WW Policy 100-07: Data Privacy
NOTE: If you need an alternative method of accessing this privacy policy, please call (+1).217.862.9709 or +49 (0)811/99 73 90 extension 4709. You can also e-mail ComplianceNotifications@LRS.com
Introduction
This WW Policy 100-07: Data Privacy Policy (the “Policy”) was amended in November 2023 to comply with new data privacy laws such as the California Consumer Privacy Act/California Privacy Rights Act (CCPA/CPRA) and the Data Protection Frameworks (DPF) while remaining compliant with existing data privacy laws including the European Union's General Data Protection Regulation (“EU GDPR”), the applicable national data protection acts of the relevant member states, the UK’s adopted form of GDPR (“UK GDPR”) and the Swiss GDPR.
Levi, Ray & Shoup, Inc (“LRS”) is committed to protecting your privacy. We publish this Policy so that you can understand our privacy practices and how they help protect your privacy. In this Policy “Personal Data” means information relating to an identified or identifiable natural person or a particular household, as defined in GDPR or other applicable law. Examples include your name, telephone number and email address.
Additionally, in our section on Online Information, we disclose how we gather and use all information gathered online even if it is not Personal Data and how we collect Personal Data where third-party cookies are used. LRS will not deviate from this Policy if applicable laws are less stringent than this Policy.
We will always protect your information, and we will never sell, lease or rent your Personal Data. We will never authorize another person or company to sell, lease or rent your Personal Data.
General Protections
Data Integrity and Purpose Limitation. We will only collect and retain Personal Data which is relevant to the purposes for which the information is collected, and we will not use it in a way that is incompatible with such purposes unless such use has been subsequently authorized by you. We will take reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete, and current. We may occasionally contact you to determine that your data is still accurate and current.
Objection: You have the right to object to our processing of your Personal Data for direct marketing purposes. If you make such an objection, we will cease communicating with you for this purpose. You also have the right to object to any other processing and you have the right to set guidelines for the retention and communication of your Personal Data after your death. If you object, this may affect our ability to carry out tasks for your benefit or to conduct business and provide services to the customer/supplier for whom you are acting or to consider applications of employment candidates and/or hire you. If you make such an objection, we will cease to process the Personal Data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
Access: You have the right to obtain confirmation that we process Personal Data related to you and you have a right to a copy of that data. One free copy will be provided during a 12-month period.
Rectification/Correction: You have the right to have any inaccurate Personal Data about you be rectified/corrected.
Erasure: You have the right of erasure of your Personal Data when that data is no longer needed in relation to the purposes for which the data were collected or when you withdraw consent for consent-based processing. You do not have the right of erasure when processing is necessary for compliance with a legal obligation or if another legal exception applies.
Discrimination: We will not discriminate or retaliate against you for exercising your rights under this Policy.
DISCLOSURES TO THIRD PARTY PROCESSORS
You may choose (opt-in or opt-out) whether your Personal Data is 1) disclosed to a third party (other than an LRS agent doing work at our direction), or 2) to be used for a purpose that is materially different than that for which it was collected or subsequently authorized by you. Although we do not ever anticipate providing sensitive Personal Data to a non-agent third party or using it for a purpose other than that for which it was collected, we will never do so without first allowing you to affirmatively and explicitly consent (opt-in) to such transfer or use. The only exception to this choice for both sensitive and non-sensitive Personal Data would be where we are required to disclose your Personal Data pursuant to governmental or judicial order, law, or regulation.
A listing of current third-party processors can be viewed at www.lrs.com/SubProcessors. LRS has disclosed personal information to these third-party processors in the past, including the preceding twelve months.
LRS shall remain liable if its third-party processor processes your Personal Data in a manner inconsistent with the Data Privacy Framework Principles, unless LRS proves that it is not responsible for the event giving rise to the damage.
LRS has disclosed Personal Data to these third-party processors in the past, including the preceding twelve months.
In general, you may visit our website without providing any Personal Data. However, you may choose to provide us with Personal Data by completing on-line forms. At the point of collection, we will inform you of how your Personal Data will be used via this Policy unless the use is obvious. Apart from these uses, LRS will only use your Personal Data in accordance with the terms of this Policy.
Session Cookies
LRS sometimes uses "session cookies" on our website. Session cookies are text strings that a browser and web server exchange. At LRS, session cookies are stored in memory only until the browser session is closed. We use this information from visits to our website to help us maintain user status between web pages and to enhance the effectiveness of our website and customer service.
LRS also collects and analyses the number of visits to our website and the various web pages. However, this information is not personal, and we only analyse it to attempt to discern usage trends and the effectiveness of our website.
Tracking Cookies
For web pages where we ask you to accept cookies, LRS uses third party tracking cookies to track visitor activities on these web pages. The information is collected and stored by Microsoft Dynamics 365 Marketing and LRS has access to this information. To understand what cookies are placed on your browser and their use and expiration, please visit:
https://learn.microsoft.com/en-us/dynamics365/customer-insights/journeys/cookies
We do not use cookies related to videos you may encounter on our web pages.
The collected data may include information that identifies you as an individual, including name, title, company name, job function, expertise, postal address, telephone number, or email address. The information may also include other data that does not reveal your specific identity or does not directly relate to an identifiable individual such as browser and device information, information collected through cookies, pixel tags, and other technologies, and demographic information. If you do not want these web pages to place a cookie on your browser and track your activity, you may refuse to accept cookies and leave the web page or you may browse the web pages using privacy mode in your web browser. To learn how to use privacy mode, please refer to the website of the browser you use.
If you fill out a web form on these web pages, your information will be stored in our system and some amount of your past browsing on these web pages may be available to our personnel to determine your interests so we may more effectively engage with you and improve our website. However, if you use private browsing as described above, you may provide us your information without making your past browsing activity available to us. If you do not wish for us to have your Personal Data, please do not fill out any of the web forms on the website.
If you opt-in to our newsletter or any of our other marketing emails, clicking on a link in any of these emails may cause you to be personally identified on our site and may cause some part of your past browsing history on our site to be available to our personnel to determine your interests so we may more effectively engage with you and so we may improve our site. If you do not wish for this tracking to occur, you can unsubscribe from our mailings or use private browsing mode to avoid tracking.
Technical and Organizational Measures
To ensure an appropriate level of data security, LRS has implemented technical and organizational measures to protect the Personal Data we process.
Data controllers transferring files to LRS that may contain Personal Data are requested to utilize our secure transfer option available on the LRS website via the “File Transfer” link. This option supports a mechanism to encrypt the transmission of files sent to LRS.
LRS has in place security controls which safeguard data behind its firewall including security measures such as encryption, multi-factor authentication and access control.
- Measures to ensure confidentiality
- At LRS headquarters where some data is stored, LRS utilizes key cards to restrict physical access to employees who need physical access to the server rooms. Server rooms in our other offices are also restricted against physical access.
- At LRS headquarters where some data is stored, LRS utilizes key cards to restrict physical access to employees who need physical access to the server rooms. Server rooms in our other offices are also restricted against physical access.
- LRS policies prohibit unauthorized access, copying, or removing data. LRS logs access and our Compliance Department audits the access logs.
- All LRS employees are contractually obligated to maintain confidentiality of data at LRS. These obligations continue after the termination of employment.
- Measures to ensure availability and resilience
- LRS has implemented a data backup plan. When necessary, LRS can recover data from the backup process. In the data centre at LRS’ headquarters, we utilize an uninterruptible power supply (UPS) including generators to increase data availability. We replicate important servers at remote office locations. Data stored using cloud-based services utilizes the replication inherent in those services.
- Encryption of Personal Data
- Personal Data within the LRS network is encrypted in transit and while at rest.
- Procedures for periodical review, assessment and evaluation
- The LRS Compliance Department conducts periodic audits to ensure that policies, processes and procedures are followed by employees.
- Internal systems at LRS are designed with data protection in mind. The LRS Compliance Department conducts an independent review to assess and advise on the appropriate level of data protection during the design stage.
- LRS software licensed by customers is designed to support the security of data. Instructions on how to utilize the data security features are made available to customers who license our software.
- Adherence to LRS policies
- LRS’ employee Policy manual embodies our code of conduct. Employees are provided with training on policies, procedures, and privacy/security of data.
Transfer of Personal Data
LRS is a trans-national business headquartered in the United States. Our management structure and business processes cross borders. Some of our technological systems and databases are shared between our US, European and other branch offices as listed on our website http://www.lrs.com/Offices/LRS-Offices. Our customer, prospect, supplier, employee and candidate Personal Data is transferred across borders.
When Personal Data that is subject to the EU GDPR, Swiss GDPR and/or UK GDPR is transferred internationally, we are required to ensure that such data is afforded equivalent protection to that provided in Switzerland, the UK and EEA.
LRS complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. LRS has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of Personal Data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. LRS has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of Personal Data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/. The Federal Trade Commission has jurisdiction over LRS’ compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).
Transfer of Personal Data originating in countries outside of the European Union, Switzerland and the United Kingdom will be conducted according to the laws of the countries from which the information is being transferred. LRS will put in place any necessary new, different and/or additional measures to support international transfers.
Information for Customers and Prospects
General
This section describes how LRS uses Personal Data of our customers (including partners, resellers, distributors, agents and/or prospects), what categories of Personal Data we process and our legal basis for processing.
We collect Personal Data directly from individuals, such as when you ask us for information about our products or register with us for an event. We may also collect Personal Data from other sources such as from business contacts, partners and publicly available sources including websites and marketing data providers.
Legal Basis: Consent
We may need your consent to use your Personal Data for a specific purpose such as direct email marketing.
Legal Basis: Contractual Performance
We may use your Personal Data during pre-contractual discussions and contract negotiation with the customer for whom you are acting. We may also use your data to support contract performance and billing administration of the contract with the customer for whom you are acting.
Legal Basis: Legal obligation
We may be required to process Personal Data to comply with a governmental or judicial order, law or regulation.
Legal Basis: Legitimate interest
We process Personal Data for certain legitimate business purposes:
- to protect and defend the rights or property of LRS
- to enhance the security of our network and information systems
- to share information about our products and services
Categories of Data
LRS processes the below listed Personal Data categories of an individual acting for our customers and/or prospects:
- Full name, preferred name, gender
- Business e-mail address
- Function / role / job title / department
- Business telephone number (mobile phone, landline and fax)
The recipients of Personal Data are the sales department, the marketing department and the technical department. The legal and administration departments receive Personal Data to manage the contractual onboarding and ongoing contract administration. The administration department will receive Personal Data for invoicing and payment purposes.
Data Retention
|
EU and UK Customer Personal Data
|
Purpose of Processing
|
Retention Period
|
Customer
Full name and preferred name; e-mail address; Function / role / job title / department; Telephone number including fax number; Gender
|
contract management; accounting
|
11 years after end of contract for tax reasons; indefinitely if you receive a payment from LRS or your name appears on an invoice.
|
Prospective Customer
Full name and preferred name; e-mail address; Function / role / job title / department; Telephone number including fax number; Gender
|
marketing; contract negotiations
|
4 years after last contact, or six months after determining that the prospect no longer works for the customer. Your name and contact information will be kept indefinitely if you request that we not contact you in the future.
|
NOTE: If the Personal Data is involved in legal action or a tax carry-forward situation, the Personal Data may be retained until the related matter is resolved.
Information for Suppliers
General
This section describes how LRS uses Personal Data of our suppliers and prospective suppliers (including independent contractors and consultants), what categories of Personal Data we process and the legal basis for processing.
We collect Personal Data directly from individuals, such as when you contact LRS to offer your products or services or when LRS contacts you to obtain similar information. We may also collect Personal Data from other sources, such as from business contacts or publicly available sources.
Legal Basis: Legitimate interest
We process Personal Data for certain legitimate business purposes:
- to enable us to communicate with you to assess whether the services, products or goods provided by you (or the company for whom you are acting) are of interest to LRS
- to enable us to respond to a (potential) supplier’s marketing communications
Legal Basis: Contract Performance
- pre-contractual discussions and contract negotiation with the supplier company for whom you are acting
- contract performance and billing administration of the contract with the supplier for whom you are acting
Legal Basis: Legal obligation
We may be required to process Personal Data to comply with a governmental or judicial order, law or regulation.
Categories of Data
LRS processes the below listed categories of Personal Data of individuals acting for a supplier or as an independent contractor/consultant
- Full name, gender
- Business e-mail address
- Function / role / job title
- Business telephone number(s)
- Bank or other payment details of supplier
The recipients of Personal Data are the managers of the department in need of the supplier's service. The legal and administration departments receives Personal Data to manage the contractual onboarding and the agreement signed with the supplier. The administration department will receive the bank account and other payment details.
If Personal Data is not provided, we may not be able to conduct any contract negotiations or perform a contract with a supplier and/or we may have to terminate an existing supplier contract.
Data Retention
|
Supplier Personal Data
|
Purpose of Processing
|
Retention Period
|
Supplier/independent contractor
Full name and preferred name; E-mail address; Function / role / job title / department; Telephone number / fax number, Gender
Independent contractor only
Bank Name and bank account details
|
contract management
|
Years after end of Contract:
- Austria, France, Germany, Italy, Sweden 12 years
- Republic of Ireland, United Kingdom 8 years (12 years for deeds)
- Spain 15 years
- indefinitely if supplier received a payment from LRS
|
Supplier/independent contractor
Full name and preferred name; E-mail address; Function / role / job title / department; Telephone number / fax number, Gender
|
respond to Supplier marketing communication; contract negotiations
|
6 months after end of contract
|
NOTE: If the Personal Data is involved in legal action or a tax carry forward situation, the Personal Data may be retained until the related matter is resolved.
Information for Job Candidates
General
This section describes how LRS uses Personal Data of our job applicants, what categories of Personal Data we process and the legal basis for processing.
Personal Data of job candidates may be collected from resume databases, by an independent recruitment agency or received directly from the job candidate.
Legal Basis: Legitimate interest
We process Personal Data of job candidates for certain legitimate business purposes. As part of the LRS recruitment process we assess and record information about a candidate’s qualifications in order to decide to whom to offer the position.
Legal Obligation
LRS may be required to process certain Personal Data as part of the hiring process. For example, we may need to check that a successful candidate has the right to reside and work in the country in which the candidate has applied.
Categories of Data
We may process the following categories of data for job candidates:
- Full name, preferred name, maiden name
- Private telephone (including. fax) number and private e-mail address
- Employment history, references, certificates, documents
- Work permit detail (if relevant)
- Date of birth and age
- Identification numbers such as Social Security numbers in the USA
The recipients of Personal Data are the recruiters, the managers of the department initiating and conducting the recruitment process and the superiors of the manager. The legal and administration departments receive Personal Data of candidates to manage the onboarding of the candidate as an employee.
If Personal Data is not provided, we may not be able to consider your application for employment or verify your eligibility for employment.
Data Retention
| Job Candidate Personal Data | Purpose of Processing | Retention Period |
|---|
US Job Candidate
Full name and preferred name; E-mail address; Telephone number; Resume/CV
| Potential employment; to address a legal challenge in respect to a recruitment decision; compliance with federal regulations; assisting with understanding, analyzing and improving our recruitment process | 10 years if we have no record of communications with you. If we have a reason to designate you as someone not to contact, either because you requested that we not contact you or you are not eligible for hire/rehire, we will indefinitely keep minimal information about you and the reason for such a designation. |
Non-US Job Candidate
Full name and preferred name; E-mail address; Telephone number; CV/Resume
| Potential employment; to address a legal challenge in respect to a recruitment decision | 12 months after a successful candidate has signed an employment agreement or 12 months after the position for which you were considered is closed without a hire. |
Successful Candidates
Full name and preferred name; E-mail address; Telephone number; Resume/CV
| Same as for employee data and to address a legal challenge in respect to a recruitment decision; compliance with federal regulations; assisting with understanding, analyzing and improving our recruitment process | Same as for employee data |
NOTE: If the Personal Data is involved in legal action, the Personal Data may be retained until the related matter is resolved.
Information for Employees
Additional information about employee data will be found in WW Policy 100-32 Privacy Notice for Employees and Similar Individuals. If you need assistance obtaining a copy of this policy, please submit a request to ComplianceNotifications@LRS.com.
Additional Data Privacy Information
Data Protection Officer
In accordance with the German Data Protection Act, we have appointed a data protection officer to address the data protection issues of the German Branch. The contact details are:
Phone: +49 (0)811/99 73 90 extension 4709
Email: EuropeDataProtection@lrs.com
If you wish to confirm that LRS has Personal Data relating to you, or if you wish to correct your Personal Data if it is inaccurate, or you wish to request deletion of your Personal Data (where permissible) please notify us at LRSLegal@LRS.com or call us at 800-793-3838, (US) or at +44-(0)1242-537-500 (UK); ask for Data Protection Compliance Officer. California residents can also submit a request via this link: https://www.lrs.com/california-consumer-privacy-act-request
For residents of California, you can designate an authorized agent to submit a request on your behalf. We will require a copy of your written authorization to the agent prior to responding to any requests submitted by an authorized agent.
Once we have verified your identity using information we have on file, we will conduct a review of our data and will respond to your request within a reasonable time.
Recourse, Enforcement and Liability
Since we are committed to protecting your privacy as set forth in this Policy, if you think we are not in compliance with our Policy, or if you have any question or if you wish to take any other action concerning this Policy or your Personal Data, we encourage you to contact us using the contact information in this Policy. We will investigate your complaint, take appropriate action, and report back to you within 45 days.
If the Personal Data in question was transferred from EU, UK or Switzerland to the United States, and you are not satisfied with our response, we have agreed to participate in the dispute resolution procedures of the EU Data Protection Authorities or the Swiss Federal Data Protection and Information Commissioner as applicable. Contact details for the EU data protection authorities can be found at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm. Contact details for the UK data protection authorities can be found at www.ico.org.uk. LRS will cooperate with the appropriate Data Protection Authorities during investigation and resolution of complaints.
These recourse mechanisms are available at no cost to you. Damages may be awarded in accordance with applicable law. An individual has the possibility, under certain conditions, to invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanisms. For additional information visit : https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2
LRS will conduct annual compliance audits to verify adherence to this Policy and the Data Privacy Framework Principles. Any LRS Employee who violates this Policy will be subject to disciplinary action up to and including termination of employment.
Right to Change Policy
Changes will be made to this Policy to address new or modified laws or new or modified business procedures. Additionally, we reserve the right to amend, modify, or otherwise change this Policy at any time.
Revision History
|
Version
|
Date
|
Author
|
Description
|
|
2
|
November 2023
|
Pier
|
Combined WW and Europe privacy Policies, compliance with Texas, California, and Colorado privacy laws, and compliance with the Data Privacy Framework (DPF).
|