GDPR

Last updated July 2018

At Fitbit, we have a long-standing commitment to privacy and data protection.
We take our obligation to safeguard users’ personal information very seriously and are committed to protecting the privacy and security of our users, while being transparent about our data practices.

The below FAQs are intended to provide some more information on Fitbit’s approach to compliance with the new European privacy law, the General Data Protection Regulation (GDPR), including as it relates to Fitbit Health Solutions (FHS).

Q: What is Fitbit’s position on GDPR?

  • Fitbit is committed to GDPR compliance. We take our obligation to safeguard users’ personal information very seriously and are committed to protecting the privacy and security of our users, while being transparent about our data practices.
  • We currently comply with the EU-US Privacy Shield framework and we believe that GDPR is an important step forward in strengthening and clarifying the rights of individuals regarding their personal data. In the European Economic Area, the UK and Switzerland, we provide our services to users through Fitbit International Limited, our Irish affiliate which is subject to the GDPR and the oversight of the Irish Data Protection Commission.
  • We do not share customer personal information except in the limited circumstances described in our Privacy Policy.

Q: What type of data will Fitbit obtain from consumer users?

  • To register an account or set up a new device, the user will need to agree to the Fitbit Terms of Service and Privacy Policy which outline the data they will share with Fitbit. Data types will vary depending on the specific product and features the user engages with, but will include self-entered and tracked activity data.

 Q: What data does Fitbit share with its business customers?

  • If a user with a Fitbit account is invited to join a corporate wellness software dashboard purchased by a FHS customer, Fitbit will ask that user for their consent to share their activity data with the customer and other participants. Upon obtaining that consent, we begin sharing a subset of the user’s activity data to the software dashboard, where our customer and other participants will be able to view it. Users are free to revoke their consent at any time.

Q: Do FHS customers have a choice about what data they receive?

  • FHS customers have the option to choose data presented in aggregate or individual formats. If an aggregate program is selected, only aggregate (non-identifiable) user data will be presented. If an individual program is selected, a user’s activity will be associated with their name and viewable to the FHS customer and other participants in the program.

 Q: Why is there no Data Processing Agreement between Fitbit and its FHS clients?

  •  Fitbit and our FHS clients are joint data controllers of the Fitbit user data under the GDPR, so the usual GDPR data processing language, used with data processors, isn’t applicable.