With effect from 25 May 2018, the EU General Data Protection Regulation (Regulation (EU) 2016/679) (together with applicable implementing laws, “GDPR”) will apply, to the extent relevant, to the processing of personal data by LumRisk S.A. (“LumRisk”) in the course of its businesses, and certain other persons. This notice sets out information relating to those activities.
LumRisk is a controller of personal data for the purposes of the GDPR and will, in the course of its business, process personal data. Information regarding such processing is set out herein. Any person seeking information with respect to control or processing of personal data by LumRisk or seeking to exercise any rights afforded to them under GDPR should contact LumRisk (FAO Chief Compliance Officer) at firstname.lastname@example.org. Under GDPR, any person is entitled to make a complaint with respect to LumRisk’s control or processing of personal data directly to the relevant supervisory authority for data protection issues. In the UK this is the Information Commissioner’s Office (“ICO”). Contact details for the ICO may be found at www.ico.org.uk. The policies and procedures adopted by LumRisk with respect to the control or processing of personal data may be amended from time to time. Similarly, the purposes for which LumRisk may control or process personal data may change from time to time. If any changes would require a material amendment to the information set out herein, details of such changes will be made available in the current version of this document from time to time.
Summary of Personal Data
For the purposes of GDPR, personal data means any information about an individual from which that person can be identified. In the course of its business, LumRisk may collect, use, store and transfer personal information from individuals that are employees, directors, officers or other representatives or agents of market counterparties, professional services and other service providers, trade associations, public bodies and other entities or undertakings. Such personal data is typically limited in scope, and includes, for example, the name and contact details of such individuals, as well as some technical data (such as internet protocol addresses), usage data and information about marketing and communication preferences. In addition, LumRisk may also use, store and transfer personal information concerning former applicants for positions of employment at or membership of, or former employees or members of, LumRisk. Such personal data may include some or all of the following: name and contact details, information about employment and educational history, performance records, salary data, references, account details, identification data, tax information, social security numbers and information regarding immigration status. LumRisk will endeavour to contact those former job applicants or former employees if the personal data processed in relation to the same is material, in order to inform them of the continued processing of their personal data, the nature of that processing, the lawful basis upon which the processing is taking place, and their rights under the GDPR with respect to such processing.
Collection of Personal Data
LumRisk may collect personal data through a range of means. These may include direct interactions (where a person provides personal data to LumRisk through correspondence or other direct methods of communication), through third-party service providers (for example, recruitment agents) or publicly available sources (where LumRisk receives personal data through a publicly available source such as a website or publicly-available registry).
Use of Personal Data
LumRisk will only process personal data in circumstances where it has established a lawful basis under GDPR to do so. These circumstances include where the processing of the relevant data relates to a legitimate interest of LumRisk, further described below. In such circumstances LumRisk will have established that the processing is necessary for the relevant purpose, and not inconsistent with the interests, rights or freedoms of a relevant data subject. In accordance with the above, LumRisk has determined that the lawful bases for its processing of personal data are the legitimate interests of LumRisk to undertake activities necessary and ancillary to the carrying on of a risk management business. In addition, LumRisk may also control or process personal data where necessary to comply with legal or regulatory obligations applicable to it under the laws of the European Union or any member state of the EEA, or in order to give effect to a contract, or to take necessary pre-contractual steps with a view to potentially entering into a contract (including in its capacity as an employer or a prospective employer), to the extent applicable. LumRisk may from time to time control or process personal data for the purposes of operating its business and entering into contractual arrangements. Any person subject to GDPR who does not wish their personal data to be processed for marketing purposes may opt out of such processing by notifying the Chief Compliance Officer of LumRisk at email@example.com. LumRisk will only use personal data for the purposes for which it has been collected, unless it reasonably considers that it needs to use it for another reason and that reason is compatible with the original purpose of the control or processing. Any person requiring information with respect to any additional purpose for which personal data may be controlled or processed may obtain such information from the Chief Compliance Officer of LumRisk.
If LumRisk needs to control or process personal data for an unrelated purpose, LumRisk will use its reasonable endeavours to notify affected persons and to explain the basis on which it is permitted to undertake the same.
Disclosure of Personal Data
LumRisk may share personal data with certain third parties for the purposes set out above. The relevant third parties with whom such personal data may be shared include entities appointed to provide services to LumRisk and its affiliates, and regulatory, legal and tax authorities. Further details of the third parties with whom personal data may be shared are available on request from the Chief Compliance Officer of LumRisk. Wherever possible, personal data will only be disclosed by LumRisk to a third party in circumstances where that third party has agreed to respect the security of personal data and treat it in accordance with applicable law. LumRisk will seek to ensure that third parties to whom any personal data may be disclosed will not use personal data for their own purposes and only process personal data for specified purposes and otherwise in accordance with the instructions of LumRisk and/or with the GDPR.
Transfer of Personal Data outside the European Economic Area
The activities of LumRisk are such that it may be necessary for personal data to be transferred and/or processed outside the EEA.
In circumstances where LumRisk transfers personal data outside the EEA, it will seek to ensure a similar degree of protection is afforded to it by ensuring that personal data is generally transferred only to persons in countries outside the EEA in one of the following circumstances.
- To persons and undertakings in countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
- To persons and undertakings to whom the transfer of such personal data is made pursuant to a contract that is compliant with the model contracts for the transfer of personal data to third countries from time to time approved by the European Commission.
- To persons and undertakings based in the United States that are part of the EU-U.S. Privacy Shield, which requires them to provide similar protection to personal data shared between Europe and the United States.
Further information on the specific mechanisms utilised by LumRisk in transferring personal data outside the EEA, and on the countries to which such transfers may be made (which may include, but are not limited to, Switzerland and the United States), may be obtained from the Chief Compliance Officer of LumRisk upon request.
LumRisk will retain personal data for as long as necessary to fulfil the purposes for which it has been collected. This will include any period of retention required to satisfy any legal, regulatory, taxation, accounting or reporting requirement applicable to LumRisk. In determining the appropriate retention period for any personal data, LumRisk will consider the amount, nature and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure of the data, the purpose for which the relevant data is being processed, the extent to which the purposes for which the relevant data is being processed can be achieved by other means, and any applicable legal requirements. Without prejudice to the generality of the foregoing, LumRisk has determined that it will retain records for at least five years. Details of retention periods applicable to personal data subject to GDPR are available upon request from the Chief Compliance Officer of LumRisk. In some circumstances, a person may request that LumRisk delete any personal data retained by it. Further, in some circumstances, LumRisk may anonymise personal data for research or statistical purposes, in which case such information may be retained and utilised indefinitely without further notice.
Rights of Persons
Under GDPR, persons whose data is processed by LumRisk will have certain rights. These rights include the right to access personal data, the right to require correction of personal data, the right to require erasure of personal data in certain circumstances, the right to restrict processing of personal data, and the right to require a transfer of personal data. In addition, if the processing of personal data is based on a legitimate interest of LumRisk, a person will have the right to object to the processing of that personal data. Any person seeking to exercise any such right should contact the Chief Compliance Officer of LumRisk. In certain circumstances, LumRisk may charge reasonable fees if any such request is clearly unfounded, repetitive or excessive.