GDPR – list of subprocessors
Third Party Privacy Notice
Last Updated: 2 January 2024
Lane Clark & Peacock LLP (“LCP”) uses certain subprocessors in the general running of its business and to assist it in providing its services to its clients. A subprocessor is a third party service provider or data processor engaged by LCP, who has or potentially will have access to or process personal data. LCP engages different types of subprocessors to perform various functions as explained in the table below.
Contractual safeguards
LCP requires its subprocessors to enter into agreements that satisfy the requirements of Article 28 of the General Data Protection Regulation, including but not limited to obligations to:
- process personal data in accordance with LCP’s documented instructions;
- ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- not engage a subprocessor without prior specific or general written authorisation of LCP and when engaging a subprocessor, impose the same data protection obligations as are in place between itself and LCP;
- provide regular training in security and data protection to personnel to whom they grant access to personal data;
- implement and maintain appropriate technical and organisational measures to ensure the security, integrity and confidentiality of personal data;
- promptly inform LCP about any actual or potential security breach; and
- cooperate with LCP in order to deal with requests from LCP’s clients, data subjects or data protection authorities, as applicable.
Subprocessors
The following is an up-to-date list (as at the date at the top of this page) of the names of LCP’s key subprocessors and the purposes for which they process personal data, as well as which clients these are potentially applicable to.
Entity Name | Purpose | Clients |
Box-It UK Ltd |
Box-It provide paper archiving services to LCP. Box-It personnel are not authorised to view any materials in boxes in storage. They are certified with ISO 27001. |
All clients. |
BPR Group Europe Ltd |
BPR Group is LCP’s confidential paper shredding service provider for its office in London. Staff carry out all shredding on-site at LCP’s London office. |
All clients. |
Civica Election Services Limited
|
Civica provides electoral voting services to LCP. Whilst LCP maintains the contractual relationship with Civica, personal data is, where possible, sent directly from our clients’ pensions administrators and / or the sponsoring employer to Civica. Civica is certified to ISO27001. |
Clients utilising LCP’s outsourced pensions management services in relation to trustee election exercises. |
CORVID PayGate Limited |
PayGate provide LCP with electronic pension payment services to pensioners located within the UK. All transactions processed via any of their secure payment web services are encrypted using the latest SSL encryption. This encrypts all data sent from the browser to PayGate in such a way that only their servers can read it. |
Pensions Administration clients. |
Crown Agents Bank Limited |
Crown Agents Bank Limited provide LCP with electronic pension payment services, in local currency, to pensioners located outside the UK. Their cyber security strategy is aligned with ISO 27001 and they are a member of the Cybersecurity Information Sharing Partnership (CISP) of the UK National Cybersecurity Network (NCSC). |
Pensions Administration clients. |
Datasite UK Ltd |
Datasite provide LCP and our de-risking clients with a secure online data room for our longevity de-risking projects. All data uploaded to the data room is hosted within the EEA and both Datasite and its data rooms are certified to ISO 27001:2013. |
De-risking clients. |
Data Protect UK Limited |
Data Protect provide off-site backup media storage services to LCP. All backup media sent to Data Protect is encrypted. |
All clients. |
Druva Europe Limited |
To provide LCP with a comprehensive, secure, cloud-based, back-up and restore solution in respect of its Microsoft 365 data. |
All clients. |
DocuSign |
LCP may use DocuSign eSignature to send and sign agreements securely. DocuSign eSignature complies with the EU eIDAS Regulation and automatically generates and maintains a robust audit trail for every agreement. |
All clients. |
Egress Software Technologies Limited |
Egress provides LCP with a data loss prevention tool which uses machine learning to help protect data shared by email. Egress AI systems use email message metadata only, which is anonymised and converted into hashed IDs. |
All clients. |
Equisoft Limited |
Equisoft provides LCP with a pension payroll solution, to enable the processing of multiple payroll cycles and to support flexible payroll frequency, employers and administration functions. Equisoft provides detailed tax workings, calculations, supports flexible processing for pre and post tax deductions, provides fully automated support for RTI reporting, HMRC data updates and FPS submissions. Equisoft is certified to ISO27001. |
Pensions Administration clients where we provide payroll services. |
Eserve.IT Limited |
Eserve.IT are used for the destruction of all data hardware that is disposed of (eg disk arrays, servers, PCs, laptops, backup tapes). Data is destroyed either by physical destruction (ie hard disk shredding) or erased using specialist software. The disposal of IT equipment follows the requirements of the EU Waste Electrical and Electronic Equipment (WEEE) Directive. Certificates of media destruction are provided to LCP. |
All clients. |
eShare Ltd |
eShare are an ISO 27001 certified software company, who provide online trustee meeting packs, known as ‘BoardPacks’, software to LCP. All eShare equipment uses encrypted disks. |
Trustee clients that use our Logs service. |
Greens Ltd
|
Greens Ltd are an ISO 27001 and Cyber Essentials certified printing company, providing off-site printing and mailing services to LCP. |
All clients. |
Mailjet SAS |
Mailjet provides email delivery services for LCP Horizon. Mailjet is ISO 27001 certified and all data exchanged is encrypted. |
Clients using the LCP Horizon service. |
Microsoft |
Microsoft provides LCP with cloud services. Their compliance offerings in respect of information security are numerous and can be found here https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings |
All clients. |
NetDocuments Ltd |
NetDocuments is a document and email management platform providing LCP with email management software. |
All clients. |
Optichrome Ltd
|
Optichrome Ltd are an ISO 27001 certified printing company, providing off-site printing and mailing services to LCP. |
All clients. |
Passageways (UK) Ltd |
Passageways is an ISO 27001 certified software company, who provide an online board management portal, known as "OnBoard", to LCP as agent for relevant subscribing clients. |
Relevant subscribing clients. |
Pureprint Group Limited |
Pureprint are an ISO 27001 and Cyber Essentials Plus certified printing company, providing off-site printing services to LCP. |
All clients. |
Shred-It Limited |
Shred-It is LCP’s confidential paper shredding service provider for its office in Winchester. All Shred-It employees are screened to BS 7858:2012 which provides comprehensive staff vetting assurances. |
All clients. |
Sterling Technology Limited |
Sterling provide LCP and our de-risking clients with a secure online data room for our longevity de-risking projects. All data uploaded to the data room is hosted within the EEA and both Sterling and its data rooms are certified to ISO 27001:2013. |
De-risking clients. |
Target Professional Services UK Ltd |
Target provide a variety of services to LCP, including member tracing, mortality screening and verification of member data. They are ISO 27001 certified and client data is encrypted with 256-bit AES encryption. |
All clients. |
VideoSmart Ltd |
VideoSmart produces a range of videos (including avatar and interactive videos) for LCP's clients to assist them with producing tailored member communications. Videos are hosted on VideoSmart's online software. VideoSmart holds ISO27001 and all videos are held on a secure server. |
All clients. |
Zest Technology Ltd |
Zest provides LCP with a flexible benefit system which is provided to some clients. They are certified with ISO 27001. |
Clients using LCP’s flexible benefit portal. |
Software providers, network providers and consultancies
LCP also uses a number of software providers, network providers and consultancy firms that, in instances where support is provided, may be able to access LCP’s systems and incidentally see personal data.