Version 1.1
Date: 14/04/2018
Version History:
Approvals:
This document must be approved by the following:
Related Documents:
These documents will provide additional information.
Overview
Purpose
Scope
GDPR Information for Legend
Overview
This document provides the information required by Legend customers as part of their assessment of suppliers
in line with GDPR.
For the purpose of this document:
The Legend Customer is the Data Controller
Legend Club Management Systems is the Data Processor
Purpose
This document will be available to Legend customers wishing to validate Legend's approach to GDPR and to
assist Legend customers in the development of their own GDPR documentation.
Scope
This statement applies to the Legend Club Management software system (Legend) and the services offered by
Legend Leisure Services (LLS) covering the processing of Direct Debit Payments and the provision of media
marketing services.
Please detail any training that Legend employees have undertaken in respect to Data Protection
and Information Security in the last 12 months.
Legend Club Management Systems holds the ISO9001:2015 and ISO27001:2013 certifications which
are both externally assessed by BSi. As part of our Information Security Management System (ISMS)
we undertake regular briefings and training for staff and cover Information Security as part of our
induction processes. Training is in the form of presentations and questionnaires to all staff. As part
of our ISMS culture we encourage staff to take a keen interest in security matters.
How is customers' data kept secure? How is it stored? Are there any security / encryption
measures in place?
Legend systems and data are stored at secure Tier III datacentres located in Leeds and Northampton.
Both datacentres hold ISO9001 and ISO27001 certifications. Each location has perimeter security
with CCTV coverage. Access is strictly controlled and only by prior appointment. Legend data is
stored on Legend-owned co-located servers within our own secure cabinets in the datacentre. A
number of security measures are in place to protect the data, and we will complete the enabling of
encryption at rest for the database during 2018.
How will Legend dispose of any paper or digital copies of our information?
Legend will rarely print any copies of personal data. Where this is required we operate a policy of
shredding any information which might contain personal data.
Digital data is only ever stored at our datacentres, and we have a policy of not storing customer data
on any standalone devices. Should a customer move away from Legend, the digital data will be
removed according to a process and timeline agreed with the customer. Any redundant disks will be
destroyed, with the destruction certified, by an appropriately approved data destruction company.
Where data is to be removed in line with the customer's data retention policy, personal information is
redacted from the database. This is under the control of the customer through the setting of data
redaction rules, which can apply redaction on an individual or club basis.
Does Legend hold any ISO Accreditations that are relevant to data protection?
Yes. Legend holds the following ISO/IEC accreditations:
ISO9001:2015
ISO27001:2013
Does Legend hold any data outside of the United Kingdom or the European Economic Area (EEA)?
No. Legend data is stored within the datacentres in Wakefield and Northampton.
Note that we can only answer for data stored by Legend. Customers should validate this area with
any third parties they wish to use that are linked to Legend.
Does Legend have any other provisions in place in relation to protection / compliance under the
General Data Protection Regulation that have not been covered above?
No.
Has Legend conducted a Data Protection Privacy Impact Assessment (PIA) on its system?
Yes. Legend has conducted a Privacy Impact Assessment in such a manner that its customers can
adapt it for their own use in relation to data stored in the Legend system.
Can data be exported from Legend in line with an information access request from an individual?
Yes. There is a standard report in the New Reports section that allows a single member's personal
data to be extracted in printed form or electronically, for example as CSV or XLSX. Note that it is the customers'
responsibility to validate the authenticity of such requests and to put in place suitable approval processes for
them.
Legend will not initiate any such release of data unless at the express request of the Data Controller.