1.1 In the course of undertaking its business activities, Legit Fit collects,
receives and processes information a) about its customers, being individuals
who use the services of Legit Fit as a professional business hub (“Customers”)
and b) about the customers and clients of its Customers (“Consumers”) who,
through the Customers, link into and use the Legit Fit’s platforms and
software functionality as part of the services that the Customers provide to
their own Consumers. Legit Fit is legally responsible for ensuring that this
information ("personal data") is held and processed in accordance with the law
and with individuals' rights.
1.2 This Policy sets out how Legit Fit complies with the key rules governing
the use of such data, including the requirements of the General Data
Protection Regulation 2018 ("GDPR"). For the purposes of this Policy, "Data
Protection Legislation" shall be taken to mean GDPR and any UK law concerning
the protection of personal data, including any legislation which supplements
or replaces GDPR and the Data Protection Act 1998 and laws relating to
E-Privacy. In preparing this Policy, Legit Fit has taken into account guidance
available at the time from the Information Commissioner's Office (“ICO”) and
has taken advice.
1.3 Words and phrases, such as "data controller" and "data processor", as used
in this Policy shall have the meanings given to them in GDPR.
1.3 Legit Fit believes it is principally a "data processor" for personal data
it holds and, with its Customers’ agreement, is required to hold that data for
the Customer’s purposes. It also processes data of Consumers through their
registration to the Customer and enables access to Legit Fit’s services.
However, Legit Fit can also collect and hold such personal data itself, at
which time it would be a "data controller".
1.4 Legit Fit also processes the personal data of employees or appointed
agents or consultants to Legit Fit who in effect work as part of Legit Fit and
the term "employee" will be used to refer to such persons.
1.5 This Policy does not document every part of GDPR which may be relevant,
but focuses on the key parts applicable to Legit Fit and its aim is to make
Legit Fit compliant and to eliminate so far as is reasonably possible
potential Data Protection Legislation breaches by Legit Fit and any harm or
loss to Customers, Consumers or the employees of Legit Fit.
1.6 Legit Fit may review and amend this policy from time to time as it thinks
fit, and will review it on at least an annual basis.
Under Data Protection Legislation, Legit Fit is responsible for ensuring that
personal data is held and processed in accordance with the data protection
principles within the Data Protection Legislation. In summary, these
principles are that personal data:
(a) should be processed lawfully, fairly and in a transparent manner;
(b) should be collected for specified, explicit and legitimate purposes, and
must be processed in accordance with those purposes;
(c) should be adequate, relevant and limited to what is actually necessary for
the legitimate purpose for which it is collected;
(d) must be accurate and kept up to date;
(e) will be stored for no longer than is necessary and in a form that permits
identification of data subjects;
(f) must be processed in a lawful manner; and
(g) shall be subject to appropriate security and safety measures.
For the purposes of GDPR, "processing" includes collecting and storing
personal data.
3.1 When processing personal data, under Article 6 GDPR, Legit Fit may only
process where one or more lawful grounds apply.
3.2 Having considered GDPR and the business activities of Legit Fit, Legit Fit
has concluded that its processing of personal data in undertaking its business
activities is lawful on the following GDPR grounds:
(a) the processing is necessary for the performance of a contract to which the
data subject, being either a Customer or a Consumer, is party or will be (see
Article 6(1)(b) GDPR). Legit Fit’s ‘Subscription Agreement’ is its direct
contract created online with a Customer allowing the Customer to provide
services to its Consumers; the Customer’s contract with a Consumer which
contractually provides Consumers access to and use of Legit Fit’s platforms,
software and services, is the contract to which the Consumer as a data subject
is party.
(b) the processing is necessary for the purposes of the legitimate interests
(for the purposes of Article 6(1)(f) GDPR) pursued by Legit Fit as instructed
by its Customers on agreed terms in providing its services to Customers (and
allowing the Consumers direct access to Legit Fit’s platforms and software) to
help the Customers provide their own services to the Consumers. Providing such
services for clients would not be possible without Legit Fit controlling and
processing the Customer’s and the Consumer’s personal data, reviewing and
evaluating the information to assist the Consumer in receiving the fitness and
training services of Legit Fit. Clients clearly benefit from Legit Fit’s
services and assistance in relation to which they have used Legit Fit; and
(c) separately, Legit Fit processes employees’ personal data for the purposes
of their salaries, bonuses, pensions and their employment records generally.
3.3 As a result, Legit Fit’s management has reasonably concluded that the
legal basis for it processing personal data will be individual consent, except
where this is otherwise necessary (see section 3.4 below) and that such
consent is given by:
(a) the Customer executing the Subscription Agreement in which Data Protection
Legislation binding provisions and safeguards will be agreed; and
(b) the Consumer:
(i) executing its agreement in whatever form with the Customer, in which Legit
Fit will require the Customer to obtain the positive consent of the Consumer
to allow Legit Fit to hold and process the Consumer’s personal data; and/or
(ii) when first accessing Legit Fit’s online website and services and signing
up as a registered user, the Consumer giving a positive consent to Legit Fit
holding and using their personal data for the specific reasons concerned.
3.4 As it is possible that Consumers may submit to Legit Fit certain special
categories of personal data and in particular medical records or histories,
then Legit Fit recognises the need to obtain such explicit consent to the
processing of that type of personal data for the purposes of Article 9 GDPR as
described in paragraph 3.3(b)(ii) above.
4.1 Legit Fit is required to maintain a record of its processing of personal
data activities containing specified information (see Article 30 GDPR). To
enable Legit Fit to comply with this requirement it will:
(a) ascertain what personal data is held by Legit Fit and which employees may
have access to it or involvement (for the purposes of providing Legit Fit’s
services to the Customer and the Consumer);
(b) analyse what personal data may be transferred on by Legit Fit or processed
for Legit Fit by a third party, for what reason and identifying such person or
organisation ("Data Processors");
(c) have each Data Processor comply with the GDPR provisions in respect of a
data processor as regards (among other things), the categories of processing
carried out for Legit Fit; what procedures are in place to test and maintain
accuracy of the personal data; and whether the personal data controlled or
processed by the Data Processor is (or may be) transferred to a third-party
processor or transferred outside the European Economic Area.
5.1 Legit Fit recognises that personal data should not be held longer than is
necessary. In general terms, very little physical hard copy personal data is
held at all, and if so it is for a variety of periods of time depending upon
the nature and type of the matter concerned. Such physical information – and
thus the hard copy personal data within it – will be kept by Legit Fit for six
years and then destroyed as such minimum period of time is required from tax
and regulatory rules, guidance, codes and good industry practice, in addition
to the fact that six years is often the limitation period in relation to
claims. Legit Fit’s public liability insurers also require it.
5.2 As regards personal data in electronic digital form, the same principles
apply. Digital personal data is securely encrypted and password-protected
using one of the leading tailored IT software systems and Legit Fit will keep
abreast of technological developments.
6.1 Legit Fit will ensure that all Customers receive, in their Subscription
Agreement with Legit Fit, full notice and details under Article 14 GDPR
containing information about how the Customer’s personal data (and that of the
Consumers) will be used. It will also contain a tick box under which they give
Legit Fit consent to use their personal data to send them Legit Fit’s
marketing and promotional information.
6.2 Legit Fit will ensure that the terms of the Subscription Agreement will
also contain clear instructions to the Customers that their specific contracts
with their Consumers shall contain suitable, adequate and appropriate express
positive consent being given by the Consumer at sign up/registration stage to
their personal data (and any special data) being passed to, held and processed
by Legit Fit as the platform and service provider for the Customer, such
details being sufficient under Article 14.
6.3 For further compliance, Legit Fit will, at the initial registration of a
Consumer to use Legit Fit’s platform, software and services through the
benefit of their contract with the Customer, obtain a clear positive consent
of that Consumer allowing and agreeing to Legit Fit’s collection, use and
processing of such personal data for the specific purposes which will be
indicated (and any special personal data being so collected will have its own
separate clear description as to purpose, how it is held and for how long).
6.4 Legit Fit engages third party PR and marketing agencies to promote Legit
Fit, including through printed matter and by email sent to individuals. Legit
Fit is aware of the individual’s consent, whether Customer, Consumer or
otherwise, that it needs to do this. All such recipient databases containing
those individuals who have consented to receiving such information will be
held by the third-party agency and in addition any emails sent out will
include the appropriate notices concerning continuing consent.
6.5 Legit Fit does not intend to sell or pass to a third party any personal
data for the purposes of that third party’s advertising to individuals.
6.6 The information in the Subscription Agreement and registration with Legit
Fit’s platforms will include, amongst other things:
(a) Legit Fit’s details (as a data controller and processor);
(b) details of the purposes for which Legit Fit holds and processes personal
data and the legal basis for that processing (as set out in section 3 above);
(c) the likely recipients of personal data;
(d) the period of time for which Legit Fit intends to hold the data; and
(e) any supplementary information required by Article 13 GDPR or by other
applicable Data Protection Legislation.
6.7 Legit Fit will review this information in its Subscription Agreement and
website registration processes annually and will amend it to reflect any
changes in Data Protection Legislation or in Legit Fit’s practice.
6.8 Legit Fit will keep this approach under review – including taking into
account any guidance produced by ICO and industry standards set by appropriate
bodies.
6.9 This Policy will be available upon request to all and placed on the Legit
Fit website and platform.
7.1 Data subject access requests
(a) Individuals are entitled to access their personal data held by Legit Fit
on request (Article 15 GDPR). The response Legit Fit gives to a data subject
access request must also include certain other information, such as the
purposes of the processing; the recipients (or categories of recipient) to
whom the personal data has or will be disclosed; and individuals’ rights to
have their data corrected, deleted or to restrict the processing of their
data.
(b) Legit Fit has noted that, under GDPR, the information must be provided to
individuals free of charge and within one month of the request.
(c) Legit Fit will maintain a record of data subject access requests.
7.2 Right to be forgotten
(a) Under GDPR, individuals have the general right to require Legit Fit
to erase all data held in respect of them in various circumstances (Article 17
GDPR). The circumstances include if the individual withdraws consent to
processing the data, the retention no longer being necessary for the original
purpose for which it was collected and there is no other legitimate ground to
justify the processing (see section 3 above). However, Legit Fit need not
delete the data if an exception applies, including that the processing is
necessary to comply with a legal obligation.
(b) Legit Fit considers it unlikely that any individual will seek to
exercise this right and has decided to review any request, and take advice,
should the situation arise. However, the starting assumptions will be i) whether
the data is still necessary to be retained for the applying period with regard
to the legitimate reason exception as described (and for the reasons given)
above; and ii) for the establishment, exercise or defence of legal claims in
the future, whether by or against Legit Fit.
7.3 Right to rectification
(a) Individuals have the right to have incorrect personal data about
them corrected without undue delay (Article 16 GDPR). Legit Fit endeavours
to have its data as up to date and correct as possible and to comply with the
expectations of the ICO. Where an error is discovered, Legit Fit already
corrects this as soon as possible.
7.4 Right to data portability
Individuals have the right, in certain circumstances, to access their
data in machine-readable format and, where technically possible, to have
their data transferred directly from Legit Fit to another data controller
(Article 20 GDPR). Legit Fit has decided to take no action in relation to
data portability at the current time but will monitor the situation and take
advice should this become necessary in future.
8.1 System perimeter security will be secured using an advanced Firewall
device set up to prevent non-essential access via port access restrictions. All
data is stored on secure servers provided by AWS (Amazon Web Services) –
please refer to https://aws.amazon.com/security/. The Firewall provides an
Intrusion Prevention System, logging all activity.
8.2 Legit Fit will have up to date device and server security. Endpoint
devices are protected with TLS 1.2 (SHA256) protocol security software which
includes protection for the following:
(a) data controls - prevents the flow of sensitive data outbound;
(b) device controls – prevents access to ROMS, USB and Wi-Fi;
(c) anti-virus – protects the device from malicious content and files types
including Malware, Phishing and Viruses;
(d) web controls – prevents access to websites classified as potentially
dangerous and/or offensive; and
(e) ‘Windows’ updates – device operating systems (i.e. ‘Windows’) will be kept
patched up to date using the ‘Windows Update Service’.
8.3 User access to Legit Fit’s systems will be controlled with a best practice
“strong” password policy, which includes password complexity and renewal
period rules. Access to application software will be controlled with two
factor authentication rules.
8.4 Legit Fit will use G-Suite ‘Email Security’, supplied and provided by
Google (please refer to
https://gsuite.google.co.uk/intl/en_uk/security/?secure-by-design_activeEl=data-centers),
which gives extensive email security measures. These include:
(a) targeted threat protection – sandbox for both email attachments and URLs
within emails providing additional protection from Ransomware style attacks
and other types of malicious threats;
(b) attachment management – this prevents the flow of dangerous file types;
(c) anti-virus, phishing, malware and spoofing emails are trapped at the
gateway before reaching endpoint devices; and
(d) strong anti-spam protection following rules based policies.
9.1 The employees all have responsibility to ensure that in performing their
duties they do not endanger the safety and security of personal data Legit Fit
holds and processes and at all times act in an appropriate manner concerning
the Data Protection Legislation generally and their individual obligations.
9.2 Legit Fit gives all employees a Privacy Notice which covers not only the
Privacy Notice required by GDPR Article 14 as regards Legit Fit’s use of their
own personal data, but also the obligations of Legit Fit which they must
uphold and adhere to. A ‘Do’s and Don’ts’ list is also given to employees. All
employees must be aware and cognisant of personal data security and confidence
and this will be reinforced by training.
9.3 All Legit Fit employees will undertake mandatory formal training on data
protection (and other issues) at suitable intervals and other training as
Legit Fit considers appropriate.
9.4 Legit Fit will undertake Data Protection Impact Assessments (as defined in
GDPR) (“DPIA”) as and when appropriate.
10.1 Legit Fit shall ensure that it has a written contract which meets the
requirements of GDPR in place with each data processor to which it may pass
personal data to be processed. In particular, Legit Fit will expect each data
processor to guarantee that it will meet the requirements of GDPR and will
protect clients’ and other individuals’ rights.
10.2 Before engaging a new data processor, Legit Fit will check that:
(a) the geography and location of the data processor and where the personal
data will be processed;
(b) the data processor has appropriate technical and organisational measures
in place to keep personal data secure; and
(c) the data processor's staff who will be engaged in processing personal data
in relation to the Scheme are subject to a duty of confidentiality and are
aware of data protection matters and their obligations.
10.3 Legit Fit will seek appropriate assurances from each data processor as to
the security arrangements it has in place. This may take the form of:
(a) for an existing data processor, a short summary of its key data security
measures;
(b) for a new data processor, before entering into a new contract, a short
statement of its key data security measures; and
(c) subsequent confirmation from each continuing data processor every 36
months of what, if any, changes there have been to its security arrangements.
10.4 Legit Fit recognises that its data processors may wish to sub-contract
some services, which may include sub-contractors processing data on behalf of
the data processor. Legit Fit will ensure that its contract with a data
processor wishing to do this will contain provisions concerning
sub-contracting which meet the requirements of GDPR.
11.1 Legit Fit takes seriously the need to deal with any data breach swiftly
and appropriately to minimise or eliminate risk of detrimental impact on any
data subjects. For this purpose, a data breach may include (but is not limited
to) unauthorised disclosure of or access to personal data; or accidental or
unlawful destruction of personal data; or loss or alteration of personal data.
11.2 Legit Fit shall require its employees and its data processors to report
data breaches or complaints to Legit Fit’s Data Protection Officer promptly
and to assist Legit Fit in ensuring compliance with the requirements of GDPR.
11.3 On being notified of a data breach or complaint, the Legit Fit Data
Protection Officer will as soon as possible notify Legit Fit’s senior management
and Legit Fit shall initially deal with it through the process outlined in
Legit Fit’s GDPR Complaints Policy.
11.4 Notwithstanding the initialisation of the procedure outlined in Legit
Fit’s GDPR Complaints Policy, in any event where a data breach has occurred,
Legit Fit shall consider whether it is necessary or appropriate to notify the
Information Commissioner's Office ("ICO") or the affected individual in the
event of a data breach, and will take professional advice as a matter of
urgency where required.
11.5 Legit Fit will maintain a record of any data breaches and complaints and
action taken in relation to each breach and complaint in inventory form.
11.6 Legit Fit will act reasonably in assisting data controllers of
information it holds and its appointed sub-processors in investigating and
resolving any breaches of this Policy or GDPR generally and will review,
update and amend this Policy (and others) in the light and context of any
breaches or issues arising.
12.1 Legit Fit has considered the provisions of Data Protection Legislation
that require it to appoint a data protection officer ("DPO") or to carry out a
data protection impact assessment ("DPIA") in certain circumstances.
12.2 Legit Fit, having considered the possibility of appointing a Data
Protection Officer as described in GDPR, has concluded that it is required to
appoint a DPO.
12.3 Under GDPR, organisations are required to undertake a DPIA "where a type
of processing in particular using new technologies, and taking into account
the nature, scope, context and purposes of the processing, is likely to result
in a high risk to the rights and freedoms of natural persons."
12.4 Legit Fit does not believe that at the present time the nature of its
processing (which, as set out in section 3 above, is fundamentally to
provide a central database and hub for service users of its Consumers as
required by its Subscription Agreement obligations) is such that there is
likely to be a high risk to the rights and freedoms of individuals and it has
concluded that it is not necessary for it to undertake any DPIAs at the
present time.
The Data Protection Act 1998, its anticipated successor and the General Data
Protection Regulations 2018 (“GDPR Laws”) do not specify specific periods for
data retention, deletion or destruction. The policy of data retention under
the Data Retention (EC Directive) Regulations 2009 applies to a wide range of
sources. This Legit Fit Data Retention & Destruction Policy will define how
Legit Fit stores, retains, archives, retrieves and disposes of personal data
(as defined in the GDPR Laws) that it receives, holds, uses and processes as
it performs its services for consumers and those registered to use Legit Fit
services on its website at legitfit.com.
Inappropriate retention of such personal data may lead to a breach of contract
as well as a breach of legislation leading to potential financial or
reputational loss. Should Legit Fit be subject to unexpected events such as
business continuity issues or litigation there may be occasions where it needs
to have access to the original personal data to protect its interests and
those of its direct counterparties and other consumers who by agreement can
use Legit Fit’s website services.
The GDPR Laws aim to reduce the time that personal data is held by entities
after the original consented purpose of it being held or processed has
finished. Legit Fit has considered the nature of the data it holds, the
services it provides, the methods and reasons for clients and its and their
individual consumers giving their consent to Legit Fit and how such consented
purposes cease alongside the justified general legal (contract and tortious)
and practical need to retain it. The conclusions of Legit Fit and its working
policy are shown in the table in Section 3 below.
Directors and senior management of Legit Fit will ensure all employees are
aware of this Data Retention & Destruction Policy and of the personal data
retention periods as stated in this Policy. All personal data that is no
longer required or used in accordance with the consent of the data subject (as
defined in the GDPR Laws) will be destroyed in accordance with this Data
Retention & Destruction Policy. Any personal data held in hard copy will be
stored in locked cabinets or offsite in a secure location until that time.
It is incumbent upon all Legit Fit staff to ensure accurate records are
maintained electronically to match any hard copy records held within Legit Fit
and that the location of the file is recorded.
Personal data will, so far as technologically possible at the time, be
deleted/redacted or otherwise destroyed as soon as reasonably practicable
after the said retention period. This Data Retention and Destruction Policy
comes into force on 25 May 2018 and will be reviewed annually by the Legit
Fit Data Protection Officer to ensure it remains fit for purpose.
May 2018
This Version 1.1 of this Policy was adopted by the directors of Legit Fit
Limited on 23 May 2018.
16.1 The Subscriber shall pay the Subscription Fees and / or Support fees
to the Supplier on a monthly or annual basis in accordance with the payment
plans available at legitfit.com/pricing.
16.2 The Subscriber shall on the Effective Date provide to the Supplier
valid, up-to-date and complete credit or debit card or bank account details or
approved purchase order information acceptable to the Supplier and any other
relevant valid, up-to-date and complete contact and billing details and, if the
Subscriber provides its credit or debit card or bank account details to the
Supplier, the Subscriber hereby authorises the Supplier to bill such credit or
debit card or to debit the Supplier’s bank account in accordance with the
payment plan selected by the Subscriber.
16.3 If the Supplier has not received payment within 14 days after any
due date, and without prejudice to any other rights and remedies of the
Supplier: the Supplier may, without liability to the Subscriber, disable the
Subscriber’s password, account and access to all or part of the Services and
the Supplier shall be under no obligation to provide any or all of the Services
while the invoice(s) concerned remain unpaid; and interest shall accrue on a
daily basis on such due amounts at an annual rate equal to 3% over the then
current base lending rate of Allied Irish Banks Plc from time to time,
commencing on the due date and continuing until fully paid, whether before
or after judgment.
16.4 If the Supplier then receives payment for the outstanding
Subscription Fees, the Supplier reserves the right to charge a Reconnection
Fee commensurate to the Subscriber’s monthly Subscription Fee in the
Subscriber’s territory.
16.5 All amounts and fees stated or referred to in this Agreement:
(a) shall be payable in the Subscriber’s local currency;
(b) are non-cancellable and non-refundable; and
(c) are exclusive of any taxes, levies or duties required or accessible in the
Subscriber’s territory. If the Supplier is legally required to charge and
collect any taxes, any relevant sum shall be added to the Supplier’s
invoice(s) at the appropriate rate.
16.6 The Supplier shall be entitled to increase the Subscription Fees,
at the start of each Renewal Period upon 30 days’ prior notice to the
Subscriber.