GDPR for Personal Trainers: How to Handle Client Health Data Compliantly
If you're a self-employed personal trainer or fitness coach, you collect some of the most sensitive personal data in any profession — and the law treats it accordingly.
Client health questionnaires, body measurements, injury history, progress photos, workout logs, nutrition diaries, and biometric data all fall under the strictest protections in UK and EU data protection law. Most personal trainers have never had a conversation about GDPR, and most aren't compliant. That's a problem — not just because of the theoretical risk of a fine, but because your clients trust you with deeply personal information about their bodies and health.
This guide covers everything a self-employed PT or fitness coach needs to know: what the law actually says, what it means in practice for your specific situation, and what you need to do before your next client session.
Start by scanning your website at Custodia to see what data your digital presence is already collecting. That takes 60 seconds and costs nothing.
Why Health Data Is Different: Article 9 Special Category Data
Under GDPR Article 9 (and the equivalent provisions in UK GDPR), certain categories of personal data are classified as special category data because of their particular sensitivity. Health data is the most significant category for personal trainers.
What counts as health data in a PT context:
- Medical conditions, diagnosed illnesses, chronic diseases
- Injury history and current physical limitations
- Medications that affect exercise (beta-blockers, blood thinners, etc.)
- Mental health conditions disclosed during sessions
- Pregnancy status
- Pre-existing cardiovascular conditions
What might also be treated as health data:
- Physical measurements (height, weight, body fat percentage) — these sit in a grey area, but when used to assess physical condition they are generally considered health-related
- Fitness test results and physical performance data
- Nutrition intake and dietary restrictions related to medical conditions
Processing special category data requires not only a standard lawful basis under Article 6, but also a specific condition under Article 9. For personal trainers, the most relevant conditions are:
- Explicit consent (Article 9(2)(a)) — the client has given explicit, specific consent to you processing their health data for a defined purpose
- Vital interests (Article 9(2)(c)) — processing is necessary to protect life in an emergency
The critical word is explicit. This is a higher standard than the ordinary consent you might rely on for marketing emails. Explicit consent must be separate, clearly worded, and must describe exactly what health data you're collecting and why.
Lawful Basis: Getting It Right for Different Types of Data
Not all the data you collect as a PT has the same lawful basis. Here's how to think about it:
Contract (Article 6(1)(b)) — for session administration:
Name, contact details, session bookings, payment information — you process this to deliver the service your client has contracted with you to provide. No separate consent needed for this category.
Explicit consent (Articles 6(1)(a) + 9(2)(a)) — for health information:
Injury history, medical conditions, physical measurements collected for health assessment purposes — you need explicit, specific consent. This should be documented in your intake process.
Legitimate interests (Article 6(1)(f)) — limited application:
Legitimate interests can apply to some things (like keeping basic business records), but cannot be used for special category health data. Don't try to use it as a shortcut for sensitive information.
The common mistake: Lumping everything into a single "I agree to the terms" checkbox in your client contract. That doesn't constitute explicit consent for health data. You need separate, granular consent for sensitive information.
Your Client Intake Form: What It Needs to Say
Your client intake form is where you collect most of your sensitive data, and it needs to be redesigned if GDPR compliance is your goal.
The form must include:
A clear privacy notice — before they fill in anything, clients should understand: who is collecting their data, what you'll use it for, how long you'll keep it, their rights under GDPR, and how to contact you with questions.
Separate consent for health information — a specific consent statement for health data, separate from agreement to your service terms. Example: "I consent to [Your Name] collecting and processing my health information, including injury history and medical conditions, for the purpose of designing safe and effective training programmes. I understand I can withdraw this consent at any time."
No bundled consents — you cannot say "tick here to agree to my terms AND consent to health data processing." Each purpose needs its own consent.
Retention information — tell clients how long you'll keep their data. A reasonable approach: active client records kept while the relationship continues plus 6 years after (for insurance purposes), health questionnaires reviewed and updated annually.
Withdrawal rights — inform clients they can ask you to delete their data, access what you hold, or correct inaccuracies.
Fitness Apps and Tracking Tools: You're Responsible for Your Processors
When you use third-party software to manage client data, those providers become your data processors under GDPR Article 28. You remain responsible as the data controller — meaning if they handle client data badly, you're implicated.
Common PT software and what you need to check:
TrainHeroic: Used for programming and client tracking. Check their Data Processing Agreement (DPA) — it should be available in your account settings or via their legal documents. Confirm where data is stored (EU/UK servers or US?).
PT Distinction: A popular all-in-one PT platform. They should have a DPA available. Review their data retention settings — what happens to client data if you cancel your subscription?
Trainerize: Acquired by ABC Fitness. Has DPA documentation. Check whether client data stored on the platform is accessible to the parent company and under what terms.
MyFitnessPal: If you ask clients to log nutrition on MyFitnessPal and share data with you, be aware that MyFitnessPal is a separate data controller with its own terms. You don't have a direct processing relationship — but you should tell clients in your privacy notice that you may view data they choose to share from third-party apps.
What you need to do for each platform:
- Obtain and sign (or accept) a Data Processing Agreement
- Confirm the platform processes data in a jurisdiction with adequate protections (EU, UK adequacy decision, or Standard Contractual Clauses for US transfers)
- Know how to export or delete client data if a client exercises their rights
If a platform doesn't offer a DPA, that's a red flag. You may need to switch providers or limit what client data you enter into that system.
Online Coaching Platforms and Data Storage
Many PTs have moved to fully remote or hybrid models, using platforms like Google Workspace, Notion, Dropbox, or custom coaching apps to store client programmes, notes, and communications.
Key questions for any storage solution:
- Where is data physically stored? (US-based cloud services require additional safeguards for EU/UK data transfers)
- Who can access client files? (End-to-end encryption is preferable for sensitive health notes)
- What happens to the data if you stop using the service?
- Do you have a DPA with the provider? (Google Workspace and Microsoft 365 both offer DPAs — activate them)
Practical guidance:
Don't store client health information in unencrypted Google Sheets shared broadly. Use password-protected documents or platforms with proper access controls. Keep health notes separate from general programme files if possible.
If you use Google Drive, sign Google's Workspace DPA and ensure your client data folder permissions are set to "only you" — not "anyone with the link."
Progress Photos: These Are Biometric Data
Progress photos are one of the most significant compliance issues for personal trainers, and almost nobody handles them correctly.
Why photos are sensitive under GDPR:
Photos of a client's body can reveal health conditions, physical characteristics, and identifiable biometric features. Depending on context, they may constitute special category biometric data. Even if they don't meet the Article 9 biometric threshold, they are clearly sensitive personal data requiring careful handling.
What you must do:
Get explicit consent before taking any photos. This cannot be buried in your initial terms. It should be a specific consent request: "I consent to [Your Name] taking progress photographs of me for the purpose of tracking my fitness progress. I understand these photos will be stored securely, shown only to me, and deleted at my request or when our coaching relationship ends."
Specify storage and access. Where are the photos stored? On your phone? Cloud backup? A PT platform? Who else can see them? The client has a right to know.
Never post progress photos publicly — including on social media, your website, or marketing materials — without separate explicit consent for that specific use. The consent to take photos for progress tracking is not consent to use them for marketing.
Delete them when asked. If a client asks you to delete their progress photos, you must do so. No exceptions.
Secure the storage. Progress photos should not sit in an unprotected camera roll that's backed up to a shared cloud account. Consider a dedicated, password-protected folder or a PT platform with proper access controls.
WhatsApp Communications: The Compliance Problem Nobody Talks About
WhatsApp is the default communication channel for most UK personal trainers. It's convenient, clients already have it, and it feels informal. It's also a significant GDPR headache.
The issues:
- WhatsApp processes message data, including metadata about who you communicate with, on Meta's servers — largely in the US
- Client health information shared via WhatsApp (injury updates, how they're feeling, what they ate) is being processed by a third party under Meta's terms, not under a DPA you've signed
- WhatsApp's end-to-end encryption protects messages in transit, but Meta retains metadata
The practical reality:
Most supervisory authorities recognise that complete WhatsApp avoidance is impractical for small businesses. The key is to:
Include reference to WhatsApp in your privacy notice: "I may communicate with you via WhatsApp. Please be aware that WhatsApp processes message metadata. Avoid sharing sensitive medical information via WhatsApp where possible."
Don't use WhatsApp as your primary record-keeping system for health information. If a client discloses something significant about their health via WhatsApp, note it in your secure client file — don't rely on WhatsApp message history as your records.
Consider using a more privacy-friendly alternative for sensitive communications, such as Signal (which has stronger privacy protections) or your PT platform's built-in messaging.
Payment Processing
Payment data is processed by your payment provider (Stripe, Square, PayPal, SumUp, etc.) — they are your data processor for this purpose.
What you need:
- A DPA with your payment provider (Stripe, Square, and PayPal all offer these — check their developer/business documentation)
- To tell clients in your privacy notice that payment data is processed by [Provider Name] and link to their privacy policy
- Not to store full card numbers or CVV codes yourself — ever. If you're using a payment platform correctly, you won't be handling raw card data
For invoicing software (QuickBooks, FreeAgent, Xero, Wave), similar rules apply — obtain DPAs and reference these processors in your privacy notice.
Marketing to Past Clients
When a client stops working with you, you cannot automatically continue sending them marketing emails or messages. Under GDPR (and PECR in the UK), direct marketing requires either:
- Explicit consent given at the time of signing up, with a clear option to opt out
- Soft opt-in (for email only) — you can send marketing to past clients about similar services if they were a client, you gave them a clear opt-out at the time, and you continue to offer an easy opt-out in every message
What this means practically:
- Add a clear marketing consent checkbox to your client intake process (separate from health data consent and service terms)
- Include an unsubscribe mechanism in every marketing email
- Don't message past clients on WhatsApp with promotional content unless they've consented to this specifically
- Keep a record of who has consented to marketing and when
If a past client asks to be removed from your marketing list, remove them immediately and don't contact them again for marketing purposes.
What Happens to Client Data When You Retire or Change Careers?
This is the question almost no personal trainer thinks about — and it's one of the most important.
If you retire, move into a different career, or close your PT business, you cannot simply leave client data sitting on your phone or in a cloud account indefinitely. GDPR requires you to have a plan.
Your obligations:
Define a retention period. Health records and client files should be kept for a defined period after the coaching relationship ends — typically 6 years for most records (for insurance and legal purposes), after which they should be deleted. Don't retain data indefinitely by default.
Communicate your closure. If you're retiring or closing your business, tell your clients and give them the option to request their data or confirm deletion.
Delete or anonymise securely. Simply deleting files from your desktop doesn't erase them securely. Use a proper deletion method — most operating systems have secure deletion options, and cloud services have processes for permanent deletion.
If you're transferring your client list to another PT, you cannot transfer client data without the clients' consent. Personal data cannot be passed to a successor business without a lawful basis for that transfer.
Cancel your DPAs and platform subscriptions properly — check what each provider does with your data on account closure, and follow up to confirm deletion.
GDPR Compliance Checklist for Personal Trainers
Work through this before your next client session:
Intake and consent:
- [ ] Privacy notice given to all clients before collecting any data
- [ ] Separate explicit consent for health data, distinct from service terms
- [ ] Separate consent for progress photography if applicable
- [ ] Separate marketing consent with genuine opt-out
Data processors:
- [ ] Data Processing Agreement in place with PT software provider (PT Distinction, Trainerize, TrainHeroic, etc.)
- [ ] DPA with payment processor (Stripe, Square, PayPal)
- [ ] DPA with any cloud storage provider (Google Workspace, Dropbox, etc.)
- [ ] Reference to WhatsApp and other communication tools in privacy notice
Storage and security:
- [ ] Client health records stored securely with restricted access
- [ ] Progress photos stored in password-protected location
- [ ] No client health data in unprotected shared folders
- [ ] Clear process for responding to data deletion requests
Retention:
- [ ] Defined retention period for client records (e.g. duration of relationship + 6 years)
- [ ] Annual review of inactive client records
- [ ] Secure deletion process documented
Marketing:
- [ ] Marketing consent recorded separately from service agreement
- [ ] Unsubscribe mechanism in all marketing emails
- [ ] Process for honouring opt-out requests within 30 days
Ongoing:
- [ ] Register with ICO as a data controller (required in the UK if you process personal data — fee is £35/year for most small businesses)
- [ ] Privacy notice kept up to date as you adopt new tools
Scan Your Website for Free
If you have a website where clients can enquire, book sessions, or sign up to your mailing list, your website is also collecting data — and it may be doing so in ways you're not aware of. Contact forms, booking widgets, email capture tools, and embedded trackers can all be collecting data without clear disclosure.
Run a free privacy scan at app.custodia-privacy.com/scan to see exactly what your website is collecting, what third parties it's sharing data with, and what you need to disclose. No signup required — results in 60 seconds.
This post provides general information about GDPR obligations for personal trainers. It does not constitute legal advice. Your specific obligations will depend on your individual circumstances, the data you collect, and the jurisdictions in which you operate. Consult a qualified data protection professional for advice tailored to your situation.