Your and Our GDPR Responsibilities
Introduction
E-Limelight Ltd (“We”) are committed to protecting and respecting your privacy, and to ensuring that our business, services and internal procedures are GDPR compliant.
When you use our website development, hosting and content management services to store or process your personal data (including customers’ or users’ data), you are the Data Controller and we are a Data Processor.
The rules on processing of personal data are set out in the General Data Protection Regulation (the “GDPR”).
Data controller – A controller determines the purposes and means of processing personal data.
Data processor – A processor is responsible for processing personal data on behalf of a controller.
Data subject – Natural person
Personal data – The GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier (as explained in Article 6 of GDPR). Examples include name, passport number, home address or private email address. Online identifiers include IP addresses and cookies.
Processing – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Third party – means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
- Our role as Data Processor
You are the owner of the data you submit to our services (whether it is uploaded to our servers directly by you, or we act on your behalf as content managers).
When your data is placed on our servers, you are the Data Controller and E-Limelight Ltd, the Data Processor. Any processing that we do as a Data Processor is only in terms of the hosting services we provide to you. We do not use your data for any processing of our own.
For the avoidance of doubt, when we make agreed content changes to your website as part of our ongoing services, this type of data is not normally personal data, but rather information that you have decided belongs in the public domain on your website. However, if the supplied content does contain any personal data, then you as Data Controller are responsible for that data.
We do not share or provide access to any of your data with third parties unless required to do so by law. Where law enforcement or other authorised parties request access to our servers, we follow strict internal policies for dealing with such requests in line with existing UK law. Furthermore, the third parties are required to demonstrate they have a lawful reason to access the data and under what authority.
- Data Location
Any of your data that we process is on our own server hardware. We have server hardware co-located at Safehosts in Cheltenham in the UK, and backed up both there and securely to our office in Bristol. None of your data is stored or transferred outside the EEA.
We use our best endeavours to keep up-to-date with all technical aspects of security to ensure the ongoing robustness of our servers and systems. We regularly apply the latest security patches as a matter of priority, and always with data protection and privacy in mind, where appropriate.
Access to servers
Remote admin access to our servers is strictly restricted to key personnel. We will access a server only to resolve an issue reported by a client, or to resolve any other issue we have become aware of so as to maintain a high level of service and reliability.
Data centre staff have physical access to our servers, but do not have any login admin access. They are available to us if we ask them to carry out a visual check of our servers or carry out physical maintenance on the server itself. Physical maintenance may also be carried out by Dell, with whom we have a support agreement.
E-Limelight Ltd personnel
Personnel at E-Limelight Ltd are fully aware of their responsibilities under GDPR. This includes their responsibilities with regard to access, security and processing of any personal data stored on our servers.
- Third party services
Other than the data centre that hosts our servers, and the hardware supplier who may be called for a repair, E-Limelight Ltd does not use any third party suppliers or services that would have access to, or process, any data you process on our servers.
- Data breaches
In the unlikely event of a breach occurring (as defined in the GDPR) we will notify you within 48 hours of the breach coming to our attention. This will be enough time for you to consider your requirements under GDPR for reporting the breach to the ICO and Data Subjects.
- Data protection contact
If you require any further information regarding our GDPR compliance, please contact Stephen Lester, E-Limelight Ltd, 21 Guest Avenue, Emersons Green, Bristol BS16 7GA.
Revision Date: 8th November 2018