Skip to main content

Information for our clients

Data Privacy and GDPR at LEWIS


The General Data Protection Regulation (GDPR) is a regulation enacted by the European Union (EU) to strengthen data privacy rights. All organisations that process personal data of individuals in the EU are required to comply with the GDPR.

The GDPR strengthens individuals’ privacy rights through limits to the processing of their personal data by third parties, expanding their rights over their data, and providing transparency into the nature, purpose, and use of the data.

We understand that data protection is important to our Clients. As part of preparing for the new regulations, we are reviewing our privacy and data protection policies, and we will work with our Clients in line with changes to the law.

LEWIS, Data Protection and GDPR Compliance

As with existing data protection laws, GDPR compliance requires commitment from both LEWIS and our Clients. As a provider of marketing services, we have carefully examined the relevant provisions of the GDPR and we are closely tracking applicable GDPR guidance issued by governments, regulatory authorities and industry bodies. We are also in contact with our suppliers, many of whom are trusted providers in the industry, to achieve compliance.

How Does the GDPR apply to our work with our Clients?

It would be a necessary part of public relations and marketing services that there will be interactions between the Client, LEWIS as the service provider, and other third parties and members of the public. Interactions may occur that may result in the processing of personal information:

  • between LEWIS and the Client – for example, our daily interactions between our account servicing team and our Client contact, or our interactions between our finance staff and the Client’s finance contacts
  • between LEWIS and a third party – this could be one of our suppliers, a journalist, an influencer. It would be a member of the public, for example, if we ask for an opinion about a Client’s product
  • between the Client and the third party – LEWIS may facilitate the interaction between the Client and the supplier, journalist, influencer or member of the public as stated above.

EU privacy law and the GDPR differentiates between organisations that are “data controllers” and “data processors”. Both controllers and processors carry legal obligations regarding data privacy.

LEWIS could be a “data processor” of content generated, requested or published, where we are following client instructions, using client provided materials, and otherwise on the client’s behalf. The Client would be in control of how the data is collected, used and processed. In such cases, the Client would be the “data controller”.

There are also situations where LEWIS may be a “data controller”, where LEWIS determines the purposes and means of processing personal data. For example: our media contacts or our staff profiles. In cases where such data is passed on to the Client, then the Client will act as the “data processor”.

Media Contacts

We are constantly reviewing whether LEWIS has a lawful basis for processing data in our business.

Of particular interest to our Clients is our media contacts, which is central to many services we provide. Our media contacts are built through a combination of our long term suppliers (whom other leading members in our industry also engage with), as well as our long term relationships with the many media titles that we work with in each market.

The details we hold for media are primarily public domain information, being name, title, organisation, business social media handles and business contact details. In some cases we also hold information which are not publicly available, for example, their contact preferences, their personal contact information, or information not available on their websites and obtained privately.

LEWIS will ensure that it has a lawful basis for using media contact details to provide services for our Clients. Whilst it is not common for media contact details to be passed on to the Client, LEWIS notes that it may not have a lawful basis to pass on those contact details to the Client directly, and will advise the Client if this is the case.

Special Category Data

EU Data Privacy Laws and the GDPR defines “special category data” as a special, more sensitive category of personal data demanding a higher level of protection. Details are set out in Article 9 of the GDPR.

The special categories are: revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

It is not in the nature of the LEWIS business to be processing any such data in our Client work. LEWIS staff have been trained regarding the definition of special category data, to avoid contact with such data in our work, and how to respond when coming across such data inadvertently.

Our policy on processing data in client work

When working with LEWIS and as set out under our standard terms of business, you will, unless otherwise agreed, follow this protocol:

  • LEWIS agrees to act as a data controller with respect to Media Contacts and our staff profiles only
  • Client will ensure that, where it is acting as the data controller, that any data provided to LEWIS will be compliant with applicable Data Privacy Laws
  • Written agreement will be required before LEWIS agrees to act as a data controller with our Clients for any other purpose
  • Written agreement will be required before LEWIS will act as either a data controller or processor for any special category data for any Client.

LEWIS and its work towards compliance

LEWIS appreciates the benefits of the new security and privacy laws. It will continue to assess, strengthen and improve the safeguards already in place in our organisation in May 2018 and beyond. We will work with our Clients to ensure the security and privacy of personal data that is associated with our work is protected.

We have been taking a closer look at service offerings, working side by side with our legal counsel to ensure that the regulations are followed, performing an organisational audit of all personal data processing within the company.

As part of our compliance process, LEWIS has committed to the following:

  • Implement technical and organizational measures to ensure personal data is protected
  • Provide timely data-breach notifications
  • Transfer personal data outside the EU only if there is a lawful transfer mechanism in place with the organization receiving the data.

Client Contracts

LEWIS has prepared a new Data Processing Addendum (DPA) in light of the GDPR to assist with compliance from both LEWIS and Client’s perspective. A draft of this DPA can be found on this link and please speak to your relevant agency contact to enter into this contract. For new clients, the DPA can be incorporated into our standard client agency service agreements.

How we’ll use information regarding our Clients

We frequently contact our Clients and where our Client is an individual, or for individuals employed or otherwise working with our Clients, we will be processing personal data in doing so. The main purposes are as follows:

  • to provide any products and services you’ve requested
  • to carry out your instructions
  • to contact you regarding the administration of our client agency relationship, including contracting, fee payment, finance processes
  • to inform you about and offer you new products, services, tools that the LEWIS group and our third party partners offer
  • to inform you regarding events, thought leadership, newsletters, blogposts and other materials produced or organised by LEWIS group from time to time
  • to improve our products and services.

We’ll only use your information where we’re allowed to by law. For example, carrying out an agreement or contract we have with you, fulfilling a legal obligation, where we have a legitimate business interest or where you agree to it.

Transferring your information overseas

Information provided by our clients may be transferred and stored in countries outside the European Economic Area, including some that may not have laws that provide the same level of protection for personal information. When we do this, we’ll ensure it has an appropriate level of protection, in compliance with the conditions for transfer set out in EU Data Privacy Law.


Under EU Data Privacy Law, relevant individuals have a number of rights relating to their own information. This includes seeing what LEWIS holds and to object to or restrict processing of it. Further details are set out in the Privacy Centre.

Changing or removing your information

You have the choice to change your contact preferences at any time, to update your contact information, or for us to stop contacting you. We will update your details if you submit these details to us. These requests should be addressed to the Data Protection Officer at [email protected].

Back to LEWIS Privacy Centre

Contactez-nous à HelloParis(a) ou complétez le formulaire ci-dessous