Controller & Processor Agreement
The GDPR regulations make a distinction between a Data Controller and a Data Processor.
Regarding the processing of your uploaded data, HLR Lookup is the Data Processor and you, the client, are the Data Controller.
By using our website to validate your phone numbers you are agreeing to this contract.
Nature and Purpose of Processing
HLR Lookup will process your data in accordance with your instructions. By sending your data to HLR Lookup, you are giving us your permission to view your data, before extracting any valid telephone numbers from your data.
It is necessary for us to send the telephone number(s) you load into our platform to the telephone network who originally allocated the telephone number. The telephone network is a third party and may therefore reside in the country where the telephone number was originally allocated.
Therefore, it is important you understand that in order for us to obtain the information you need with regards to the validation of your phone number(s) we must send the number(s) to a network that could be located anywhere in the world. Each network is responsible for the control and management of their own HLR and it is this we query to obtain information on the telephone numbers(s) you enter into our platform.
Be aware that we send only the telephone number and no other data to the telephone networks. However, we strongly advise that when you load your numbers into our platform, you remove any other associated data that you hold alongside that number.
In order for a HLR Lookup to be performed, it is not necessary for us to receive any other associated data, other than the number you want to check.
Personal Data and The Principles of Processing
Not withstanding the Personal Data you provide for your account with HLR Lookup, as covered in our Privacy Policy, it is the Client's responsibility to ensure that by instructing HLR Lookup as the processor of their phone numbers that the Client does so having considered Article 5 (Principles relating to processing of personal data) and Article 6 (Lawfulness of processing) before sending HLR Lookup their phone numbers.
HLR Lookup understands that a phone number falls under the scope of Personal Data as per the scope of GDPR.
1. Definition of Personal Data:
The GDPR defines personal data as "any information relating to an identified or identifiable natural person (‘data subject’)." An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier.
2. Phone Number as Personal Data:
A phone number can be used to identify an individual, either directly or indirectly. For example, a phone number in conjunction with other data can easily lead to the identification of a specific individual.
Given this potential for identification, phone numbers fall under the scope of personal data as per the GDPR.
The UK Information Commissioner’s Office offers guidance on how to determine if data is personal data which can be viewed by following this link:
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/personal-information-what-is-it/what-is-personal-data/what-is-personal-data/#pd1
Duration of Processing
HLR Lookup will only process the customer data, or stop processing it, at the request of the customer.
HLR Lookup will not process data after the customer has requested HLR Lookup to stop processing data.
Retention of your HLR results
HLR Lookup will delete all HLR results after 30 days. It is your responsibility to download the results from your account and save internally if you require access for longer than 30 days.
To enable us to provide reporting functionalities across your account we will log various statistical information relating to the results received. It is necessary for us to store this information for longer than 30 days after the related phone numbers have been removed.
Your Obligations and Rights as the Data Controller
You will:
register with your relevant data protection authority;
hold a data protection policy;
be accountable for compliance in line with the GDPR legislation;
ensure that personal data is only obtained for a specified and lawful purpose; which is usually detailed in a fair processing notice, and supported by obtaining consent from the individual;
ensure that personal data collected is kept accurate and up-to-date;
ensure that the personal data is only processed in a way that is compatible with the original purpose for which it was collected;
provide an individual with access to the information held about them (Subject Access Request);
ensure that the personal data collected is adequate, relevant and not excessive;
protect personal data against accidental or unlawful destruction, loss, alteration and disclosure, particularly when processing involves data transmission over networks, and these protection measures must ensure a level of protection appropriate to the data;
ensure that data is not transferred outside of the European Economic Area (EEA), unless adequate protections are in place.
ensure that anyone processing the data is subject to a duty of confidence.
Our Obligations as the Data Processor
We will:
only act on the instruction of the data controller;
ensure that anyone responsible for processing the data is subject to a duty of confidence;
take appropriate measures to ensure the security of processing;
only engage with a third party where necessary to provide the service to our clients specifically to obtain information from the HLR and only send them the MSISDN (telephone number) and no personal data;
assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR legislations;
assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
delete or return all personal data to the controller, as requested at the end of the contract;
provide the controller with the information it requires to ensure they are meeting their Article 28 obligations, and inform the controller immediately if we are asked to do something which infringes GDPR or other data protection law of the EU or a member state;
co-operate with supervisory authorities (such as the UK Information Commissioner’s Office) in accordance with Article 31;
ensure the security of our processing in accordance with Article 32;
keep records of our processing activities in accordance with Article 30.2;
notify any personal data breaches to the controller in accordance with Article 33;
not employ a data protection officer, as this is not required for in accordance with Article 37.
To provide you with an account at HLR Lookup, we gather and process information about you, which may be personal information. For this purpose, HLR Lookup is the controller of the data we hold about you for your account.
Our role as the Data Controller is covered under our Privacy Policy.