Data Protection Agreement

Transcription

1 Data Protection Agreement between... (the Controller ) and S.C. BITDEFENDER S.R.L. (hereafter mentioned as Bitdefender), with its official headquarters in Bucharest, district 2, Delea Veche street, no. 24, building A, registered in the Bucharest Trade Register with number J40/20427/2005, fiscal code RO , privacy@bitdefender.com processes personal data in agreement with the Romanian data protection legislation (Law 677/2001) and the EU directive on personal data (Directive 95/46/EC) and is registered at the Romanian Data Protection Authority under number (the Processor ) Preamble This annex specifies the data protection obligations of the parties which arise from data processing on behalf, as stipulated in the Bitdefender license agreement that accompanies each Bitdefender Product ( Main Agreement ). It applies to all activities performed in connection with the Main Agreement in which the staff of the data processor on behalf ( Processor ) or a third party acting on behalf of the processor may come into contact with personal data of the controller of the data ( Controller ). The following provisions shall apply to all services of order processing within the meaning of Section 11 FDPA (German Federal Data Protection Act), which are provided by Processor to Controller. 1. Subject-matter and Duration of the order 1.1 Processor shall process personal data on behalf of Controller and in accordance with Controller`s instructions, the FDPA and the provisions of this agreement. The details of the contractual services are set out in the Main Agreement. 1.2 The duration of this Data Protection Agreement is equal to the term of the Main Agreement.

2 2. Extent, type and purpose of the data processing, categories of data and circle of data subjects 2.1 The scope, nature and purpose of the collection, processing and/or use of personal data by the Processor on behalf of the Controller are described in detail in the Agreement. Processing on behalf shall include the circle of data subjects, the categories of personal data and purposes listed below: a) Circle of data subjects: users of the Bitdefender Products, including but not limited to employees and end customers. b) Categories of data: name, surname, , profession; IP address, unique internal identification code of the device on which the product was installed, licenses codes, other technical data of the device that uses the software services supplied by the data processor. c) Purpose of collection, processing or use of data: a) Processing of Controller's contact data in order to supply IT security software products and services; b) Processing the data of the employees of the data controller for the purpose of supplying IT security software services, c) Processing personal data for the purpose of embittering the quality of services/products; d) Processing personal data for the purposes of contacting, support and granting additional information ; 2.2 Within the scope of this Agreement, Controller shall be solely responsible for complying with the statutory requirements relating to data protection, in particular regarding the transfer of personal data to Processor and the processing of personal data by Processor (acting as responsible body as defined in Section 3 (7) FDPA). 2.3 Processor shall process personal data on behalf of Controller. Processing shall include such actions as may be specified in the Main Agreement and in the scope of work, especially performance of services related to the processing of data in the area of advisory and support services mentioned in the Main Agreement. 2.4 Due to Controller`s responsibility during the term of this Agreement, Processor shall be obliged: - to use the personal data only for the intended purposes pursued by the Controller and the fulfillment of the contractual obligations.

3 - to process personal data solely according to Controller s instructions and to correct, delete and block data without undue delay. 2.5 Processor shall be permitted to create necessary procedurally and safetyrelevant intermediate-, temporary- or duplication files for performance-related processing and use of personal data, in so far as this does not lead to a substantive transformation. Beyond this, Processor shall not be permitted to create unauthorized copies of personal data. 2.6 The data shall be processed and used exclusively within the territory of the Federal Republic of Germany, a Member State of the European Union or another signatory to the Agreement on the European Economic Area. Except as herein stated (as for example in art 7.1), any transfer of data to a third country shall require the prior information of Controller and shall only be permitted if the special requirements set out in Sections 4b and 4c FDPA are met. 2.7 Controller as the data controlling entity shall be responsible for ensuring the rights of the data subjects. Rights of the data subjects are to be exercised against Controller. Provided that the cooperation of Processor is needed for Controller to ensure the data subjects rights (especially the right to information, rectification, blocking or deletion), Processor shall take the necessary measures in accordance with the instructions of Controller. 3. Obligations of Processor 3.1 Processor shall collect, process and use personal data only within the scope of Controller s instructions. Any instruction by Controller to Processor related to processing shall, initially, be defined in the Agreement. 3.2 Processor shall, without undue delay, inform Controller of any material breach of regulations for the protection of Controller s personal data, committed by Processor or Processor s personnel. After consulting with Controller, Processor shall implement the measures necessary to secure the data and to mitigate potential adverse effects on the data subjects. Processor shall support Controller in fulfilling Controller s disclosure obligations under Section 42a FDPA. 3.3 Controller shall remain owner of any data / data carriers provided to Processor as well as any copies or reproductions thereof. Processor shall store such media safely and protect it against unauthorised access by third parties. Processor shall, upon Controller s request, provide to Controller all information on Controller s personal Data and information. Processor shall be obliged to securely delete any test material based on an Instruction issued by Controller on a case-by-case basis. Where Controller so decides, Processor shall hand over such material to Controller or store it on Controller s behalf. Processor shall be obliged to verify the fulfilment of these obligations and shall maintain an adequate documentation of such verification.

4 3.4 If a data subject contacts Processor directly to request the correction or deletion of his personal data, Processor must forward this request to the Controller without undue delay. Where Controller is obliged to provide information to an individual about the collection, processing or use of his/her personal data, Processor shall assist Controller in making this information available. 4. Obligations of Controller 4.1 Within the scope of this Agreement, Controller shall be solely responsible for complying with the statutory data privacy and protection regulations, including, but not limited to, the lawfulness of the transfer to Processor and the lawfulness of processing. 4.2 Controller shall, without undue delay and in a comprehensive manner, inform Processor of any defect Controller may detect in Processor s work results and of any irregularity in the implementation of statutory regulations on data privacy. 4.3 Controller shall be obliged to maintain the publicly available register as defined in Section 4g (2) sentence 2 FDPA. 4.4 Instructions shall generally be issued within the scope of the use of the application. If Controller issues single instructions that go beyond the contractually agreed services, Controller shall bear the costs incurred as a result (see also paragraph 6). 4.5 Controller shall be responsible for fulfilling the duties to inform according to Section 42a FDPA. 4.6 Controller shall be obliged to treat all information of Processor regarding business secrets and data security measures obtained within the contractual relationship strictly confidential. 5. Technical/organizational measures 5.1 Within Processor s area of responsibility, Processor shall structure Processor s internal corporate organisation to ensure compliance with the specific requirements of data protection. Processor shall take the appropriate technical and organisational measures to adequately protect Controller s personal data against misuse and loss in accordance with the requirements of Section 9 FDPA. An overview of the described technical and organisational measures shall be attached to this Agreement. 5.2 The technical and organizational measures are subject to technical progress and development, and the Processor may implement adequate alternative measures. However, these must not fall short of the level of security provided by the measures specified in the attachment. 6. Controller s authority to issue instructions

5 6.1 The data may only be handled under the terms of the agreements concluded and the instructions issued by Controller. 6.2 Processor shall inform Controller immediately, in accordance with Section 11 (3) sentence 2 FDPA, if he believes that there has been an infringement of legal data protection provisions. He may then postpone the execution of the relevant instruction until it is confirmed or changed by the Controller s representative. 6.3 Any instruction by Controller to Processor related to processing shall, initially, be defined in the Agreement. With the performance of the service in accordance with the contract Processor shall obey Controller`s instructions. 7. Subcontractors 7.1 Processor shall be entitled to subcontract Processor s obligations to third parties. Controller acknowledges that Processor s contractual obligations hereunder, or the parts of the deliverables defined, may be performed by a subcontractor, namely Amazon Web Services, using servers primary from EU territories, or using other servers compliant to the EU Standard Contractual Clauses, notified to a European Data Protection Authority according to European Union applicable legislation. 7.2 If Processor engages further subcontractors functioning as data processors in terms of Sections 9, 11 FDPA Processor shall inform Contractor thereof without undue delay. Contractor shall be able to reject the commissioning of subcontractors only for substantially justified reasons. A substantially justified reason is in particular if there are indications a that the commissioning endangers or impairs the contractual services b that the cooperation with the subcontractor endangers the fulfilment of legal or contractual obligations of Controller, in particular concerning supervisory regulations. 7.3 Processor shall set out the contractual agreements with the subcontractor(s) in a way that they reflect the data protection provisions agreed on between Controller and Processor. The Processor has to monitor the compliance with such obligations on a regular basis. Transmission of data shall be admissible only if subcontractor fulfills the obligations according to Section 11 FDPA. 8. Audit Obligations 8.1 Controller has the right to monitor Processor s compliance of all directives and provisions of this Agreement. Such monitoring and other regular evaluation activities shall be conducted during standard office hours. In general, such controls shall be

6 announced. The Controller shall coordinate such visits with Processor to ensure a minimal disturbance of Processor s ongoing operations. Processor shall not be entitled to demand payment from Controller for permitting and/or supporting the implementation of such controls. The monitoring and ensuing results shall be documented and signed by both parties. 8.2 Processor shall, upon Controller s written request and within a reasonable period of time, submit to Controller all information, documentation and other means of factual proof necessary for the conduction of an audit. 9. Deletion of data and return of data media Upon completion of the contractual work or when requested by Controller and no later than the end-date of the Main Agreement the Processor shall return to Controller all documents/data media in his possession as well as all work products and data produced in connection with the commission, or delete them in compliance with data protection law with the prior consent of Controller. The same applies to any test data and scrap material. The deletion log must be presented upon request. If Controller wishes an additional destruction by an external service provider, Processor will carry this out at the expense of Controller. 10. Correction, deletion and blockings of data Processor may only correct, delete or block the data processed on behalf of Controller when instructed to do so by Controller. 11. Data secrecy /Business secret 11.1 Processor shall provide services towards Controller solely within the scope of the provisions of this contract and according to Controller s instructions. Processor shall not use any data made available by Controller for data processing for other purposes. Copies and duplicates shall be created solely for backups as part of the usual data storage practice. Controller shall be informed thereof. Processor shall ensure that any personnel entrusted with processing Controller s personal data has to comply with the principle of data secrecy and has been sworn to data secrecy in writing. Processor confirms to have knowledge of the relevant data protection regulations. Processor shall ensure that any personnel entrusted with processing Controller s personal data has been duly instructed on the protective regulations of the FDPA. The commitment to data secrecy shall continue after the termination of the contract.

7 11.4 Processor shall maintain strict confidentiality and shall not disclose, disseminate or use any confidential information belonging to Controller. Processor will put his employees under an obligation to confidentiality. 12. Duties to inform, mandatory written form 12.1 Where Controller s data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in Processor s control, Processor shall notify Controller of such action without undue delay. Processor shall, without undue delay, notify to all parties involved in such action, that any data affected thereby is in Controller s sole property and area of responsibility, that data is at Controller s sole disposition, and that Controller is the responsible body in the sense of the FDPA No modification of this annex and/or any of its components including, but not limited to, Processor s representations and warranties, if any shall be valid and binding unless made in writing and then only if such modification expressly states that such modification applies to the regulations of this annex. The foregoing shall also apply to any waiver or modification of this mandatory written form. An overview of the technical and organisational measures taken by Processor are available below. Bitdefender SRL... Florin Talpes... President... Date:... Please send a scanned copy of the executed Agreement at privacy@bitdefender.com

8 Technical and organizational measures for Bitdefender SRL as a data processor All Bitdefender information security policies are ISO certified the information below just highlights some of the technical and organizational measures on place that could be shared with our partners if you need further details on these measures please contact us at privacy@bitdefender.ro 1. Access control to premises and facilities Unauthorized access (in the physical sense) must be prevented. Technical and organizational measures to control access to premises and facilities, particularly to check authorization: 2. - Access control system: Magnetic card; - (Issue of) keys: Keys. - Door locking: electronic doors - Security staff, janitors: Magnetic card - Surveillance facilities : Alarm system, Video/CCTV monitor and alarm connected to an external specialized security company. Access control to systems Unauthorized access to IT systems must be prevented. Technical (ID/password security) and organizational (user master data) measures for user identification and authentication: e) User name, distinct for each employee; f) Password procedures (incl. special characters, minimum length, change of password): password, for each user name a different password, composed of 9 characters, including small and big letters, number, signs and diacritical; when the password is being written the password is not visible and the passwords are being changed at each 60 days, by authorizes staff: the user name and the password are confidential; g) Automatic blocking (e.g. password or timeout): at each five minutes. h) Active directory i) User review

9 3. Access control to data Activities in IT systems not covered by the allocated access rights must be prevented. Requirements-driven definition of the authorization scheme and access rights, and monitoring and logging of accesses: Differentiated access rights (profiles, roles, transactions and objects) Reports: Logs and alerts Access: internal procedure regarding the access. Change and Deletion: Access control policy based on need to know and need to use 4. Disclosure control Aspects of the disclosure of personal data must be controlled: electronic transfer, data transport, transmission control, etc. Measures to transport, transmit and communicate or store data on data media (manual or electronic) and for subsequent checking: Secure communication channels Logging, reports and reviews Transport security 5. Input control Full documentation of data management and maintenance must be maintained. Measures for subsequent checking whether data have been entered, changed or removed (deleted), and by whom: Logging and reporting systems Authentication and authorization 6. Job control Commissioned data processing must be carried out according to instructions. Measures (technical/organizational) to segregate the responsibilities : Unambiguous wording of the contract Access control policy based on need to know and need to use

10 Monitoring Privileged User account administration policy 7. Availability control The data must be protected against accidental destruction or loss. Measures to assure data security (physical/logical): Examples: Backup procedures Mirroring of hard disks, e.g. RAID technology Remote storage Anti-virus/firewall systems 8. Segregation control Data collected for different purposes must also be processed separately. Measures to provide for separate processing (storage, amendment, deletion, transmission) of data for different purposes: Examples: Limitation of use Segregation of functions (production/testing/support) Access control policy based on need to know and need to use