GDPR compliance

How we comply with the EU General Data Protection Regulation.

We recognise trust is the foundation of our relationship with our customers. We value the confidence you have put in us and take the responsibility of protecting your information seriously. Respect for security and privacy has been built into our business from the beginning. As we have grown, our emphasis on protecting and managing the data our customers entrust to us has continued to be a top priority.

The GDPR is coherent with how we think and operate. Security practices have been established from the beginning to comply with the most widely adopted standards and regulations.

Legado is Fully GDPR Compliant

In May 2018, the General Data Protection Regulation (GRPR) legislation came into force. It is a European privacy law that requires organisations from across the world to comply with EU privacy and data management practices. Legado is supportive of our customers own GDPR compliance. Legado customers can have certainty and confidence that the handling of personal data is of the GDPR’s security standards.

We have ensured the most comprehensive set of compliance offerings have been established and are in enabled for customers to ensure support for your compliance initiatives. In particular, in accordance with article 5 of the GDPR, Legado has ensured that personal data is:

  • Processed lawfully on the basis of Legitimate Interests
  • Adequate, relevant and limited to what is necessary
  • Collected only for specified, explicit and legitimate purposes
  • Accurate and kept up to date
  • Held only for the absolute time necessary and no longer
  • Processed in a manner that ensures appropriate security of the personal data

What is Legado doing today on GDPR Compliance

Legado has undertaken and executed a comprehensive evaluation and audit of all our systems and practices in connection with the personal data of our customers and have put in place the appropriate procedures and infrastructure to ensure full compliance with the requirements of the GDPR.

In particular, Legado has:

  • Placed the greatest level of importance on data protection and we have a track record of staying ahead of the compliance curve – built with GDPR in mind.
  • Directed our Legal, Trust and Privacy teams to prudently analyse the GDPR and have taken the essential steps to ensure that we comply.
  • Has been built to ensure we have met and will continue to meet the requirements of the GDPR.
  • Confirmed with our suppliers that each vendor itself has taken the necessary steps to achieve GDPR compliance.

Professional Advisers and GDPR Compliance

Legado has been built with Professional Advisers GDPR compliance in mind. You do not have to worry about GDPR compliance when retrieving or storing documents on your client’s behalf. As your client controls their Legado account, they give explicit consent to share their data and information with you, therefore whilst using Legado, you and they are GDPR compliant.

Legado and the GDPR – Frequently Asked Questions

This section will provide a summary on the new data protection requirements which apply under GDPR and how the GDPR applies to the services offered by Legado.

What is personal data under the GDPR?

Personal data is at the heart of the GDPR. Personal data is information that relates to an identified or identifiable person who could be identified, directly or indirectly based on the information. For example, your name, address, and date of birth were all already considered personal identifiers under the Data Protection Act 1998. The GDPR broadened the definition of what counts as personal data. Personal data includes an identifier such as:

  • your name
  • an identification number, such as your National Insurance Number or passport number
  • your location data, such as your home address or mobile phone GPS data
  • an online identifier, such as your IP or email address

Sensitive personal data is also covered in GDPR as special categories of personal data. The special categories, which relate to Legado, specifically include:

  • genetic data relating to the inherited or acquired genetic characteristics which give unique information about a person’s health of that person
  • data concerning health which reveals information about your health status, including both physical and mental health and the provision of health care services
  • racial or ethnic origin
  • religious or philosophical beliefs

What types of personal data does Legado collect?

The personal data which Legado collects depends upon the level of engagement a customer has with Legado. Legado typically will collect individuals’ contact details such as name, email address and payment details (where applicable). Legado has no access to details or folders which are placed in a customer’s digital vault.

Our collection and processing of personal data is for the purposes of Legado’s legitimate interest in the commercial provision of our services pertaining to our digital vault, our services for end-of-life and legacy planning and the improvement of our guides and content and to the extent necessary for the continuous performance improvement of our services.

What is the difference between a data processor and a data controller?

The GDPR is applicable to data controllers and data processors. A controller is the entity that regulates the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.

Our usual practice respects that Legado is the Data Processor and Legado customers are designated as Data Controllers.

What are the rights of data subjects?

Data subjects are the individuals who are identified or identifiable by reference to the personal data they provide. Data subjects have the following rights under the GDPR:

  • Breach Notification – Notification of a data breach is mandatory where it is likely to result in a risk for the rights and freedoms of individuals. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, without undue delay after first becoming aware of a data breach.
  • The right to be informed – Individuals have the right to be informed about the collection and use of their personal data.
  • The right to rectification – A right for individuals to have inaccurate personal data rectified or completed if it is incomplete.
  • Data Portability – This is the right for a data subject to receive the personal data concerning them which they have previously provided in a commonly used and machine-readable format and the right to transmit that data to another controller.
  • The right to restrict processing – Individuals have the right to request the restriction or suppression of their personal data.
  • Right to Access -Data subjects have a right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller must provide a copy of the personal data, free of charge, in an electronic format.
  • The right to object – Individuals have the right to object to processing of personal data for direct marketing purposes.
  • Right to be Forgotten – The right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.

Legado has and will apply procedures to ensure that it will comply with all data subject rights in accordance with the requirements under the GDPR.

What security measures does Legado have in place to protect personal data?

Legado has employed robust security measures to maintain and ensure the confidentiality and integrity of customer data. These include, but are not limited to, tiered two-factor authentication, regular security and system audits (including third party reviews), password access which is regularly changed, session time-outs, use of the latest encryption software and recording systems which monitor platform access.

Does Legado have a privacy policy?

Our privacy policy sets out how we collect, use and process personal data. Our privacy policy can be accessed here.

Is Legado maintaining Data Processing Records?

Legado fully complies with the requirements under the GDPR to maintain records of processing activities carried out on behalf of our customers. This includes a comprehensive audit trail of all data processing records, including the type of processing and any transfers of personal data.

We contractually require our approved sub-processors to comply with the same requirements.

Can Legado customers delete their personal data from our systems?

Legaco customers can directly access their digital vault and delete the personal data that has been uploaded. In addition, Legado customers can request for part, or all of their personal data that we store on our systems, to be deleted.

Legado will comply with all requests to delete personal data in accordance with the requirements of the GDPR.

Can Legado customers export their personal data from our systems?

Legado customers can directly access our systems to export personal data. In addition, Legado customers can request for an exported version of all their personal data that we store on our systems.

What will happen is Legado encounters an unauthorised breach of data?

Legado will immediately report any personal data breach to our customers in full compliance with the GDPR.

Who can I contact regarding Legado’s EU data protection representative?

We hope you found this article useful and informative. If you have any further questions or would like additional information about our GDPR compliance and our privacy procedures, please contact us at