This policy has been prepared by YUE CO LTD, a company incorporated under the laws of Malta and bearing company registration number C 57832 (hereinafter “YUE”, “we”, “us” or “our”).
YUE operates and manages a comprehensive wellness facility, which consists primarily of a state-of-the-art fitness gym, an aquatic centre, and a range of clinical services designed to support overall health and well-being.
We fully operate and manage the fitness gym and the aquatic centre (“YUE Services”). On the other hand, with respect to the clinical services offered within our premises (“Clinical Services”), we solely provide the infrastructure (premises and booking assistance) but the Clinical Services are provided directly and independently by third party professionals.
For further information about the YUE Services and the Clinical Services, we encourage you to reach out to our contact centre or alternatively seek the relevant information on our website.
This policy provides an overview of the personal data we process when we act as data controllers, including when you visit our website or premises. This policy also outlines how we collect or otherwise procure this personal data, what we do with such personal data and generally how we comply with the provisions of laws relating to the protection of personal data as applicable to us, in particular Regulation (EU) 2016/679 (“GDPR”).
Throughout this document, we will be using certain specific terms. Since our intention is that this document is easily understood, we would like to clarify what these terms are intended to refer to. Naturally, if anything is unclear, please do not hesitate to get in touch with us.
In terms of the provisions of the GDPR, the term “personal data” is defined as ‘any information relating to an identified or identifiable natural person (‘data subject’)’. Furthermore, the term “processing” is also given a wide meaning and is defined as ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.’ This includes collection, recording, storage, adaptation, and use of personal data.
We have grouped the personal data that we receive, use or otherwise process in the following categories:
[a] In relation to the YUE Services
| Title | Description | Source |
| Membership Information | We collect personal information such as your name, address, contact details, email address and date of birth to manage your membership. | Directly from you when you submit your application form. |
| Health & Fitness Data | We collect data concerning your physical and health data for two main reasons –(i) to assess whether you are fit to become a member and participate in our facilities and (ii) to be able to use such data in the case of an emergency. | Directly collected from members during fitness assessments (initial application form & questionnaire) and subsequent consultations. |
| Attendance Records | When attending our fitness gym, aquatic centre or class participation, we maintain records to monitor usage and manage memberships. | Automated collection through check-ins and attendance tracking systems. |
[b] In relation to the Clinical Services
| Title | Description | Source |
| Booking Details | To make a booking with one of the Third-Party Clinicians, we collect (a) your name, (b) your contact details, (c) the Third-Party Clinician you would like to set up an appointment with and (d) any additional details which is specifically requested by the particular Third-Party Clinician or which you choose voluntarily to provide. | Directly from you when you call us or get in touch with us to book an appointment. |
[c] Generally applicable
| Interaction Information | This comprises any information, data or material that is exchanged with us and is not covered in any of the other categories set out in this table. | Directly from your interactions and communications with us. |
| Payment Details | We collect payment details including credit/debit card information, billing address and VAT number, where applicable. | Directly collected from members during payment processing. |
| Security & Surveillance Data | We collect data through security surveillance systems, including CCTV footage. | Automated collection through security cameras and access control systems. |
| Usage Information | When you access our website, we also receive certain types of personal data automatically, such as the sections you have visited, the content you have accessed and the frequency and duration of your visits. In addition to the above, please note that we will also collect certain data about your device or browser automatically via log files, such as your Media Access Control (MAC) address, device ID, operating system name and version, browser type, and device manufacturer and model. We may also collect your IP address. We use data about your device to ensure our solutions function properly, diagnose server problems, and administer our software solutions and the services we provide. | Automatically as described in the second column. |
Our primary objectives in processing personal data are to manage the YUE facility and provide you with the YUE Services and the Clinical Services. Furthermore, we process personal data also to ensure compliance with our duties and obligations, whether legal or contractual.
We will process personal data when we have a proper reason for doing so. In particular, the legal basis we rely upon to process personal data is further set out in the table hereunder:
[a] In relation to the YUE Services
| Purpose | Type | Lawful basis |
| To set up, open and manage your membership
This includes setting up your membership and setting up your profile to enable you to access and utilise various services, such as the gym, the aquatic centre (if applicable) and book fitness classes. |
Membership Information; Interaction Information | Contractual necessity (GDPR Article 6(1)(b)).
Necessary for our legitimate interests (GDPR, Article 6(1)(f)) – to administer the account opening process; to safeguard our reputation. |
| To monitor attendance and manage memberships
This essentially relates to (i) monitoring when and how often members use the gym and other facilities to help manage capacity and maintain a quality service environment and (ii) Managing the active status of memberships, updating member profiles, and ensuring compliance with membership terms. |
Membership Information; Attendance Records | Contractual necessity (GDPR Article 6(1)(b)).
Necessary for our legitimate interests (GDPR, Article 6(1)(f)) – To ensure facilities are not overcrowded, maintain high service quality, and allocate resources effectively. |
| To assess fitness and health status
When you submit an application to join our YUE facilities, we conduct an initial evaluation of members’ physical capabilities and health conditions to ensure that they are healthy and fit to become members. Regular updates may also be done particularly to tailor fitness programs. From time to time, we may also perform health screenings to ensure members are fit for physical activities and to identify any potential health risks that require attention. |
Membership Information; Health & Fitness Data | Contractual necessity (GDPR Article 6(1)(b)).
Necessary for our legitimate interests and that of our members (GDPR, Article 6(1)(f)) – to improve service quality; to enhance the safety and well-being of our members. To protect the vital interests of our members (GDPR, Article 6(1)(d); Article 9(2)(c)). Explicit consent (GDPR, Article 9(2)(a)). |
| To provide wellness programs
When requested, we can also create customised wellness plans based on individual health assessments, fitness goals, and dietary preferences to help members achieve their health objectives. |
Membership Information; Interaction Information; Attendance Records; Health & Fitness Data | Consent (GDPR, Article 6(1)(a)).
Necessary for our legitimate interests and that of our members (GDPR, Article 6(1)(f)) – to promote health and wellness among members, which can lead to improved member satisfaction and retention. |
| To engage outsourced personal trainers
Upon your request, we can also assist with the engagement of third-party personal trainers that can help you further your fitness needs. We will be undertaking the following activities: (a) Managing agreements with third-party personal trainers who operate independently from the gym facilities; (b) Facilitating communication between members and personal trainers for scheduling, session planning, and feedback; (c) Allowing personal trainers to develop personalized training programs based on the fitness assessments and goals of the members; and (d) Monitoring the performance and professionalism of personal trainers to maintain high service standards. |
Membership Information; Interaction Information; Attendance Records; Health & Fitness Data | Contractual necessity (GDPR Article 6(1)(b)).
Necessary for our legitimate interests (GDPR, Article 6(1)(f)) – to enhance the quality of fitness services offered, ensuring customer satisfaction and competitive service offerings. |
[b] In relation to the Clinical Services
| Purpose | Type | Lawful basis |
| To manage bookings.
This relates to our role in facilitating the booking process for customers who wish to access services provided by healthcare specialists using the clinic’s facilities. We collect essential information such as names, contact details, and the nature of your visit to ensure smooth scheduling and to communicate effectively about appointments. This information helps tailor your visit to your specific needs and ensures that you receive appropriate care from the right specialist. |
Booking Details;Interaction Information | Contractual necessity (GDPR Article 6(1)(b)).
Necessary for our legitimate interests (GDPR, Article 6(1)(f)) – to administer the account opening process; to safeguard our reputation. |
| To monitor and manage appointments
We process personal data so that we ensure that appointments are scheduled in a manner that prevents overcrowding and maximizes the availability of our healthcare providers. |
Booking Details; Interaction Information | Contractual necessity (GDPR Article 6(1)(b)).
Necessary for our legitimate interests (GDPR, Article 6(1)(f)) – To ensure facilities are not overcrowded, maintain high service quality, and allocate resources effectively. |
| To coordinate with outsourced health specialists
Our service includes coordinating the interaction between patients and outsourced health specialists. We manage the logistical aspects of this engagement, such as scheduling, space allocation, and ensuring the specialists have the necessary tools and facilities at their disposal to provide high-quality care. |
Booking Details; Interaction Information | Contractual necessity (GDPR Article 6(1)(b)).
Necessary for our legitimate interests and that of our members (GDPR, Article 6(1)(f)) – to improve service quality; to enhance the safety and well-being of our members. To protect the vital interests of our members (GDPR, Article 6(1)(d); Article 9(2)(c)). Explicit consent (GDPR, Article 9(2)(a)). |
[c] Applicable in general
| To ensure that our offerings and any of our engagement complies fully with all applicable laws.
We strive to manage our operations in compliance with relevant standards and legal requirements. |
Membership Information; Booking Details; Interaction Information; Usage Information | Legal obligation (GDPR Article 6(1)(c))
Necessary for our legitimate interests (GDPR, Article 6(1)(f)) – to safeguard our reputation |
| To manage payments and fees
We process fees and payments you make to us in relation to the YUE Services. Furthermore, we also collect fees for and on behalf of third party professionals who provide Clinical Services from within the YUE Complex. We also process refunds where applicable. |
Membership Information; Booking Details; Payment Details; Interaction Information | Contractual necessity (GDPR Article 6(1)(b))
Necessary for our legitimate interests (GDPR, Article 6(1)(f)) – to collect the payment due to us. |
| To deploy emergency assistance
In the case of an emergency, we facilitate the rapid deployment of emergency assistance to ensure the safety and well-being of individuals on our premises. |
Membership Information; Health & Fitness Data; Booking Details; Health-Related Data; Interaction Information. | Consent (GDPR, Article 6(1)(a))
Vital Interests of yourself or the other person in distress (GDPR, Article 6(1)(d)) |
| To manage our relationship with you, including the provision of customer service
This encompasses ongoing customer support, handling inquiries, and ensuring satisfactory communication. |
Membership Information; Booking Details; Interaction Information | Legal obligation (GDPR Article 6(1)(c))
Contractual necessity (GDPR Article 6(1)(b)) Necessary for our legitimate interests (GDPR, Article 6(1)(f)) – to keep our records updated. Consent (GDPR, Article 6(1)(a)). |
| To maintain our contact database for marketing
We manage and update our list of contacts to send you information about special offers, and upcoming events through various communication channels. |
Membership Information; Booking Details; Interaction Information | Consent (GDPR, Article 6(1)(a)).
Necessary for our legitimate interests (GDPR, Article 6(1)(f)) – to keep our records updated; to enhance our business and client-base. |
| Business Intelligence & Analytics
To collect and anonymize data for statistical and benchmarking purposes. |
Usage Information; Attendance Records; Booking Details. | Necessary for our legitimate interests (GDPR, Article 6(1)(f)) – to improve user experience and offerings). |
| To safeguard our interests
This includes keeping our infrastructure secure, through security monitoring to detect, prevent and respond to suspicious activity, fraud, intellectual property infringement, violations of our terms or law and for other similar purposes; to establish, exercise or defend legal claims. |
All categories | Necessary for our legitimate interests (GDPR, Article 6(1)(f)) – to safeguard our interests and infrastructure).
Legal obligation (GDPR Article 6(1)(c)) |
| To facilitate business transactions
To make certain information available to third parties that may be interested in acquiring our business (either prior to or as part of the transaction). This includes, amongst others, any merger, sale, restructure, acquisition, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock. |
All categories | Necessary for our legitimate interests (GDPR, Article 6(1)(f)) – to ensure that we are able to sell our business, should we decide to do so). |
Change of purpose
We will use and process personal information solely for the purposes for which it was initially collected, unless we reasonably believe there is a need to use it for a different yet compatible reason. In the event we intend to use personal information for an unrelated purpose, we will inform the relevant data subjects and provide an explanation of the legal basis that permits us to do so.
We will use and process personal information solely for the purposes for which it was initially collected, unless we reasonably believe there is a need to use it for a different yet compatible reason. In the event we intend to use personal information for an unrelated purpose, we will inform the relevant data subjects and provide an explanation of the legal basis that permits us to do so.
We typically only collect personal data of our customers and clients. However, there may be occasions where you choose to provide us with details of third parties, such as when you make a booking on their behalf. If you do so or otherwise provide us with personal data of third parties, you are binding yourself that, prior to sharing such personal data with us (i) you are to inform such third parties of the personal data concerning them that our direct contact will be sharing with us; (ii) you are fully authorised by such third parties to share their details with us (iii) you are to ensure that such third parties are aware of their rights with respect to such information and (iv) you are to provide such third parties with a copy of this Privacy Notice.
Under the GDPR, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is deemed to be “special categories of personal data” and require a higher level of protection. We need to have further justification for collecting, storing and using this type of personal information. We have in place appropriate safeguards which we are required by law to maintain when processing such data.
As indicated in point 3 and 4 above, we collect certain health data that is necessary for us to carry out our obligations and comply with our legal duties.
No
We will share personal data with third parties where required by law, where it is necessary to administer the relationship with our clients, and as otherwise provided hereunder.
Furthermore, we will also share your personal data as follows:
(a) Personal Trainers – We engage a number of third-party personal trainers who can assist you with your fitness requirements. When you book a personal training session, we will provide the third-party personal trainer with your details so that the booking process can be facilitated. We also keep records of all sessions that you attend. However, we do not keep records of the actual sessions or your performance. You are encouraged to seek information directly from the personal trainer that you interact with regarding their data handling policies, as these may differ from ours.
(b) Health care professionals – When you make a reservation to attend an appointment with one of the practitioners within the YUE Complex, we share your details with the appropriate practitioners so that we can manage your booking efficiently. Further details about the information we share is indicated in points 3 and 4 above. Please understand and acknowledge that our role is solely that of facilitating the booking process. We do not keep records of your treatment outcomes. You are encouraged to seek information directly from the practitioner regarding their data handling policies, as these may differ from ours.
(c) Emergency personnel – In the case of an emergency, we may share your details with emergency personnel (such as medical and security teams) to ensure that your needs are attended efficiently.
(d) Third-party service providers – From time to time, and always subject to us complying in full with Article 28 GDPR, we engage a number of third parties to provide us with certain services and in doing so, certain types of personal data may be required to be provided to such third-party service providers. These include third parties providing legal advice, audit banking services, sales and marketing, customer support & IT services.
(e) Our insurers and insurance brokers.
(f) Regulatory authorities, departments or law enforcement agencies, when we are required, or permitted to do so by law.
(g) Any other person or entity but solely when we are expressly authorised to do so, such as when you provide us with your consent.
(h) A prospective buyer or any of its advisors, where relevant, in the course of a due diligence exercise or as part of a corporate transaction. In this situation we will, so far as possible, share anonymised data with the other parties before the transaction completes.
We may also process your personal data to comply with our regulatory requirements or in the course of dialogue with our regulators as applicable, which may include disclosing your personal data to government, regulatory or law enforcement agencies in connection with enquiries, proceedings or investigations by such parties anywhere in the world or where compelled to do so. Where permitted, or unless to do so would prejudice the prevention or detection of a crime, we will direct any such request to you or notify you before responding.
Prior to sharing data with a third-party service provider, we require them to commit in implementing appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions. YUE is not responsible for the data processing practices of any third-party, which may differ from the contents of this document.
Currently, all personal data is processed in Malta and the European Economic Area (EEA). It is however possible that personal data will be made available or otherwise processed outside of the EU, namely when we engage third-party contractors.
If we do so, we will take adequate measures to ensure that personal data is safeguarded to the same standards as it would have been if processed in the EU, by relying on one of the following:
(a) We will ensure that personal information is sent to a country that is considered to provide an adequate level of data protection, in terms of any adequacy decision adopted by the European Commission, in accordance with the provisions of article 45 of the GDPR;
(b) We will enter into agreements that impose a legal obligation on the recipient to protect personal data in accordance with the provisions of the GDPR.
The GDPR grants data subjects a number of rights that can be exercised in certain circumstances, including:
(a) Right of access (subject access request) – This right allows data subjects to request and obtain confirmation on whether we are processing their personal data. Data subjects can also access details about the processing and receive a copy of the data being held.
(b) Right of rectification – data subjects have the right to request that we correct any inaccuracies or incomplete personal data held about them.
(c) Right of erasure – In terms of this right, commonly known as the “Right to be Forgotten,” data subjects can request the deletion of their personal data under certain circumstances, particularly when the data is no longer necessary for the purpose for which it was collected.
(d) Right of erasure – In terms of this right, commonly known as the “Right to be Forgotten,” data subjects can request the deletion of their personal data under certain circumstances, particularly when the data is no longer necessary for the purpose for which it was collected.
(e) Right to object – This right enables the data subjects to object to the processing of their personal data, including profiling, for reasons related to their particular situation.
(f) Right of data portability – data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format.
We do not carry out any fully automated decision-making or profiling.
In those occasions where we have indicated that we are basing our processing on our legitimate interest, please note that in terms of Article 21 GDPR, data subjects have the right to object to that processing.
Where the legal basis of processing is based solely on the data subject’s consent, the data subjects may withdraw such consent at any time by notifying us accordingly. This shall be without prejudice to the lawfulness of processing based on consent before such withdrawal.
For more information about these rights and how to exercise them (when we are acting in our capacity as data controllers), kindly contact us on the contact details set out hereunder.
The length of time for which we hold personal data depends on a number of factors, such as regulatory rules and any legal requirements. We also consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of personal data, the purposes for which we process personal data and whether we can achieve those purposes through other means.
For further information about our data retention policies, please get in touch with our data privacy manager on the contact details set out hereunder.
If you need more information about this this privacy notice or how we handle personal information, please contact our data privacy manager, on fabian.vella@yuemalta.com or 22589812.
Our registered address is situated at:
YUE Co. Ltd
LABOUR AVENUE
NAXXAR
NXR 9027
Malta
Privacy and data protection is a two-way street, and while we strive to uphold it diligently, the active participation of everyone is crucial. This means that along with enjoying privacy rights, data subjects also have certain responsibilities. As part of these obligations, we anticipate that data subjects take reasonable measures to assist us in effectively safeguarding and managing your privacy.
For instance, to ensure that we maintain accurate, complete, and up-to-date personal information, we kindly you to promptly notify us if personal details previously submitted to us become inaccurate, incomplete, or outdated.
We go to great lengths to ensure that we handle personal data responsibly. If there are any concerns or issues with anything related to these matters, please do not hesitate to get in touch with us and we assure you that we will do our utmost to address your concerns.
In any case, if you are not satisfied with the way we manage personal data, you have the right to file a complaint with any relevant data protection authority (particularly the one situated where you habitually reside). Contact details of the competent authority in Malta are as follows:
Address – Information and Data Protection Commissioner, Floor 2, Airways House, High Street, Sliema, SLM 1549, Malta.
Telephone – (+356) 2328 7100
Email – idpc.info@idpc.org.mt
Version 2
Date: 17.06.2025
Changes to the Privacy Policy – We may alter these terms at any time, but in any case we will inform you accordingly, by means we deem reasonable in the circumstances. In the event of any conflict between the current version of these terms and any previous version(s), the provisions current and in effect shall prevail unless it is expressly stated otherwise.
