SHINDIG DATA PROCESSING ADDENDUM
Effective: May 1, 2020
This Data Processing Addendum (“Addendum”) including its Annexes and Appendices forms part of the Services Agreement or other written electronic agreement, and is made by and between:
- Shindig, Inc. (“SHINDIG”), a Delaware corporation, with its principal office at 433 Broadway - Suite 505, New York, NY 10013 (the “Data Processor”); and
- The data controller, identified in the signatory block of this Addendum (the “Data Controller”).
WHEREAS, both Data Controller and Data Processor may be collectively referred to as the Parties;
WHEREAS, the Parties have agreed that it will be necessary for the Data Processor to process certain personal data on behalf of the Data Controller; and
WHEREAS, in light of this processing, the Parties have agreed to the terms of this Addendum to address the compliance obligations imposed upon them pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016;
NOW THEREFORE, the Parties hereby agree as follows.
- SUBJECT MATTER OF THIS DATA PROCESSING ADDENDUM
- This Data Processing Addendum applies exclusively to the processing of personal data that is subject to EU Data Protection Law in the scope of the Addendum between the Parties for the provision and service management of video conferencing services (“Services”) (the “Service Agreement”).
- The term Data Protection Law shall mean the following:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter, “General Data Protection Regulation” or “GDPR”); and
- Any national data protection law implemented by an EU/EEA member to supplement the GDPR such as but not limited to the United Kingdom’s Data Protection Act 2018 (regardless of Brexit), Germany’s Bundesdatenschutzgesetz (BDSG), Denmark’s Data Protection Act, etc. as relevant to the jurisdiction and the processing of personal or sensitive information according to the scope of the Services Agreement.
- Terms such as “Processing”, “Personal Data”, “Data Controller” and “Processor” shall have the meaning ascribed to them in the EU Data Protection Law.
- Insofar as the Data Processor will be processing Personal Data subject to EU Data Protection Law on behalf of the Data Controller in the course of the performance of the Service Agreement with the Data Controller the terms of this Data Processing Addendum shall apply. An overview of the categories of Personal Data, the types of Data Subjects, and purposes for which the Personal Data are being processed is provided in Annex 2.
- THE DATA CONTROLLER AND THE DATA PROCESSOR
- The Data Controller will determine the scope, purposes, and manner by which the Personal Data may be accessed or processed by the Data Processor. The Data Processor will process the Personal Data only as set forth in Data Controller’s written instructions.
- The Data Processor will only process the Personal Data on documented instructions of the Data Controller (including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which the Data Processor is subject) in such manner as, and to the extent that, this is appropriate for the provision of the Services, except as required to comply with a legal obligation to which the Data Processor is subject. In such a case, the Data Processor shall inform the Data Controller of that legal obligation before processing, unless that law explicitly prohibits the furnishing of such information to the Data Controller. The Data Processor shall never process the Personal Data in a manner inconsistent with the Data Controller’s documented instructions. The Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.
- The Parties have entered into a Service Agreement in order to benefit from the expertise of the Processor in securing and processing the Personal Data for the purposes set out in Annex 2. The Data Processor shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue those purposes, subject to the requirements of this Data Processing Addendum.
- Data Controller warrants that it has all necessary rights to provide the Personal Data to Data Processor for the Processing to be performed in relation to the Services. To the extent required by Applicable Data Protection Law, Data Controller is responsible for ensuring that any necessary data subject consents to this Processing are obtained, and for ensuring that a record of such consents is maintained. Should such a consent be revoked by the data subject, Data Controller is responsible for communicating the fact of such revocation to the Data Processor, and Data Processor remains responsible for implementing any Data Controller instruction with respect to the further processing of that Personal Data.
- Without prejudice to any existing contractual arrangements between the Parties, the Data Processor shall treat all Personal Data as strictly confidential and it shall inform all its employees, agents and/or approved sub-processors engaged in processing the Personal Data of the confidential nature of the Personal Data. The Data Processor shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.
- Taking into account the state of the art, the costs of implementation and the nature, scope, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, without prejudice to any other security standards agreed upon by the Parties, the Data Controller and Data Processor shall implement appropriate technical and organizational measures to ensure a level of security of the processing of Personal Data appropriate to the risk. These measures shall include as appropriate:
- measures to ensure that the Personal Data can be accessed only by authorized personnel for the purposes set forth in Annex 2 of this Data Processing Addendum;
- In assessing the appropriate level of security, account shall be taken in particular of all the risks that are presented by processing, for example from accidental or unlawful destruction, loss, or alteration, unauthorized or unlawful storage, processing, access or disclosure of Personal Data;
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of Personal Data;
- measures to identify vulnerabilities with regard to the processing of Personal Data in systems used to provide services to the Data Controller; and
- the measures agreed upon by the Parties in Annex 3.
- The Data Processor shall at all times have in place an appropriate written security policy with respect to the processing of Personal Data, outlining in any case the measures set forth in Section 4.1.
- At the request of the Data Controller, the Data Processor shall demonstrate the measures it has taken pursuant to this Section 4 and shall allow the Data Controller to audit and test such measures. The Data Controller shall be entitled on giving at least 14 days’ notice to the Data Processor to carry out, or have carried out by a third party who has entered into a confidentiality agreement with the Data Processor, audits of the Data Processor’s premises and operations as these relate to the Personal Data. The Data Processor shall cooperate with such audits carried out by or on behalf of the Data Controller and shall grant the Data Controller’s auditors reasonable access to any premises and devices involved with the Processing of the Personal Data. The Data Processor shall provide the Data Controller and/or the Data Controller’s auditors with access to any information relating to the Processing of the Personal Data as may be reasonably required by the Data Controller to ascertain the Data Processor’s compliance with this Data Processing Addendum.
- IMPROVEMENTS TO SECURITY
- The Parties acknowledge that security requirements are constantly changing, and that effective security requires frequent evaluation and regular improvements of outdated security measures. The Data Processor will therefore evaluate the measures as implemented in accordance with Section 4 on an on-going basis and will tighten, supplement and improve these measures in order to maintain compliance with the requirements set out in Section 4. The Parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security requirements set forth in applicable data protection law or by data protection authorities of competent jurisdiction.
- Where an amendment to the Service Agreement is necessary in order to execute a Data Controller instruction to the Data Processor to improve security measures as may be required by changes in applicable data protection law from time to time, the Parties shall negotiate an amendment to the Service Agreement in good faith.
- DATA TRANSFERS
- The Data Processor shall immediately notify the Data Controller of any (planned) permanent or temporary transfers of Personal Data to a country outside of the European Economic Area without an adequate level of protection and shall only perform such a (planned) transfer after obtaining authorization from the Data Controller, which may be refused at its own discretion. Annex 5 provides a list of transfers for which the Data Controller grants its consent upon the conclusion of this Data Processing Addendum.
- To the extent that the Data Controller or the Data Processor are relying on a specific statutory mechanism to normalize international data transfers that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, the Data Controller and the Data Processor agree to cooperate in good faith to promptly terminate the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer.
- INFORMATION OBLIGATIONS AND INCIDENT MANAGEMENT
- When the Data Processor becomes aware of an incident that impacts the Processing of the Personal Data that is the subject of the Services Agreement, it shall promptly notify the Data Controller about the incident, shall at all times cooperate with the Data Controller, and shall follow the Data Controller’s instructions with regard to such incidents, in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.
- The term “incident” used in Section 7.1 shall be understood to mean in any case:
- a complaint or a request with respect to the exercise of a data subject’s rights under EU Data Protection Law;
- an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent;
- any unauthorized or accidental access, processing, deletion, loss or any form of unlawful processing of the Personal Data;
- any breach of the security and/or confidentiality as set out in Sections 3 and 4 of this Data Processing Addendum leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place;
- where, in the opinion of the Data Processor, implementing an instruction received from the Data Controller would violate applicable laws to which the Data Controller or the Data Processor are subject.
- The Data Processor shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an incident. Where the incident is reasonably likely to require a data breach notification by the Data Controller under applicable EU Data Protection Law, the Data Processor shall implement its written procedures in such a way that it is in a position to notify the Data Controller no later than 24 hours of having become aware of such an incident.
- Any notifications made to the Data Controller pursuant to this Section 7 shall be addressed to the employee of the Data Controller whose contact details are provided in Annex 1 of this Data Processing Addendum, and shall contain:
- a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
- the name and contact details of the Data Processor’s data protection officer or another contact point where more information can be obtained;
- a description of the likely consequences of the incident; and
- a description of the measures taken or proposed to be taken by the Data Processor to address the incident including, where appropriate, measures to mitigate its possible adverse effects.
- CONTRACTING WITH SUB-PROCESSORS
- The Data Controller authorizes the Data Processor to engage sub-processors (Annex 4) for the Service-related activities described in Annex 2. Data Processor shall not add or replace any such sub-processors listed in Annex 4 without giving the Data Controller an opportunity to object to such changes.
- The Data Processor shall not engage in any future subcontracting of its Service-related activities related to the processing of the Personal Data or requiring Personal Data to be processed by any third party without the prior written authorization of the Data Controller.
- Notwithstanding any authorizations by the Data Controller within the meaning of the preceding paragraphs, the Data Processor shall remain fully liable vis-à-vis the Data Controller for the performance of any such sub-processor that fails to fulfil its data protection obligations.
- The consent of the Data Controller pursuant to paragraphs 8.1 and 8.2 shall not alter the fact that consent is required under Section 6 for the engagement of sub-processors in a country outside the European Economic Area without a suitable level of protection.
- The Data Processor shall ensure that the sub-processor is bound by the same data protection obligations of the Data Processor under this Data Processing Addendum, shall supervise compliance thereof, and must in particular impose on its sub-processors the obligation to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of EU Data Protection Law.
- The Data Controller may request that the Data Processor audit a Third Party Sub-processor or provide confirmation that such an audit has occurred (or, where available, obtain or assist the Data Controller in obtaining a third-party audit report concerning the Third Party Sub-processor’s operations) to ensure compliance with the obligations imposed on it by the Data Processor in conformity with this Addendum.
- The Data Processor shall not engage any sub-processors located outside of the European Economic Area without employing an acceptable instrument for cross-border data transfers such as Standard Contractual Clauses or the EU-US Privacy Shield (if the destination is located within the United States).
- RETURNING OR DESTRUCTION OF PERSONAL DATA
- Upon termination of this Data Processing Addendum, upon the Data Controller’s written request, or upon fulfillment of all purposes agreed in the context of the Services whereby no further processing is required, the Data Processor shall, at the discretion of the Data Controller, either delete, destroy or return all Personal Data to the Data Controller and destroy or return any existing copies.
- The Data Processor shall notify all third parties supporting its own processing of the Personal Data of the termination of the Data Processing Addendum and shall ensure that all such third parties shall either destroy the Personal Data or return the Personal Data to the Data Controller, at the discretion of the Data Controller.
- ASSISTANCE TO DATA CONTROLLER
- The Data Processor shall assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights under the GDPR.
- The Data Processor shall assist the Data Controller in ensuring compliance with the obligations pursuant to Section 4 (Security) and prior consultations with supervisory authorities required under Article 36 of the GDPR taking into account the nature of processing and the information available to the Data Processor.
- The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the Data Processor’s obligations and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
- LIABILITY AND INDEMNITY
- The Data Processor indemnifies the Data Controller and holds the Data Controller harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the Data Controller and arising directly or indirectly out of or in connection with a breach of this Data Processing Addendum and/or the Applicable Data Protection Law by the Data Processor. The Data Controller indemnifies the Data Processor and holds the Data Processor harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the Data Processor and arising directly or indirectly out of or in connection with a breach of this Data Processing Addendum and/or the Applicable Data Protection Law by the Data Controller.
- DURATION AND TERMINATION
- This Data Processing Addendum shall come into effect as of the date of this contract execution as noted in the signature block.
- Termination or expiration of this Data Processing Addendum shall not discharge the Data Processor from its confidentiality obligations pursuant to Section 3.
- The Data Processor shall process Personal Data until the date of termination of the Service Agreement, unless instructed otherwise by the Data Controller, or until such data is returned or destroyed on instruction of the Data Controller.
- In the event of any inconsistency between the provisions of this Data Processing Addendum and the provisions of the Service Agreement, the provisions of this Data Processing Addendum shall prevail.
- This Data Processing Addendum is governed by the laws noted in the Services
NOW THEREFORE, the Parties hereby execute this addendum.
| Signed for and on behalf of the Data Controller | Signed for and on behalf of the Data Processor (Shindig, Inc.) |
|---|---|
| | |
Annex 1: Contact Information
Contact privacy or security officer details, if applicable, of Shindig, Inc., as the Data Processor.
Contact information of the privacy / security officer of the Data Controller.
Annex 2: Description of Personal Data Processed
Personal data that will be processed in the scope of the Service Agreement and the purposes for which these data will be processed is defined as follows:
Subject Matter: Virtual meeting room services with dial-in capabilities.
Purpose of processing: Processor processes Personal Data on behalf of the Controller in order to provision and provide virtual meeting room services to the Controller. According to the Service Agreement, the subject matter, purpose of data processing, nature of data processing, and categories of data subjects are defined below.
Nature of data processing: Personal Data may be collected according to the Services Agreement to support the Shindig service, and the processing activity may involve collection, storage, duplication, electronic viewing, deletion and destruction of Personal Data.
Categories of Data Subjects: The categories of data subjects may include employees of the Controller and its affiliates, including partners and contractors, and the Controller’s meeting participants.
Provisioning Data: The following provisioning data is collected to establish services for Shindig video users. This information is stored and associated with an individual’s profile.
- Contact Name
- Email Address
- Phone Number
- Geographic Location
- Dialing Address
Meeting Metadata: The following information is collected only if a person uses the portal to schedule a meeting and invite other participants.
- Meeting Title
- Meeting participant names
- Call log details
- Display name of participants
- Inbound URIs and/or IP addresses of participants
- Call duration
Conference Media: The following media may be processed during any videoconferencing session:
- Audio streams
- Video streams
- Content sharing
- Online presence
Meeting Chat Messages: The following information may be collected if a person uses the chat tool to relay instant messages to others or groups attending the meeting.
- Participant Name
- Chat Message
- Timestamp of Message
- Files transferred (when applicable)
Reporting Data: The following information is stored in a database to facilitate generating a report for the purpose of support and audit, and to provide utilization metrics in regards to the Shindig service.
- Meeting Title
- Meeting Participant Names
- Call Log Details
- Display Name of Participants
- Inbound URIs and/or IP Addresses of Participants
- Call Duration
Recording When Applicable: The following information is only applicable if a user records a video meeting; this must be initiated by the users, and at the time of recording initiation, all participants in the meeting are notified that the session is being recorded.
- Email Address
- Call Log Details (Display name, URI, duration, stream title, stream viewer IP, IP address);
- Virtual Meeting Room Dialing Information
- Virtual Meeting Room Pin Code (if applicable)
- Customer meta data (Meeting title, meeting participant names, index tag)
- Audio Media
- Video Media
- Content Sharing Media
Support Data: The following data could be associated with incident management (ticketing), if a user opens a ticket with the support desk and requests help to redress a conference issue.
- Contact Name
- Email Address
- Phone Number
- Geographic location
- Call/Meeting Data
- Device logs
- Call log details if applicable for troubleshooting, which usually include H.323 and SIP call negotiation and maintenance events from the local and remote terminals.
- Device-specific details such as applications, operating system, hardware components, performance metrics and firmware; the names of applications that can be shared from the end user’s device; and global contact/address lists associated with the device.
Annex 3: Security Measures
Annex 3 describes the adopted security measures cemented in an Information Security Management System (ISMS) for the purpose of protecting Personal Data and information, primarily with a view to meeting pre-defined requirements of applicable data protection and privacy law across Controller markets. These requirements have largely been derived from legislation across Controller markets mandating fundamental security measures for the protection of Personal Data and are intended to provide a harmonized and single standard.
These requirements are applied for the protection of Personal Data on behalf of the Controller.
- A person responsible for the overall compliance with these minimum-security requirements shall be designated as the Security Officer. This person shall be suitably trained and experienced in managing information security and provided with appropriate resources to effectively ensure compliance.
- The contact details of the Security Officer shall be promptly provided to the Controller.
Security Plan and Document
- The measures adopted to comply with these minimum-security requirements shall be the subject of a security plan and set out in a security document, which shall be kept up to date, and revised whenever relevant changes are made to the Information System or to how it is organized. The security document shall record significant changes to the security measures or the processing activities.
- The security plan shall address security measures relating to the modification and maintenance of the system used to Process Personal Data, including the development and maintenance of applications, appropriate vendor support, an inventory of hardware and software, and physical security, including security of the buildings or premises where data Processing occurs, security of data equipment and telecommunication infrastructure and environmental controls.
- Data security mechanisms for securing the integrity and confidentiality of the data, classification of the data.
- Security of computers and telecommunication systems including procedures for managing back-up copies, procedures dealing with computer viruses, procedures for managing signal/codes, security for software implementation, security related to databases, security for connecting systems to the Internet, inspection of circumvention of data system, mechanisms for keeping account of attempts to break system security or gain unauthorized access.
- The security plan shall include:
- a Disaster Recovery Plan which shall set out: measures to minimize interruptions to the normal functioning of the system; limit the extent of any damage and disasters; enable a smooth transition of Personal Data from one computer system to another; if necessary, provide for alternative means of operating a computer system; educate, exercise and familiarize personnel with emergency procedures; provide for fast and smooth system recovery, and minimize the economic effects of any disaster event.
- a Contingency Plan which must address the following possible dangers to the system and appropriate criteria to determine when the Plan should be triggered: the critical functions and systems, the strategy for protecting the system and priorities in the event the Plan is activated; an inventory of relevant staff members to be called upon during an emergency, as well as telephone numbers of other relevant parties; a set of procedures for calculating the damage incurred; realistic time management plans to enable the recovery of the system; clearly allocated staff duties; possible use of alarms and special devices (e.g., air filters, noise filters); in the event of a fire, special equipment should be available (e.g., fire extinguisher, water pumps, etc.); devices or methods for determining temperature, humidity and other environmental factors (e.g., air conditioning, thermometers, etc.); special security software to detect breaches of security; special generators for dealing with power cuts; retention of copies of software or materials in other protected buildings to avoid inadvertent loss.
- The security document shall be available to staff who have access to Personal Data and the Information Systems, and must cover the following aspects as a minimum:
- The scope, with a detailed specification of protected resources;
- The measures, standards, procedures, code of conduct rules and norms to guarantee security, including for the control, inspection and supervision of the Information Systems;
- The functions and obligations of staff;
- The structure of files containing Personal Data and a description of the Information Systems on which they are Processed;
- The purposes for which the Information Systems may be used;
- The procedures for reporting, managing and responding to incidents;
- The procedures for making back-up copies and recovering data including the person who undertook the process, the data restored and, as appropriate, which data had to be input manually in the recovery process.
- The security document and any related records and documentation shall be retained for a minimum period of 5 years from the end of the Processing.
Functions and Obligations of Staff
- Only those employees who have demonstrated honesty, integrity and discretion should be Authorized Users or have access to premises where Information Systems or media containing Personal Data are located. Staff should be bound by a duty of confidentiality in respect of any access to Personal Data.
- The necessary measures shall be adopted to train and make staff familiar with these minimum-security requirements, any relevant policies and applicable laws concerning the performance of their functions and duties in respect of the Processing of Personal Data and the consequences of any breach of these requirements.
- The functions and obligations of staff having access to Personal Data and the Information Systems shall be clearly defined and documented.
- Authorized Users shall be instructed to the effect that electronic equipment should not be left unattended and made accessible during Processing sessions.
- Physical access to areas where any Personal Data are stored shall be restricted to Authorized Users.
- The disciplinary measures for a breach of the security plan shall be clearly defined and documented and communicated to staff.
- Only those employees who have a legitimate operational need to access the Information Systems or carry out any Processing of Personal Data shall be authorized to do so (“Authorized Users”).
- An authorization system shall be used where different authorization profiles are used for different purposes.
- Every Authorized User must be issued with a personal and unique identification code for that purpose (“User ID”).
- A User ID may not be assigned to another person, even at a subsequent time.
- An up-to-date record shall be kept of Authorized Users, and the authorized access available to each, and identification and authentication procedures shall be established for all access to Information Systems or for carrying out any Processing of Personal Data.
- Authorized Users shall be allowed to Process Personal Data if they are provided with authentication credentials such as to successfully complete an authentication procedure relating either to a specific Processing operation or to a set of Processing operations.
- Authentication must be based on a secret password associated with User ID, and which password shall only be known to the Authorized User; alternatively, authentication shall consist in an authentication device that shall be used and held exclusively by the person in charge of the Processing and may be associated with either an ID code or a password, or else in a biometric feature that relates to the person in charge of the Processing and may be associated with either an ID code or a password.
- One or more authentication credentials shall be assigned to, or associated with, an Authorized User.
- There must be a procedure that guarantees password confidentiality and integrity, covering the assignment, distribution and storage of passwords. Passwords must be stored in a way that makes them unintelligible while they remain valid (for example, only as a salted one-way hash, never in clear text).
- Passwords shall consist of at least eight characters or, if the relevant Information Systems do not permit this, of the maximum number of characters permitted. Passwords shall not contain any item that can be easily related to the Authorized User in charge of the Processing. They must be changed at intervals set out in the security document: the Authorized User shall change the password to a secret value known only to them on first use, and at least every six months thereafter.
- The instructions provided to Authorized Users shall lay down the obligation, as a condition of accessing the Information Systems, to take such precautions as may be necessary to ensure that the confidential component(s) in the credentials are kept secret and that the devices used and held exclusively by Authorized Users are kept with due care.
- Authentication credentials shall be de-activated if they have not been used for at least six months, except for those that have been authorized exclusively for technical management and support purposes.
- Authentication credentials shall be also de-activated if the Authorized User is disqualified or de-authorized from accessing the Information Systems or Processing Personal Data.
- Where data or electronic equipment may only be accessed by using the confidential component(s) of an authentication credential, written instructions shall be given in advance specifying how the controller can ensure that the data or equipment remain available if the person in charge of the Processing is absent or unavailable for a long time and certain activities must be carried out without delay, exclusively for purposes of system operation and security. In that case, copies of the credentials shall be kept in a manner that ensures their confidentiality, and the entities in charge of keeping them shall be named in writing. Those entities shall inform the person in charge of the Processing, without delay, of any activities carried out with the credentials.
- Only Authorized Users shall have access to Personal Data, including when stored on any electronic or portable media or when transmitted. Authorized Users shall have authorized access only to those data and resources necessary for them to perform their duties.
- A system for granting Authorized Users access to designated data and resources shall be used.
- Authorization profiles for each individual Authorized User or for homogeneous sets of Authorized Users shall be established and configured prior to the start of any Processing in such a way as to only enable access to data and resources that are necessary for Authorized Users to perform their duties.
- It shall be verified regularly, and at least yearly, that the prerequisites for retaining each authorization profile still apply. This review may also cover the list of Authorized Users drawn up by homogeneous category of task and the corresponding authorization profile.
- Measures shall be put in place to prevent a user gaining unauthorized access to, or use of, the Information Systems. In particular, firewalls and/or intrusion detection systems reflecting the state of the art and industry best practice should be installed to protect the Information Systems from unauthorized access. Measures shall be put in place to identify when the Information Systems have been accessed or Personal Data has been Processed without authorization, or where there have been unsuccessful attempts at the same.
- Operating system or database access controls must be correctly configured to ensure authorized access.
- Only those staff authorized in the security document shall be authorized to grant, alter or cancel authorized access by users to the Information Systems.
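As an added illustration, and not part of the Addendum or Shindig's own code, the following Python sketch implements the credential rules above: a unique User ID that is never reassigned, passwords of at least eight characters that do not contain the User ID, storage as a salted one-way hash (scrypt is assumed; the Addendum only requires that stored passwords be unintelligible), a forced change on first use and after six months, de-activation of credentials unused for six months (with the technical/support exemption), and immediate de-activation on de-authorization. The six-month periods are approximated as 182 days, and the class, function and field names are this example's own.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed parameters derived from the measures above (six months ~ 182 days).
MIN_PASSWORD_LENGTH = 8
MAX_PASSWORD_AGE = timedelta(days=182)   # change at least every six months
INACTIVITY_LIMIT = timedelta(days=182)   # de-activate credentials unused for six months


class PasswordPolicyError(ValueError):
    """Raised when a proposed password violates the policy."""


def validate_password(user_id: str, password: str) -> None:
    """Minimum length, and the one 'easily related item' this sketch checks: the User ID itself."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise PasswordPolicyError("password must have at least 8 characters")
    if user_id.lower() in password.lower():
        raise PasswordPolicyError("password must not contain the User ID")


def hash_password(password: str, salt: bytes) -> bytes:
    """scrypt (memory-hard KDF): the stored digest is unintelligible without the password,
    and the per-user salt defeats precomputed tables."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


@dataclass
class Credential:
    user_id: str
    salt: bytes
    digest: bytes
    set_at: datetime
    must_change: bool = True          # first use forces a change to a user-chosen secret
    technical: bool = False           # technical/support credentials are exempt from inactivity expiry
    last_used: Optional[datetime] = None
    active: bool = True


class CredentialStore:
    """In-memory store; a real deployment would persist this and log every decision."""

    def __init__(self) -> None:
        self._creds: Dict[str, Credential] = {}

    def issue(self, user_id: str, initial_password: str, now: datetime, technical: bool = False) -> None:
        # De-authorized IDs stay in the table (inactive), so a User ID can never be reassigned.
        if user_id in self._creds:
            raise ValueError("User ID already issued; IDs are never reassigned")
        validate_password(user_id, initial_password)
        salt = os.urandom(16)
        self._creds[user_id] = Credential(user_id, salt, hash_password(initial_password, salt),
                                          now, technical=technical)

    def authenticate(self, user_id: str, password: str, now: datetime) -> str:
        """Returns 'ok', 'change_required', 'deactivated' or 'denied'."""
        cred = self._creds.get(user_id)
        if cred is None or not cred.active:
            return "denied"
        last_activity = cred.last_used or cred.set_at
        if not cred.technical and now - last_activity >= INACTIVITY_LIMIT:
            cred.active = False            # unused for six months: de-activate before checking the secret
            return "deactivated"
        if not hmac.compare_digest(hash_password(password, cred.salt), cred.digest):
            return "denied"
        cred.last_used = now
        if cred.must_change or now - cred.set_at >= MAX_PASSWORD_AGE:
            return "change_required"
        return "ok"

    def change_password(self, user_id: str, old: str, new: str, now: datetime) -> None:
        if self.authenticate(user_id, old, now) in ("denied", "deactivated"):
            raise PermissionError("old password rejected")
        validate_password(user_id, new)
        cred = self._creds[user_id]
        cred.salt = os.urandom(16)         # fresh salt on every change
        cred.digest = hash_password(new, cred.salt)
        cred.set_at = now
        cred.must_change = False

    def deauthorize(self, user_id: str) -> None:
        """De-activate immediately when the user loses authorization."""
        self._creds[user_id].active = False


def run_scenario() -> List[str]:
    """Constructed walk-through of the lifecycle; returns the authentication outcomes in order."""
    t0 = datetime(2020, 5, 1, tzinfo=timezone.utc)
    store = CredentialStore()
    out = []
    store.issue("alice", "Tr0ub4dor&3", t0)
    out.append(store.authenticate("alice", "Tr0ub4dor&3", t0))                                # first use
    store.change_password("alice", "Tr0ub4dor&3", "correct-horse-battery", t0)
    out.append(store.authenticate("alice", "correct-horse-battery", t0 + timedelta(days=1)))
    out.append(store.authenticate("alice", "wrong-password", t0 + timedelta(days=1)))
    out.append(store.authenticate("alice", "correct-horse-battery", t0 + timedelta(days=100)))
    out.append(store.authenticate("alice", "correct-horse-battery", t0 + timedelta(days=190)))  # password aged out
    store.issue("bob", "Tr0ub4dor&3", t0)
    out.append(store.authenticate("bob", "Tr0ub4dor&3", t0 + timedelta(days=200)))            # unused six months
    out.append(store.authenticate("bob", "Tr0ub4dor&3", t0 + timedelta(days=201)))
    store.issue("svc-backup", "Tr0ub4dor&3", t0, technical=True)
    out.append(store.authenticate("svc-backup", "Tr0ub4dor&3", t0 + timedelta(days=400)))     # exempt from expiry
    store.deauthorize("alice")
    out.append(store.authenticate("alice", "correct-horse-battery", t0 + timedelta(days=191)))
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The inactivity check runs before the password is verified, so an expired credential is retired regardless of whether the attempt would have succeeded, and comparison of digests uses a constant-time function. Lockout after repeated failures, the second factor (device or biometric) mentioned above, and the audit trail of each decision are left out of this sketch.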
Management of Media
- Information Systems and physical media storing Personal Data must be housed in a secure physical environment. Measures must be taken to prevent unauthorized physical access to premises housing Information Systems.
- Organizational and technical instructions shall be issued with regard to keeping and using the removable media on which the data are stored in order to prevent unauthorized access and Processing.
- Media containing Personal Data must permit the kind of information they contain to be identified, must be inventoried (recording the time of data entry, the Authorized User who entered the data, the person from whom the data was received, and the Personal Data entered), and must be stored at a physical location with physical access restricted to staff authorized in the security document to have such access.
- When media are to be disposed of or reused, the necessary measures shall be taken, before they are withdrawn from the inventory, to prevent any subsequent retrieval of the Personal Data and other information stored on them and to prevent that information from being made intelligible or reconstructed by any technical means. All reusable media used for the storage of Personal Data must be overwritten three times with randomized data prior to disposal or re-use.
- The removal of media containing Personal Data from the designated premises must be specifically authorized by the controller.
- Media containing Personal Data must be erased or rendered unreadable if it is no longer used or prior to disposal.
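The following Python routine is an added example of the three-pass random overwrite required above, not code from the Addendum or from Shindig: it overwrites a file with fresh random bytes three times, forces each pass to disk, verifies that the final pass is what is actually stored, unlinks the file, and returns the entry for the inventory withdrawal. The function and record field names are this example's own, and the sample CSV it sanitizes is constructed test data.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict

OVERWRITE_PASSES = 3        # required by the measure above
CHUNK = 1 << 20             # 1 MiB of fresh random data per write


def overwrite_in_place(path: str, passes: int = OVERWRITE_PASSES) -> str:
    """Overwrite the whole file `passes` times with random bytes, fsync after each pass,
    then re-read and verify that the final pass is what is on disk. Returns its SHA-256."""
    size = os.path.getsize(path)
    last_pass = hashlib.sha256()
    with open(path, "r+b") as f:
        for p in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = os.urandom(min(CHUNK, remaining))   # new randomness every pass
                f.write(chunk)
                if p == passes - 1:
                    last_pass.update(chunk)
                remaining -= len(chunk)
            f.flush()
            os.fsync(f.fileno())     # without this the passes can collapse in the page cache
    with open(path, "rb") as f:
        on_disk = hashlib.sha256(f.read()).hexdigest()
    if on_disk != last_pass.hexdigest():
        raise RuntimeError("verification failed: final pass not fully written")
    return on_disk


def sanitize(path: str, passes: int = OVERWRITE_PASSES) -> Dict[str, object]:
    """Overwrite, verify and remove the file; return the record to file with the inventory."""
    size = os.path.getsize(path)
    digest = overwrite_in_place(path, passes)
    os.remove(path)
    return {
        "path": path,
        "bytes": size,
        "passes": passes,
        "final_digest": digest,
        "withdrawn_at": datetime.now(timezone.utc).isoformat(),
    }


def demo() -> Dict[str, bool]:
    """Constructed sample: a CSV export with fake addresses, sanitized in a temporary directory."""
    sample = b"name,email\nAlice Example,alice@example.org\n" * 100   # constructed test data
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "export.csv")
        with open(path, "wb") as f:
            f.write(sample)
        overwrite_in_place(path)           # first, show what the overwrite leaves behind
        with open(path, "rb") as f:
            after = f.read()
        record = sanitize(path)            # then the full procedure (a further three passes, then unlink)
        return {
            "size_preserved": len(after) == len(sample),
            "plaintext_gone": b"alice@example.org" not in after,
            "contents_changed": after != sample,
            "file_removed": not os.path.exists(path),
            "record_ok": record["bytes"] == len(sample) and record["passes"] == OVERWRITE_PASSES,
        }


if __name__ == "__main__":
    print(demo())
```

A file-level overwrite only reaches the blocks the filesystem currently maps to that file. On flash and SSD media, wear levelling and over-provisioning keep stale copies the host cannot address, and copy-on-write, journaling or snapshotting filesystems can retain earlier versions as well; for those media the device's own secure-erase or crypto-erase command, or physical destruction, is the appropriate measure, and the overwrite here should be applied to the whole block device rather than to individual files.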
Distribution of Media and Transmission
- Media containing Personal Data must only be available to Authorized Users.
- Printing and copying processes must be physically controlled by Authorized Users to ensure that no prints or copies containing Personal Data are left in printers or copying machines.
- Media containing Personal Data or printed copies of Personal Data must contain the classification mark “Confidential”.
- Encryption (128-bit or stronger) or another equivalent form of protection must be used to protect Personal Data that is electronically transmitted over a public network or stored on a portable device, or where there is a requirement to store or Process Personal Data in a physically insecure environment.
- Paper documents containing Personal Data must be transferred in a sealed container / envelope that indicates clearly that the document must be delivered by hand to an Authorized User.
- When media containing Personal Data are to leave the designated premises as a result of maintenance operations, the necessary measures shall be taken to prevent any unauthorized retrieval of the Personal Data and other information stored on them.
- A system for recording incoming and outgoing media must be set up which permits direct or indirect identification of the kind of media, the date and time, the sender/recipient, the number of media, the kind of information contained, how they are sent and the person responsible for receiving/sending them, who must be duly authorized.
- Where Personal Data is transmitted or transferred over an electronic communications network, measures shall be put in place to control the flow of data and to record the timing of the transmission or transfer, the Personal Data transmitted or transferred, its destination, and details of the Authorized User conducting the transmission or transfer.
Preservation, Back-up copies and Recovery
- Tools must be in place to prevent the unintended deterioration or destruction of Personal Data.
- Procedures must be defined and laid down for making back-up copies and for recovering data. These procedures must guarantee that Personal Data files can be reconstructed in the state they were in at the time they were lost or destroyed.
- Back-up copies must be made at least once a week, unless no data have been updated during that period.
Anti-Virus / Intrusion Detection
- Anti-virus software and/or intrusion detection systems shall be installed on the Information Systems to protect against attacks or other unauthorized acts in respect of the Information Systems. Anti-virus software and intrusion detection systems shall be updated regularly in accordance with the state of the art and industry best practice for the Information Systems concerned, and at least every six months.
- The software, firmware and hardware used in the Information Systems shall be reviewed regularly in order to detect vulnerabilities and flaws in the Information Systems and resolve such vulnerabilities and flaws. This review shall be carried out at least annually.
- A history of Authorized Users’ access to or disclosure of Personal Data shall be recorded on a secure audit trail.
Physical Access Record
- Only those staff duly authorized in the security document may have physical access to the premises where Information Systems and media storing Personal Data are stored. A record of staff who access such premises shall be maintained, including name, date and time of access.
Record of Incidents
- There shall be a procedure for reporting, responding to and managing security incidents such as data breaches or attempts at unauthorized access. This shall include as a minimum:
- A procedure for reporting such incidents/ breaches to appropriate management within the processor;
- A clearly designated team for managing and co-ordinating the response to an incident led by the Security Officer;
- A documented and tested process for managing the response to an incident including the requirement to keep appropriate issues and action logs to include the time at which the incident occurred, the person reporting the incident, to whom it was reported and the effects thereof;
- The requirement on the processor to notify the controller immediately if it appears that Personal Data was involved in the incident or breach or may be impacted or affected in some way; and
- The processor security/ incident management team should where appropriate work together with the controller’s security representatives until the incident or breach has been satisfactorily resolved.
Annex 4: List of Approved Subprocessors
The following subprocessors have been vetted and may be involved in aspects of processing Personal Data according to the instructions of Shindig.
| Subprocessor | Purpose of Processing Activity | Registered Business Address | Location of Processing | Link to Privacy/Security Policy |
|---|---|---|---|---|