
Name and address of controller

Please use this form for all activities where the company is acting as a data controller

Responsible for this Record of Processing Activities: [Insert name and contact details]
Name of Data Protection Officer (if any): [Insert name and contact details]
Name of Data Protection Representative: [Insert name and contact details]

Mandatory fields in Record of Processing Activities according to Article 30 of the GDPR

| Department (eg HR, IT etc) | Name of IT System Software | If applicable: name and address of the joint controller | Categories of personal data |
| --- | --- | --- | --- |
| | Legend (provided by Legend Club Management Systems) | | See Legend personal data summary. Name & Address; Gender, DOB, email; Contact details; Contact preferences; Photo; Bank details; medical information; Goals & eligibilities; ethnicity, occupation; marital status |

| Purpose of processing | Categories of data subjects | Categories of recipients (include recipients in other countries and organisations) | Transfer to other country or international organisation (name) |
| --- | --- | --- | --- |
| Membership Management | Members of leisure facility | Fitness equipment providers; Payment processors; Mail processors; Letter mail processors; Card schemes; Business Intelligence systems; Specialist membership systems; Libraries; Finance systems | Not applicable |
| If applicable: Documentation of suitable safeguards for exceptional transfer to third country | Time limits for erasure for each category of data | General description of the technical and organisational security measures | Data Collection: Was data collected on basis of consent? |
| --- | --- | --- | --- |
| Legend is ISO27001 certified. Exceptional only with written agreement between Legend and controller | Data retention policy. Data redacted in line with this. On cessation of contract with Legend agreement reached on deletion date. Backups at Legend deleted 7 days later. | | |
Data Collection (Own Data Storage)

| Has information to the Data Subject been provided? | Location of Server | Server operated by (company name and registered address) | Legal basis for storing the data on that server/service |
| --- | --- | --- | --- |
| | | | |

Data Processor

| Name and contact details of the Processor | Location of Server | Legal basis for processing the data | Subprocessors name, contact details, location of server. Legal basis |
| --- | --- | --- | --- |
| Legend Club Management Systems | Wakefield datacentre (primary). Northampton datacentre (secondary) | Legend Club Management Systems | Complete with sub processor names |
| Data Access: Legal justification for transfer / operational access to the data | Privacy Impact Assessment: Required? | Privacy Impact Assessment: Executed (See Document Register) | Comments/Action Points: Comments | Comments/Action Points: To do/responsible |
| --- | --- | --- | --- | --- |
| Data processor for the Data controller in accordance with service contract | | | | |
Name and address of processor

Please use this form for all activities where the company is acting as a data processor

Responsible for this Record of Processing Activities: Paul Simpson, Chief Operating Officer, paul.simpson@legendware.co.uk
Name of Data Protection Officer (if any): Paul Simpson, Chief Operating Officer, paul.simpson@legendware.co.uk
Name of Data Protection Representative

Mandatory fields in Record of Processing Activities according to Article 30 of the GDPR

| Department (eg HR, IT etc) | Name of IT System Software | If acting as a data processor: name and contact details of the controller and Data Protection Officer |
| --- | --- | --- |
| | Legend (provided by Legend Club Management Systems) | Paul Simpson, Chief Operating Officer, paul.simpson@legendware.co.uk |

| Categories of processing carried out for the controller | Transfer to other country or international organisation (name) | If applicable: Documentation of suitable safeguards for exceptional transfer to third country | Time limits for erasure for each category of data |
| --- | --- | --- | --- |
| Hosting of and maintenance of Membership Management Software. Where applicable processing of Direct Debits and mailing services | None | Legend is ISO27001 certified and has a formal Information Security Management System (ISMS). Exceptional only with written agreement between Legend and controller | Data retention policy established by controller. Data redacted in line with this. On cessation of contract agreement reached on deletion date. Backups deleted 7 days later. |
[Insert name and contact details]

| General description of the technical and organisational security measures | Data Storage: Location of Server | Data Storage: Server operated by (company name and registered address) | Data Storage: Legal basis for storing the data on that server/service |
| --- | --- | --- | --- |
| ISO9001 and ISO27001 certifications in place. Regular penetration tests, network scans and staff training conducted. Suppliers are assessed for appropriate certifications | Wakefield datacentre (primary). Northampton datacentre (secondary) | Legend Club Management Systems | Data processor for the Data controller in accordance with service contract |

Comments/Action Points

| Comments | To do/responsible |
| --- | --- |
| | |
Version Control

| Date | Version | Commentary | Author |
| --- | --- | --- | --- |
| 2/1/2018 | 1.0 | Initial version drafted for commentary | COO |
| 4/14/2018 | 1.1 | Issued for distribution approval | COO |