Overview
At Laser Products Industries (LPI), nothing is more important to us than our customers’ success and the protection of their data. With customers throughout the world, we go to great lengths to ensure our compliance with local privacy and data protection laws.
As an organization offering services to, and processing the personal data of, individuals in the EU, LPI has developed a robust privacy program in line with the requirements of European data protection laws, including the General Data Protection Regulation (GDPR).
Following Brexit, the GDPR was incorporated into local UK law, creating what is known as the “UK GDPR”. Currently, the UK GDPR contains very similar requirements to the EU GDPR. When we refer to “the GDPR” we are referring both to the EU GDPR and to the UK GDPR.
Roles and Responsibilities
The GDPR distinguishes between two roles relating to the processing of personal data, defined as the “Data Controller” and the “Data Processor”. A Data Controller determines the purposes and means of the processing of personal data, while a Data Processor processes the personal data on behalf of, and under the instruction of, the Controller.
Customers who are using LPI’s services to process personal data for their own purposes and means will typically be considered the “Data Controller”, and are primarily responsible for meeting all applicable GDPR requirements. LPI serves as its customers’ “Data Processor”, for the processing of personal data submitted onto LPI’s platform (for example, via lpicloud.com jobs). The extent of our roles and responsibilities with respect to each of our Data Subjects and customers is further detailed in our Terms of Service, Privacy Policy and Data Processing Addendum.
How does LPI comply with the GDPR?
At LPI, we regularly monitor and review our practices to ensure ongoing compliance with the GDPR, including by:
- Embedding a robust privacy program and regularly reviewing and updating policies and procedures to ensure the program remains appropriately targeted and fit for purpose.
- Maintaining a vendor onboarding process requiring all vendors to comply with relevant data protection obligations.
- Reviewing and strengthening our security infrastructure and processes, data encryption in transit and at rest, backup, logs, and security alerts.
- Conducting periodic risk assessments and data mapping processes to ensure proper management of personal data in accordance with the GDPR’s requirements.
- Regularly monitoring guidance around GDPR compliance and ensuring ongoing compliance with the GDPR through our internal procedures, processes and controls and recurring internal training sessions.
- Engaging external auditors to audit, on an annual basis, our various compliance certificates, including our SOC 2 Type II security certification from the American Institute of Certified Public Accountants (AICPA), ISO 27001 ISMS (information security management system) and ISO 27018 (for protecting personal data in the cloud).
- Ensuring transparency around collection, use and disclosure of personal data, including via our Privacy Policy.
- Notifying customers and Data Subjects when any substantive changes are made to public-facing policies to align with updated data handling practices and regulatory requirements.
- Having a robust Data Processing Addendum (DPA) in place to ensure the protection of personal data in line with customary industry standards, using appropriate lawful mechanisms and contractual terms in compliance with the GDPR. Such DPAs allow us to perform our role as Data Processor for our customers, and similar DPAs allow the same when we act as the Controller and engage our data processing vendors, in compliance with the GDPR.
- Regularly performing security and privacy assessments of our sub-processors to ensure their adherence to GDPR principles.
- Entering into the Standard Contractual Clauses (SCCs) with customers and vendors for international transfers of personal data.
- Enabling our customers to respond to data subject requests to exercise their privacy rights, and having a process in place to respond to data subject requests where we act as the Controller of such data.
- Designating a representative in the EU and UK, and appointing a Data Protection Officer (DPO) for monitoring and advising on LPI’s ongoing privacy and data protection compliance and serving as a point of contact in relation to data protection and privacy matters for individuals and supervisory authorities.
- Having procedures for handling suspected breaches concerning personal data, limiting use, disclosure and retention of personal data, and regularly conducting privacy training for all relevant members of our staff.