Transfer Impact Assessment (TIA)

February 7, 2023

For Lusha’s Processing activities as a Data Processor

Lusha takes the protection of our Customers’ information seriously. We have taken steps to comply with applicable EU and UK laws regarding international data transfers.

Lusha Systems Inc., a company established in the state of Delaware, U.S., processes personal data provided by our Customers.

Introduction

For our Customers who are data exporters from the European Economic Area/European Union (“EU”) or the United Kingdom (“UK” and collectively, “Europe”), this document is designed to provide information about key issues for transfers made to Lusha, and support our Customers as they complete data transfer impact assessments pursuant to the Schrems II decision and EU standard contractual clauses.

For more details about Lusha’s data privacy compliance program, please visit our Privacy Center.

ICO’s guidance on transfer risk assessment provides that there are two alternative approaches that can be used by companies involved in cross-border data transfer: (i) Transfer Risk Assessment Tool developed by ICO, or (ii) EDPB’s Transfer Impact Assessment (“TIA”). The ICO will continue to recognise risk assessments that follow the EDPB approach. This document is prepared based on the EDPB’s TIA.

Please note that it is the responsibility of the Controller, i.e. the Customer, to conduct a TIA and this document only serves as useful information for such purpose.

What kind of cross-border data transfer is Lusha involved in?

Lusha provides subscriptions to our business intelligence platform to search for new business contacts information (via a prospecting tool) or enrich existing prospects, manage lists, and provide other functionalities available to our Customers as part of the Lusha platform (“Lusha Services”). Where Lusha provides its services to Customers from the European Economic Area/European Union (“EU”) or the United Kingdom (“UK” and collectively, “Europe”), Lusha is the importer of data and a data processor. Our Customers from Europe act as data controllers and exporters.

Data subjects whose personal data is processed

We process personal data that Customers upload to the Lusha platform that relates to Customers’ End Users, including their employees and contractors if applicable. If Customers enrich their prospects/candidates’ data via Lusha tools, Lusha will also process those details. Lusha does not process the data of children.

What types of personal data does Lusha process as your processor?

We process the following personal data of End Users provided by our Customers: name, professional email address, professional phone number, IP address, user activity, referred friend’s professional email address and name (only if you use our referral service), and any other information that the user provided to us voluntarily.

Customers are responsible for compliance requirements that may apply to such uploaded data, including ensuring a lawful basis for processing. 

We process the following personal data of prospects/candidates provided by our Customers: Name, email, phone number, employer and job title, seniority, and location (country). 

Purpose of the processing activities

We use the personal data of End Users provided by our Customers to create accounts for the End Users on our platform and to enable the End Users to access and use our Database.

We use the personal data of prospects/candidates provided by our Customers to enrich Customers’ data via our platform.

Nature of processing activities

The data processing primarily concerns the recording, storage, consultation, use, disclosure by transmission, and erasure of the data controller’s personal data. 

Lusha processes personal data governed by GDPR and UK GDPR as a data processor (on behalf of our Customers), in accordance with our obligations under part 1 of Lusha Data Processing Addendum, including our Standard Contractual Clauses (SCCs).

Where do we store and otherwise process data?

We store and otherwise process personal data provided by our Customers in the United States. Once transferred to the U.S., personal data is retained for the retention period specified below.

Onward transfers

We also disclose the data to Lusha employees in Israel and to our subprocessors. 

Information about our subprocessors and their locations is available here.

Transfer tools

Lusha is based in the U.S., a country for which neither the EU nor the UK has issued an adequacy decision permitting transfers of EU or UK personal data, respectively. Therefore, Lusha has adopted standard contractual clauses, as approved by the relevant supervisory authority or applicable law, as the transfer safeguard instead.

  • For transfers from the EU, we have implemented the standard contractual clauses from the European Commission’s Decision of 2021/914 of 4 June 2021 (“EU SCCs”), with the appropriate module(s) selected (e.g. controller-to-processor, or processor-to-processor). 
  • For transfers from the UK, we have implemented the UK International Data Transfer Addendum issued by the ICO and laid before the UK Parliament in accordance with s119A of the Data Protection Act 2018 of the UK on 2 February 2022.

Where applicable data protection requirements change, we may update these transfer mechanisms to comply with applicable law.

Where personal data originating from Europe is transferred by Lusha to third-party subprocessors, Lusha enters into SCCs with those parties.

What controls do we have in place with subprocessors?

We make onward transfers to subprocessors and take steps to agree to appropriate transfer safeguards, such as relevant SCCs, with each subprocessor. We take measures to evaluate the privacy and security practices of our subprocessors, including:

  • Each subprocessor is required to agree to a data processing agreement (DPA) with us, or SCCs where applicable;
  • We evaluate the data privacy and security practices of each subprocessor prior to engaging and onboarding such subprocessor;
  • We conduct periodic audits of key subprocessors throughout the terms of our respective agreements with them.

Information about Lusha’s sub-processors and their locations is available here.

How long is data retained?

Customer data is retained for the term of the agreement and 3 years following the last login to Lusha’s platform.

How do we manage requests from data subjects to exercise their GDPR rights?

We have processes to receive, analyze, and respond to data subject requests (DSRs) from our employees, Customers, and marketing prospects. Additionally, our Customers may delete and export data from their Lusha Services account as described here.  

What U.S. laws apply to Lusha with respect to data transferred from the EU or the UK?

Lusha’s Customers, as data exporters, should assess whether anything in the law or practices of the third country (i.e. the U.S.) may impact the effectiveness of relying on the standard contractual clauses as a transfer tool. Exporters should assess whether the level of protection in the recipient country (i.e. the U.S.) is essentially equivalent to what is guaranteed under the UK and/or EU GDPR, as applicable – or, if not, what supplementary measures will be required.

Lusha is a United States Corporation formed and registered in the state of Massachusetts and is subject to United States law. 

The United States legislation allows for certain regulated interferences with the right to privacy, authorizing public authorities to access personal data held by the private sector. Below we provide a summary of key considerations.

Section 702 of the Foreign Intelligence Surveillance Act (Procedures for targeting certain persons outside the United States other than United States Persons) (“FISA 702”). 

FISA 702: authorizes the U.S. public authority to acquire information about non-US persons located outside of the U.S. through compelled assistance of electronic communications service providers. The purpose is to obtain specified types of foreign intelligence information. We do not believe that Lusha Services processes personal data of interest to U.S. authorities and if that were to be the case, the data in question would be held by other entities, and U.S. authorities would likely approach those other entities directly. As detailed in the US Department of Commerce White Paper on this subject, for most companies, concerns about U.S. government access to company data are “unlikely to arise because the data they handle is of no interest to the U.S. intelligence community.” Companies handling “ordinary commercial information like employee, customer, or sales records, would have no basis to believe US intelligence agencies would seek to collect that data.”

FISA 702 requires an independent court, the Foreign Intelligence Surveillance Court (FISC), to authorize a specific type of foreign intelligence data acquisition that is generally unrelated to commercial information.

FISC supervises whether individuals are properly targeted under FISA 702 and the government must record in every case the reasons a specific person was targeted. Targeting procedures are approved annually by the FISC and governmental access to personal data under FISA 702 is limited to the particular purpose(s) approved by the FISC.

Additional guarantees were introduced into FISA 702 in 2018:

  1. the government must submit, and the FISC must approve, querying procedures, targeting procedures, and minimisation procedures every year to obtain its annual FISA 702 certification;
  2. additional steps, including notification to Congress, before the government may resume acquisition of “about” collection under FISA 702;
  3. amending the enabling statute for the PCLOB to allow it to better exercise its advisory and oversight functions;
  4. requirements for agencies to maintain Privacy and Civil Liberties Officers to advise on privacy issues and ensure there are adequate procedures to receive, investigate and redress complaints from individuals who allege that the agency violated their privacy or civil liberties; and
  5. disclosure and reporting requirements, e.g. to provide annual good faith estimates of the number of FISA 702 targets.

In the event that United States public authorities were interested in the data that Lusha processes, the aforesaid requirements would protect data from excessive surveillance.

Executive Order 12333 (United States intelligence activities) (“EO 12333”).

EO 12333 authorizes U.S. intelligence agencies to conduct surveillance outside of the US. In particular, it provides authority for U.S. intelligence agencies to collect foreign “signals intelligence” information – information collected from communications and other data passed or accessible by radio, wire, and other electromagnetic means. However, bulk data collection, the type of data collection at issue in Schrems II, is expressly prohibited under EO 12333, and EO 12333 contains no authorization to compel private companies (such as Lusha) to disclose personal data to US authorities.

We are not aware that the U.S. government has collected any signals intelligence from Lusha’s communications or other data. Moreover, we do not believe that Lusha Services processes personal data of interest to U.S. authorities. We do not voluntarily disclose any Customers’ personal data to U.S. authorities without the consent of the Customer.

In view of the above, the chances of Lusha being subject to any request to disclose personal data to any U.S. government agency are extremely low. Personal data handled by Lusha is unlikely to be of any interest to U.S. government agencies.

Lastly, we continually monitor legislative developments and enforcement practices in the United States that relate to the disclosure of personal data.

Risks to data subjects

The transfer of personal data which Lusha receives from its Customers is associated with low harm risks to individuals. Such information (i.e. business contact details) is usually publicly available on social media (LinkedIn) and/or corporate websites.

In the highly unlikely event that the U.S. government requests personal data, we can make available only limited personal data, which would have minimal impact on the data subject.

There is a low likelihood that our Customers and data subjects would need to enforce the transfer tool (i.e. SCC) in the United States.

How can individuals seek redress for infringement of their privacy?

Under Section 1810 of FISA, the individuals who have been subject to FISA 702 surveillance and whose communications are used or disclosed unlawfully are empowered to seek compensatory damages, punitive damages, and attorney’s fees against the individual who committed the violation.

Section 2712 of the Electronic Communications Privacy Act provides for a separate cause of action for compensatory damages and attorney’s fees against the government for willful violations of various FISA provisions.

Individuals may also challenge unlawful government access to personal data, including under FISA, through civil actions under Section 702 of the Administrative Procedure Act (“APA”), which allows persons “suffering legal wrong because of” certain government conduct to seek a court order enjoining that conduct.

How do we respond to government requests to access personal data of our Customers?

As of the last updated date at the top of this page, Lusha has never received a FISA Section 702 or EO 12333 data access request from a United States public authority.

Lusha publishes the annual Government Data Access Report with information about government requests to access data.

If we were to receive a request from a governmental authority for personal data that we process on behalf of a Customer, Lusha will follow its Government Access Policy and promptly notify the Customer in writing, unless prohibited by law from doing so. In any such notice, we would include information about the personal data requested, the requesting authority, the legal basis for the request, and the response provided. Where legally permissible, we would also notify the Customer if we became aware of any direct access by public authorities to personal data that we process on behalf of the Customer.  

If we were to be prohibited by law from doing so, we would use reasonable efforts to obtain a waiver of the prohibition with a view to communicating as much information as possible to our Customer in an expeditious manner. In addition:

  • Lusha will make all reasonable efforts to redirect the requesting authority to obtain the personal data directly from the data subject;
  • Lusha will provide such reasonable assistance as the Customer may require in responding to the request;
  • Where permitted by applicable law, Lusha will notify the data subject (if the data subject’s identity is known to Lusha) of the request;
  • If Lusha is prohibited by applicable laws from notifying the Customer of the request, Lusha will use reasonable efforts to seek relevant permission to allow the Customer to intervene in the proceedings, and reject or contest any request that is not valid, legally binding and lawful;
  • Lusha will reject the request if, to our knowledge: (i) the request is illegal; (ii) the requesting authority lacks jurisdiction; or (iii) the request was unduly served;
  • If any attempt to contest, or to seek to narrow the request is not successful, Lusha will take reasonable steps to ensure that the personal data disclosed or to which access is provided is proportionate and limited to the minimum amount strictly necessary for the purpose of complying with the request. 

What measures does Lusha take to protect personal data?

Lusha undertakes technical and organizational measures to secure Customer data as described in Schedule 1 of Lusha’s Data Processing Addendum, including:

  • Encryption of data both at rest and in transit;
  • Lusha maintains a Government Data Access Policy which governs how Lusha responds to government requests for the disclosure of personal data;
  • Lusha reviews the legality of government authority requests and can challenge such requests where they are considered to be unlawful. Please review section 15 above to see how we handle government requests;
  • Lusha stores access logs and actions for a reasonable period of time, based on criticality;
  • Lusha ensures that its security infrastructure is consistent with leading industry standards.

Lusha’s contractual measures are set out in our Data Processing Addendum, which incorporates the SCCs. These include:

  • Technical measures: Lusha is contractually obligated to have appropriate technical and organizational measures to safeguard personal data.
  • Transparency: Lusha is obligated under our SCCs to notify our Customers in the event we are made subject to a request for government access to Customer personal data from a government authority. In the event Lusha is legally prohibited from making such a disclosure, we will use reasonable efforts to obtain the right to waive the prohibition to communicate as much information to you as possible.

Lusha will periodically review and, if necessary, reconsider the risks involved and the measures it has implemented to address changing data privacy regulations and risk environments associated with transfers of personal data outside of Europe.