Data Processing Agreement
NOW IT IS HEREBY AGREED as follows:
DEFINITIONS
In this Agreement: “Applicable Privacy Law” shall mean the relevant data protection and privacy law, regulations (including GDPR) and other regulatory requirements to which Vendor or Vendor’s customers are subject, and any guidance or statutory codes of practice issued by the relevant Privacy Authority/ies;
“Customer Security Requirements”
Shall mean the security policies of any Vendor customer in relation to whom the Services might be provided as communicated to and agreed upon in writing by Processor and such policies are attached in Schedule 5 of this Agreement or the related Processing Appendix (where the security policies of any specific Vendor customer are set forth in separate annexes, where each annex only applies for that specific Vendor customer and not to any other Vendor customer); “GDPR” shall mean Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
“Losses” shall mean any loss, damage, cost, charge, fine, fees, levies, award, expense or other liability of any nature (whether foreseeable or contingent or not) and including any direct, indirect or consequential losses;
“Master Agreement” shall mean the Master Agreement JUMP Vendor Partnership effective as of November 13th, 2023 between the parties;
“Personal Data” shall mean any information relating to an identified or identifiable natural person as defined by the Applicable Privacy Law and including the categories of data listed in the Processing Appendix together with any additional such personal data to which the Processor have access from time to time in performing the Services; “Privacy Authority shall mean the relevant supervisory authority with responsibility for privacy or data protection matters in the jurisdiction of Vendor and/or any Vendor Customer;
“Process”, “Processing” or “Processed”
Shall mean any operation or set of operations which is performed upon Personal Data whether or not by automatic means, including collecting, recording, organising, storing, adapting or altering, retrieving, consulting, using, disclosing, making available, aligning, combining, blocking, erasing and destroying Personal Data as defined in the Applicable
Privacy Law;
“Processing Appendix” shall mean each appendix in a format substantially as set out in Schedule 3, agreed by the parties and incorporated into Schedule 3 and subject to the terms of this Agreement as of the effective date specified in the relevant appendix, and “Processing Appendices” shall be construed accordingly; “Processor Group Company” shall mean Processor or any company or corporation in respect of which Processor or Processor’s ultimate holding company owns (directly or indirectly) any percentage of the issued share capital; “Services” shall mean the services provided by the Processor in relation to the Processing of Personal Data as described in a Processing Appendix from time to time; “Transfer Contract Clauses” shall mean the model contract clauses set out in the European Commission’s Decision of 5 February 2010 on standard contractual clauses for the transfer of Personal Data to data-processors established in third countries, under the Directive 95/46/EC on the protection of individuals with regard to the processing of personal “Vendor Customer” data and on the free movement of such data (such clauses being incorporated into Schedule 1) as may be amended or replaced by the European Commission from time to time; shall mean an enterprise customer of Vendor or its affiliates in relation to whom the Processor might Process Personal Data;
“Minimum Security Requirements”
Shall mean the security measures specified in Schedule 4 as may be updated or reissued from time to time by Vendor in accordance with the terms of this Agreement as well as any Customer Security
Requirements;
2 PROCESSING ACCORDING TO THE INSTRUCTIONS OF Vendor
2.1. The Processor warrants and undertakes in respect of all Personal Data that it Processes on behalf of Vendor that at all times:
2.1.1. it shall only Process such Personal Data for the purposes of providing the Services and as may subsequently be agreed by the parties in writing and, in so doing, shall act solely on the documented instructions of Vendor;
2.1.2. it shall not itself exercise control, nor shall it transfer, or purport to transfer, control of
such Personal Data to a third party, except as it may be specifically instructed, in documented form, to do so by Vendor;
2.1.3. it shall not Process, apply or use the Personal Data for any purpose other than as
required and is necessary to provide the Services;
2.1.4. it shall not Process Personal Data for its own purposes or include Personal Data in any product or service offered to third parties;
2.1.5. it shall complete a separate Processing Appendix for each Service that requires the
Processing of Personal Data.
2.2. To ensure that Vendor’s instructions in respect of any Personal Data can be carried out as required under this Agreement the Processor shall have in place appropriate processes and any associated technical measures that will ensure that Vendor’s instructions can be complied with, including the following:
2.2.1. requests by individual data subjects to Vendor, or any exercise of privacy rights, in respect of their Personal Data from time to time can be implemented;
2.2.2. provision of appropriate interfaces or support for other processes of Vendor in ensuring information is provided to data subjects as required by Applicable Privacy Law;
2.2.3. updating, amending or correcting the Personal Data of any individual upon request of Vendor from time to time;
2.2.4. Cancelling or blocking access to any Personal Data upon receipt of instructions from Vendor;
2.2.5. the flagging of Personal Data files or accounts to enable Vendor to apply particular rules to individual data subjects’ Personal Data, such as the suppression of marketing activity.
2.3. The Processor shall comply with the Applicable Privacy Law and any other relevant data protection and privacy law, regulations and other regulatory requirements, guidance or statutory codes of practice to which Processor is subject, and shall not perform its obligations
under this Agreement in relation to the Personal Data in such a way as to cause Vendor, its affiliates and/or any Vendor Customer to breach any of their obligations under Applicable
Privacy Law.
2.4. The Processor shall give Vendor such co-operation, assistance and information as Vendor may reasonably request to enable it to comply with its obligations and/or the obligation of the Vendor Customer under any Applicable Privacy Law and co-operate and comply with the directions or decisions of a relevant Privacy Authority, and in each case within such time as would enable that other party to meet any time limit imposed by the Privacy Authority.
2.5. Prior to commencing the Processing, and any time thereafter, the Processor shall promptly inform Vendor if, in its opinion,
2.5.1. an instruction from Vendor infringes any Applicable Privacy Law; or
2.5.2. the Processor is subject to legal requirements that would make it unlawful or otherwise impossible for the Processor to act according to Vendor’s instructions or to comply with
Applicable Privacy Law.
2.6. The Processor shall not be entitled for reimbursement of any costs which the Processor may incur as a result of or in connection with complying with Vendor’s instructions for the purposes of providing the Services and/or with any of its obligations under this Agreement or any Applicable Privacy Law and any other relevant data protection and privacy law, regulations and other regulatory requirements, guidance or statutory codes of practice to which Processor is subject.
2.7. The Processor shall provide within 5 (five) calendar days following the receipt of Vendor’s request a written record of the Processing of Personal Data by the Processor on behalf of Vendor, and unless otherwise specified in this Agreement (including in Schedule 2 and the Processing Appendices)., such record shall include:
2.7.1. the name and contact details of the Processor or processors and of each controller on behalf of which the Processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
2.7.2. the categories of processing carried out on behalf of each controller;
2.7.3. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organization.
2.8. The parties shall give each other written notice if the information included in Schedule 6 changes. Such notice shall be given no later than five (5) working days following the change taking effect.
2.9. The parties shall amend the respective Processing Appendix in the case of any change related to the details of the Processing (as stated in the given Processing Appendix) where agreed by the parties or otherwise permitted by this Agreement.
3. PERSONAL INFORMATION SECURITY
3.1. The Processor shall keep Personal Data logically separate to data Processed on behalf of any other third party.
3.2. The Processor shall maintain and shall continue to maintain appropriate technical and organisational security measures to protect such Personal Data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorised disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing, and in addition shall comply with the Minimum Security Requirements.
4. SECURITY OF COMMUNICATIONS
The Processor shall undertake appropriate technical and organisational measures to safeguard the security of any electronic communications networks or services provided to Vendor or utilised to transfer or transmit Personal Data (including measures designed to ensure the secrecy of communications and prevent unlawful surveillance or interception of communications and gaining unauthorised access to any computer or system and thus guaranteeing the security of the communications).
5.PROCESSOR EMPLOYEES – CONFIDENTIALITY
5.1. The Processor shall ensure the reliability of any employees and Sub-Processor personnel who access the Personal Data and ensure that such personnel have undergone appropriate training in the care, protection and handling of Personal Data and have entered into confidentiality provisions in relation to the Processing of Personal Data that are no less onerous than those found in the Master Agreement.
5.2. The Processor will remain liable for any disclosure of Personal Data by each such person as if it had made such disclosure.
6.PROCESSING OF PERSONAL DATA OUTSIDE OF THE EUROPEAN ECONOMIC AREA (EEA)
Where Personal Data originating in the European Economic Area is Processed by the Processor outside the European Economic Area or in a territory that has not been designatedby the European Commission as ensuring an adequate level of protection pursuant to Applicable Privacy Law, the Transfer Contract Clauses shall apply to that Processing. The Processor shall ensure that the Processing of Personal Data does not commence until Vendor has confirmed to the Processor that it has obtained any approvals required from relevant Privacy Authorities.
7.USE OF SUB-PROCESSORS
7.1. The Processor shall not sub-contract or outsource any Processing of Personal Data to any other person or entity, including Processor Group Companies (“Sub-Processor”) unless and
until:
7.1.1. the Processor has notified Vendor by way of formal written notice of the full name and registered office or principal place of business of the Sub-Processor by completing
Schedule 2;
7.1.2. the Processor has provided to Vendor details (including categories) of the processing to be carried out by the Sub-Processor in relation to the Services; and such other information as may be requested by Vendor in order for Vendor and/or Vendor Customer to comply with Applicable Privacy Law or for Vendor and/or Vendor Customer to notify the relevant Privacy Authority;
7.1.3. the Processor has imposed legally binding terms no less onerous than those contained in this Agreement on such Sub-Processor;
7.1.4. Vendor has not objected to the sub-contracting or outsourcing within ten (10) working days from receiving Processor’s written notification set forth in Clause 7.1.1 together with the information set forth in Clause 7.1.2; and
7.1.5. the Processor has entered into Transfer Contract Clauses with the sub-contracting thirdparty, where the scope of sub-contracting involves Personal Data of Vendor or Vendor Customer to be Processed or stored by any means in third countries.
7.2. No Sub-Processor shall carry out processing in relation to the Services other than as previously notified to, and not objected to, by Vendor.
7.3. If requested by Vendor, the Processor shall procure that any third party Sub-Processor appointed by Processor pursuant to this Clause 7 shall enter into a data processing agreement with Vendor on substantially the same terms as this Agreement.
7.4. In all cases, Processor shall remain fully liable to Vendor for any act or omission performed by Sub-Processor or any other third party appointed by it as if they were the acts or omissions ofthe Processor, irrespective of whether Processor complied with its obligations specified in the above Clause 7.1.
7.5. Where a breach of this Agreement is caused by the actions of a Sub-Processor, the Processor shall – if requested by Vendor – assign to Vendor the rights of the Processor to take action under the Processor’s contract with the Sub-Processor. Vendor may take action as it deems necessary in order to protect and safeguard Personal Data.
8. PERSONAL DATA BREACH AND NOTIFICATION REQUIREMENTS
8.1. The Processor shall notify Vendor in writing as soon as possible in the circumstances but no later than within 24 hours after becoming aware of any accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to, Personal Data (“Security Breach”).
Such notification shall include (i) a detailed description of the Security Breach, (ii) the type of data that was the subject of the Security Breach and (iii) the identity of each affected person (or, where not possible, the approximate number of data subjects and of Personal Data records concerned). The Processor shall communicate to Vendor in such notification (i) the name and contact details of the Processor’s data protection officer or other point of contact where more information can be obtained; (ii) a description of the likely consequences of the Security Breach; (iii) a description of the measures taken or proposed to be taken by the Processor to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects; and additionally in such notification or thereafter (iv) as soon as such information can be collected or otherwise becomes available, any other information Vendor may reasonably request relating to the Security Breach.
8.2. The Processor shall immediately investigate the Security Breach and identify, prevent and make best efforts to mitigate the effects of any Security Breach in accordance with its obligations under this Agreement and, subject to Vendor’s prior agreement, carry out any recovery or other action necessary to remedy the Security Breach. The Processor shall not release or publish any filing, communication, notice, press release, or report concerning any Security Breach in respect of Personal Data (“Publicity”) without Vendor’s prior written approval. The actions and steps described in this Clause 8 shall, without prejudice to Vendor’s right to seek any legal remedy (including the claim for reimbursement of Vendor’s costs of legal action against Processor or Sub-Processor) as a result of the breach, be undertaken at the expense of the Processor and the Processor shall pay for or reimburse Vendor for all costs, losses and expenses relating to the cost of preparing and publishing Publicity.
8.3. If the Security Breach will impact other of the Processor’s customers, the Processor shall prioritise Vendor in providing support and implementing necessary actions and remedies.
9. PRIVACY IMPACT ASSESSMENTS
Where requested to do so by Katura, the Processor shall make available to Vendor all information necessary to demonstrate Vendor and/or Vendor Customer’s compliance with the Applicable Privacy Law and shall assist Vendor to carry out a privacy impact assessment of the Services and work with Vendor to implement agreed mitigation actions to address privacy risks so identified.
10. RIGHT TO AUDIT
10.1. The Processor shall and shall procure that any Sub-Processor shall permit Vendor, its customers (including Vendor’s and Vendor Customer’s respective sub-contractors, auditors or other agents) (each an “Auditing Party”), to access to its premises, computer and other information systems, records, documents and agreements as reasonably required by the Auditing Party to check that the Processor and/or its Sub-Processors are complying with their obligations under this Agreement (or any subsequent sub-processing contract) or any Applicable Privacy Law. Any review in accordance with clause 10.1 shall not require the review of any third party data and that such reviewing entity enters into such confidentiality obligations with the Processor or with the relevant Sub-Processor as may be reasonably necessary to respect the confidentiality of the Processor’s or Sub-Processor’s business interests and third party data and information of which the reviewing entity may become aware in the course of undertaking the review. The Auditing Party shall bear its own costs in relation to such audit, unless the audit reveals any non-compliance with Processor’s or Sub-Processor’s obligations under any Applicable Privacy Law or this Agreement or any subsequent sub-processing contract, in which case the costs of the audit shall be borne by the Processor.
10.2. The Processor shall and shall procure that any Sub-Processor shall permit at its own costs the Privacy Authorities to conduct a data protection audit with regards to the Processing carried out by Processor or Sub-Processor in accordance with the Applicable Privacy Law.
11. DELETION OF PERSONAL DATA
11.1. The Processor shall delete Personal Data from the Service(s) in accordance with the retention policies set out in the relevant Processing Appendix for the Service(s) and at such other times as may be required from time to time by Vendor.
11.2. Upon termination or expiry of any of the relevant Services, in respect of such Services any remaining Personal Data shall, at Vendor’s option, be destroyed or returned to Vendor, along with any medium or document containing Personal Data.
11.3. Upon termination or expiry of the Agreement, any remaining Personal Data shall be destroyed or returned to Vendor, along with any medium or document containing Personal Data unless otherwise requested by Vendor.
12. NOTICES
12.1. Formal written notices to be given under or in connection with this Agreement shall be made in writing in English and shall be deemed to have been duly given: (i) when delivered, if delivered by messenger during the hours of 9.00am to 5.00pm; (ii) when sent, if transmitted by facsimile transmission (transmission confirmed) during the hours of 9.00am to 5.00pm; and (iii) on the fifth business day following posting, if posted by signed for (postage pre-paid) mail or the equivalent in the country of posting. The addresses for services shall be set out in the relevant Processing Appendix.
12.2. Communications not requiring formal written notices may be effected by e-mail.
13. THIRD PARTY REQUESTS FOR DISCLOSURE OF PERSONAL DATA
13.1. Requests from governmental authorities or data subjects: The Processor shall, and shall procure that the Sub-Processor shall, inform Vendor promptly (and in any event within one (1) business day of receipt or sooner if required to meet with any earlier time-limit) of any inquiry, communication, request or complaint from:
13.1.1. any governmental, regulatory or supervisory authority, including Privacy Authorities or the U.S. Federal Trade Commission; and/or
13.1.2. any data subject; relating to the Services, any Personal Data or any obligations under Applicable Privacy Law and any other relevant data protection and privacy law, regulations and other regulatory requirements, guidance or statutory codes of practice to which Processor is subject, and shall provide all reasonable assistance to Vendor free of costs to enable Vendor and/or Vendor Customer to respond to such inquiries, communications, requests or complaints and to meet applicable statutory or regulatory deadlines. The Processor shall not, and it shall procure that any Sub-Processor shall not, disclose Personal Data to any of the persons or entities in 13.1.1 or 13.1.2 above unless it is obliged by law or a valid and binding order of a court or other legal judicial process to disclose Personal Data and has otherwise complied with the obligations in this clause 13.1.
13.2. Requests at law:Where the Processor or any Sub-Processor is required by law, court order, warrant, subpoena,or other legal judicial process (“Legal Request”) to disclose any Personal Data to any person or entity other than Vendor, the Processor shall, and shall procure that any Sub-Processor shall, notify Vendor promptly (and in any event within one (1) business day of receipt or sooner if required to meet with any time-limit in the Legal Request) and shall provide all reasonable assistance to Vendor to enable Vendor and/or Vendor Customer to respond or object to, or challenge, any such demands, requests, inquiries or complaints and to meet applicable statutory or regulatory deadlines. The Processor shall not, and it shall procure that any Sub- Processor shall not, disclose Personal Data pursuant to a Legal Request unless it is obliged by law or a valid and binding order of a court or other legal judicial process to disclose Personal Data and has otherwise complied with the obligations in this clause 13.2.
14. INDEMNITY
Notwithstanding any other indemnity provided by the Processor in connection with the Processing contained in the Master Agreement, the Processor shall indemnify Vendor (and each of their respective officers, employees and agents) against all Losses arising out of or in connection with any failure by the Processor (and by any Sub-Processor, of whatever tier) to comply with the provisions of this Agreement or any Applicable Privacy Law.
15. DURATION
15.1. This Agreement shall commence on the Commencement Date and shall continue in full force and effect until the later of (i) the termination or expiration of the Master Agreement; or (ii) the termination of the last of the Services or work packages to be performed pursuant to the Master Agreement. The provisions of this Agreement shall apply to any Processing of Personal Data received prior to execution of the Agreement or the Commencement Date, including during any transitional or migration phase.
15.2. The parties may agree to terminate one or more individual Processing Appendices as and when a relevant part of the Services is to terminate, in which case such termination with respect to such Processing Appendix or Appendices shall take effect on the date agreed by the parties in writing. Termination of one or more individual Processing Appendices shall not affect any other provision or other Processing Appendix of this Agreement and the parties shall continue to be bound by and to perform the obligations set out therein.
16. COUNTERPARTS
16.1. The parties acknowledge that they shall use an electronic signature process to sign this Agreement and agree to be bound by any such electronic signature which they have applied to the Agreement.
16.2. This Agreement may be executed in any number of counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument. A counterpart signature page of this Agreement executed by a party and the execution version of the Agreement transmitted electronically in Portable Document Format (PDF) shall be treated as an original, fully binding and with legal force and effect. The parties waive any rights they may have to object to such treatment.
17. GOVERNING LAW
This Agreement shall be governed by and construed in accordance with the laws of Spain and shall be subject to the exclusive jurisdiction of the Courts of Spain.
18. MISCELLANEOUS
18.1. If Processor processes Personal Data of any Vendor Customer operating in one of the countries listed in Schedule 7, the terms specified in Schedule 7 in respect of the given country (“Country Specific Terms”) shall be applicable for every Processing carried out under the Agreement in addition to the terms of the Agreement. In case of any conflict or ambiguity between the applicable Country Specific Terms and any other terms specified in the body and in other schedules of the Agreement, the applicable Country Specific Terms shall take precedence.
18.2. Clause and other headings in this Agreement are for convenience of reference only and shall not constitute a part of or otherwise affect the meaning or interpretation of this Agreement. Schedules to this Agreement shall be deemed to be an integral part of this Agreement to the same extent as if they had been set forth verbatim herein.
18.3. Unless the context otherwise requires, in the Agreement:
18.3.1. use of the singular includes the plural and vice versa;
18.3.2. a reference to any relevant data protection and privacy law, regulations (including GDPR) and other regulatory requirements, and guidance or statutory codes of practice issued by the relevant Privacy Authority/ies shall be construed as referring to such as amended and in force from time to time and/or as re-enacted or consolidated with or without modification;
18.3.3. any phrase introduced by the terms “including”, “include”, “in particular” or any similar expression are deemed to have the words “without limitation” following them and shall be construed as illustrative and shall not limit the sense of the words preceding those terms.
18.4. This Agreement is personal to the Processor and the Processor shall not under any circumstances assign, novate or otherwise transfer any of its rights or obligations under this Agreement without Vendor’s prior express written consent.
18.5. This Agreement, including the Schedules attached hereto and any subsequent properly executed Processing Appendices agreed between the parties, constitutes the entire agreement between the parties pertaining to the subject matter hereof and supersedes all prior agreements, understandings, negotiations and discussions of the parties. For the avoidance of doubt, the terms and conditions of the Master Agreement are not incorporated in this Agreement.
18.6. The provisions of this Agreement are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision, and the rest of this Agreement shall remain in full force and effect.
18.7. The provisions of this Agreement shall endure to the benefit of and shall be binding upon the parties and their respective successors and assignees.
SCHEDULE 1.
Transfer Contract Clauses Standard Contractual Clauses for Data Processors Located outside of the European Economic Area. The following Clauses provide adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in the Processing Appendix.
Clause 1 Definitions
For the purposes of the Clauses: (a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data 1;
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other sub processor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration,unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2 Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in the Processing Appendix which forms an integral part of the Clauses. 1 Parties may reproduce definitions and meanings contained in Directive 95/46/EC within this Clause if they considered it better for the contract to stand alone.
Clause 3 Third-party beneficiary clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3.The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
4.The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4 Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the
Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the
Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of
Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Clause 5 Obligations of the data importer 2
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
2 Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article
13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting requirements.
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix
2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with
Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
Clause 6 Liability
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph
3. against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Clause 7 Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by
the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is
established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8 Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if
it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
Clause 9 Governing Law
The Clauses shall be governed by the law of the Member State in which the data exporter is established,
Clause 10 Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11 Subprocessing
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses 3. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
2. This requirement may be satisfied by the subprocessor co-signing the contract entered into between the data exporter and the data importer under this Decision.
3. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
4. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
5. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority. Clause 12 Obligation after the termination of personal data processing services
6. The parties agree that on the termination of the provision of data processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
7. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph.
SCHEDULE 2
LIST OF APPROVED SUB-PROCESSORS
TO
DATA PROCESSING AGREEMENT
(Contract ID )
Master
Agreement ID
Name of Sub-Processor
Registered business address
Actual location of the Processing
Link to their Security Policy
SCHEDULE 3
TEMPLATE DATA PROCESSING APPENDIX TO DATA PROCESSING AGREEMENT
Services offered: JUMP data driven video Solution
This Appendix, including any relevant attachment, describes the types of Personal Data, and the purposes for which that Personal Data may be Processed by the Processor.
Vendor is: A leader in the OTT TV (Over the Top TV), OVP (Online Video Platform), EdVP (Education Video Platform) and EVP (Enterprise Video Platform) markets. Vendor is deployed globally in thousands of enterprises, media companies, service providers and educational institutions and engages hundreds of millions of viewers at home, in work, and at school.
The Processor is: A Data processor that provides a SAAS cloud solution to provide video service providers with insights and analytics to help them in the daily business decision-making process. Personal Data will be processed for the purpose of providing analysis of the performance of the video service under the Agreement including the following purposes:
– Driving internal business insights for the video service business owners
– Clustering users to group them into different segments
Special categories of data:
No categories of Sensitive Personal Data as defined by Applicable Privacy Law shall be processed for the purposes of this Processing Appendix. Personal Data Processing Activities
Master Agreement contract ID
Purpose of the Processing
Categories and estimated
volume of Personal Data processed
Data Subjects
Location of the Processing
Approved Sub-Processor
Retention Period for the Personal Data
TBD
Data on the use of the videoservice (e.g. browser, device type, platform, and model, etc);
Category: Generic and Anonymous Hardware and Software data for statistical purposes. Volume: All End Users
All End Users and devices used
Europe Not Applicable 1 year
TBD
Data on the use of apps that run the
Category: UX interactions data All End Europe Not Applicable 1 year video service (e.g. navigation through the different sections of the app, usage of key features such as sharing, favourites or search engines); for statistical purposes. Volume: All End Users per device used per UX Interactions. Users and devices used
TBD
Data of the interactions with the video service (e.g.: subscription and cancellation to a commercial package, transactionall operations related to rentals or buys of content, etc.)
Category: Subscriptions and Billing data for statistical purposes. Volume: All EndUsers All End Users Europe Not Applicable 1 year
TBD
Data related to the content catalogue of the video service
Category: Content Metadata Volume: All Catalogue All Catalogue Europe
Not Applicable 1 year
TBD
Video viewership data (e.g.: content viewed inside the video service, date and time when each content was viewed, the profile of the user that was viewing a content, time of each playback session, completion of each playback session, etc.)
Category: Playback data for statistical purposes. Volume: All End Users per device used per Playbacks
All End Users and devices used
Europe Not Applicable 1 year
For full clarification of the data that the supplier may the process below are the specific data sources from each Vendor Customer the Processor will have access:
Type Data source Description
Group Device_Monitoring Data regarding an active monitorization of all deployed devices for Group Devices Data regarding a full list of provisioned devices Group EDR
Data regarding the monetary transaction events for rentals Group EPG_Catalogue Electronic Programming Guide data (programs in the different channels)
Group Subscription_Catalogue Data regarding available contents for subscribed users
Group Subscriptions Data regarding subscription events
Group User_Conversion Data regarding frontend playback activities
Group User_Navigation Data regarding the navigation within the frontend applications
Group User_Recording Data regarding recording events from the frontend applications
Group VOD_Catalogue Data regarding available contents in the VOD catalog
End-user devices ARM Logs
Internal log files generated in Set Top Boxes
End-user devices Vendor Consumption Report Vendor report including daily VOD playback sessions for devices End-user devices
vod_catalog VOD Content catalog available for devices End-user devices
epg_data Electronic Programming Guide data for devices
Notices: ● If to Vendor: XXX
SCHEDULE 4
Minimum Security Requirements and Customer Security Requirements
Background to this Document Purpose This document describes the minimum security measures that have to be adopted for the purpose of protecting Personal Data and information, primarily with a view to meeting minimum pre-defined requirements of applicable data protection and privacy law and to fulfil the requirements of Vendor Customers. Compliance with these minimum security measures does not guarantee that an appropriate level of protection has been provided – a holistic and comprehensive assessment of security must be undertaken depending upon the circumstances, type of data and Processing to be performed.
Information security techniques, and the threats to security, are continually evolving. Security must therefore be continually assessed in the light of the specific circumstances at hand to determine the appropriate level of protection.
These requirements are to be applied by entities that Process Personal Data on behalf of Vendor, such entities referred to as “Processors”. Vendor is referred to as the “controller”.
These requirements are also to be read in conjunction with any other general security requirements agreed with Vendor, such as any further security requirements as are identified in any pre or post contract security assessment.
Many of these requirements are not intended to be specific to the Processing operations undertaken on behalf of Vendor and/or Vendor Customers. Rather, Processors are expected to adopt these standards as appropriate standards to ensure a secure operating environment to handle Personal Data. Definitions In this document, the following definitions are used:
Authorised Users has the meaning defined in security requirement 16.
Content means the content of an electronic communication by an user, including the content of electronic messages, such as SMS, MMS and email, and web pages requested to the extent that it is not Traffic Data, and references to Personal Data shall include Content;
Information Systems means all systems used to access, store or otherwise Process Personal Data, including temporary files;
Judicial Data means any Personal Data processed in the context of judicial administration or judicial investigation;
Location Data means any data Processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service, geographic location derived from mobile network cell ID data, and coordinates provided by GPS, pico-cell, femto-cell or WiFi hotspots with known or presumed coordinates for the cells or hotspots to which users are connected, and references to Personal Data shall include Location Data;
Media means a physical object likely to be Processed in an Information System and on which data may be recorded or from which they may be retrieved;
Security document means the document containing the security plan;
Security plan means the measures adopted to comply with these minimum security requirements;
Sensitive Personal Data means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health or sex life and data consisting of information as to the commission or alleged commission of any offence or any proceedings for any offence or alleged offence or the disposal of such proceedings or the sentence of any court in such proceedings; and references to Personal Data shall include Sensitive Personal Data;
Traffic Data means any data Processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof, and references to Personal Data shall include Traffic Data; and User ID has the meaning defined in security requirement 18.
All other definitions used are defined in Clause 1 of the Data Processing Agreement.
Security Categories These security requirements are divided into three categories to reflect the sensitivity of different types of data – Standard, Medium and High. The data types to which these three security categories apply are described below. Standard The standard security requirements apply to all Personal Data, including those categories of Personal Data referred to below in relation to the Medium and High categories.
Medium The medium security requirements apply to the following categories of Personal Data, including those categories of Personal Data referred to below in relation to the High category:
– Relating to Judicial Data or investigations, enquiries or disclosures for law enforcement purposes.
– Sufficient to permit an assessment of an individual’s personality.
– Bank account, debit, credit or other payment card information.
High
The high security requirements apply to the following data categories:
– Sensitive Personal Data.
– Judicial Data or data relating to investigations, enquiries or disclosures for law enforcement purposes where such data is also Sensitive Personal Data and/ or Traffic Data.
Traffic Data.
Location Data.
Content.
Order of precedence
In the event that the security requirements conflict, the higher standard shall take precedence.
Scope of these requirements The security measures required for access to Personal Data via communications networks must guarantee a level of security equivalent to that applying to local access. Such remote access shall be expressly authorised by the controller.
Standard Security Measures Organisational measures
Security Officer
1. A person responsible for the overall compliance with these minimum security requirements shall be designated as the Security Officer. This person shall be suitably trained and experienced in managing information security and provided with appropriate resources to effectively ensure compliance.
2. The contact details of the Security Officer shall be provided to the controller within ninety (90) days of the parties entering into the relevant processing agreement and any amendment to such details shall be communicated promptly.
Security Plan and Document
3. The measures adopted to comply with these minimum security requirements shall be the subject of a security plan and set out in a security document, which shall be kept up to date, and revised whenever relevant changes are made to the Information System or to how it is organised. The security document shall record significant changes to the security measures or the Processing activities.
4. The security plan shall address: Security measures relating to the modification and maintenance of the system used to Process Personal Data, including development and maintenance of applications, appropriate vendor support and an inventory of hardware and soft Physical security, including security of the buildings or premises where data Processing occurs, security of data equipment and telecommunication infrastructure and environmental controls.
5.Data security mechanisms for securing the integrity and confidentiality of the data, classification of the data.
6. Security of computers and telecommunication systems including procedures for managing back-up copies, procedures dealing with computer viruses, procedures for managing signal/codes, security for software implementation, security related to databases, security for connecting systems to the Internet, inspection of circumvention of data system, mechanisms for keeping account of attempts to break system security or gain unauthorized access.
7. The security plan shall include:
a ) Disaster Recovery Plan which shall set out: measures to minimize interruptions to the normal functioning of the system; limit the extent of any damage and disasters; enable a smooth transition of Personal Data from one computer system to another; if necessary, provide for alternative means of operating a computer system; educate, exercise and familiarize personnel with emergency procedures; provide for fast and smooth system recovery, and minimize the economic effects of any disaster event.
b) a Contingency Plan which must address the following possible dangers to the system and appropriate criteria to determine when the Plan should be triggered: the critical functions and systems, the strategy for protecting the system and priorities in the event the Plan is activated; an inventory of relevant staff members to be called upon during an emergency, as well as telephone numbers of other relevant parties; a set of procedures for calculating the damage incurred; realistic time management plans to enable the recovery of the system; clearly allocated staff duties; possible use of alarms and special devices (e.g., air filters, noise filters); in the event of a fire, special equipment should be available (e.g., fire extinguisher, water pumps, etc.); devices or methods for determining temperature, humidity and other environmental factors.
(e.g., air conditioning, thermometers, etc.); special security software to detect breaches of security; special generators for dealing with power cuts; retention of copies of software or materials in other protected buildings to avoid inadvertent loss.
8. The security document shall be available to staff who have access to Personal Data and the Information Systems, and must cover the following aspects as a minimum:
a) The scope, with a detailed specification of protected resources;
b) The measures, standards, procedures, code of conduct rules and norms to guarantee security, including for the control, inspection and supervision of the Information Systems;
c) The functions and obligations of staff;
d) The structure of files containing Personal Data and a description of the Information Systems on which they are Processed;
e) The purposes for which the Information Systems may be used;
f) The procedures for reporting, managing and responding to incidents;
g) The procedures for making back-up copies and recovering data including the person who undertook the process, the data restored and, as appropriate, which data had to be input manually in the recovery process.
9. The security document and any related records and documentation shall be retained for a minimum period of 5 years from the end of the Processing. Functions and Obligations of Staff
10. Only those employees who have demonstrated honesty, integrity and discretion should be Authorised Users or have access to premises where Information Systems or media containing Personal Data are located. Staff should be bound by a duty of confidentiality in respect of any access to Personal Data.
11. The necessary measures shall be adopted to train and make staff familiar with these minimum security requirements, any relevant policies and applicable laws concerning the performance of their functions and duties in respect of the Processing of Personal Data and the consequences of any breach of these requirements.
12. The functions and obligations of staff having access to Personal Data and the Information Systems shall be clearly defined and documented.
13.Authorised Users shall be instructed to the effect that electronic equipment should not be left unattended and made accessible during Processing sessions.
14. Physical access to areas where any Personal Data are stored shall be restricted to Authorised Users.
15. The disciplinary measures for a breach of the security plan shall be clearly defined and documented and communicated to staff.
Technical Measures Authorisation
16.Only those employees who have a legitimate operational need to access the Information Systems or carry out any Processing of Personal Data shall be authorised to do so (“Authorised Users”).
17. An authorisation system shall be used where different authorisation profiles are used for different purposes.
Identification
18. Every Authorised User must be issued with a personal and unique identification code for that purpose (“User ID”).
19. A User ID may not be assigned to another person, even at a subsequent time.
20. An up-to-date record shall be kept of Authorised Users, and the authorised access available to each, and identification and authentication procedures shall be established for all access to Information Systems or for carrying out any Processing of Personal Data.
Authentication
21. Authorised Users shall be allowed to Process Personal Data if they are provided with authentication credentials such as to successfully complete an authentication procedure relating either to a specific Processing operation or to a set of Processing operations.
22. Authentication must be based on a secret password associated with User ID, and which password shall only be known to the Authorised User; alternatively, authentication shall consist in an authentication device that shall be used and held exclusively by the person in charge of the Processing and may be associated with either an ID code or a password, or else in a biometric feature that relates to the person in charge of the Processing and may be associated with either an ID code or a password.
23. One or more authentication credentials shall be assigned to, or associated with, an Authorised User.
24. There must be a procedure that guarantees password confidentiality and integrity. Passwords must be stored in a way that makes them unintelligible while they remain valid. There must be a procedure for assigning, distributing and storing passwords.
25. Passwords shall consist of at least eight characters, or, if this is not technically permitted by the relevant Information Systems, a password shall consist of the maximum permitted number of characters. Passwords shall not contain any item that can be easily related to the Authorised User in charge of the Processing and must be changed at regular intervals, which intervals must be set out in the security document. Passwords shall be modified by the Authorised User to a secret value known only to the Authorised User when it is first used as well as at least every six months thereafter.
26. The instructions provided to Authorised Users shall lay down the obligation, as a condition of accessing the Information Systems, to take such precautions as may be necessary to ensure that the confidential component(s) in the credentials are kept secret and that the devices used and held exclusively by Authorised Users are kept with due care.
27. Authentication credentials shall be de-activated if they have not been used for at least six months, except for those that have been authorised exclusively for technical management and support purposes.
28. Authentication credentials shall be also de-activated if the Authorised User is disqualified or de-authorised from accessing the Information Systems or Processing Personal Data.
29. Where data and electronic equipment may only be accessed by using the confidential component(s) of the authentication credential, appropriate instructions shall be given in advance, in writing, to clearly specify the mechanisms by which the controller can ensure that data or electronic equipment are available in case the person in charge of the Processing is either absent or unavailable for a long time and it is indispensable to carry out certain activities without further delay exclusively for purposes related to system operationality and security. In this case, copies of the credentials shall be kept in such a way as to ensure their confidentiality by specifying, in writing, the entities in charge of keeping such credentials. Such entities shall have to inform the person in charge of the Processing, without delay, as to the activities carried out.
Access Controls
30. Only Authorised Users shall have access to Personal Data, including when stored on any electronic or portable media or when transmitted. Authorised Users shall have authorised access only to those data and resources necessary for them to perform their duties.
31. A system for granting Authorised Users access to designated data and resources shall be used.
32. Authorisation profiles for each individual Authorised User or for homogeneous sets of Authorised Users shall be established and configured prior to the start of any Processing in such a way as to only enable access to data and resources that are necessary for Authorised Users to perform their duties.
33. It shall be regularly verified, at least at yearly intervals, that the prerequisites for retaining the relevant authorisation profiles still apply. This may also include the list of Authorised Persons drawn up by homogeneous categories of task and corresponding authorisation profile.
34. Measures shall be put in place to prevent a user gaining unauthorised access to, or use of, the Information Systems . In particular, firewalls and intrusion detection systems reflecting the state of the art and industry best practice should be installed to protect the Information Systems from unauthorized access. Measures shall be put in place to identify when the Information Systems have been accessed or Personal Data has been Processed without authorization, or where there have been unsuccessful attempts at the same.
35. Operating system or database access controls must be correctly configured to ensure authorised access.
36.Only those staff authorised in the security document shall be authorised to grant, alter or cancel authorised access by users to the Information Systems
Management of Media
37. Information Systems and physical media storing Personal Data must be housed in a secure physical environment. Measures must be taken to prevent unauthorized physical access to premises housing Information Systems.
38. Organisational and technical instructions shall be issued with regard to keeping and using the removable media on which the data are stored in order to prevent unauthorised access and Processing.
39. Media containing Personal Data must permit the kind of information they contain to be identified, Inventoried (including the time of data entry; the Authorised User who entered thedata and the person from whom the data was received; and the Personal Data entered) and stored at a physical location with physical access restricted to staff that are authorised in the security document to have such access.
40. When media are to be disposed of or reused, the necessary measures shall be taken to prevent any subsequent retrieval of the Personal Data and other information stored on them, or to otherwise make the information intelligible or be re-constructed by any technical means, before they are withdrawn from the inventory. All reusable media used for the storage of Personal Data must be overwritten three times with randomised data prior to disposal or re-use.
41. The removal of media containing Personal Data from the designated premises must be specifically authorised by the controller.
42. Media containing Personal Data must be erased or rendered unreadable if it is no longer used or prior to disposal.
Distribution of Media and Transmission
43. Media containing Personal Data must only be available to Authorised Users.
44. Printing/copying Processes must be physically controlled by Authorised Users, to ensure that no prints or copies containing Personal Data remain left in the printers or copying machines.
45. Media containing Personal Data or printed copies of Personal Data must contain the classification mark “Confidential”.
46. Encryption (128-bit or stronger) or another equivalent form of protection must be used to protect Personal Data that is electronically transmitted over a public network or stored on a portable device, or where there is a requirement to store or Process Personal Data in a physically insecure environment.
47. Paper documents containing Personal Data must be transferred in a sealed container / envelope that indicates clearly that the document must be delivered by hand to an Authorised User.
48. When media containing Personal Data are to leave the designated premises as a result of maintenance operations, the necessary measures shall be taken to prevent any unauthorised retrieval of the Personal Data and other information stored on them.
49. A system for recording incoming and outgoing media must be set up which permits direct or indirect identification of the kind of media, the date and time, the sender/recipient, the number of media, the kind of information contained, how they are sent and the person responsible for receiving /sending them, who must be duly authorised.
50. Where Personal Data is transmitted or transferred over an electronic communications network, measures shall be put in place to control the flow of data and record the timing of the transmission or transfer, the Personal Data transmitted or transferred, the destination of any Personal Data transmitted or transferred , and details of the Authorised User conducting the transmission or transfer.
Preservation, Back-up copies and Recovery
51. Tools must be in place to prevent the unintended deterioration or destruction of Personal Data.
52. Procedures must be defined and laid down for making back-up copies and for recovering data. These procedures must guarantee that Personal Data files can be reconstructed in the state they were in at the time they were lost or destroyed.
53. Back-up copies must be made at least once a week, unless no data have been updated during that period.
Anti-Virus and Intrusion Detection
54. Anti-virus software and intrusion detection systems should be installed on the Information Systems to protect against attacks or other unauthorised acts in respect of Information Systems. Antivirus software and intrusion detection systems should be updated regularly in accordance with the state of the art and industry best practice for the Information Systems concerned (and at least every six months).
Software Updates
55. The software, firmware and hardware used in the Information Systems shall be reviewed regularly in order to detect vulnerabilities and flaws in the Information Systems and resolve such vulnerabilities and flaws. This review shall be carried out at least annually.
Record Keeping
Access Record
56. A history of Authorised Users’ access to or disclosure of Personal Data shall be recorded on a secure audit trail.
Physical Access Record
57. Only those staff duly authorised in the security document may have physical access to the premises where Information Systems and media storing Personal Data are stored. A record of staff who access such premises shall be maintained, including name, date and time oaccess. Record of Incidents
58. There shall be a procedure for reporting, responding to and managing security incidents such as data security breaches or attempts at unauthorised access. This shall include as a minimum:
a) A procedure for reporting such incidents/ breaches to appropriate management within the processor;
b) A clearly designated team for managing and co-ordinating the response to an incident led by the Security Officer;
c) A documented and tested process for managing the response to an incident including the requirement to keep appropriate issues and action logs to include the time at which the incident occurred, the person reporting the incident, to whom it was reported and the effects thereof;
d) The requirement on the processor to notify the controller immediately if it appears that Personal Data was involved in the incident or breach or may be impacted or affected in some way; and
e) The processor security/ incident management team should where appropriate work together with the controller’s security representatives until the incident or breach has been satisfactorily resolved.
Medium Security Measures
Technical Measures
Identification and Authentication
59. Passwords shall be modified at least every three months.
60. The software, firmware and hardware used in the Information Systems shall be reviewed at least every six months in order to detect vulnerabilities and flaws in the Information Systems and resolve such vulnerabilities and flaws.
61. Mechanisms shall be set up that permit unequivocal, personalised identification of any user who attempts to access the information system and a check to establish whether each user is authorised.
62. Limits shall be placed on the scope for repeating attempts to gain unauthorised access to the Information System. After, at most, 6 failed attempts to authenticate, the associated User ID must be blocked.
Tests with Real Data
63. Testing prior to the implementation or modification of the Information Systems Processing Personal Data shall not use real or ‘live’ data unless such use is necessary and there is no reasonable alternative. Where real or ‘live’ data is used, it shall be limited to the extent necessary for the purposes of testing and the level of security corresponding to the type of
Personal Data Processed must be guaranteed.
Audit
64. Regular audits of compliance with these minimum security requirements, at least at two yearly intervals, should be performed and delivered in the form of an audit report.
65. The audit report must provide an opinion on the extent to which the security measures and controls adopted comply with these minimum security requirements, identify any shortcomings and (if any) propose corrective or supplementary measures as necessary. It should also include the data, facts and observations on which the opinions reached and the recommendations proposed are based.
66.The audit report shall be analysed by the Security Officer who shall refer the conclusions to the controller and the Security Officer shall remain at the disposal of the controller.
SCHEDULE 5
Customer Security Requirements
[INTENTIONALLY OMITTED]
SCHEDULE 6
Information related to identity of data protection officer
Vendor:
– Identity of the chief or principal data protection officer: [email protected]
– Identity of any data protection representative appointed and the location in which the representative is registered: N/A
Processor:
Identity of the chief or principal data protection officer:
José María López Pol
Chief Operating Officer
– Identity of any data protection representative appointed and the location in which the representative is
registered:
Not applicable.
SCHEDULE 7
COUNTRY SPECIFIC TERMS
If Processor processes Personal Data for or on behalf of a Vendor Customer that operates in one of the countries listed below, the respective Country Specific Terms shall be applicable in line with Clause 18.1 of the Agreemen
