GDPR issues for an online BMI calculator...

Creating an online BMI calculator that'll store details like email, height, current weight, goal weight, age, sex on a server.

What exactly are my GDPR/Legal obligations with regards to this information? The idea is that the user receives a BMI reading from their details along with a fitness plan.

I will of course have the user tick a box to receive marketing messages. They'll be able to unsubscribe and will have access to a privacy policy and terms of service for the site.

thanks,

What you're proposing includes the collection and processing of health data and would therefore fall under the requirements governing "special category" data under GDPR. There are lots of requirements relating to the processing of such data. The UK's ICO generally has very good and easy to understand information in relation to GDPR. I would recommend giving this a read. This probably won't give you much detail on the technical aspects of safeguarding the information though, so you'll have to look at how the information will be stored on the server, who has access, how it will be protected (passwords, firewalls, physical infrastructure, standard of encryption), how long it is kept for, where it is backed up etc. This would all have to be summarised in the privacy statement with specifics for the data that relates to health.
 
Beyond the email address of an opt in marketing request, you should not store anything else. There is no need to do so and you have no justification for retaining it.
 
Not sure if this helps for GDPR, but what about storing the email only on the server and putting the others in a client-side cookie?

Worst case, occasionally your customers have to answer the same questions.
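An added example, not code from the thread or from any poster, of the data-minimising approach suggested in the post above: the BMI is computed in the browser, the health fields (height, weight, goal weight, age, sex) are kept in a client-side store, and the only thing the server ever receives is the e-mail address plus the explicit marketing opt-in. The field names, the storage key `bmi_profile` and the in-memory store standing in for `window.localStorage` are assumptions made for the example.

```javascript
// Added example (not from the thread): data-minimising BMI calculator.
// Health fields stay in a client-side store; the server payload is
// restricted to e-mail and an explicit marketing opt-in.

// Fields that are health data (GDPR Article 9 "special category") and
// must stay on the client. Names are assumptions for this example.
const LOCAL_ONLY_FIELDS = ["heightCm", "weightKg", "goalWeightKg", "age", "sex"];
const LOCAL_KEY = "bmi_profile"; // hypothetical storage key

// BMI in kg/m^2 rounded to one decimal, with the WHO adult category.
function bmi(heightCm, weightKg) {
  if (!(heightCm > 0) || !(weightKg > 0)) {
    throw new RangeError("height and weight must be positive numbers");
  }
  const metres = heightCm / 100;
  const value = Math.round((weightKg / (metres * metres)) * 10) / 10;
  let category;
  if (value < 18.5) category = "underweight";
  else if (value < 25) category = "normal";
  else if (value < 30) category = "overweight";
  else category = "obese";
  return { value, category };
}

// Split a submitted form into what stays local and what may go to the server.
// Consent is only true when the box was actually ticked (=== true), never inferred.
function splitForm(form) {
  const local = {};
  for (const k of LOCAL_ONLY_FIELDS) local[k] = form[k];
  const remote = { email: String(form.email), marketingOptIn: form.marketingOptIn === true };
  return { local, remote };
}

// Guard rail: refuse to send any payload that carries a health field, so a
// later refactor cannot silently widen what the server stores.
function assertMinimal(payload) {
  const leaked = LOCAL_ONLY_FIELDS.filter((k) => payload[k] !== undefined);
  if (leaked.length) throw new Error("health data in server payload: " + leaked.join(", "));
  return payload;
}

// In-memory stand-in with the same getItem/setItem/removeItem surface as
// window.localStorage, so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

function saveProfile(storage, profile) { storage.setItem(LOCAL_KEY, JSON.stringify(profile)); }
function loadProfile(storage) {
  const raw = storage.getItem(LOCAL_KEY);
  return raw === null ? null : JSON.parse(raw);
}
function forgetProfile(storage) { storage.removeItem(LOCAL_KEY); } // the "delete my data" path

// Whole flow: compute locally, persist locally, return only the minimal server payload.
function submit(form, storage) {
  const { local, remote } = splitForm(form);
  saveProfile(storage, local);
  return { result: bmi(local.heightCm, local.weightKg), remote: assertMinimal(remote) };
}

// Constructed sample input (not real user data).
const sampleForm = { email: "user@example.com", marketingOptIn: true,
  heightCm: 175, weightKg: 70, goalWeightKg: 65, age: 40, sex: "m" };

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const out = submit(sampleForm, memoryStorage());
  console.log(out.result, out.remote); // { value: 22.9, category: 'normal' } { email: ..., marketingOptIn: true }
}
```

One design point: the store mimicked here is `localStorage`, not a cookie. A cookie is sent to the server with every request for its scope, so health data placed in a cookie still reaches the server (and its access logs) even if nothing deliberately persists it; `localStorage` stays in the browser and only leaves it if script explicitly sends it, which `assertMinimal` is there to catch.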
 
Your main checklist items are included here. As long as you keep everything safe, allow data subjects access to it and set a limit on the retention of the data, you should be ok.
You've obviously determined that none of the data mentioned is classed as sensitive personal data before giving that advice?
 
You'll be grand with any kind of sensitive data
So long as you have explicit consent, and the collection / processing of the data is necessary to fulfill your obligations, etc...

The processing of sensitive data is prohibited under GDPR except in specific circumstances.

These things are always 'grand' until they're not.
 
You need to do a DPIA before doing this as you are going to process special category data.
 
Most of the 'specific circumstances' that you allude to are exactly what I mentioned.
It wasn't very clear to me in your post.
Your advice in summary is it's all perfectly legal, so long as what you're doing is legal?

You provided a link that only mentions that you should check if article 9 applies. Not what it means. That's exactly the kind of data we're talking about here.
 
You have to laugh though, in fairness, that a regional German data protection authority fines a computer retailer €10.4m for using CCTV to monitor staff but we decided to fine Twitter €300k for not adhering to breach reporting requirements.

Would that not in some way reflect a deliberate and massive invasion of privacy versus an administrative error? Severe penalties around disclosure failings will lead to more companies hiding breaches.
 