!

But before we get into GDPR for fitness professionals properly, here are a couple of important definitions:

Controller: the ICO defines a controller as the person(s) who determines the purposes and means of processing personal data. 

Processor: a person(s) responsible for processing personal data on behalf of a controller.

Data Subject: according to eugdprcompliant.com, a data subject is any person whose personal data is being collected, held or processed. When we’re discussing GDPR for personal trainers, the data subject will usually be a client.

Personal Data: any piece of information that can be used to identify an individual. 

Why Does GDPR Apply to Fitness Professionals Outside of the EU?

An important thing to be aware of is that even if your business isn’t based in the EU, it’s still worth knowing about GDPR for personal trainers.

This is because the law will still apply to all of your clients or customers who are EU citizens regardless of where you and your business are based.

You might be thinking that it’s pretty much impossible that you would live in America, for example, and have clients from the EU. But GDPR applies to all EU citizens, so that includes those EU citizens who live outside of the EU. 

Not only that, training EU citizens isn’t at all farfetched for an online personal trainer. In fact, it’s very much a possibility. 

Even if you aren’t an online trainer, GDPR is relevant to all fitness professionals with a website as a result of the updated definition of personal data, which now includes online identifiers. 

The point we’re trying to make is that understanding GPDR is important for fitness professionals with all kinds of different business models, different size businesses and different ideas of the direction of where they want their business to go.  

So, let us explain what GDPR is in a little more detail.

GDPR For Fitness Professionals Explained 

GDPR came into place in May 2018. It was introduced to update the laws and regulations around data privacy, and it was intended to deal with long-standing legal questions around the collection of personal data, particularly data collected online, and how that data is used.

When the GDPR was put into place, the definition of ‘personal data’ was expanded. This change means ‘online identifiers’, like IP addresses and cookie identifiers, are now considered as personal data. 

According to Which, personal data also includes:

• Your name
• Email address
• An identification number, e.g. National Insurance 
• Location data, e.g. your address or mobile GPS data
• And finally, online identifiers 

This is not a definitive list because the GDPR defines personal data as any piece of ‘personally identifiable information’. Basically, any information that can be used to identify an individual should be collected, stored, and processed in a way that complies with GDPR.

How Does GDPR Affect Your Personal Training Business? 

If you are self-employed and make money as a personal trainer, any data that you collect which fits the EUs definition of ‘personal data’ should be collected, processed, and stored, in a way that satisfies the 6 data protection principles set out in Article 5 of the GDPR.

Those Six Principles Are:

1. Lawfulness, Fairness and Transparency 

When advertising or running any kind of promotion, you should be clear about exactly how data will be collected and what that data will be used for.

For example, if somebody submits an enquiry on your website by filling in their name, email address, and telephone number, you need to make it clear to them what you intend on doing with that data. 

This information should be clearly available when the person submits the enquiry.

The easiest way to ensure lawfulness, fairness, and transparency, is to have this information available in a privacy policy. Your privacy policy should outline the purpose of collecting this data in a way that accounts for all aspects of personal data processing. 

The privacy policy also needs to be written in a way that is clear and uses simple language, so that it is easy for all website users to understand. 

The privacy policy needs to be clear to all data subjects before they share their personal data, so it should be in a place that is clearly visible.

Below, you can see how we ensure individuals are aware of our privacy policy:

As you can see there is a link to the privacy policy. In order to make an enquiry, this box has to be ticked which ensures that the individual's attention is drawn to the privacy policy which they can view by clicking on the ‘privacy policy’ hyperlink.

2. Purpose Limitations 

Personal data can only be collected for a specific, explicit, and legitimate reason (or purpose). 

This purpose needs to be clearly stated and it should also be outlined in your privacy policy. 

For example, if you run a competition on your website and somebody gives you their name and email address, you can only use that information to contact them regarding that particular competition. 

In this instance, the purpose of collecting this data is so that you can email them about the results of the competition. 

An important aspect of this principle is that the data collected can only be used for the purpose stated. So, if you collect an email address for the sole purpose of that particular competition or offer, you can only use that data for that purpose.

You cannot then use that personal data for a new purpose, for example to try and sell them a different product or service, unless you acquire additional consent from the individual. 

The purpose limitations principle also applies to the length of time that the data collected is stored. For example, if you have a personal training client, you might collect their name and phone number to contact them about their sessions, training plan, etc. 

However, if you haven’t trained that client for 5 years, then you no longer have a purpose for retaining this data. This would be a potential issue for purpose limitations, as well as storage limitations – which we will explain shortly.

3. Data Minimisation 

Any company should only collect the minimal amount of data necessary to provide a service.

This principle fits hand in hand with ‘purpose limitations’ because not only should you have a legitimate purpose for collecting data, you should also only collect the minimal amount of data that you need to fulfil that purpose. 

What does this GDPR principle mean for fitness professionals? Let’s use a personal trainer as an example.

If you have a client, you might collect some personal data, like their email address, because that’s necessary for you to provide your service. However, asking your client for their mother’s maiden name is not minimal because you have no justifiable reason for needing that data – which could be an issue of data minimisation. 

A really basic way of ensuring data minimisation is to only collect the information you need. If you don’t need it, don’t ask for it. It really is that simple.

4. Accuracy 

All personal data must be kept accurate and up-to-date, and all necessary steps and processes must be taken to maintain the accuracy of data. 

These steps could include asking clients to update their contact information, or simply asking them to confirm that their information hasn’t changed since you collected it.

If you do find that any data that you have stored is inaccurate, then this data should either be erased or updated as soon as possible.

5. Storage Limitation 

You must not store any personal data for any longer than you need it to fulfil your services to the client. 

Once you no longer need an individual’s personal data to provide a service, the data must then be deleted.

There is no set timescale for deleting personal data. How long you should store data for largely depends on circumstances that are individual to your business and service, as well as the reason why you collected the data in the first place.

For example, if the purpose of you storing a client’s data was to contact them about the service you are providing, for example personal training sessions, then once that individual is no longer a client using your service, then you no longer have a purpose for that data and you should delete it.

However, in some circumstances a business may store data for longer. This is ok as long as the data is still required to serve a purpose, provided that the purpose was clear when the data was collected. 

For example, if we have a student who completes their personal training course, we may store their data for a set period of time following their completion of the course despite them no longer being a current student. 

Although that student has completed their course, their data may still be required in the future e.g. if they lose their certificate and we have to order them a replacement. Therefore, the data still serves a purpose and there is no issue with storage limitation. 

6. Integrity and confidentiality

Finally, all data must be stored securely. If you have your own business or you’re self-employed, then you must ensure that you have appropriate security measures in place to protect the personal data that you store.

The confidentiality and integrity of the personal data must always be maintained and controlling access to data is necessary in order to ensure this.

This could be ensuring that any personal data that you have stored is kept securely in a filing cabinet, or if you have any digital data then you would need to have data stored on a password protected CRM system.

GDPR for Fitness Professionals: How to Ensure Compliance

The 6 principles of data protection are at the core of GDPR, so hopefully you now have a better understanding of them and how they apply to the way that you deal with your client’s personal data. 

As you can see, there is a lot of crossover between some of these principles, for example data minimisation and purpose limitations, and purpose limitations and storage limitation. However, you still need to ensure that you satisfy each of the 6 principles.

As a sole trader or an LTD company, it is your responsibility as the ‘controller’ to comply with these principles. Not only that, you will also need to demonstrate that compliance.

For that reason, it’s recommended that you have a policy in place that covers all of these points. It’s best to get a privacy policy from a site such as lawbite.co.uk.

If you're enjoying this article, we think you'll enjoy these too!

• Personal Trainer Business Registration
• Personal Trainer Tax Expenses
• Personal Trainer Business Names

Processing Conditions

Not only do you need to deal with personal data in a way that satisfies the data protection principles of GDPR, you also need to ensure that you have a lawful basis for processing that personal data.

That means that you need to have one of the following legal grounds for processing personal data:

1. Consent
2. Contractual Performance
3. Legal Obligation
4. Vital Interests
5. Public Interest 
6. Legitimate Interest

Here’s how that can apply to personal trainers and other fitness professionals with their own business:

1. Consent 

The data subject must give explicit consent that their personal data can be stored and processed. They must also be able to refuse or withdraw their personal data without being penalised.

Consent needs to be freely given and informed, and there should be a specific and stated purpose that is clear to the data subject. The data subject needs to give this consent with an affirmative action. 

For example:

If somebody visits your website to make an enquiry, and you want to send them marketing emails, then you will need to get their clear and informed consent.

What can you do? A good way of making sure that you satisfy this processing condition is by using a tick-box. By ticking the box, your potential client is taking an affirmative action and giving their consent to receive emails from you.

The purpose that this data will be used for should be clearly stated next to the tick box, which ensures that this consent is fully informed.

By unsubscribing to these emails or ‘opting out’, this consent is then withdrawn.  

2. Contractual Performance

In this condition, data can be processed on the lawful bases that it is needed in order to enter a contract or to perform a contract. 

This can apply to any fitness professionals with their own gym or studio with members who have a monthly membership. 

In this example, you would need to store and process personal data, such as contact information and payment information, to process a payment, so that you can bill clients or members for their monthly contract.

As long as all processing is necessary to fulfil the contract, then you have a legitimate reason for processing personal data according to the GDPR.

3. Legal Obligation

A controller can process personal data if they have a legal obligation to do so.

For example, if somebody signs up to one of our personal training courses, then we have a legal obligation to process their data for the purpose of completing our service.

That means, we would need that individuals name, address, date of birth, and gender. This is so that we can do things like set them up on our online platform, process and post their certificates, and ensure that they pay for the service we are providing.

4. Vital Interests

In this case, data processing is necessary to protect the vital interests of the data subject. This condition requires that the processing of personal data is absolutely necessary, and it cannot be used as a legitimate reason if the data subject is able to consent. 

Since we’re focusing on GDPR for personal trainers and other fitness professionals, this condition isn’t really relevant as it’s an absolute last resort solution used in a life or death situation, and so it only really applies to medical professionals.

For example, in the case of a medical emergency where the data subject is not conscious and accessing the subject’s medical history is necessary, vital interests could be used as legal grounds for data processing. 

5. Public Interest 

When we’re talking about GDPR for fitness instructors, PTs, and other professions in the fitness industry, it’s very unlikely that this condition would ever apply.

This is because this condition only concerns tasks that are carried out in public interest, so any processing that fits this condition is carried out by public authorities or other bodies with “official authority”.

6. Legitimate Interest

The final condition of data processing is legitimate interest. According to this condition, there are legal bases for processing data if the controller or a third party can demonstrate that processing is necessary for a legitimate interest.

As long as this interest is legitimate and can be demonstrated, and it does not compromise the rights of the data subject, then there are legal grounds for processing.

This condition might not be directly relevant for self-employed fitness instructors or PTs, but it’s worth understanding as it might affect you as your business expands. 

For example, if you open your own studio and install CCTV cameras into the property, then you would need to demonstrate a legitimate interest for doing so.

Sensitive Data 

Finally, another important aspect of GDPR for fitness professionals to be aware of concerns the processing of sensitive data.

Sensitive data includes data such as religious beliefs, ethnicity, sexual orientation, and any data that concerns health, genetic data, or biometric data. 

This applies to personal trainers, or any other fitness professionals, who ask an individual to complete a form which asks about medical and health data, for example a PAR-Q.

Because these kinds of forms and questionnaires collect health and medical data which is considered “sensitive data”, you have to take extra considerations when dealing with it.

When you’re processing this sensitive data, you have to satisfy one of the processing conditions above, as well as one of the special data conditions below:

• Employment Purposes
• Health Purposes
• Public Health
• Archiving and Research

Does GDPR Affect Me?

The simple answer to this question is - yes!

GDPR doesn’t just apply to big chain gyms, it applies to every single business that deals with any kind of personal data.

Regardless of whether you have one client or one hundred members at your own studio, this regulation applies.

Even if you’re a freelance personal trainer operating in a gym, you may not be covered by the GDPR of the business that you work for. 

If you aren’t a freelance PT, then you can skip this short section and go straight to ‘What Do You Need To Do?’.

But if you are a PT working in a gym, and you’re confused about why you might still need to understand this regulation, then stick with us.

GDPR for Freelance Personal Trainers Operating In A Gym

Despite being ‘employed’ by a big chain gym, you won’t always be covered by the businesses GDPR as a freelance trainer.

For example, if you’re working on the gym floor and you obtain a client's information because you want to send them emails or direct messages, then GDPR still applies. 

As a freelance PT working in the gym, you are technically a business owner and so you would be responsible for making sure that the way that you process that personal data complies with GDPR.

To make sure that you aren’t in breach of this regulation, the best thing to do is to get the informed consent of the individual before you take their information. 

For example, explain why you want their information and what you intend on contacting them about, and then ask for their verbal consent.

So, What Do You Need To Do?

Now that you’ve read about the the rules and regulations at the core of GDPR, you’re probably wondering ‘what do I need to do?’ and rightly so. 

Obviously you don’t want to be fined for breaching this regulation, so ensuring that you comply with GDPR is a pretty big deal.

At the same time, there are tons of benefits of email marketing for PTs so it’s important to know how to go about this without being in breach of GDPR.

We’ll answer all your questions about whether you can still use email marketing shortly, but first here are a couple of things that you need to do:

Create A Privacy Policy 

Regardless of the size of your business, if you don’t have a privacy policy then you need one. Even if you’re a self-employed PT with no employees and a couple of clients, this still applies!

If you do have a privacy policy, then review it to make sure that it complies with GDPR (and update it if necessary).

Within your privacy policy you should explain how personal data will be processed, demonstrate the legal basis for this data processing and explain the data subjects rights under the GDPR (for example, they have the right for their data to be erased should they wish).

Rather than searching the internet for a GDPR template for personal trainers and trying to create a privacy policy yourself, it’s best to seek legal advice. This way, you can ensure that everything is covered and you are fully compliant.

As we mentioned above, a website like lawbite is a good place to start. 

Link To Your Privacy Policy

Once you have a proper privacy policy in place, you need to make sure that it is visible to anybody who shares their personal data with you.

Privacy policies can be quite lengthy as they have to include multiple disclaimers. For that reason, it isn’t always practical to have the full privacy policy on every webpage. 

Often, a link to the privacy policy is your best option.

Using our course enquiry form as an example, we make sure that the privacy policy is available and clearly visible to potential data subjects by having a link to the privacy policy on or next to every enquiry form, for example as shown below:

Perform A Data Audit

A good way of ensuring that you are following GDPR regulations is to have a data audit. When you carry out this audit, you need to answer these important questions:

• What personal data do we have?
• Where is it stored?
• What is it used for?
• Who can access it?

You might find that you’re storing more data than necessary, whether that be data that you no longer have a purpose for or information that isn’t really necessary for the services that offer.

A data audit is a good way of highlighting any issues that need correcting. From there, you can put plans in place to securely delete any data you no longer need, or update enquiry / enrollment forms accordingly.

Can I Still Use Email Marketing?

This is one of the biggest questions around GDPR. The short answer is yes, you can! But it’s not as simple as it used to be.

Here’s what you need to do: 

Ask For Additional Consent For Marketing Purposes

When GDPR came into place, a lot of people believed that it was the end of email marketing. But clearly, that has not been the case. 

Although GDPR introduced stricter regulations which meant that you can no longer use an individuals data however you like, email marketing is still very much effective.

The main difference is that now, individuals must give additional consent or ‘opt in’ before you can use their data for marketing purposes.

For example, before GDPR came into place, you could submit an enquiry to a website for a Level 2 Fitness Instructor Course, and then the company could use the data you provided to contact you about that course, but also a Sports Massage Qualification or the latest offer on a completely unrelated CPD.  

Now (because of GDPR) that company would only be able to contact you regarding that Fitness Instructor Course, unless you give additional consent to receive updates on other offers.

Just as with any data processing, this consent needs to be given by an affirmative action which means that the day of pre-ticked boxes are over!

If you want to use email marketing, then you need the explicit consent of the data subject. The means they have to choose to opt in, for example by ticking the box highlighted below:

As long as you are clear about your intention to use data for the purpose of direct marketing, and data subjects consent to their personal data being used for this purpose, then you’re in the clear!

How Does GDPR Affect Social Media?

Social media platforms, like Facebook and Instagram, are also a brilliant way to market your services and create relationships with prospective clients.

Most of the time, GDPR is covered by the terms and conditions and the privacy policy set out by each individual social media platform. 

For example, if you have a business page on facebook and somebody messages you about becoming a client, you can communicate with them via that platform without creating any issues around GDPR.

However, if you want to move this communication to another platform, for example email, you cannot do so without satisfying the legal grounds above and complying with one of the 6 data protection principles. 

What this means is that you can’t communicate with somebody over facebook, and then take their email address and add it to your mailing list. 

If you wanted to take information from a social media platform and use it for lead generation, for example to email an individual, then the process is no longer covered by the GDPR of the social platform, and the data protection principles and the conditions of processing apply.

The best way to deal with this issue is to get informed consent before you take any personal data out of a social media platform, and ensure that you comply with the data protection principles that we explained earlier. 

Before You Go!

If you're thinking of starting or expanding your own PT business, enquire about our Level 4 Sports Nutrition Course.

Alternatively, download our course prospectus to see everything we offer to help you build your business.