Data Processing Agreement (Insight and Supplier)

PLEASE READ THIS DATA PROCESSING AGREEMENT (HEREINAFTER CALLED THE “DPA” OR THIS “AGREEMENT”) CAREFULLY AS IT FORMS A BINDING CONTRACT BETWEEN THE SUPPLIER AND INSIGHT (AS EACH IS DEFINED BELOW). INSIGHT AND SUPPLIER ARE INDIVIDUALLY REFERRED TO AS “PARTY” AND COLLECTIVELY AS “PARTIES”.

THIS AGREEMENT IS INCORPORATED INTO AND FORMS PART OF THE SUPPLY AGREEMENT (AS DEFINED BELOW) BETWEEN THE PARTIES. THE SUPPLY AGREEMENT BETWEEN THE PARTIES REQUIRES OR MAY REQUIRE THAT SUPPLIER PROCESSES OR MAY HAVE ACCESS TO PERSONAL DATA ON BEHALF OF INSIGHT. THIS DPA TOGETHER WITH ITS EXHIBIT(S) SPECIFY THE OBLIGATIONS OF THE PARTIES WHEN INSIGHT ACTS AS A CONTROLLER AND SUPPLIER AS A PROCESSOR.

The “Effective Date” of this DPA is the effective date of the Supply Agreement referencing this DPA.

AGREEMENT

This Data Processing Agreement has been entered into by and between the Insight entity (“Insight”) and the Supplier entity (“Supplier”) specified in the applicable Supply Agreement.

WHEREAS

  (a) Insight and Supplier have entered and/or may enter into agreement(s) regarding the supply of IT products and/or IT related services (together the “Services”) on the basis of which Supplier will deliver the Services to Insight, Insight’s Affiliates and/or either of their clients (“Client”) (the “Supply Agreement”);
  (b) Pursuant to the Supply Agreement, Supplier may process Data (as defined below) on behalf of Insight and/or Insight’s Affiliates in its performance and support of the Services and to comply with its other obligations under the Supply Agreement, on the terms of this Agreement.

THE PARTIES HAVE AGREED ON THE FOLLOWING:

1.    Definitions

1.1.    All capitalized terms not defined in this Agreement shall have the meanings set forth in the Supply Agreement. In this Agreement, the following terms shall have the following meanings:

(a)    “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of 50% or more of the voting interests of the subject entity.

(b)    “Client” shall have the meaning given in section (a) of the preamble above.

(c)    "controller", "processor", "data subject", "personal data", "processing" shall have the meanings given in the Data Protection Legislation.

(d)    “Data” shall mean any and all information of any sort or nature that Insight provides or makes available to Supplier, that is otherwise accessed, or that Supplier (or its Sub-processors) creates on behalf of Insight, under or in connection with the Supply Agreement(s) or this Agreement, including but not limited to any Confidential Information (as defined in the Supply Agreement(s)), personal data, or other data or information, regardless of media in which such information is stored or how it may be transmitted.

(e)    "Data Protection Legislation" shall mean as applicable to either Party or to the Services, any laws, rules or regulations relating to data privacy, trans-border data flow or data protection, including, but not limited to: (i) all applicable European and/or United Kingdom and/or Swiss data protection legislation including the UK Data Protection Act 2018 ("UK GDPR”), the General Data Protection Regulation ((EU) 2016/679) (“GDPR”), the Swiss Federal Data Protection Act (“Swiss DPA”), and any national implementing laws, regulations and secondary legislation, as amended or succeeded from time to time, in the UK, Switzerland or the EU and any individual member state; (ii) any other privacy and data security law, rule, regulation, declaration, decree, directive, statute, or other enactment, order, mandate or resolution issued or enacted by any governmental entity (including any domestic or foreign, supra-national, state, county, municipal, local, territorial or other government) applicable to the protection of the personally identifiable information or data of natural persons or households, including, but not limited to, the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. §1320d) (“HIPAA”) and US state privacy laws including, without limitation, the California Consumer Privacy Act of 2018 and the California Consumer Privacy Rights Act of 2020, Virginia’s Consumer Data Protection Act, Colorado Privacy Act, Connecticut’s Act Concerning Data Privacy and Online Monitoring, Utah Consumer Privacy Act; similar US state laws as they may be hereafter enacted and any implementing regulations of the foregoing (collectively “US State Comprehensive Privacy Laws”); and (iii) any laws, rules, regulations, declarations, decrees, directives, statutes, or other enactments, orders, mandates, or resolutions issued or enacted by any governmental entity (including any domestic or foreign, supra-national, state, county, municipal, local, territorial, or other government) that replace, extend, re-enact, consolidate or amend any of the foregoing.

(f)      "Data Subject Request” shall have the meaning given in section 9.1 below.

(g)    “EEA” shall mean the European Economic Area.

(h)    “Security Incident” means the actual or suspected accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, and/or access to, the Data, or any other acts, omissions, events or circumstances that fall within the definition of “security incident,” “security breach,” “data breach,” and the like, under applicable Data Protection Legislation. Security Incident shall also include any incidents that present a risk to the security of the network and information systems of the entity.

(i)    “Services” shall have the meaning given in section (a) of the preamble above.

(j)    “Standard Contractual Clauses” means (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR ("UK SCCs"); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or recognised by the Swiss Federal Data Protection and Information Commissioner (the "Swiss SCCs").

(k)    “Sub-processor” shall have the meaning given in section 6.1 below.

(l)    “Supply Agreement” shall have the meaning given in section (a) of the preamble above.

(m)    “TOMs” shall have the meaning given in section 5.1 below.

(n)    “UK” shall mean the United Kingdom.

2.    Relationship of the Parties

2.1.    Supplier shall comply with all applicable Data Protection Legislation. Insight is the data controller and Supplier is the processor of any Data processed by Supplier for the purpose of performing the Services. Except to the extent where Supplier is considered a data controller pursuant to Data Protection Legislation, Supplier shall process such Data as a data processor on Insight’s and/or Insight’s Affiliates’ behalf and in accordance with Insight’s documented instructions.

2.2.    To the extent that Client is the data controller and Insight the data processor, Supplier shall be Insight’s sub-processor and the terms of this Agreement shall be interpreted accordingly.

3.    Processing of Data

3.1.    The subject-matter, nature and purpose of the data processing is described in Schedule 1, which may be further specified or superseded in a Services order or a subsequent agreement between the Parties.

3.2.    Supplier shall only process Data on the written instructions of Insight and only to the extent, and in such manner, as is necessary for the supply of Services, unless the Supplier is otherwise obligated by Data Protection Legislation to process Data. Where the Supplier is so otherwise required, it shall promptly notify Insight in writing of this before performing the required processing unless otherwise prohibited.

3.3.    In no event shall Supplier process Data for its own purposes or those of any third party.

4.    Obligations of Supplier

4.1.    Supplier shall:

a)      process Data specifically for the performance of the Services; and shall not retain, use, or disclose such Personal Information for any purpose other than performing the Services under the Supply Agreement or as otherwise permitted under applicable Data Protection Legislation (including US State Comprehensive Privacy Laws), nor shall it retain, use, or disclose the Personal Information for a commercial or business purpose other than providing the Services as part of the direct business relationship between Insight and Supplier and unless otherwise permitted under the Supply Agreement;

b)    in its provision of the Services to Insight, Insight’s Affiliates and/or Client under the Supply Agreement, Supplier shall comply with all Data Protection Legislation, including US State Comprehensive Privacy Laws as applicable to it if it is a service provider or processor as defined under relevant law, and Insight may take any reasonable steps to stop any unauthorized processing of Personal Information by Supplier as required under California Consumer Privacy Act of 2018 and the California Consumer Privacy Rights Act of 2020; and

c)     ensure that all personnel of Supplier who access Data (i) have a need to know or access the Data as necessary for the purposes of performing and/or supporting the Services under the Supply Agreement or to comply with Data Protection Legislation, (ii) do so under obligations of confidentiality, (iii) have undergone comprehensive training in the care, protection, and handling of the Data and cybersecurity which training they receive on a regular basis, and (iv) where appropriate to the Services provided, have undergone a reasonable verification of their background.

Additionally, to the extent Supplier is a service provider or processor, and receives from Insight data that constitutes personal information, as defined under those laws (“Personal Information”), Supplier, in its role as a service provider or processor, will (i) not sell or share, as each such term is defined under those laws (“Sell”), such Personal Information and (ii) notify Insight if it cannot comply with its obligations under Data Protection Legislation.

5.    Security measures

5.1.    Supplier shall have in place all appropriate technical and organisational measures (“TOMs”), including without limitation to protect against unauthorised or unlawful processing of Data and against accidental loss or destruction of, unauthorized disclosure of, or access or damage to, the Data and against any cybersecurity incidents. Without limiting the foregoing, Supplier shall have taken and shall at all times maintain the TOMs contained in Schedule 2 to this Agreement.

5.2.    TOMs must include as appropriate pseudonymising and encrypting the Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the TOMs adopted by Supplier. TOMs must also include appropriate cybersecurity measures, including with regard to the security of the Services. Supplier shall not make any material changes to security requirements, location of servers and functionality without prior written consent of Insight. 

6.    Sub-processors

6.1.    Insight generally authorises Supplier (a) to appoint third parties to process Data (“Sub-processor(s)”) and (b) to transfer the Data to such Sub-processors as necessary for the performance of the Services, to the extent such Sub-processors are explicitly identified in the relevant Supply Agreement, together with a description of the services provided by them, and the duration and location of processing. Supplier shall make available an up-to-date list of the Sub-processors it has appointed upon written request from Insight and undertakes to notify Insight if it adds any new Sub-processors at least twenty (20) calendar days prior to allowing such Sub-processor to process Data by submitting a written notification to dpo@insight.com or to any other email address notified to Supplier by Insight for that purpose. Insight may object in writing to Supplier’s appointment of a new Sub-processor within twenty (20) calendar days of such notice. In such event, the Parties will discuss such concerns in good faith with a view to achieving resolution. If the Parties are not able to achieve resolution, Insight may terminate for convenience and without liability the specific Services supplied pursuant to the Supply Agreement that rely upon and cannot reasonably be provided in accordance with the Supply Agreement without the appointment of the new Sub-processor.  

6.2.    With respect to each Sub-processor, Supplier will:

a)      Ensure that the arrangement between Supplier and the Sub-processor is governed by a written contract including terms which offer at least an equivalent level of security and protection for Data as those set out in this Agreement and compliant with Data Protection Legislation; and

b)      If that arrangement involves an international transfer of Data, ensure that the Standard Contractual Clauses, or other valid alternative transfer mechanism under Data Protection Legislation, are at all relevant times incorporated into the relevant agreement(s) between Supplier and the Sub-processor.

6.3.    Supplier shall remain fully liable for all acts or omissions of any Sub-processors.

7.    International transfers

7.1.    Supplier shall not transfer any Data (protected by the GDPR, UK GDPR or Swiss DPA) outside of the EEA, the UK, or Switzerland unless the prior written consent of Insight has been given and the Supplier has taken such measures such that the transfer and resulting processing is subject to a compliant transfer mechanism where one is required by Data Protection Legislation.

7.2.    If any Data (protected by the GDPR, UK GDPR or Swiss DPA) is transferred to any third party located in a country outside the EEA, the UK and/or Switzerland that the applicable authorities have not recognized as providing an adequate level of protection for personal data, then the Standard Contractual Clauses shall apply, or other alternative transfer mechanism (e.g., Binding Corporate Rules) permitted by Data Protection Legislation. To the extent that Insight, within the region, is transferring Data directly to Supplier outside of the EEA, the UK or Switzerland and (where required) pursuant to the Data Protection Legislation, which direct transfer is reflected in, or reasonably follows from, the (territorial) scope and purpose of the relevant Services agreement and/or as further detailed in (the manner of placing) the Supply Agreement, Insight is considered a data controller and data exporter and Supplier is considered a data processor and data importer. Schedule 1 shall be used to document the subject-matter, nature and purpose of the data processing in respect of any such exports of Data, which may be further specified or superseded in a specific Supply Agreement.

7.3.    In relation to transfers of Data protected by the GDPR, the EU SCCs shall apply, completed as follows:

7.3.1.     Module Two – Controller to Processor will apply when Insight is considered the data controller and Supplier is considered the data processor; Module Three – Processor to Processor will apply when Insight is considered the data processor and Supplier is considered Insight’s sub-processor;

7.3.2.     In Clause 7, the optional docking clause will not apply;

7.3.3.     In Clause 9, Option 2 will apply and the time period for prior notice of Sub-processor changes shall be set out in Section 6.1 of this Agreement;

7.3.4.     In Clause 11, the optional language will not apply;

7.3.5.     In Clause 17, Option 1 will apply, and the EU SCCs will be governed by Dutch law;

7.3.6.     In Clause 18(b), disputes shall be resolved before the courts of the Netherlands;

7.3.7.     Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 1 to this Agreement, as applicable; and

7.3.8.     Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule 2 to this Agreement.

7.4.    In relation to transfers of Data protected by the UK GDPR, the UK SCCs shall apply, completed as follows:

7.4.1.     In Table 1 of the UK SCCs, the Parties’ details and key contact information are located in Annex 1(A) of Schedule 1 of this Agreement;

7.4.2.     In Table 2 of the UK SCCs, information about the version of the Approved EU SCCs, modules and selected clauses which this UK International Data Transfer Agreement is appended to is located in Section 7.3 of this Agreement;

7.4.3.     In Table 3 of the UK SCCs: The list of Parties is located in Annex 1(A) of this Schedule 1. The description of the transfer is set forth in Annex 1(B) (Nature and Purpose of the Processing) of Schedule 1 (Description of the Processing/Transfer). Annex II is located in Schedule 2; and

7.4.4.     In Table 4 of the UK SCCs, both the importer and the exporter may terminate the UK SCCs in accordance with the terms of the UK SCCs.

7.5.    In case of any transfers of Data from the United Kingdom and/or transfers of Data from Switzerland, (a) general and specific references in the EU SCCs to GDPR or EU or member state law shall have the same meaning as the equivalent reference in the Data Protection Legislation of the United Kingdom or Switzerland, as applicable; and (b) any other obligation in the EU SCCs determined by the member state in which the data exporter or data subject is established shall refer to an obligation under the UK GDPR or the Swiss DPA, as applicable. To the extent that and for so long as the EU SCCs as implemented in accordance with this Agreement cannot be relied on by the Parties to lawfully transfer Data in compliance with the UK GDPR or the Swiss DPA, as applicable, the applicable standard data protection clauses issued, adopted or permitted under the UK GDPR or the Swiss DPA, as applicable, shall be incorporated by reference, and the annexes, appendices or tables of such clauses shall be deemed populated with the relevant information set out in Schedules 1 and 2 of this Agreement.

8.    Access to Data by a Public Authority

8.1.    Supplier represents and warrants that as of the date of this Agreement, it has not received any directive under Section 702 of the U.S. Foreign Intelligence Surveillance Act, codified at 50 U.S.C. § 1881a or EO 12.333.

8.2.    Supplier shall implement appropriate technical and organizational safeguards to protect Data against any interference that goes beyond what is necessary in a democratic society to safeguard national security, defense, and public security.

8.3.    If Supplier receives a legally binding request to access Data from a government agency or law enforcement authority, including judicial authorities (“Public Authority”), Supplier shall, unless otherwise legally prohibited, promptly notify Insight and provide a written summary of the nature of the request to Insight. To the extent Supplier is prohibited by law from providing such notification, Supplier shall use commercially reasonable efforts to obtain a waiver of the prohibition to enable Supplier to communicate to Insight as much information as possible, as soon as possible. Further, Supplier shall challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful. Supplier shall pursue possibilities of appeal.

8.4.    When challenging a request, Supplier shall seek interim measures to suspend the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the Data requested until required to do so under the applicable procedural rules. Supplier agrees it will provide the minimum amount of information and Data both necessary and permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

8.5.    Supplier shall promptly notify Insight if Supplier becomes aware of any direct access by a Public Authority to Data and provide information available to Supplier in this respect, to the extent permitted by law. For the avoidance of doubt, this Section 8 shall not require Supplier to pursue action or inaction that may likely result in civil or criminal penalty for Supplier such as contempt of court.

9.    Cooperation Rights, Data Subject Requests and Assistance

9.1.    Supplier shall provide timely assistance to Insight to enable Insight to respond to:

a)      any request from a data subject to exercise any of its rights under Data Protection Legislation (including its rights of access, correction, objection, erasure and data portability, as applicable) (“Data Subject Request”); and

b)      any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data.

9.2.    If Supplier receives a Data Subject Request, Supplier will:

a)      promptly redirect the data subject to Insight; and

b)      not respond to that Data Subject Request except on the documented instructions of Insight or as required by Data Protection Legislation to which Supplier is subject, in which case Supplier, to the extent permitted by the Data Protection Legislation, shall inform Insight of that legal requirement before Supplier responds to the Data Subject Request. Supplier will stop processing data on request by Insight made in accordance with a data subject’s authenticated request.

9.3.    Supplier shall promptly and fully assist Insight in ensuring compliance with its obligations under the Data Protection Legislation including without limitation with respect to Security Incident notifications, data protection impact assessments, and consultations with supervisory authorities or regulators; this includes providing to Insight all information necessary to demonstrate compliance with its obligations under applicable Data Protection Legislation.

10.    Security Incidents

10.1.    If Supplier becomes aware of an actual or suspected Security Incident, Supplier shall notify Insight promptly without undue delay, and at the latest within twenty-four (24) hours, on becoming aware of such Security Incident, and shall provide information and cooperation to Insight so that Insight can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Data Protection Legislation.

10.2.    The notification referred to above shall at least: (a) describe the nature of the Security Incident including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; (b) communicate the name and contact details of the Supplier’s data protection officer or other contact point where more information can be obtained; (c) describe the likely consequences of the Security Incident; (d) describe the measures taken or proposed to be taken by Supplier to address Security Incident, including, where appropriate, measures to mitigate its possible adverse effects; and (e) include all information reasonably requested by Insight.

10.3.    Supplier shall further take all necessary or appropriate measures and actions to remedy or mitigate the effects of the Security Incident, even if potential, and shall keep Insight informed on all significant developments in connection with the Security Incident.

10.4.    Any limitation of liability provisions in the Supply Agreement(s) will not apply to this Agreement. Subject to Section 10.5, to the greatest extent permissible under applicable law, neither Party will be liable to the other Party under this Agreement for any incidental, consequential, indirect or special damages.

10.5.    The Parties hereby stipulate that the following shall be considered direct damages (and shall not be considered incidental, consequential, indirect or special damages): (a) reasonable fees, costs and expenses (for purposes of this paragraph collectively, “costs”) arising out of or in connection with investigation, remediation, mitigation, administration, and/or management of the Security Incident; (b) forensic and investigative costs; (c) consultant, expert, legal professional, and public relations/reputation management professional costs; (d) costs to find and/or recover lost or compromised data; (e) costs of compliance with Security Incident reporting laws, or with legally required or customarily provided notices to regulators, other governmental agencies, Clients, individuals and/or households; (f) amounts due or payable under statutory/regulatory provisions, such as governmental agency fines and/or penalties; and (g) the cost of providing credit monitoring services and call center support to the extent required by applicable Data Protection Legislation or customary in the applicable jurisdiction taking into account the nature and scope of the Security Incident.

11.    Audit

11.1.    Supplier shall maintain complete and accurate records and information to demonstrate its compliance with this Agreement.

11.2.    Supplier shall permit Insight (or its appointed third-party auditors) to audit Supplier’s compliance with this Agreement, and shall make available to Insight all information, systems and staff necessary for Insight (or its third-party auditors) to conduct such audit. Supplier acknowledges that Insight (or its third-party auditors) may enter its premises for the purposes of conducting this audit, provided that Insight gives it reasonable prior notice of its intention to audit, conducts its audit during normal business hours, and takes reasonable measures intended to prevent unnecessary disruption to Supplier’s operations. Supplier shall provide a report of such assessment to Insight upon request. 

11.3.    Insight will not exercise its audit rights more than once in any twelve (12) calendar month period, except (i) if and when required by instruction of a competent data protection authority or otherwise under Data Protection Legislation; (ii) Insight reasonably believes a further audit is necessary due to a Security Incident suffered by Supplier; or (iii) in response to a Client or governmental request or contractual obligation.

12.    Deletion or Return of Data

12.1.    Upon termination or expiry of this Agreement, Supplier shall destroy or return to Insight on Insight’s written request all Data (including all copies of Data) in its possession or control (including Data provided or made available to any Sub-processors). Upon receipt of written request from Insight, Supplier will provide written certification to Insight that it has complied with this Section 12.1.

12.2.    This requirement shall not apply to the extent that Supplier is required by applicable law to retain some or all of the Data, or to Data it has archived on back-up systems, which data Supplier shall securely isolate and protect from any further processing except to the extent required by such law. Supplier’s obligations under this Agreement with respect to the Data Supplier (or its Sub-processors at any tier) has retained shall continue for so long as Supplier (or its Sub-processors at any tier) retains any such Data.

13.    Indemnification

13.1.    Notwithstanding any other provision of the Supply Agreement, Supplier shall indemnify Insight and its Affiliates fully against all claims, liabilities, costs, expenses, damages and losses (including but not limited to any legal costs (calculated on a full indemnity basis) and all other reasonable professional costs and expenses) suffered or incurred by Insight, Insight's Affiliates and/or Clients arising out of or in connection with: (i) any breach of this Agreement by or attributable to Supplier; (ii) any violation of Data Protection Legislation by Supplier or any of its Sub-processors (at any tier); or (iii) the processing of any Data under this Agreement by Supplier or any Sub-processor. This includes without limitation any third-party claim, demand or action, or any breach of statutory duty or non-compliance with any part of this Agreement, or any Data Protection Legislation, by Supplier, its employees, servants, agents or Sub-processors (including, without limitation, claims against Insight, Insight’s Affiliates, and/or Clients).

14.    Miscellaneous

14.1.    From the date of its entry into effect, this Agreement supersedes all prior data processing agreements or clauses between the Parties and/or their Affiliates (without affecting rights and obligations accrued thereunder or in relation to any breach) with respect to the subject matter hereof, and constitutes the entire and only agreement between the Parties relating to the subject matter hereof, including but not limited to the processing of Data by Supplier.

14.2.    Any subsequent additions, deletions or modifications to this Agreement are not binding unless agreed upon in writing by authorized representatives of both Parties. 

14.3.    If any part of this Agreement is for any reason found to be invalid, illegal or unenforceable, all other parts will remain in effect. 

14.4.    In the event that any provision of the Supply Agreement contradicts any provision of this Agreement, the provision of this Agreement will prevail. If there is any conflict between this Agreement and the Standard Contractual Clauses where and to the extent the Standard Contractual Clauses are applicable, the Standard Contractual Clauses will prevail with respect to such Data that is subject to the GDPR or the UK GDPR.

14.5.    This Agreement will be governed by the substantive laws of the jurisdiction agreed upon in the Supply Agreement without giving effect to any conflict of law rules.

14.6.    Any dispute arising out of or in relation to this Agreement or the execution thereof shall be submitted to the competent court as agreed upon in the Supply Agreement.

Schedule 1 – Description of the Processing / Transfer

This Schedule 1 includes certain details of the processing of Data as required by Article 28(3) GDPR.

This Schedule 1 may be superseded in respect of a particular Service(s) by inclusion of a new schedule within a statement of work (“SOW”) for that SOW.

Annex 1(A): List of Parties

Data Exporter: Insight entity specified in the Supply Agreement

Address: as specified in the Supply Agreement

Contact person’s name, position and contact details:

Role: data controller

Data Importer: Supplier entity specified in the Supply Agreement

Address: as specified in the Supply Agreement

Contact person’s name, position and contact details: as specified in the Supply Agreement or as otherwise notified to Insight in writing

Role: data processor

Annex 1(B): Description of Processing / Transfer

  1. SCOPE AND SUBJECT MATTER OF THE PROCESSING

    The subject matter of the processing is set out in the applicable Supply Agreement and any related individual contract(s) for the supply of Services entered into between Insight and Supplier.

  2. NATURE AND PURPOSE OF PROCESSING

    The performance of the Services, as further documented in the applicable Supply Agreement and any related individual contract(s) for the supply of Services entered into between Insight and Supplier.

  3. FREQUENCY AND DURATION OF THE PROCESSING

    Processing and transfers of Data will be continuous for the duration necessary for:

    • the performance of the Services;
    • any other purposes stipulated in the Supply Agreement or any related individual contract(s) for the supply of Services entered into between Insight and Supplier.

  4. TYPES OF DATA

    • Contact details including name, email address, postal address, phone number
    • Other Data provided or made available by Insight

  5. CATEGORIES OF DATA SUBJECT

    • Insight employees, contractors, Clients, and customers of Clients
    • Other Data provided or made available by Insight

Annex 1(C): Competent Supervisory Authority

The competent supervisory authority, in accordance with Clause 13 of the New EU SCCs, must be (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter's EU representative has been appointed pursuant to Article 27(1) of the GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located. With respect to the processing of personal data to which the UK GDPR applies, the competent supervisory authority is the Information Commissioner's Office (the “ICO”). With respect to the processing of personal data to which the Swiss DPA applies, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

Schedule 2 – Technical and Organisational Measures

The following technical and organisational measures are implemented in relation to the processing of Data, in accordance with Data Protection Legislation (including Articles 28 and 32 (1) of the GDPR):

1. Confidentiality

1.1.  Physical Access Control

Measures suitable for preventing unauthorized persons from gaining access to data processing systems with which personal data are processed or used.

Technical Measures:
☒ Alarm system
☒ Automatic access control system
☒ Biometric access barrier
☒ Smart cards / transponder system
☒ Manual locking system
☒ Security lock
☒ Locking system with code lock
☒ Protection of building shafts
☒ Doors with outside knob
☒ Doorbell system with camera
☒ Video surveillance of entrances

Organizational Measures:
☒ Key regulation / list
☒ Front Desk / Reception / gatekeeper
☒ Visitor book / protocol of visitors
☒ Employee / visitor passes
☒ Visitors accompanied by staff
☒ Care in selection of security staff
☒ Care in selection of cleaning services

1.2.  Logical Access Control

Measures suitable for preventing data processing systems (computers) from being used by unauthorized persons.

Technical Measures:
☒ Login with username + password
☒ Login with biometric data
☒ Anti-Virus-Software Server
☒ Anti-Virus-Software Clients
☒ Anti-Virus-Software mobile devices
☒ Firewall
☒ Intrusion Detection System
☒ Mobile Device Management
☒ Use of VPN for remote access
☒ Encryption of data carriers
☒ Encryption of smartphones
☒ Case locking
☒ BIOS protection (separate password)
☒ Locking of external interfaces (USB)
☒ Automatic desktop lock
☒ Encryption of notebooks/tablets
☒ Endpoint Detection & Response (EDR) systems
☒ Phishing simulation tools

Organizational Measures:
☒ Manage user permissions
☒ Creating user profiles
☒ Central password assignment
☒ “Secure password” policy
☒ “Delete / Destroy” policy
☒ “Clean desk” policy
☒ General privacy and/or security policy
☒ Mobile Device Policy
☒ “Manual desktop lock” policy
☒ Annual and quarterly cybersecurity awareness training

1.3.  Data Access Control

Measures that ensure that those authorized to use a data processing system can only access the data subject to their access authorization and that personal data cannot be read, copied, modified or removed without authorization during processing, use and after storage.

Technical Measures:
☒ Document shredder (at least level 3, Cross Cut)
☒ External document shredder (DIN 32757)
☒ Physical deletion of data media
☒ Logging of access to applications and systems

Organizational Measures:
☒ Use of authorization concepts
☒ Minimum number of administrators
☒ Data protection vault
☒ Management of user rights by administrators

1.4.  Separation Control

Measures that ensure that data collected for different purposes can be processed separately.

Technical Measures:
☒ Separation of production and test environment
☒ Physical separation (systems / databases / data carriers)
☒ Multitenancy of relevant applications

Organizational Measures:
☒ Control via authorization concept
☒ Determination of database rights
☒ Data records are provided with purpose attributes

1.5.  Pseudonymization

The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without recourse to additional information, provided that such additional information is stored separately and is subject to appropriate technical and organizational measures.

Technical Measures:
☒ In case of pseudonymization: separation of assignment data and storage in separate and secured systems (possibly encrypted).

Organizational Measures:
☒ Internal instruction to anonymize / pseudonymize personal data as far as possible in the event of data transmission or even after the expiration of the legal deletion period.

2. Integrity

2.1.  Transmission Control

Measures to ensure that personal data cannot be read, copied, altered or removed without authorization during electronic transmission or while being transported or stored on data media, and that it is possible to check and determine to which entities personal data is intended to be transmitted by data transmission equipment.

Technical Measures:
☒ E-Mail encryption
☒ Use of VPN
☒ Logging of accesses and retrievals
☒ Secure transport containers
☒ Provision via encrypted connections such as sftp, https
☒ Use of signature procedures

Organizational Measures:
☒ Documentation of data recipients and duration of planned transfer or deletion periods
☒ Overview of regular retrieval and transmission processes
☒ Transfer in anonymized or pseudonymized form
☒ Care in the selection of transport personnel and vehicles
☒ Personal handover with protocol
☒ Patch management policy with defined SLA per severity
☒ Log retention policy and log review procedures

2.2.  Input Control

Measures that ensure that it is possible to check and determine retrospectively whether and by whom personal data has been entered into, modified or removed from data processing systems.

Technical Measures:
☒ Technical logging of data entry, modification and deletion
☒ Manual or automated control of logs
☒ Vulnerability scanner and CVE tracker

Organizational Measures:
☒ Oversight of which programs can be used to enter, change or delete which data
☒ Traceability of data entry, modification and deletion through individual user names (not user groups)
☒ Assignment of rights to enter, change and delete data based on an authorization process
☒ Retention of forms from which data has been transferred to automated processes
☒ Clear responsibilities for deletions
☒ Monthly vulnerability reports
☒ Documented vulnerability risk management process, reviewed annually
☒ Risk treatment plans with ownership and deadlines

3. Availability and Resilience

3.1.  Availability Control

Measures to ensure that personal data is protected against accidental destruction or loss.

Technical Measures:
☒ Fire and smoke detection systems
☒ Fire extinguisher server room
☒ Server room monitoring temperature and humidity
☒ Server room air conditioned
☒ UPS (Uninterruptible power supply)
☒ Protective socket strips server room
☒ Data protection safe (S60DIS, S120DIS, other suitable standards with swelling seal etc.)
☒ RAID System / hard disk mirroring
☒ Video surveillance server room
☒ Alarm message in case of unauthorized access to server room
☒ Central SIEM platform
☒ 24/7 monitoring team or contracted MDR provider

Organizational Measures:
☒ Backup & recovery concept (formulated)
☒ Control of the backup procedure
☒ Regular tests for data recovery and logging of results
☒ Storage of backup media in a secure location outside the server room
☒ No sanitary connections in or above the server room
☒ Existence of an emergency plan (e.g. the German BSI IT-Grundschutz 100-4)
☒ Separate partitions for operating systems and data
☒ Business continuity plan including cyberattacks
☒ Third-party risk management framework

4. Procedures for regular review, assessment, and evaluation

4.1.  Data Protection Management

Technical Measures:
☒ Use of software solutions for data protection management
☒ Central documentation of all procedures and regulations for data protection with access for employees according to need/authorization
☒ Security certification according to ISO 27001, BSI IT-Grundschutz or ISIS12
☒ Other documented security concept
☒ Regular review of the effectiveness of technical protection measures (at least annually)
☒ Secure coding guidelines adopted

Organizational Measures:
☒ Appointment of a data protection officer (DPO)
☒ Employees trained and bound to confidentiality/data secrecy
☒ Regular employee awareness training (at least annually)
☒ Appointment of an information security officer (ISO)
☒ Implementation of data protection impact assessment (DPIA) if needed
☒ Implementation of information obligations pursuant to Art. 13 and 14 GDPR
☒ Formalized process for handling requests for information from data subjects is in place
☒ Management board assumes accountability for cybersecurity
☒ Security responsibilities defined in corporate governance
☒ Regular board-level reporting on cybersecurity risks and status
☒ Ownership and accountability defined for all critical assets
☒ Procedures for onboarding/offboarding assets

4.2.  Incident Response Management

Support for the response to security breaches.

Technical Measures:
☒ Use of firewall and regular updating
☒ Use of spam filter and regular updating
☒ Use of virus scanner and regular updating
☒ Intrusion Detection System (IDS)
☒ Intrusion Prevention System (IPS)

Organizational Measures:
☒ Documented process for detecting and reporting security incidents / data breaches within the twenty-four (24) and seventy-two (72) hour deadlines
☒ Documented process for handling security incidents / data breaches
☒ Involvement of DPO and/or ISO (if available) in case of security incidents / data breaches
☒ Documentation of security incidents and data breaches, e.g. via ticket system
☒ Formal process and responsibilities for following up on security incidents and data breaches

4.3.  Order Control

Measures that ensure that personal data processed on behalf of the data controller can only be processed in accordance with the data controller’s instructions.

Organizational Measures:
☒ Entering into contractual terms with the contractor in accordance with applicable data protection legislation, including obligations with regard to data protection and data security
☒ Conclusion of the necessary agreement on commissioned data processing or EU standard contractual clauses
☒ Agreement on effective control rights towards the contractor

Version April 2025