Sport activity monitoring products and services are based on the processing of personal data of the user and, typically, of data concerning health (e.g. heart rate, blood pressure, stress level), for which current legislation offers enhanced protection.

In this sense, the development and offer of ‘fitness tracker’ devices and apps require that significant attention be paid to personal data protection aspects, which, by virtue of the principles and obligations of privacy by design and by default, must be taken into account right from the design stage and in the context of any activity based on the processing of personal data.

As regards the privacy obligations of companies operating in this sector, the indications offered by the Italian Data Protection Authority (“Garante Privacy”) in the information sheet on Apps and fitness tracker devices and personal data protection are particularly useful.

These include, for instance, duties of transparency, such that those offering such tools must make their privacy policy available in multiple contexts, including the device packaging, their website and the app store.

As part of the Internet of Things (IoT), such tools can ‘talk’ and exchange data with other apps and devices: this factor increases the risk posed by such processing to data subjects and therefore needs to be carefully considered in complying with data protection provisions and, especially, in the continuous process of Data Protection Impact Assessment (DPIA). The same applies to ‘social’ functionalities, which, by providing for the sharing of data generated through the technologies in question on social media services provided by third parties, often established in non-EU territories, also expose the rights and freedoms of data subjects to greater risks.

Further aspects to be taken into account concern the use of cookies and other tracking tools: like other IoT technologies, fitness tracking devices and apps may use such tools and therefore require compliance with the relevant privacy requirements in electronic communications, as highlighted by the Garante in the 2021 guidelines on cookies and similar tracking tools.