BETWEEN
The European Evaluation Society, a not-for-profit association with full legal capacity established and existing under the laws of the Netherlands, having its registered office at Posthoornstraat 17, 3011 WD Rotterdam, the Netherlands and registered with the Trade Register of the Dutch Chamber of Commerce under number 40413697, hereinafter referred to as: “Controller”;
and
Bay Tree VA, a private limited company established and existing under the laws of the United Kingdom, having its registered office at The Technology Centre, Station Road, Framlingham, Woodbridge, Suffolk IP13 9EZ, UK and registered under company number 06524167, hereinafter referred to as: “Processor”;
each a “Party” and collectively, the “Parties”.
RECITALS
- On 29 June 2023 Controller and Processor entered into an agreement (the “Principal Agreement”) pursuant to which Processor will provide secretariat and related functions for the European Evaluation Society (the “Services”).
- To the extent that the provision of such Services involves the processing of Personal Data, the Parties have agreed to enter into this Agreement for the purposes of ensuring compliance with the applicable Data Protection Laws.
THEREFORE, the Parties have agreed as follows:
1. DEFINITIONS
- Terms such as “processing”, “data subject”, “processor”, “controller”, “personal data”, “data breach”, “data protection impact assessment”, etc., shall have the same meaning ascribed thereto in the Data Protection Laws;
- “Adequate Third Country” means a country which is not a member of the EEA and where there is an existing decision by the European Commission pursuant to article 45 GDPR that confirms that such country ensures an adequate level of protection for Personal Data;
- “Data Protection Laws” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK Data Protection Act 2018 of 23 May 2018 (“DPA”), and the Swiss Federal Act on Data Protection of 19 June 1992 (“FADP”) together with all laws implementing or supplementing the same, including any regulations, guidance, and codes of practice issued by Supervisory Authorities from time to time, and any other (future) applicable supplementing or superseding data protection or privacy laws, including the ePrivacy Directive (EU) 2002/58/EC as transposed into applicable law;
- “EEA” means the European Economic Area, meaning the EU Member States and the three EEA States (Iceland, Liechtenstein, and Norway);
- “Personal Data” means the data described in Annex 1 (Details of the Processing of Personal Data) and any other Personal Data processed by the Processor or any Subprocessor on behalf of the Controller pursuant to or in connection with the Principal Agreement;
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data;
- “Services” means the services described in the Principal Agreement;
- “Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data to third countries, adopted by the European Commission via its implementing decision of 4 June 2021, or any set of clauses approved by the European Commission which amends, replaces or supersedes these;
- “Subprocessor” means any data processor (including any third party and any affiliated company) appointed by the Processor to process Personal Data on behalf of the Controller; and
- “Supervisory Authority” means (a) an independent public authority which is established by a Member State pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws.
2. PROCESSING OF THE PERSONAL DATA
- The Processor shall only process the types of Personal Data relating to the categories of data subjects for the purposes of the Principal Agreement and for the specific purposes in each case as set out in Annex 1 (Details of the Processing of Personal Data) to this Agreement, and shall not process, transfer, modify, amend or alter the Personal Data or disclose or permit the disclosure of the Personal Data to any third party other than in accordance with the Controller’s documented instructions (whether in the Principal Agreement or otherwise), unless such processing is required by EU, Member State or UK law to which Processor is subject, in which case Processor shall, to the extent permitted by such law, inform Controller of that legal requirement before processing that Personal Data unless the law prohibits this on important grounds of public interest.
- For the purposes set out above in this section 2, Controller hereby instructs Processor to transfer Personal Data to the recipients listed in Annex 2 (Authorised Transfers of Controller Personal Data), always provided that Processor shall comply with section 5 (Subprocessing) and section 11 (International Transfers of Personal Data).
- Processor shall immediately inform Controller if in Processor’s opinion the instructions given by Controller infringe applicable Data Protection Laws.
- Each Party shall appoint a point of contact (“POC”) who will work together to deal with matters in relation to this Agreement. Any notice given to a Party under or in connection with this Agreement shall be made in writing to the relevant POC. On receipt of such a notice, the receiving POC will acknowledge receipt of the notice in writing to the POC who gave the notice. If Processor’s POC does not receive such an acknowledgement from Controller’s POC, Processor’s POC shall take all reasonable steps to confirm that Controller’s POC has received the notice. The POCs for each of the Parties are:
- For Controller: Marco Lorenzoni (Board member) – marco@bridgesconsulting.eu
- For Processor: Jane Cattermole (Managing Director) – jane@baytreeva.co.uk
3. PROCESSOR PERSONNEL AND CONFIDENTIALITY
- Without prejudice to any existing contractual arrangements between the Parties, the Processor guarantees that it shall treat all Personal Data as strictly confidential and that it shall inform all its employees, agents, contractors and/or Subprocessors engaged in processing the Personal Data of the confidential nature of such Personal Data. Processor shall take reasonable steps to ensure the reliability of any employee, agent, contractor and/or Subprocessor who may have access to the Personal Data, ensuring in each case that access is strictly limited to those persons or parties who need to access the relevant Personal Data, as strictly necessary for implementing, managing and monitoring the Principal Agreement.
- Processor is obliged to maintain the confidentiality of the Personal Data of which it becomes aware, both during the term of this Agreement and the provision of the Services and after termination thereof. In addition, the Processor shall treat all other information that comes to its knowledge in connection with the provision of the Services and that is confidential in nature, or should be regarded as such, as confidential and secret information and shall only use this information in connection with the provision of the Services or in order to comply with a legal obligation.
- Processor shall ensure that all such persons or parties involved in the processing of Personal Data have committed themselves to confidentiality (of which a copy shall be provided upon Controller’s request) or are under an appropriate statutory obligation of confidentiality.
4. SECURITY
- Without prejudice to any other security standards agreed upon by the Parties, Processor shall implement appropriate technical and organisational measures to ensure a level of security of the Personal Data appropriate to the risks in accordance with article 32 GDPR, which shall at least include the measures specified in Annex 3 (Description of technical and organisational measures). This includes protecting the Personal Data against a Personal Data Breach. In assessing the appropriate level of security, Processor shall take account in particular of the risks presented by the processing, notably from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. The Parties acknowledge that security requirements are constantly changing, and that effective security requires frequent evaluation and regular improvement of outdated security measures. Processor will therefore carry out regular checks to evaluate the technical and organisational measures as implemented to ensure that these measures continue to provide an adequate level of security. Where necessary the Parties will update Annex 3 (Description of technical and organisational measures) and will tighten, supplement and improve these measures in order to maintain compliance with Data Protection Laws.
- Controller may provide written notice to Processor if in the reasonable opinion of Controller the technical and organisational measures need to be changed in order to comply with the Data Protection Laws and the Processor shall implement such changes at no additional cost to Controller.
5. SUBPROCESSING
- Processor has Controller’s general authorisation to appoint (and permit each Subprocessor appointed in accordance with this section 5 to appoint) Subprocessors in accordance with this section 5 and any restrictions in the Principal Agreement.
- Processor may continue to use those Subprocessors already engaged by Processor as at the Effective Date and included in Annex 2 (Authorised Transfers of Controller Personal Data), provided that in each case the Processor meets the obligations set out in this section 5.
- Processor shall give Controller prior written notice at least 30 (thirty) days in advance of the appointment of any new Subprocessor, including full details of the processing to be undertaken by the Subprocessor and any other information necessary to enable Controller to exercise its right to object. If within 30 (thirty) days of receipt of that notice, Controller notifies Processor in writing of any objections to the proposed appointment, Processor shall not appoint the Subprocessor. If Controller does not raise any objections, Processor may appoint the Subprocessor provided that it meets the obligations set out in this section 5.
- With respect to each Subprocessor, the Processor shall:
- provide Controller with full details of the processing to be undertaken by each Subprocessor, by means of completing Annex 2 (Authorised Transfers of Controller Personal Data), including providing an updated version whenever a new Subprocessor is appointed in accordance with this section 5;
- carry out adequate due diligence on each Subprocessor to ensure that it is capable of providing the level of protection for the Personal Data as is required by this Agreement including without limitation sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of Data Protection Laws and this Agreement;
- include terms in the contract between the Processor and each Subprocessor which are the same as those set out in this Agreement, and shall supervise compliance thereof. Upon request, the Processor shall provide a copy of its agreements with Subprocessors to the Controller for its review;
- agree a third party beneficiary clause with the Subprocessor whereby – in the event Processor has factually disappeared, ceased to exist in law or has become insolvent – Controller shall have the right to terminate the Subprocessor contract and instruct the Subprocessor to erase or return the Personal Data;
- to the extent that the appointment of the Subprocessor involves a transfer outside of the EEA, comply with section 11 (International Transfers of Personal Data); and
- remain fully liable to Controller for any failure by each Subprocessor to fulfil its obligations in relation to the processing of any Personal Data.
6. DATA SUBJECT RIGHTS
- The Processor shall promptly, and in any case within five (5) working days, notify the Controller if it receives a request from a data subject under any Data Protection Laws in respect of Personal Data, including requests by a data subject to exercise its rights under Chapter III of the GDPR, and shall provide full details of that request. Processor shall not respond to the request itself unless authorised to do so by Controller in writing.
- The Processor shall co-operate as requested by the Controller to enable the Controller to comply with its obligations to respond to any exercise of rights by a data subject under any Data Protection Laws in respect of Personal Data and comply with any assessment, enquiry, notice or investigation under any Data Protection Laws in respect of Personal Data or this Agreement, which shall include:
- the provision of all information requested by Controller within any reasonable timescale specified by Controller in each case, including full details and copies of the complaint, communication or request and any Personal Data it holds in relation to a data subject;
- where applicable, providing such assistance as is reasonably requested by Controller to enable Controller to comply with the relevant request within the timescales prescribed by the Data Protection Laws; and
- implementing any additional technical and organisational measures as may be reasonably required by Controller to allow Controller to respond effectively to relevant complaints, communications or requests.
7. INCIDENT MANAGEMENT
- In the event of a Personal Data Breach, the Processor shall immediately take appropriate measures to address the Personal Data Breach, including measures to mitigate its adverse effects.
- The Processor shall notify the Controller without undue delay and in any case within 72 hours, excluding public holidays, upon becoming aware of or reasonably suspecting a Personal Data Breach and will provide the Controller’s POC appointed under section 2 with sufficient information to allow Controller to meet any obligations to report a Personal Data Breach under the Data Protection Laws. Such notification shall as a minimum:
- describe the nature of the Personal Data Breach, the categories and numbers of data subjects concerned, and the categories and numbers of Personal Data records concerned;
- communicate the name and contact details of the Processor’s data protection officer or other relevant contact from whom more information may be obtained;
- describe the likely consequences of the Personal Data Breach; and
- describe the measures taken or proposed to be taken to address the Personal Data Breach, including to mitigate its possible adverse effects.
- Processor shall fully co-operate with the Controller and take such reasonable steps as are directed by Controller to assist in the investigation, mitigation and remediation of each Personal Data Breach, in order to enable the Controller to (i) perform a thorough investigation into the Personal Data Breach, and (ii) formulate a correct response and take suitable further steps in respect of the Personal Data Breach in order to meet any requirement under the Data Protection Laws.
- Parties agree to coordinate and cooperate in good faith on developing the content of any related public statements or any required notices for the affected data subjects. Processor shall not inform any third party without first obtaining Controller’s prior written consent, unless notification is required by EU, Member State or UK law to which Processor is subject, in which case Processor shall, to the extent permitted by such law, inform Controller of that legal requirement, provide a copy of the proposed notification and consider any comments made by Controller before notifying the Personal Data Breach.
8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
- The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments which are required under Article 35 GDPR and with any prior consultations to any Supervisory Authority of the Controller or any of its affiliates which are required under Article 36 GDPR, in each case in relation to processing of Personal Data by the Processor on behalf of the Controller and taking into account the nature of the processing and information available to the Processor.
9. DELETION OR RETURN OF PERSONAL DATA
- The Processor shall promptly and in any event within 30 (thirty) calendar days upon termination of the Services, at the choice of Controller either:
- return a complete copy of all Personal Data to Controller by secure file transfer in such format as notified by Controller to Processor and securely wipe all other copies of Personal Data processed by Processor or any Subprocessor; or
- securely wipe all copies of Personal Data processed by the Processor or any Subprocessor, unless applicable law requires such storage of Personal Data, in which case Processor will inform Controller of such obligation (including details of the Personal Data it is required to retain and a specific timeline for destruction once the legal requirement ends) and warrants that it will continue to ensure compliance with this Agreement and will only process it to the extent and for as long as required under that law.
- The Processor shall provide in each case written confirmation to the Controller that it has complied fully with this section 9.
- Until the Processor complies with its obligations under this section 9, the Processor shall continue to comply with this Agreement.
10. AUDIT RIGHTS
- The Processor shall make available to the Controller on request all information necessary to demonstrate compliance with this Agreement. The Processor will deal promptly and adequately with such enquiries.
- At the Controller’s request the Processor shall allow for and contribute to audits, including inspections by the Controller or another auditor mandated by the Controller of any premises where the processing of Personal Data takes place. The Processor shall permit Controller or another auditor mandated by the Controller to inspect, audit and copy any relevant records, processes and systems in order that the Controller may satisfy itself that the provisions of Data Protection Laws and this Agreement are being complied with. The Processor shall provide full co-operation to the Controller in respect of any such audit.
- If an audit results in the Processor being notified that its processing of Personal Data is not in compliance with Data Protection Laws the Parties shall – notwithstanding any remedies set out in this Agreement – discuss such finding and the Processor shall promptly take all corrective actions necessary to achieve compliance as agreed with the Controller.
- The cost of any audit on Controller’s request will be borne by the Controller, unless the audit demonstrates that the Processor does not fully meet its obligations under this Agreement or the Data Protection Laws, in which case the costs of the audit will be borne by the Processor.
11. INTERNATIONAL TRANSFERS OF PERSONAL DATA
- Processor shall not (permanently or temporarily) process the Personal Data nor permit any Authorised Subprocessor to (permanently or temporarily) process the Personal Data in a country outside of the EEA or an Adequate Third Country, unless authorised in writing by the Controller in advance.
- To the extent that the Processor is located in a country outside of the EEA which is not an Adequate Third Country, the Parties acknowledge that the processing activities of the Processor will involve a transfer of Personal Data within the meaning of Chapter V GDPR and the Parties agree to take all necessary steps to comply with Chapter V GDPR, including completing and executing the Module 2 Standard Contractual Clauses (Transfer controller to processor) annexed to this Agreement, whereby Controller is considered to be the data exporter and Processor the data importer.
- To the extent the Controller authorizes the Processor to appoint a Subprocessor in accordance with Clause 5 and such Subprocessor processes Personal Data in a country outside the EEA that is not an Adequate Third Country, Processor shall prior to such appointment complete and execute Module 3 Standard Contractual Clauses (Transfer processor to processor) with the Subprocessor. Processor warrants that it will ensure all conditions for the use of such Standard Contractual Clauses are met.
- If, at any time, a Supervisory Authority or a court with competent jurisdiction over a Party mandates that transfers from controllers in the EEA to processors established outside the EEA must be subject to specific additional safeguards (including but not limited to specific technical and organisational measures), the Parties shall work together in good faith to implement such safeguards and ensure that any transfer of Personal Data is conducted with the benefit of such additional safeguards.
- If, and to the extent that, the European Commission issues any amendment to, or replacement of, the Standard Contractual Clauses pursuant to Article 46(5) GDPR, the Parties acknowledge and agree that such clauses will automatically be deemed to replace all Standard Contractual Clauses then in force between Controller on the one hand and Processor on the other, and the Parties shall take such additional steps as necessary to ensure that such replacement terms are implemented across all transfers. Processor shall also ensure that all Standard Contractual Clauses in force between Processor and a Subprocessor in accordance with this section 11 will also be updated.
12. INDEMNITY
- Notwithstanding any contrary provisions in the Principal Agreement, the Processor indemnifies Controller and holds Controller harmless against all claims, actions, third party or Supervisory Authority claims, losses, damages and expenses incurred by the Controller and arising directly or indirectly out of or in connection with a breach of this Agreement by the Processor.
- Controller is not liable for any damage or cost, either by contract or tort, towards Processor or any of its Subprocessors under this Agreement, except in case of gross negligence or wilful misconduct.
13. MISCELLANEOUS
- Subject to the survival of Processor’s obligations provided for below in this section 13, the Parties agree that this Agreement shall terminate automatically upon termination of the Principal Agreement or expiry or termination of all service contracts entered into by Processor with the Controller pursuant to the Principal Agreement, whichever is later.
- Any obligation imposed on Processor under this Agreement in relation to the processing of Personal Data shall survive any termination or expiration of this Agreement.
- This Agreement shall be read and interpreted in the light of the provisions of the Data Protection Laws. With regard to the subject matter of this Agreement, in the event of inconsistencies between the provisions of this Agreement and any other agreements between the Parties, including but not limited to the Principal Agreement, the provisions of this Agreement shall prevail with regard to the Parties’ data protection obligations for Personal Data. In the event of any conflict or inconsistency between this Agreement and the Standard Contractual Clauses, the Module 2 Standard Contractual Clauses annexed to this Agreement shall prevail.
- Compliance by the Processor with the provisions of this Agreement will be at no additional cost to Controller.
- Should any provision of this Agreement be invalid or unenforceable, then the remainder of this Agreement shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
- This Agreement is governed by the laws of the Netherlands. Any disputes arising out or in connection with this Agreement shall be brought exclusively before the competent court of Rotterdam (NL).
IN WITNESS WHEREOF, this Agreement is entered into force and becomes a binding part of the Principal Agreement with effect from the Effective Date first set out below.
European Evaluation Society | Bay Tree VA Ltd
Name: T S LING | Name: JANE CATTERMOLE
Title: President, European Evaluation Society | Title: Managing Director, Bay Tree VA
Date: 26 06 23 | Date: 29 06 23
ANNEX 1: DETAILS OF THE PROCESSING OF PERSONAL DATA
This Annex 1 includes certain details of the processing of Personal Data as required by Article 28(3) GDPR.
1. Subject matter, duration and purposes of the processing of Personal Data
1a. Subject matter of the processing:
☒ Human Resources (HR)
☒ IT
☒ Marketing
☒ Finances
☒ Membership and participation in the EES life and initiatives
1b. Duration of the processing:
The duration of the processing of Personal Data by Processor under this Agreement is the period of the Principal Agreement.
1c. Frequency of the processing:
The Personal Data will be shared on the following basis during the period of the Principal Agreement:
☐ one-off
☒ continuous
☒ as needed
1d. Nature and Purpose of the processing:
The purpose of the processing of Personal Data by Processor under this Agreement is the performance of the Services as described in the Principal Agreement.
2. The categories of data subject to whom the Personal Data relates
☒ Employee data
☒ Customer data, including participants to conferences and events for which registration is needed
☒ Member and Board Member data
☒ Supplier data
3. The types of Personal Data to be processed
- Employees
☒ Employee data, more in particular:
☒ Personal details – such as name and first name, address, email address, telephone number or other contact information, degree/title, date of birth, gender, nationality, social security or national insurance number, marital or civil partnership status, dependents, citizenship.
☒ Emergency contact details – name and contact details of emergency contacts.
☒ Financial details – such as bank account details or other financial characteristics.
☒ Basic work details – such as work contact details e.g. professional email address and telephone number, employee identification number, photograph, details regarding the job function, primary work location, working hours, employment status, and terms and conditions of employment.
☒ Professional qualifications – professional certifications as relevant, language skills, education history.
☒ Recruitment or selection data – any personal data contained in CVs, application forms, records of interviews or interview notes, selection and verification records, previous (job) experiences and references.
☒ Remuneration and benefits data – such as details of payment and benefits package, base salary, bonus, compensation type.
☒ Leave data – such as holiday and family related leave records, retirement eligibility.
☒ Performance management data – such as colleague and manager feedback, appraisals, outputs from talent programs and formal and informal performance management processes.
☒ Training and development data – such as data relating to training and development needs or trainings received.
☒ Documentation required under immigration laws (if relevant) – such as citizenship, details of residency, work permit.
☒ Disciplinary data – such as any personal data contained in records of allegations, investigation and proceeding records and outcomes, and in the context of whistleblowing.
☒ Termination data – such as dates and reasons for leaving, termination agreements and payments, exit interviews and references.
- Customers including participants to conferences and events for which registration is needed
☒ Customer data, more in particular:
☒ Contact details – such as name, postal address, telephone number and e-mail address or any other contact details.
☒ Personal characteristics – such as gender or other personal characteristics in order to identify customers.
☒ Profession and job title – including information on the specific (sub) sector the customer operates in.
☒ Data collected automatically through websites – such as cookies and other technologies to track website visitors.
☒ Financial details – such as bank account details or invoicing details.
☒ Information relating to the use of services – such as which services are used or contracted.
☒ Communication data – such as any requests, any complaints and any other customer data that Controller receives when communicating with customers via email, online or via social media.
- Members and Board Members
☒ Member data, more in particular:
☒ Contact details – such as name, postal address, telephone number and e-mail address or any other contact details.
☒ Personal characteristics – such as gender or other personal characteristics in order to identify members.
☒ Profession and job title – including information on the specific (sub) sector the member operates in.
☒ Data collected automatically through websites – such as cookies and other technologies to track website visitors.
☒ Financial details – such as bank account details or invoicing details.
☒ Information relating to the use of membership services – such as which services are used or contracted.
☒ Communication data – such as any requests, any complaints and any other member data that Controller receives when communicating with members via email, online or via social media.
☒ Information relating to the participation in the EES life – such as membership / role in any Thematic Working Group or alike.
☒ (Limited to past and present Board Members) – dates of terms, type of Board membership (elected, co-opted).
- Suppliers
☒ Supplier data, more in particular:
☒ Contact details – such as name, business postal address, business telephone number and business e-mail address or any other contact details.
☒ Profession and job title – including information on the specific (sub) sector the supplier is working in.
☒ Data collected automatically through websites – such as cookies and other technologies to track website visitors.
☒ Financial details – such as bank account details or invoicing details.
☒ Communication data – such as any requests, any complaints and any other supplier data that Controller receives when communicating with suppliers via email, online or via social media.
- Other data – types of services provided, notes about
ANNEX 2: AUTHORISED TRANSFERS OF CONTROLLER PERSONAL DATA
Company name of recipient | Details of the Point of Contact | Details of the processing | Service location | Additional safeguards (only in case of data transfer outside the EEA)
Bay Tree VA Limited | Sharon Scotcher, Bay Tree VA | Services as described in the Principal Agreement | Remote working, based in Cambridge, UK | N/A
Bay Tree VA Limited | Caroline Kearney, Bay Tree VA | Services as described in the Principal Agreement | Remote working, based in Ipswich, UK | N/A
Bay Tree VA Limited | Lucy Willis, Bay Tree VA | Services as described in the Principal Agreement | Remote working, based in Crawley, UK | N/A
Bay Tree VA Limited | Paula Murton, Bay Tree VA | Services as described in the Principal Agreement | Remote working, based in Stowmarket, UK | N/A
ANNEX 3: DESCRIPTION OF TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE PERSONAL DATA
The measures Processor has taken include, as appropriate and without limitation:
Category 1 – Access control of persons
The Processor shall implement suitable measures in order to prevent unauthorised persons from gaining access to the data processing equipment as long as the Personal Data transferred by Controller are processed.
This shall be accomplished by:
- Establishing access authorisations for employees and third parties, including the respective documentation;
- Code card passes;
- Restrictions on keys;
- Best practices and guidance for third parties;
- Regulations on key codes;
- Identification of the persons having access authority;
- Security alarm system or other appropriate security measures including after working hours;
- Securing the decentralized data processing equipment and personal computers;
- Protection and restriction of access path; and
- Other
Category 2 – Access control to personal data
The Processor commits that the persons entitled to use the data processing system will only be able to access the Personal Data within the scope and to the extent covered by the respective access permission (authorisation).
This shall be accomplished by:
- Locking of terminals;
- Allocation of individual terminals and/or terminal user and identification characteristics exclusive to specific functions;
- Functional and/or time restricted use of terminals and/or terminal users and identification characteristics;
- Regulations for user authorisation;
- Obligation to comply with confidentiality expectations;
- User codes for personal data and programs;
- Coding routines for files;
- Differentiated access regulations (e.g. partial blocking);
- Regulations for the organisation of files;
- Logging and analysis of use of the files;
- Controlled destruction of data media;
- Work instructions for templates for the registration of personal data;
- Checking, adjustment and controlling systems;
- Processes for the checking and release of programs; and
- Other
Category 3 – User Control
The Processor shall implement suitable measures to prevent its data processing systems from being used by unauthorised persons by means of data transmission equipment. In addition, Processor shall implement suitable measures to prevent unauthorised reading, copying, alteration or removal of the data media, unauthorised input into memory, reading, alteration or deletion of the stored personal data.
This shall be accomplished by:
- Authorisation design;
- Terminal with access user key;
- Identification of the terminal and / or the terminal user within the system of the relevant data processor;
- Automatic turn-off of the user ID when several erroneous passwords are entered;
- Log file of events (monitoring of break-in attempts);
- Issuing and safeguarding the identification codes;
- Dedication of individual terminals and/or terminal users;
- Identification characteristics exclusive to specific functions;
- Authentication of the authorised personnel;
- Protective measures for the data input into memory as well as for the reading, blocking and deletion of stored personal data;
- Use of encryption for critical security files;
- Specific access rules for procedures, control cards, process control methods, program cataloguing authorisation;
- Guidelines for data file organisation;
- Keeping records of data file use;
- Separation of production and test environments for libraries and data files;
- Providing that entries to data processing facilities (rooms, housing, computer hardware and related equipment) are capable of being locked;
- Automatic log-off of user IDs that have not been used for a substantial period of time;
- Designating the areas in which data media may / must be located;
- Designating the persons in such areas for authorised removal of data media;
- Controlling the removal of data media;
- Securing the areas in which data media are located;
- Release of data media only to authorised persons;
- Control of files, controlled and documented destruction of data media;
- Policies controlling the production of backup copies; and
- Other
Category 4 – Transmission control
The Processor shall be obliged to enable the verification and tracing of the locations/destinations to which the data subject’s personal data are transferred by the utilization of Processor’s data communication equipment/devices.
This shall be accomplished by:
- Authentication of the authorised personnel;
- In-house verification requirements (four-eye principle);
- Designating the areas in which data media may / must be located;
- Controlling the removal of data media;
- Designating the persons in such areas who are authorised to remove data media;
- Control of files;
- Locking of confidential data media;
- Security lockers;
- Prohibition of taking bags within the secure area;
- Control of destruction of data media;
- Policies controlling the production of backup copies;
- Documentation of the transfer programs;
- Documentation of the retrieval and transmission programs;
- Documentation of the remote locations/destinations to which a transmission is intended and the transmission path (logical path);
- Authorisation policy;
- Encryption of the data for online transmission or transport by means of data carriers (tapes and cartridges);
- Monitoring of the completeness and correctness of the transfer of data (end to end check);
- Encryption;
- Courier services, personal pickup, accomplishing of the transport;
- Control of plausibility;
- Control of completeness and correctness;
- Deletion of remaining personal data before change of data media; and
- Other
Category 5 – Input Control
The Processor shall provide for the retroactive ability to review and determine the time and the point of the data subject’s personal data entry into Processor’s data processing system.
This shall be accomplished by:
- Proof of relevant data processor’s organisation of the input authorisation;
- Electronic recording of entries;
- Electronic recording of data processing, in particular usage of data; and
- Other
Category 6 – Organisation Control
The Processor shall maintain its internal organisation in a manner that meets the requirements of this Agreement.
This shall be accomplished by:
- Internal data processing policies and procedures, guidelines, work instructions, process descriptions and regulations for programming, testing and release, insofar as they relate to the personal data transferred by the data controller;
- Formulation of a data security concept;
- Industry standard system and program examination;
- Formulation of an emergency plan (backup contingency plan); and
- Other
Category 7 – Instructional Control
The data transferred by the Controller to the Processor may only be processed in accordance with the instructions of the Controller.
This shall be accomplished by:
- Policies and procedures for Processor’s employees;
- Upon request, access will be granted to those of Controller’s employees and agents who are responsible for monitoring Processor’s compliance with this Agreement; and
- Other
Category 8 – Control of Separation of Personal Data
The Processor shall implement suitable measures to allow the separate processing of personal data that has been collected for different purposes.
This shall be accomplished by:
- Storage of the personal data in separated data collectors (physical separation);
- Authorisation policy (logical separation); and
- Separation of the personal data, which have been stored under an alias (pseudonym) from the original personal data.