The General Data Protection Regulation (GDPR) comes into force on 25th May 18. It concerns every company that processes the personal data of EU citizens. The regulation builds on existing data protection laws and broadens citizens’ powers to access, remove, update and control how their data is processed by companies such as LetsHost. Companies such as LetsHost have extra responsibilities for this data under GDPR and within this statement, we clarify our position on the key points.
For more information about the GDPR, please see https://www.dataprotection.ie/docs/GDPR/1623.htm and http://gdprandyou.ie/. These websites have both been produced by the Data Protection Commissioner of Ireland.
Some of the more commonly known elements of the GDPR are the right to be forgotten, data portability and the right to rectification. We have outlined in specific KB articles how our systems can assist with these items: https://kb.letshost.ie/?s=gdpr
Personal data is described as “any information that relates to a living individual”. It also includes any data that can be used with other sets of data to identify an individual. Examples of personal data are name, PPS number, home or business address, online customer number or email address.
“Processing” relates to operations carried out on personal data including collection, organising, recording, storing, structuring and using. Processing does not entail automated or computerised methods only, but includes non-digital, paper-based systems or processes for data processing.
A “Data Subject” is the individual whose personal data is being processed.
A “Data Controller” is the organisation which determines how personal data is processed. LetsHost is a data controller. LetsHost customers are data controllers of the data they store on LetsHost systems.
A “Data Processor” is an organisation which processes data on behalf of a Controller. This typically means a third party who is used by the Controller to process their data (for example, a third party company used to send out marketing materials or a courier service sending parcels on behalf of an online shop).
LetsHost as a Data Controller
A data controller according to the GDPR is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”
LetsHost collects information from all clients at sign-up for the sole purpose of provisioning the service selected and providing means to bill on a recurring basis. LetsHost does not collect any data on individuals which is not required for the provision of these services and actively works to minimize the information we store which is classified as “personal data”. LetsHost seeks to be transparent with our customers with respect to the personal data we collect at all times. LetsHost is registered with the data protection commissioner 9636/A
What we collect as part of our service:
Name, Company Name, Postal Address, Email address, Phone number, Payment preferences and information, IP address, Call logs, Call recordings, Identification documents (on request).
- Phone Calls
LetsHost collects metadata around telephone calls including caller number and call duration. These logs are purged monthly. LetsHost may also record telephone conversations with prior notice and will inform callers if this is in force. Calls recorded in this manner are purged monthly.
- Domain registration
During the domain registration process we may be required to collect personal ID from you such as but not limited to: Passport, Drivers License, PPS number or Revenue documentation. This requirement is specific to IE domain registrations and is required to satisfy our contractual arrangements with the IEDR and their registration process. Documents provided for this purpose are kept solely for domain registration and are removed from our systems within 28 days.
- Account Management
As a result of a business sale, account ownership disputes and other account management queries, we may request identification from all parties engaged in the query. This will be to satisfy our requirement to verify account ownership. Data collected for this purpose is purged monthly and we will explain in advance why this is required.
From time to time LetsHost may request personal data from you as part of your relationship with LetsHost and the services we provide. When we do ask for this information, we will inform you in clear terms why we are requesting this and will inform you of relevant retention periods for this information. In some cases, such as compliance with Irish revenue, some information must be kept for a period of 7 years. Put simply, LetsHost do not want to store your personal data any longer than we must.
GDPR – Your responsibilities:
When you use LetsHost services to store or process your personal data (including customers’ or users’ data), you are the data controller and we are the data processor. This is true for any personal data you place on our servers either directly, via a hosted website or by use of any of our other services.
The GDPR requires you, as a data controller, to ensure that any data processor services you use to process personal data are GDPR compliant. This means that when you use any of our services to process personal data you need to carry out due diligence on our services and ensure certain contractual terms are in place.
This GDPR statement helps you meet these GDPR regulatory requirements and offers you the assurance that we treat GDPR and the security of your personal data as part of the everyday running of our services.
Our GDPR Promise
As an Irish company with customers within the EU, LetsHost are committed to ensuring our business and processes are compliant with the new data protection rule.
Before the GDPR implementation date, we will have in place:
- Data protection training for LetsHost employees, to ensure they understand their role in data protection compliance.
- Revised internal policies relating to data protection and responsibilities within our organisation for ongoing GDPR compliance.
- A comprehensive review of all our systems, processes and services to ensure they meet the requirements of GDPR, with a particular focus on the security of data and our use of any external third-party services.
- Procedures to ensure compliance after the GDPR deadline. Scheduled Reviews.
- Updated terms and conditions of services that meet the contractual requirements of GDPR in the Data Controller – Data Processor relationship
We are compliant because:
- We have fully reviewed our GDPR compliance both regarding the services we offer our customers and our internal policies and procedures
- We have implemented technical and personnel protocols to ensure the security of your data
- We carry out ongoing due diligence against our sub-processors or other third party processors we use to ensure their GDPR compliance (data centres, domain registries).
LetsHost as a Data Processor
A data processor according to the GDPR is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
You are the data controller for the data you store on our servers at the various locations we outline below. This situation arises when you store personally identifiable data about your customers on our servers. In that situation, we are the data processor. We do not access your data on our servers and any processing is only related to the services we provide to you. We do not use the data you have placed on servers for any processing of our own.
We do not provide access to your data on our systems to any 3rd party, save where we are instructed to by law. Such situations can include court orders or information requests from the relevant authorities. LetsHost has internal procedures for dealing with such requests and all such requests are handled within the current laws. Any such request will result in you as the data controller being notified.
Your Data’s location
LetsHost operate datacentres in the following locations. However, datacentres outside of the EU are for specific customers who are not typically EU based citizens.
- Dublin (Ireland)
- London (UK)
Each data centre we operate from has hardware security access including:
- 24/7/365 Manned Facilities
- CCTV covering inside, outside and all entrances of DataCenters
- Site and data room entrances are controlled by Perimeter Access Card (PAC) systems
- Site access and all servers are remotely monitored using our own systems.
- Entrances secured by electronic door access systems.
LetsHost employees are kept fully up to date with all aspects of business security and ensure the ongoing security of our servers 24/7/365. Security patches and updates are applied to our systems as a matter of priority and any changes or updates to our own systems are made with data protection and data privacy in mind. Where we have an agreement in place with our customers to manage this element of their service, we also maintain the security of our customers’ servers.
In the unlikely event of a breach (as defined by the GDPR) we will notify you within 48 hours of the breach coming to our attention. As required by the GDPR, we will also report relevant breaches to the office of the Irish data protection commissioner.
GDPR / Data Protection Contact for LetsHost
If you require any further information about LetsHost’s GDPR compliance or wish to make a request under the GDPR, please use the details below and we will assist with your query.
General Queries: email firstname.lastname@example.org
For access requests, please write to us at:
GDPR Requests, LetsHost, 2nd Floor, 5 Ellis Quay, Dublin 7, D07 C2YP
- Access requests do not carry a fee and will be replied to within 30 days.
- Should we refuse your request, we will outline in detail why this is the case.
- Should you wish to update any element of the data we have on file, you can do this through the functions available to you or as part of that request.
- Should you wish to request your data be deleted, you can do this through the functions available to you.