DATA PROTECTION ADDENDUM – CONTROLLER-PROCESSOR
1. INTRODUCTION
a. Central Spot Trading Ltd., a limited liability company incorporated under the laws of the Republic of Cyprus, bearing registration number HE 325259, having its registered office at 6 Tassou Papadopoulou, Flat/Office 22, Agios Dometios, 2373, Nicosia, Cyprus, a Cyprus Investment Firm authorized and regulated by the Cyprus Securities and Exchange Commission (CySEC) with license number 238/14, or its Affiliates (“Company”) and Partner are parties to the Agreement (each a “Party”), to which this Data Protection Addendum applies. If Partner Processes Personal Data, or if Partner has access to Personal Data in the course of its performance under the Agreement, Partner shall comply with the terms and conditions of this Data Protection Addendum (“Data Protection Addendum”).
b. This Data Protection Addendum may include the Standard Contractual Clauses and related Exhibits (“Attachments”). By signing this Data Protection Addendum, Partner shall qualify as the Data Processor, as this term is defined under Data Protection Laws. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
2. DEFINITIONS
All capitalized terms not defined in this Data Protection Addendum have the meanings set forth in the Agreement.
a. “Affiliate” means any person or entity directly or indirectly controlling, controlled by, or under common control with a Party. For the purpose of this definition, “control” (including, with correlative meanings, the terms “controlling”, “controlled by” and “under common control with”) means the power to manage or direct the affairs of the person or entity in question, whether by ownership of voting securities, by contract or otherwise.
b. “Agreement” means the agreement between Company and Partner which involves Partner having access to or otherwise Processing Personal Data.
c. “Approved Jurisdiction” means a member state of the EEA, or other jurisdiction as may be approved as having adequate legal protections for data by the European Commission currently found here:
d. “Breach Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
e. “Data Protection Laws” means any and/or all applicable domestic and foreign laws, rules, directives and regulations, on any local, provincial, state, federal or national level, pertaining to data privacy, data security and/or the protection of Personal Data, including the Data Protection Directive 95/46/EC and the Privacy and Electronic Communications Directive 2002/58/EC (and respective local implementing laws) concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), including any amendments or replacements to them, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”).
f. “EEA” means those countries that are members of the European Economic Area.
g. “Partner” refers to the legal entity, regardless of the form of organization, identified in the Agreement.
h. “Personal Data” or “personal data” means any information that is about, or can be related to, an identifiable individual. It includes any information that can be linked to an individual or used to directly or indirectly identify an individual natural person. Personal Data shall be considered Confidential Information regardless of the source.
i. “Process” or “process” means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, access to, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction. “Processes” or “processes” and “Processing” or “processing” shall be construed accordingly.
j. “Special Categories of Data” means personal data that requires an extra level of protection and a higher duty of care under Data Protection Laws, for example, information on medical or health conditions, certain financial information, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual preferences, or information related to offenses or criminal convictions.
3. DATA PROTECTION AND PRIVACY
a. If Partner has access to or otherwise Processes Personal Data, then Partner shall:
i. Only Process the Personal Data in accordance with Company’s documented instructions and on its behalf, and in accordance with the Agreement and this Data Protection Addendum and related Attachments;
ii. Take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process, Personal Data; ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and ensure that such personnel are aware of their responsibilities under this Data Protection Addendum and any Data Protection Laws (or under Partner’s own written binding policies, provided these are at least as restrictive as this Data Protection Addendum);
iii. Assist Company as needed to cooperate with and respond to requests from supervisory authorities, data subjects, customers, or others to provide information (including details of the services provided by Partner) related to Partner’s Processing of Personal Data;
iv. Notify Company without undue delay, and no later than twenty-four (24) hours, after becoming aware of a Breach Incident;
v. Provide full, reasonable cooperation and assistance to Company in:
a. Allowing data subjects to exercise their rights under the Data Protection Laws, including (without limitation) the right of access, right to rectification, restriction of Processing, erasure, data portability, object to the Processing, or the right not to be subject to an automated individual decision making;
b. Ensuring compliance with any notification obligations of personal data breach to the supervisory authority and communication obligations to data subjects, as required under Data Protection Laws;
c. Ensuring compliance with its obligation to carry out data protection impact assessments with respect to the Processing of Personal Data, and with its prior consultation with the supervisory authority obligation (as applicable).
vi. Only process or use Personal Data on its systems or facilities to the extent necessary to perform its obligations under the Agreement;
vii. As required under Data Protection Laws, maintain accurate written records of any and all the Processing activities of any Personal Data carried out under the Agreement (including the categories of Processing carried out and, where applicable, the transfers of Personal Data), and shall make such records available to the applicable supervisory authority on request;
viii. Make all reasonable efforts to ensure that Personal Data are accurate and up to date at all times while in its custody or under its control, to the extent Partner has the ability to do so;
ix. Not lease, sell or otherwise distribute Personal Data;
x. Promptly notify Company of any investigation, litigation, arbitrated matter or other dispute relating to Partner’s information security or privacy practices as it relates to the Processing of Personal Data;
xi. Promptly notify Company in writing and provide Company an opportunity to intervene in any judicial or administrative process if Partner is required by law, court order, warrant, subpoena, or other legal or judicial process to disclose any Personal Data to any person other than Company;
xii. Upon termination of the Agreement, or upon Company’s written request at any time during the term of the Agreement, cease to Process any Personal Data received from Company, and within a reasonable period, at the request of Company: (1) return the Personal Data; or (2) securely and completely destroy or erase all Personal Data in its possession or control (including any copies thereof), unless and solely to the extent the foregoing conflicts with any applicable laws. At Company’s request, Partner shall give Company a certificate confirming that it has fully complied with this clause.
4. SUBCONTRACTING
a. Partner shall not subcontract its obligations under this Data Protection Addendum to another person or entity (“Contractor(s)”), in whole or in part, without Company’s prior written approval or general written authorization, and shall inform Company of any intended changes concerning the addition or replacement of other processors.
b. Partner will execute a written agreement with such approved Contractor containing equivalent terms to this Data Protection Addendum and the applicable Attachments (provided that Partner shall not be entitled to permit the Contractor to further sub-contract or otherwise delegate all or any part of the Contractor’s processing without Company’s prior written consent at Company’s sole discretion) and which expressly provides Company with third party beneficiary rights to enforce such terms and/or require Partner to procure that the Contractor enters into a Data Protection agreement with Company directly.
c. Partner shall have a written security policy that provides guidance to its Contractors to ensure the security, confidentiality, integrity and availability of Personal Data and systems maintained or processed by Partner.
d. Company may require Partner to provide Company with full details of the proposed Contractor’s involvement including but not limited to the identity of the Contractor, its data security record, the location of its processing facilities and a description of the access to Personal Data proposed.
e. Partner shall be responsible for the acts or omissions of Contractors to the same extent it is responsible for its own actions or omissions under this Data Protection Addendum.
5. THE TRANSFER OF PERSONAL DATA
a. If Partner is required to transfer Personal Data to a third country or an international organization under applicable laws, it shall inform Company of that legal requirement before processing. If, subject to Company’s prior consent, Partner Processes Personal Data from the EEA in a jurisdiction that is not an Approved Jurisdiction, Partner shall ensure that it has a legally approved mechanism in place to allow for the international data transfer. If Partner intends to rely on Standard Contractual Clauses, the following additional terms will apply to Partner and Partner’s partners and/or affiliates (where subcontracting or performance is allowed by the Agreement):
i. The Standard Contractual Clauses set forth in the Attachments will apply. If such Standard Contractual Clauses are superseded by new or modified Standard Contractual Clauses, the new or modified Standard Contractual Clauses shall be deemed to be incorporated into this Data Protection Addendum, will replace the then-current Attachments, and Partner will promptly begin complying with such Standard Contractual Clauses. Partner will abide by the obligations set forth under the Standard Contractual Clauses for data importer and/or sub-processor as the case may be.
ii. If Partner subcontracts any Processing of Personal Data (as allowed by the Agreement and Applicable Law), it will:
a. Notify and obtain Company’s advance written permission before proceeding; and
b. Ensure that it has a legally approved mechanism in place to allow for the international data transfer, or that Contractors have entered into the Standard Contractual Clauses with Partner set forth in the Attachments.
6. SECURITY STANDARDS
a. Partner shall implement and maintain commercially reasonable and appropriate physical, technical and organizational security measures to protect Personal Data against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed, and all other unlawful forms of Processing, including (as appropriate): (i) the pseudonymisation and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
b. To the extent that Partner Processes Special Categories of Data, the security measures referred to in this Data Protection Addendum shall also include, at a minimum (i) routine risk assessments of Partner’s information security program, (ii) regular testing and monitoring to measure and confirm the effectiveness of the information security program’s key controls, systems, and procedures, and (iii) encryption of Special Categories of Data while “at rest” and during transmission (whether sent by e-mail, fax, or otherwise), and storage (including when stored on mobile devices, such as a portable computer, flash drive, PDA, or cellular telephone).
7. GENERAL
a. If any of the Data Protection Laws are superseded by new or modified Data Protection Laws (including any decisions or interpretations by a relevant court or governmental authority relating thereto), the new or modified Data Protection Laws shall be deemed to be incorporated into this Data Protection Addendum, and Partner will promptly begin complying with such Data Protection Laws.
b. Any ambiguity in this Data Protection Addendum shall be resolved to permit Company to comply with all Data Protection Laws. In the event and to the extent that the Data Protection Laws impose stricter obligations on the Partner than under this Data Protection Addendum, the Data Protection Laws shall prevail.
c. If this Data Protection Addendum does not specifically address a particular data security or privacy standard or obligation, Partner will use appropriate, generally accepted practices to protect the confidentiality, security, privacy, integrity, availability, and accuracy of Personal Data.
d. Partner agrees that, in the event of a breach of this Data Protection Addendum, neither Company nor any relevant Company’s customer will have an adequate remedy in damages and therefore either Company or an affected customer shall be entitled to seek injunctive or equitable relief to immediately cease or prevent the use or disclosure of Personal Data not contemplated by the Agreement and to enforce the terms of this Data Protection Addendum or ensure compliance with all Data Protection Laws.
e. If Partner is unable to provide the level of protection as required herein, Partner shall immediately notify Company and cease processing. Any non-compliance with the requirements herein shall be deemed a material breach of the Agreement and Company shall have the right to terminate the Agreement immediately without penalty.
f. Company shall have the right to: (a) require from Partner all information necessary to demonstrate compliance with this Data Protection Addendum and the applicable Attachments; and (b) conduct its own audits and/or inspections of Partner (including its facilities or equipment involved in the Processing of Personal Data) for the same purpose. Such audit and/or inspection shall be conducted with reasonable advance notice to Partner, and shall take place during normal business hours to reasonably limit any disruption to Partner’s business.
IN WITNESS WHEREOF, this Data Protection Addendum has been signed by the Partner:
EXHIBIT A – STANDARD CONTRACTUAL CLAUSES (PROCESSOR)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
For purposes of this Exhibit A:
any reference to “data exporter” means Company, acting as data exporter, and
any reference to “data importer” means Partner or Partner’s Contractor
each a “party”; together “the parties”.
The parties have agreed on the following Standard Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Definitions
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorized access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
Liability
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).
Governing law
The Clauses shall be governed by the law of the Member State in which the data controller is established.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clauses.
Subprocessing
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data controller is established.
4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Obligation after the termination of personal data processing services
1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
The parties agree that if the data exporter is held liable for a violation of the Clauses committed by the data importer, the data importer will, to the extent to which it is liable, indemnify the data exporter for any cost, charge, damages, expenses or loss it has incurred.
APPENDIX 1 TO EXHIBIT A
This Appendix 1 forms part of the Clauses and must be completed and signed by the parties. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter is Company. Activities relevant to the transfer include the performance of services for Company and customers.
The data importer is Partner. Activities relevant to the transfer include the performance of services for Company under the Agreement.
The personal data transferred may concern the following categories of data subjects:
□ Company’s end users
□ Company’s employees
□ Affiliates and partners
Categories of data
The personal data transferred may concern the following categories of data:
□ Profile data (name, age, gender, physical address, telephone number, email address)
□ Financial and payment data (e.g. credit card number, transactions and past transactions)
□ Governmental IDs (passport copy or driver’s license)
□ Other: [complete]
The personal data transferred may be subject to the following basic processing activities, as may be further set forth in contractual agreements entered into from time to time between the Company and customers:
□ Customer service activities, such as processing orders, providing technical support and improving offerings
□ Sales and marketing activities
□ Consulting, professional, security, storage, hosting and other related services
□ Internal business processes and management, fraud detection and prevention, and compliance with governmental, legislative and regulatory bodies
Data Importer
Data Exporter
APPENDIX 2 TO EXHIBIT A
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(c), 4(d) and 5(c).
1. Security Management
Partner maintains a written information security management system (ISMS), in accordance with this Appendix, that includes policies, processes, enforcement and controls governing all storage, processing and transmission of Personal Data, designed to (a) secure Personal Data against accidental or unlawful loss, access or disclosure; (b) identify reasonably foreseeable external and internal risks to the security of, and unauthorized access to, the Partner Network; and (c) minimize security risks, including through risk assessment and regular testing. The information security program includes the following measures:
Partner actively follows information security trends and developments as well as legal developments with regard to the services provided, and especially with regard to Personal Data, and uses such insights to maintain its ISMS, as appropriate.
To the extent Partner processes cardholder or payment data (such as payment or credit card data), Partner will maintain its ISMS in accordance with the PCI DSS standard, extended to cover all Personal Data, or such other standard as is substantially equivalent to PCI DSS for the establishment, implementation and control of its ISMS. Additionally, Partner will be assessed against PCI DSS annually by an on-site assessment carried out by an independent Qualified Security Assessor (QSA) and, upon Company's request, not more than once annually, Partner will provide Company with its PCI DSS Attestation of Compliance.
2. Maintain an Information Security Policy
Partner’s ISMS is based on its security policies that are regularly reviewed (at least yearly) and maintained and disseminated to all relevant parties, including all personnel. Security policies and derived procedures clearly define information security responsibilities including responsibilities for:
• Maintaining security policies and procedures,
• Secure development, operation and maintenance of software and systems,
• Security alert handling,
• Security incident response and escalation procedures,
• User account administration,
• Monitoring and control of all systems as well as access to Personal Data.
Personnel are screened prior to hire and trained (and tested) through a formal security awareness program upon hire and annually. For service providers with whom Personal Data is shared, or that could affect the security of Personal Data, a process has been set up that includes initial due diligence prior to engagement and regular (typically yearly) monitoring.
Partner has implemented a risk-assessment process that is based on ISO 27005.
3. Secure Networks and Systems
Partner has installed and maintains a firewall configuration to protect Personal Data that controls all traffic allowed between Partner’s (internal) network and untrusted (external) networks, as well as traffic into and out of more sensitive areas within its internal network. This includes current documentation, change control and regular reviews.
Partner does not use vendor-supplied defaults for system passwords and other security parameters on any systems and has developed configuration standards for all system components consistent with industry-accepted system hardening standards.
4. Protection of Personal Data
Partner keeps Personal Data storage to a minimum and implements data retention and disposal policies to limit data storage to that which is necessary, in accordance with the needs of its customers.
Partner uses strong encryption for Personal Data anywhere it is stored, and one-way hashing where a stored value need not be recoverable (for example, authentication credentials). Partner has documented and implemented all necessary procedures to protect the cryptographic keys used to secure stored Personal Data against disclosure and misuse. All transmission of Personal Data across open, public networks is encrypted using strong cryptography and security protocols.
5. Vulnerability Management Program
Partner protects all systems against malware and regularly updates anti-virus software or programs to protect against malware – including viruses, worms, and Trojans. Anti-virus software is used on all systems commonly affected by malware to protect such systems from current and evolving malicious software threats.
Partner develops and maintains secure systems and applications by:
• Establishing and maintaining a process to identify and fix (e.g. through patching) security vulnerabilities, which ensures that all system components and software are protected from known vulnerabilities,
• Developing internal and external software applications, including web applications, securely, using a secure software development process based on best practices, such as code reviews and OWASP secure coding practices, that incorporates information security throughout the software development lifecycle,
• Implementing a stringent change management process and procedures for all changes to system components, which include strict separation of development and test environments from production environments and prevent the use of production data for testing or development.
6. Implementation of Strong Access Control Measures
“Partner Network” means the Partner’s data center facilities, servers, networking equipment, and host software systems (e.g. virtual firewalls) as employed by the Partner to process or store Personal Data.
The Partner Network will be accessible to employees, contractors and any other person only as necessary to provide the services to the Company. Partner will maintain access controls and policies to manage what access is allowed to the Partner Network from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls. Partner will maintain corrective action and incident response plans to respond to potential security threats.
Partner strictly restricts access to Personal Data by business need to know to ensure that critical data can only be accessed by authorized personnel. This is achieved by:
• Limiting access to system components and Personal Data to only those individuals whose job requires such access and
• Establishing and maintaining an access control system for systems components that restricts access based on a user’s need to know, with a default “deny-all” setting.
Partner identifies and authenticates access to all system components by assigning a unique identifier to each person with access. This ensures that each individual is uniquely accountable for their actions, and that any action taken on critical data and systems can be traced to a known and authorized user or process. Partner has implemented the processes necessary for proper user identification management, including control of the addition, deletion, modification, revocation and disabling of IDs and credentials, lockout of users after repeated failed access attempts, and timely termination of idle sessions.
User authentication uses at least passwords that must meet complexity rules, are changed on a regular basis, and are cryptographically secured in transmission and storage on all system components. All individual non-console administrative access and all remote access to the Partner Network use multi-factor authentication.
Authentication policies and procedures are communicated to all users. Group, shared or generic IDs and passwords are strictly prohibited.
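The following is an added illustration of the account-management controls this section requires (unique per-person IDs, passwords stored only as salted one-way derivations, lockout after repeated failed attempts, termination of idle sessions, and disabling of IDs with their live sessions). It is example code written for this page, not Partner's or Company's implementation, and the policy values (5 attempts, 30-minute lockout, 15-minute idle timeout, PBKDF2 iteration count) are assumptions chosen for the example; the second factor required for remote and administrative access is not modelled.

```python
"""Illustrative authentication store for the section 6 controls (added example)."""
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed policy values for illustration; the Addendum does not fix these numbers.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 30 * 60
IDLE_TIMEOUT_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 100_000   # production: tune upward, or prefer scrypt / Argon2id


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way derivation; only this output is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


class AuthStore:
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so lockout/idle behaviour can be tested
        self.users = {}         # unique user ID -> record (no group or generic IDs)
        self.sessions = {}      # session token -> {"user_id", "last_seen"}

    def add_user(self, user_id: str, password: str) -> None:
        if user_id in self.users:
            raise ValueError("user IDs must be unique")
        salt = os.urandom(16)
        self.users[user_id] = {"salt": salt, "digest": hash_password(password, salt),
                               "failures": 0, "locked_until": 0.0, "enabled": True}

    def disable_user(self, user_id: str) -> None:
        """Revocation: disable the ID and terminate every live session it holds."""
        self.users[user_id]["enabled"] = False
        for tok in [t for t, s in self.sessions.items() if s["user_id"] == user_id]:
            del self.sessions[tok]

    def login(self, user_id: str, password: str) -> Optional[str]:
        """Return a session token on success, None otherwise."""
        now = self.clock()
        rec = self.users.get(user_id)
        if rec is None or not rec["enabled"]:
            hash_password(password, b"\x00" * 16)   # same cost for unknown IDs (no ID oracle)
            return None
        if now < rec["locked_until"]:
            return None                             # locked out: password not evaluated
        if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["digest"]):
            rec["failures"] += 1
            if rec["failures"] >= MAX_FAILED_ATTEMPTS:
                rec["locked_until"] = now + LOCKOUT_SECONDS
                rec["failures"] = 0
            return None
        rec["failures"] = 0
        token = os.urandom(32).hex()
        self.sessions[token] = {"user_id": user_id, "last_seen": now}
        return token

    def authorize(self, token: str) -> Optional[str]:
        """Return the user ID behind a live session; idle sessions are terminated."""
        now = self.clock()
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if now - sess["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]
            return None
        sess["last_seen"] = now
        return sess["user_id"]


if __name__ == "__main__":
    store = AuthStore()
    store.add_user("uid1042", "correct horse battery staple")   # constructed sample user
    for _ in range(MAX_FAILED_ATTEMPTS):
        store.login("uid1042", "wrong")
    print("locked out:", store.login("uid1042", "correct horse battery staple") is None)
```

Note that the lockout check runs before the password is evaluated, so a locked ID cannot be probed further, and that `disable_user` removes live sessions rather than only blocking future logins, which is what "revocation" has to mean for an account that is already logged in.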
7. Restriction of Physical Access to Personal Data
Any physical access to data or systems that house Personal Data is appropriately restricted using suitable entry controls and procedures that distinguish between onsite personnel and visitors. Access to sensitive areas is controlled and includes processes for authorization based on job function and access revocation for personnel and visitors.
Media and backups are secured and (internal and external) distribution is strictly controlled. Media containing Personal Data no longer needed for business or legal reasons is rendered unrecoverable or physically destroyed.
8. Regular Monitoring and Testing of Networks
All access to network resources and Personal Data is tracked and monitored using centralized logging mechanisms that allow thorough tracking, alerting and analysis on a regular basis (at least daily) as well as when something does go wrong. All systems are provided with correct and consistent time, and audit trails are secured and protected, including file-integrity monitoring so that existing log data cannot be changed without generating an alert. Audit trails for critical systems are retained for a year.
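As an added illustration of what "audit trails are secured and protected" can mean in practice, the example below keeps an audit trail as an HMAC chain: each entry's MAC covers its own fields and the previous entry's MAC, so an edited, deleted or reordered entry breaks the chain at a verifiable position. This is example code written for this page, not Partner's logging implementation; the signing key, the field layout and the sample events are constructed assumptions. Truncating the tail of the trail is not detectable from the list alone, which is why the last MAC should also be recorded on a separate system.

```python
"""Tamper-evident audit trail via an HMAC chain (added example)."""
import hashlib
import hmac
import json

GENESIS = "0" * 64   # chain anchor used as the "previous MAC" of the first entry
FIELDS = ("ts", "actor", "action", "target", "prev")


def _mac(key: bytes, body: dict) -> str:
    # Canonical JSON so the same entry always yields the same MAC.
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_event(trail: list, key: bytes, ts: str, actor: str, action: str, target: str) -> dict:
    """Append an entry whose MAC also binds the previous entry's MAC."""
    prev = trail[-1]["mac"] if trail else GENESIS
    body = {"ts": ts, "actor": actor, "action": action, "target": target, "prev": prev}
    entry = dict(body, mac=_mac(key, body))
    trail.append(entry)
    return entry


def verify_trail(trail: list, key: bytes) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry.
    Detects edited entries, deleted or reordered entries, and entries produced
    with a different key (a forged entry fails at its own index)."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: entry[k] for k in FIELDS}
        if entry["prev"] != prev or not hmac.compare_digest(_mac(key, body), entry["mac"]):
            return i
        prev = entry["mac"]
    return -1


def build_sample_trail(key: bytes) -> list:
    """Constructed sample events for the demonstration; not real log data."""
    trail = []
    append_event(trail, key, "2024-05-01T08:00:00Z", "uid1042", "login", "vpn-gw-1")
    append_event(trail, key, "2024-05-01T08:03:12Z", "uid1042", "read", "customer-db/profiles")
    append_event(trail, key, "2024-05-01T08:05:40Z", "uid1042", "export", "customer-db/profiles")
    return trail


if __name__ == "__main__":
    key = b"example-log-signing-key"   # assumption: held by the log collector, not the logging host
    trail = build_sample_trail(key)
    print("intact, first bad index:", verify_trail(trail, key))
    trail[2]["action"] = "read"        # an attacker downgrades 'export' to 'read'
    print("after edit, first bad index:", verify_trail(trail, key))
```

The key must not live on the host that writes the log; if it does, an intruder with root can simply re-sign the chain. Sending entries to a central collector that computes the MACs, as the paragraph's "centralized logging" implies, keeps the key out of the attacker's reach.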
Security of systems and processes is regularly tested, at least yearly. This is to ensure that security controls for system components, processes and custom software continue to reflect a changing environment. Security testing includes:
• Processes to detect and respond to rogue wireless access points,
• Internal and external network vulnerability scans that are carried out at least quarterly; an external, qualified party carries out the external network vulnerability scans,
• External and internal penetration tests using Partner's penetration test methodology, which is based on industry-accepted penetration testing approaches, covers all relevant systems and includes application-layer as well as network-layer tests.
All test results are kept on record and any findings are remediated in a timely manner.
Partner does not allow penetration tests carried out by or on behalf of its customers.
In daily operations an IDS (intrusion detection system) is used to detect and alert on intrusions into the network, and file-integrity monitoring has been deployed to alert personnel to unauthorized modification of critical systems.
9. Incident Management
Partner has implemented and maintains an incident response plan and is prepared to respond immediately to a system breach. Incident management includes:
• Definition of roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of customers,
• Specific incident response procedures,
• Analysis of legal requirements for reporting compromises,
• Coverage of all critical system components,
• Regular review and testing of the plan,
• Incident management personnel who are available 24/7,
• Training of staff,
• Inclusion of alerts from all security monitoring systems,
• Modification and evolution of the plan according to lessons learned and to incorporate industry developments.
Partner has also implemented a business continuity process (BCP) and a disaster recovery process (DRP), which are maintained and regularly tested. Data backup processes have been implemented and are tested regularly.
10. Physical Security.
Physical Access Controls. Physical components of the Partner Network are housed in nondescript facilities (“Facilities”). Physical barrier controls are used to prevent unauthorized entrance to Facilities both at the perimeter and at building access points. Passage through the physical barriers at the Facilities requires either electronic access control validation (e.g., card access systems, etc.) or validation by human security personnel (e.g., contract or in-house security guard service, receptionist, etc.). Employees and contractors are assigned photo-ID badges that must be worn while the employees and contractors are at any of the Facilities. Visitors are required to sign in with designated personnel, must show appropriate identification, are assigned a visitor ID badge that must be worn while the visitor is at any of the Facilities, and are continually escorted by authorized employees or contractors while visiting the Facilities.
Limited Employee and Contractor Access. Partner provides access to the Facilities only to those employees and contractors who have a legitimate business need for such access privileges. When an employee or contractor no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked, even if the employee or contractor continues to be an employee of Partner or its affiliates.
Physical Security Protections. All access points (other than main entry doors) are maintained in a secured (locked) state. Access points to the Facilities are monitored by video surveillance cameras designed to record all individuals accessing the Facilities. Partner also maintains electronic intrusion detection systems designed to detect unauthorized access to the Facilities, including monitoring points of vulnerability (e.g., primary entry doors, emergency egress doors, etc.) with door contacts, or other devices designed to detect individuals attempting to gain access to the Facilities. All physical access to the Facilities by employees and contractors is logged and routinely audited.
11. Continued Evaluation
Partner will conduct periodic reviews of the security of its Partner Network and the adequacy of its information security program as measured against industry security standards and its own policies and procedures. Partner will continually evaluate the security of its Partner Network to determine whether additional or different security measures are required to respond to new security risks or to findings generated by the periodic reviews.