Privacy Policy
Effective June 2, 2021
Lighthouse Privacy Policy
Our commitment
Lighthouse (referred to as “We,” “Our,” or “Us”) is committed to protecting the privacy and security of your personal information. We take care to protect the privacy of our customers and users of our products, websites, and social media platforms, as well as event attendees and those that contact us through email or over the phone.
We have therefore developed this Lighthouse Privacy Policy to inform you of the data we collect, what we do with your information, and what we do to keep it secure, as well as the rights and choices you have over your personal information.
Throughout this Lighthouse Privacy Policy, we refer to Data Protection Legislation, which means the Data Protection Act (DPA) 2018, the United Kingdom General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications (EC Directive) Regulations 2003, and any legislation implemented in connection with the aforementioned legislation. Where data is processed by a controller or processor established in the European Union or comprises the data of people in the European Union, it also includes the EU General Data Protection Regulation (EU GDPR). Where data is processed by a controller or processor established in California or comprises the data of California consumers, it also includes the California Consumer Privacy Act – please see section 12. This includes any replacement legislation coming into effect from time to time.
Lighthouse is based in the USA and UK. Our UK office is registered with the Information Commissioner’s Office (the ICO) with registration number ZA500797.
Our contact information for the Data Protection Officer (DPO) is:
The DPO Centre Ltd.
50 Liverpool Street
London EC2M 7PY
UK
Phone: 0203 797 1289
Website: www.dpocentre.com
Lighthouse is the controller for the personal information we collect, unless otherwise stated. You can contact us either by email or post.
As per our requirements under the EU GDPR, we have appointed a European Representative. If you are based in the European Economic Area you can contact our representative through the following channels:
Postal Address: Friedrichstraße 88, Excellent Business Centre, Berlin, 10117, Germany
Phone number: +49 304 0817 3000
Email: eurep@lighthouse.com
1. The information we collect and when
We only collect personal information that we know we will genuinely use and in accordance with the Data Protection Legislation. The type of personal information that we will collect, and that you voluntarily provide to us on this website may include some or all of the following:
· Your name
· Address
· Telephone number(s)
· Email address
· Survey responses
· Internet Protocol (IP) address
For information on how we manage cookies, please see our Cookie Policy.
We may, in further dealings with you, extend this personal information to include your address; services used; subscriptions; and records of conversations, agreements, and payment transactions.
· You are under no statutory or contractual requirement or obligation to provide us with your personal information; however, we require at least the information above to interact with you as a prospect or service user in an efficient and effective manner.
· The legal basis for collecting and processing your data is one of the following:
- Your consent;
- The performance of a contract with you;
- To fulfill our legal obligations; or
- To fulfill our legitimate business interests.
We will have stated our legal basis at the point the information was initially provided, therefore we will not store, process, or transfer your data unless we have an appropriate lawful reason to do so.
We may, in the provision of Services to our Clients, also collect personal information for processing in accordance with our Client’s instructions for performance of a contract. Please see our Data Processor Compliance Statement for more information.
Our website is not intended for or targeted at children, and we do not knowingly or intentionally collect personal data about children. If you believe that this website has collected data about a child, please contact us, so that we may delete the personal data.
2. How we use your information
· To contact you, following your enquiry, reply to any questions, suggestions, issues, or complaints you have contacted us about;
· To make available our products and services to you;
· To receive payment from you or provide you a refund;
· To personalize your website experience, for example we may provide you with details of products that match a product, which you may have purchased or inquired about previously;
· For statistical analysis and to get feedback from you about our products, websites, and other services and activities. For example, occasionally we may invite you to review one of our products or services. If we do, it's possible that we'll use independent research and feedback providers to act on our behalf;
· To power our security measures and services so you can safely access our website;
· To help us understand more about you as a customer, and the products and services you consume, so we can serve you better;
· To contact you about our products and services;
· To provide you with online advertising and promotions; and
· To help answer your questions and solve any issues you may have.
3. With whom we may share this information
We will not share your information with any third parties for the purposes of direct marketing.
We may share your personal data with other organizations in the following circumstances:
· If the law or a public authority says we must share the personal data;
· If we need to share personal data to establish, exercise, or defend our legal rights (this includes providing personal data to others for the purposes of preventing fraud and reducing credit risk); or
· From time to time, to employ the services of other parties for dealing with certain processes necessary for the operation of the website. However, all the information we share will be collected and anonymized, so neither you nor any of your devices can be identified from it.
· We use data processors who are third parties who provide elements of services for us. We will have Data Processor Agreements in place with our data processors prior to disclosure of your personal data. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organization apart from us or further sub-processors who must comply with our Data Processor Agreement. They will securely hold your personal data and retain it for the period we instruct.
· We may share your information with our parent, affiliates, and subsidiaries for operational purposes (i.e., to ensure that we can fulfill our services to you accurately and efficiently), as well as for marketing purposes, notification about events, or recruiting purposes. We will have Intra-Company Data Processor Agreements, including “standard contractual clauses,” in place between our parent, affiliates, and subsidiaries prior to disclosure of your personal data.
4. How we protect the transfer of your data
Your personal data may be stored in your region or in any other country where we, or our service providers, have facilities. We may also allow employees and service providers located around the world to access personal data as provided in this notice. If you are in the UK or the EU, we will ensure your legal rights and protections travel with any such “transfer” of your personal data outside the UK/European Economic Area (EEA). We do this by signing “standard contractual clauses” that give personal data the same protection it has in the UK/EEA.
In July 2020 the EU-US Privacy Shield Framework was invalidated by the Court of Justice of the European Union, and in September 2020 the Swiss Federal Data Protection and Information Commissioner stated that it no longer considers the Swiss-US Privacy Shield Framework adequate. Lighthouse continues to adhere to the requirements of the Privacy Shield in addition to establishing other lawful transfer mechanisms, so that it is in the best position to adhere to a new Privacy Shield in the future. See our Privacy Shield Policy.
5. How we keep you updated on our products and services
We will send you relevant news about our products and services in a number of ways including by email, but only if you have previously consented to receive these marketing communications. When you register with us, we will ask if you would like to receive marketing communications, and you can change your marketing choices online or in writing at any time.
If you wish to amend your marketing preferences, you can do so by clicking on this link.
6. Your rights over your information
Right to be informed about our collection and use of personal data
You have the right to be informed about the collection and use of your personal data. We ensure we do this with our internal data protection policies and through our external website policy. These are regularly reviewed and updated to ensure these are accurate and reflect our data processing activities.
Right to access your personal information
You have the right to access the personal information that we hold about you in many circumstances, by making a request. This is sometimes termed ‘Subject Access Request.’ If we agree that we are obliged to provide personal information to you (or someone else on your behalf), we will provide it to you or the other party free of charge and aim to do so within one month from when your identity has been confirmed.
We would ask for proof of identity and sufficient information about your interactions with us so we can locate your personal information.
If you would like to exercise this right, please contact us as noted below.
Right to rectify your personal information
If any of the personal information about you that we hold is inaccurate, incomplete, or out of date, you may ask us to correct it.
If you would like to exercise this right, please contact us as noted below.
Right to stop or limit our processing of your data
You have the right to object to us processing your personal information for particular purposes, to have your information deleted if we are keeping it too long, or to have its processing restricted in certain circumstances.
If you would like to exercise this right, please contact us as noted below.
Right to erasure
You have the right to have your personal data erased. This is also known as the ‘right to be forgotten.’ The right is not absolute and only applies in certain circumstances.
If you would like to exercise this right, please contact us as noted below.
Right to portability
The right to portability gives you the right to receive personal data that you have provided to a controller in a structured, commonly used, and machine-readable format. It also gives you the right to request that a controller transmits this data directly to another controller.
If you would like to exercise this right, please contact us as noted below.
For more information about your privacy rights in the UK and the EU:
The Information Commissioner's Office (ICO) regulates data protection and privacy matters in the UK. It makes a wide range of information available to consumers on its website and ensures that the registered details of all data controllers, such as ourselves, are publicly available. You can access them here: https://ico.org.uk/for-the-public. If you are based anywhere else within the EU (or EEA), a list of supervisory authorities can be found here: https://edpb.europa.eu/about-edpb/board/members_en
You can make a complaint to a supervisory authority at any time about the way we use your information. However, we hope that you would consider raising any issue or complaint you have with us first. Your satisfaction is extremely important to us, and we will always do our very best to solve any problems you may have.
7. How long we keep your information
We retain a record of your personal information in order to provide you with a high-quality and consistent service. We will always retain your personal information in accordance with the Data Protection Legislation and will never retain your information for longer than is necessary. Unless otherwise required by law, your data will be retained for four years after our last contact with you, after which it will be deleted.
8. Giving your review and sharing your thoughts
When using our websites, you may be able to share information through social networks like Facebook, LinkedIn, and Twitter. For example, when you ‘like,’ ‘share,’ or review our services. When doing this, your personal information may be visible to the providers of those social networks and/or their other users. Please remember it is your responsibility to set appropriate privacy settings on your social network accounts so you are comfortable with how your information is used and shared on them.
9. Security
Data security is of great importance to us, and to protect your data we have put in place suitable physical, electronic, and administrative controls to safeguard and secure your collected data.
We take security measures to protect your information, including:
· Limiting access to our buildings to those that we have determined are entitled to be there (by use of passes, key card access, and other related technologies);
· Implementing access controls to our information technology;
· Using appropriate procedures and technical security measures (including strict encryption, anonymization, and archiving techniques) to safeguard your information across all our computer systems, networks, websites, offices, and stores;
· Never asking you for your passwords;
· Advising you never to enter your account number or password into an email; and
· Certification to security frameworks in place across our organizational network, including SOC 2 and ISO 27001.
10. What happens if our business changes hands
We may, from time to time, expand or reduce our business, and this may involve the sale and/or the transfer of control of all or part of our business. Any personal data that you have provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part; and the new owner or newly controlling party will, under the terms of this Lighthouse Privacy Policy, be permitted to use that data only for the purposes for which it was originally collected by us.
11. Changes to our Lighthouse policy
We may change this Lighthouse Privacy Policy from time to time (for example, if the law changes). We recommend that you check this Lighthouse Privacy Policy regularly to keep up-to-date.
12. California Consumer Privacy Act
This section applies only to California consumers. It describes how we collect, use, and share California consumers' Personal Information in our role as a business, and the rights applicable to such residents. The California Consumer Privacy Act ("CCPA") requires businesses to disclose whether they sell Personal Data. Lighthouse is a business, and it does not sell Personal Data. We may share Personal Data with third parties if those third parties are authorized service providers or business partners who have agreed to our contractual limitations as to the retention, use, and disclosure of such Personal Data. If you are unable to access this Privacy Policy due to a disability or any physical or mental impairment, please contact us and we will arrange to supply you with the information you need in an alternative format that you can access.
For purposes of this section "personal information" has the meaning given in the CCPA.
How we collect, use, and share your personal information
We may have collected the following statutory categories of Personal Information in the past twelve (12) months:
· Your name
· Address
· Telephone number(s)
· Email address
· Survey responses
· IP address
· Browsing and search history for pages you visit on our websites
The business purposes for which we collect this information are described in Section 2 of this Privacy Policy. The categories of third parties to whom we disclose this information for a business purpose are described in Section 3 of this Privacy Policy.
Your California rights
Right to access your personal information
You have the right to access the personal information that we hold about you in many circumstances, by making a request. If we agree that we are obliged to provide personal information to you (or someone else on your behalf), we will provide it to you free of charge.
Right to deletion
You have the right to have personal data deleted. The right is not absolute and only applies in certain circumstances.
If you would like to exercise this right, please contact us as set out in Section 13.
Right to non-discrimination
The right to non-discrimination means that you will not receive any discriminatory treatment when you exercise one of your privacy rights.
How to Exercise your California Rights
You can exercise your rights yourself or you can alternatively designate an authorized agent to exercise these rights on your behalf. Please note that to protect your personal information, we will verify your identity by a method appropriate to the type of request you are making. We may also request that your authorized agent have written permission from you to make requests on your behalf, and we may also need to verify your authorized agent's identity to protect your personal information. To contact us to exercise your rights, please see Section 13.
13. How to contact us
If you would like to exercise one of your rights as noted above, or you have a question or a complaint about this Lighthouse Privacy Policy or the way your personal information is processed, please contact us by one of the following means:
By email: Privacy@lighthouseglobal.com
By mail in the USA:
Lighthouse Document Technologies Inc.
51 University Street, Suite 400
Seattle, WA 98101
USA
By post in the UK or EU:
Lighthouse eDiscovery Europe, Ltd.
1 King William Street
London EC4N 7AF
UK
Thank you for taking the time to read our Lighthouse Privacy Policy.
Privacy Shield Policy
On July 16, 2020, the European Union Court of Justice (CJEU) invalidated the EU-US Privacy Shield in its decision in Facebook Ireland v. Schrems (Schrems II). On September 8, 2020, the Swiss Data Protection Authority (the Federal Data Protection and Information Commissioner, “FDPIC”), announced in a position statement that it no longer considers the Swiss-US Privacy Shield adequate for the purposes of transfers of personal data from Switzerland to the US. Despite these findings, Lighthouse continues to adhere to the requirements of the Privacy Shield in addition to establishing other lawful transfer mechanisms.
The following Privacy Shield Privacy Policy (the “Privacy Shield Policy”) describes the principles Lighthouse, and its subsidiary Liffey Thames Group, LLC, d/b/a Discovia, agrees to follow with respect to the collection, preservation, and transfer of personal data from the European Union (“EU”), the European Economic Area (“EEA”), the United Kingdom (“UK”), and/or Switzerland (as applicable) to the United States for electronic data discovery processing, web hosting, and related services. This Privacy Shield Policy is in addition to, not instead of, any other lawful transfer mechanism Lighthouse has agreed to. All terms within this Privacy Shield Policy shall have the definition provided in the Privacy Shield Framework.
Lighthouse commits to comply with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce for the collection, use, and retention of personal information transferred from the EU, UK, or Switzerland to the United States. Lighthouse has certified that it complies with each of the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability. In the event of any conflict between the provisions of this Privacy Shield Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the EU-US Privacy Shield program, and to view Lighthouse’s certification, please visit www.privacyshield.gov.
Lighthouse’s participation in the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework applies to all personal data that is subject to Lighthouse’s Privacy Policy and is received from the EU, EEA, UK, and Switzerland. Lighthouse will comply with the Privacy Shield Principles in respect of such personal data. The Federal Trade Commission has jurisdiction over Lighthouse’s compliance with this Privacy Shield Policy, the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework.
1. Background
The European Union’s General Data Protection Regulation (“GDPR”) superseded the EU’s 1995 Data Protection Directive on May 25, 2018. Article 45 of the GDPR provides for the continuity of adequacy determinations made under the EU’s 1995 Data Protection Directive, one of which was the adequacy decision on the EU-U.S. Privacy Shield. GDPR limits the transfer of personal data to countries outside of the EU for processing to only those countries that can ensure an adequate level of protection for an individual’s personal data. Swiss data protection law imposes similar limits on the transfer of personal data outside of Switzerland. The US Department of Commerce, in consultation with the EU and UK, and separately with Switzerland, developed the Privacy Shield Framework regarding personal data privacy and security that, when followed, permits an organization to certify that it provides adequate protection for the transfer of EU personal data to the US for processing. Lighthouse fully commits to follow the Privacy Shield Principles with respect to all personal data received from any individual or entity in the EU, the EEA, the UK, or Switzerland.
2. The information Lighthouse collects
This notice applies to all information collected or submitted on the Lighthouse website and online application portals. On some pages, you can make inquiry requests and register to receive materials. The types of personal information collected at these pages include:
· Name
· Company name
· Address
· Email address
· Phone number
3. The way Lighthouse uses collected information
Lighthouse uses the information you provide about yourself only to fulfill the request. Lighthouse does not share this information with outside parties except to the extent necessary to complete the request. Lighthouse uses return email addresses to answer the email Lighthouse receives. Such addresses are not used for any other purpose and are not shared with outside parties. Finally, Lighthouse never uses or shares the personally identifiable information provided to Lighthouse online in ways unrelated to the ones described above without also providing you an opportunity to opt-out or otherwise prohibit such unrelated uses.
As an eDiscovery company, the majority of the data Lighthouse collects and stores is provided to Lighthouse by Lighthouse’s clients. Any data received from Lighthouse’s clients is used solely for the business purpose defined in Lighthouse agreements with Lighthouse’s clients. It is not shared with third parties unless agreed upon with Lighthouse’s clients. Any individual who is attempting to access data provided to Lighthouse by Lighthouse’s client in order to correct, amend, or delete inaccurate data should contact Lighthouse’s client directly. Any individual who would like to request any limits on sharing or use of their data should contact Lighthouse’s client directly.
4. Who we might share your information with
We will not share your information with any third parties for the purposes of direct marketing. We may share your personal data with other organizations in the following circumstances:
· If the law or a public authority says we must share the personal data;
· If we need to share personal data in order to establish, exercise, or defend our legal rights (this includes providing personal data to others for the purposes of preventing fraud and reducing credit risk); or
· From time to time, to employ the services of other parties for dealing with certain processes necessary for the operation of the website. However, all the information we share will be collected and anonymized, so neither you nor any of your devices can be identified from it.
· We use data processors who are third parties who provide elements of services for us. We will have Data Processor Agreements in place with our data processors prior to disclosure of your personal data. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organization apart from us or further sub-processors who must comply with our Data Processor Agreement. They will hold your personal data securely and retain it for the period we instruct.
· We may share your information with our parent, affiliates, and subsidiaries for operational purposes (i.e., to ensure that we can fulfill our services to you accurately and efficiently), as well as for marketing purposes, notification about events, or recruiting purposes. We will have Intra-Company Data Processor Agreements, including “standard contractual clauses,” in place between our parent, affiliates, and subsidiaries prior to disclosure of your personal data.
5. Our commitment to data security
To prevent unauthorized access, maintain data accuracy, and ensure the correct use of information, Lighthouse has implemented appropriate physical, electronic, and managerial procedures to safeguard and secure the information Lighthouse collects online. To protect your privacy and security, Lighthouse will take reasonable steps to verify your identity before granting access to any system.
6. Notice and choice
When acting as a data processor within the meaning of GDPR, Lighthouse reserves the right to process personal information on behalf of and under the direction of Lighthouse’s clients without providing notice to individuals or data protection authorities to the extent permitted by the Privacy Shield Principles. When collecting data in the EU, UK, and/or Switzerland, Lighthouse acts on behalf of and under the direction of Lighthouse’s clients, to collect only data relevant to the litigation or other matter at hand. Individuals and business entities from which Lighthouse collects data are provided with information regarding the purpose for which data is being collected, how it will be used and the type of non-agent third parties, if any, to which Lighthouse discloses personal information. These individuals or entities are also provided with information about the choices and means offered by Lighthouse for limiting the use or disclosure of their personal data.
When Lighthouse is acting as a data controller within the meaning of GDPR, individuals have the choice to opt out of collection or to limit the use and disclosure of their information.
7. Limits on disclosure and transfer
Lighthouse limits access to personal data to those persons in Lighthouse’s organization, or Lighthouse’s agents, who have a specific business purpose for maintaining and processing such personal data. Individuals who have been granted access to personal data are aware of these responsibilities to protect the security, confidentiality, and integrity of that information and have been provided training and instruction on how to do so. Lighthouse takes appropriate measures to protect the security of personal data in order to ensure it is only accessed for its intended use.
As a processor, Lighthouse will not disclose an individual’s personal data to any third party without the consent of Lighthouse’s clients unless one or more of the following are true:
· The individual has consented, in writing, to the disclosure;
· The disclosure is required by law or other professional standards;
· The personal data is publicly available;
· The disclosure is reasonably necessary for the establishment or defense of legal claims;
· The transferee provides an adequate level of protection for the personal data within the meaning of GDPR or has agreed in writing to provide an adequate level of protection for the personal data consistent with the options provided in GDPR, for transfers pursuant to written agreements;
· In the event of a sale or transfer of assets in connection with an acquisition, merger, reorganization, sale, or bankruptcy, Lighthouse reserves the right to make such disclosure upon providing notice to the law firm and/or corporate clients for whom such data is being held.
As a data controller, Lighthouse does not provide an individual’s personal data to any third-parties.
Lighthouse limits disclosure of personal data to employees and other EU-US Privacy Shield and Swiss-US Privacy Shield participants that have a specific business purpose for collecting, maintaining, and processing such personal data. Lighthouse may disclose personal data as required by law or regulation. Lighthouse may also disclose personal data to law enforcement officials in response to a lawful request made pursuant to national security interests or law enforcement requirements. Lighthouse acknowledges its potential liability in cases of its onward transfer of personal data to third parties that do not meet the criteria set forth in the above paragraph.
8. Access
Lighthouse agrees to offer individual citizens of the EU, EEA, UK, or Switzerland access to their personal data for purposes of correcting, amending, or deleting inaccurate information, unless the cost or burden of providing the access and changing or deleting the data proves unreasonable in view of the risk to the individual’s privacy. A reasonable fee compensating Lighthouse for resource use related to accessing, changing, or deleting the personal information may be imposed. Lighthouse may determine the form of the disclosure. Lighthouse will only deny access requests as allowed by the EU-US Privacy Shield or the Swiss-US Privacy Shield.
9. Security
Lighthouse takes reasonable precautions to protect personal information from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. Lighthouse’s security measures include physical, electronic, workflow, and managerial protocols to safeguard and secure the personal data Lighthouse processes.
10. Data integrity
Lighthouse processes personal information only in ways that are compatible with the purpose for which the data was collected or subsequently authorized by the individual. Lighthouse will take reasonable steps to ensure information is relevant to its intended use and remains accurate, complete, and current.
11. Compliance
Lighthouse will follow any advice given by the Data Protection Authorities, including remedial or compensatory measures for individuals affected by non-compliance, and will provide the Data Protection Authorities with written confirmation that such corrective action has been taken, subject to the Company’s right to dispute the requested actions or remedial measures with the Federal Trade Commission.
12. Enforcement
Pursuant to the EU-US and Swiss-US Privacy Shield’s recognized approach of self-assessment, Lighthouse understands and agrees that individuals shall have the opportunity to directly submit written complaints regarding Lighthouse’s handling of their personal data. Lighthouse will review all complaints received in writing for purposes of determining whether Lighthouse’s preservation and storage of the individual’s data has been consistent with Lighthouse Privacy Policy. If Lighthouse determines that any actions Lighthouse has taken are in fact inconsistent with Lighthouse’s Privacy Policy, Lighthouse will immediately take appropriate steps to remedy the issue Lighthouse may have caused.
In compliance with the Privacy Shield Principles, Lighthouse commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Lighthouse at:
David Binder, COO
Phone: (206) 535-6539
Email: privacy@lighthouseglobal.com
Lighthouse has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU and Switzerland in the context of the employment relationship.
Lighthouse has further committed to refer unresolved privacy complaints under the EU-US and Swiss-US Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by Lighthouse, please visit the BBB EU PRIVACY SHIELD web site at www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. There is no cost to you to utilize the BBB EU PRIVACY SHIELD complaint resolution process. In certain circumstances, there may be the possibility for you to be able to invoke binding arbitration.
Finally, should Lighthouse at any time find that an internal process causes us to be in breach of Lighthouse Privacy Policy, Lighthouse will take immediate action to alleviate the issue. Should Lighthouse determine that any employee of Lighthouse has failed to adhere to the terms of this Privacy Shield Policy, such employee may be subject to disciplinary action up to and including termination.
Processor compliance statement
Lighthouse (referred to as “We,” “Our,” or “Us”) is committed to ongoing compliance with the principles of the General Data Protection Regulation (GDPR) and to upholding our obligations under the Data Protection Act 2018 and any other relevant data protection legislation or regulations (“Data Protection Law”) that apply to our processing of personal data when acting on behalf of our clients.
For further details regarding how we manage our own data protection requirements as a controller, please see our Privacy Policy.
1. Our commitment to data protection as a processor
Lighthouse is dedicated to ensuring the protection and security of the personal data we are directed to process on behalf of our clients at all times. We have established an effective framework for monitoring compliance and implementing best practices across all of our processing functions.
The purpose of this statement is to inform our clients of the actions we have undertaken and measures we have put in place to ensure we uphold our responsibilities as a processor.
2. Data protection management
As part of our commitment to ensuring compliance with Data Protection Law and assisting our clients with any data protection matters, we have appointed a Data Protection Officer who can be contacted via the following means:
Email: advice@dpocentre.com
Telephone: 0203 797 1289
It is the ongoing responsibility of our Data Protection Officer to monitor Lighthouse’s ongoing data protection practices to ensure we meet our obligations to data subjects, our clients, our legal obligations, and our supervisory authority.
With the help of our Data Protection Officer, we maintain a suite of policies, privacy notices, and standard operating procedures we have created to protect the personal data we process on behalf of clients. These policies are available on request. Our staff receive regular training on these policies and are expected to confirm their compliance with them as part of their ongoing job role. Our staff also receive data protection awareness training and will operate under a contractual duty of confidentiality at all times.
We record all of our processing activities undertaken on behalf of clients, and at the end of our contract with you, all personal data will be returned and deleted from our systems within 30 days.
3. Security accreditations
Globally, Lighthouse operates an Information Security Management System which conforms to the requirements of ISO 27001 and is certified by Schellman and Company LLC. This provides external verification of the measures we have taken to ensure we hold all information – including the personal data that we process on behalf of our clients – securely.
In addition, for our US operations, Lighthouse has achieved SOC 2 compliance, which demonstrates that we securely process and manage our clients’ data, protect their interests, and respect the privacy of clients’ customers. For our UK operations, Lighthouse has achieved Cyber Essentials certification, which demonstrates that we are protected against the vast majority of common cyber attacks.
4. Technical and organizational security measures
In addition to implementing and maintaining our accreditations, we ensure technical and organizational security measures are in place to meet the requirements of Data Protection Law.
We encrypt all data at rest and in transit using strong encryption (AES with 128-bit or longer keys). The external data centres we use are ISO 27001 certified.
All servers are protected by industry-standard firewalls and by access monitoring with IP-blocking capabilities.
We restrict access to the personal data we process to those members of staff who need it to provide services to our clients. Access to our production environment is controlled by multi-factor authentication and by passwords governed by an automatically enforced password policy. Employee logins and network access (including access to cloud systems) are reviewed frequently, and abnormal activity is automatically monitored and flagged.
All data held on behalf of our clients is backed up periodically to a secure backup solution and maintained on a 30-day rolling retention period.
5. Breach management and assistance
We have created and implemented a detailed Data Protection Policy and Breach Notification Policy, which cover our procedures for identifying breaches and reporting them to our clients and, where required, to our supervisory authority.
Lighthouse maintains an active breach log to record all actual and suspected data breaches of personal data.
6. Transfer of data and sub-processors
Lighthouse will only transfer data outside of the EEA/UK when protected by an appropriate safeguard, of which we will inform you as part of our contractual agreement or otherwise prior to the transfer.
We may use a limited number of sub-processors to provide services to you, as outlined in your agreement for services. We will only engage a sub-processor with a written contract which imposes the same data protection obligations as are contained in the agreement between you and Lighthouse. We will only use sub-processors who are able to provide sufficient guarantees that the requirements of the Data Protection Law will be met and the rights of data subjects protected. We will keep you informed about the sub-processors we use. Lighthouse has appropriate written contracts with all of its sub-processors.
7. Your responsibilities as data controller
Clients of Lighthouse will normally act as controllers for any personal data processed by Lighthouse as part of our service to you.
As a controller, it is your responsibility to comply with your obligations under any applicable Data Protection Law. Controllers’ obligations may relate to the main GDPR principles, including lawfulness, fairness and transparency, purpose limitation, data minimization, and accuracy, as well as fulfilling data subjects’ rights with respect to their data. Lighthouse will only ever act on the written instructions of our clients, and will inform a client if we consider that an instruction infringes Data Protection Law.
If we receive communications from your customers that relate to your activities as a data controller, we will inform you as soon as possible.