Atos Data Protection Addendum with Client

Parties

This Data Protection Addendum (“DPA”) forms part of the Terms of Service Production for Unify Phone Service (hereinafter “Agreement”) concluded by Client with Unify Software and Solutions GmbH, Otto Hahn Ring 6, 81379 Munich, Germany, using “Click and Accept” when registering for the cloud service.

Client and Supplier shall individually be referred to as a “Party” and jointly referred to as the “Parties”.

This DPA to the Agreement describes the Parties’ obligations regarding the processing of Personal Data on behalf of Client, by Supplier, for the purposes of performing the Services set forth in the Agreement. Both parties shall act in accordance with applicable data protection principles, legal and contractual requirements.

1. Definitions

1.1 Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified or supplemented below, the definitions of the Agreement shall remain in full force and effect. For the purpose of interpreting this DPA, the following terms shall have the meanings set out below:

(a) “Applicable Laws” means all current and future laws and regulations (as may be amended or updated from time to time) applicable to the Processing of Personal Data under the Agreement, including laws of the European Union, any Member State Law (or any other applicable laws of any other country, province, state or jurisdiction to which the Processing of the Personal Data is subject). For the execution of this Agreement applicable laws shall refer to the GDPR, the German Federal Data Protection Act and any other laws and regulations relating to the processing and protection of Personal Data applicable in Germany.
(b) “Data Controller” (or Controller) means the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the scope, purposes and means of the Processing of Personal Data.
(c) “Data Processor” (or Processor) means a natural or legal person, public authority, agency, or any other body which Processes Personal Data on behalf of the Data Controller and as set forth in the written instructions of the Controller.
(d) “GDPR” or “General Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 “on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC,” as may be amended from time to time.
(e) “Processing” (or any cognate terms) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(f) “Personal Data” means any information relating to an identified or identifiable natural person (a “Data Subject”) pertaining to Atos (and the Data Subjects, respectively) Processed by Service Provider on behalf of Atos or an Atos Customer pursuant to or in connection with the Agreement. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as but not limited to a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(g) “Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data which Supplier Processes on behalf of Client in connection with the Agreement.
(h) “Sub-Processor” means a third party engaged by a Data Processor which has or potentially will have access to or Process the Client Personal Data.
(i) “Third Country” means any country or jurisdiction outside of the country of origin or the European Economic Area (“EEA”).
2. Roles and Obligations of the Parties

2.1 For the purpose of Processing Personal Data, both Parties acknowledge and recognize being bound by the duties and the obligations of the Applicable Laws and the following subsequent conditions.
2.2 The purpose of this DPA is to frame the Processing of Personal Data in connection with the terms of the Agreement, regardless of the country of origin, place of Processing, location of Data Subjects, or any other factor.
2.3 The Parties expressly agree that (i) Client is the Data Controller for the Personal Data Processed for the purpose of the provision of the Services under the Agreement and (ii) Supplier is the Data Processor in the event it Processes any Personal Data on behalf of and under the written instructions of Client when performing the Services.

3. Guarantees regarding Client’s processing

3.1 Client, as Data Controller, guarantees that any Personal Data processed by Atos on its behalf for the purposes of this Agreement (hereinafter “Client Personal Data”) is processed in accordance with Applicable Data Protection Law, including but not limited to its own obligations regarding the legitimacy of the processing, the categories of data processed, data subjects’ rights (including information), the definition and implementation of adequate retention periods, the completion of relevant formalities, if any, as well as any verifications and assurances regarding the adequacy of the guarantees provided by Atos regarding the processing and protection of Client Personal Data. In this respect, Client guarantees that it has taken all necessary steps to ensure that its own obligations are complied with under its applicable legislation.
4. Exchange of Business Data and Communication Between the Parties

4.1 In the context of the performance of the Agreement, the Parties may be required, for the purpose of communication, to exchange the following information:
(a) personal information: first name, last name;
(b) communications data: telephone, email, postal mail; and/or
(c) other: Personal Data to which one Party provides access to the other for the purpose of communication between the Parties.
4.2 Both Parties undertake that each Party shall act as an independent Data Controller in order to process the above-mentioned Personal Data for their own means and purposes. Therefore, the Parties shall comply with the obligations of a Data Controller, as required by the Applicable Laws, in order to protect and secure the aforementioned Personal Data.

5. Client’s Processing Instructions

5.1 As Data Controller, Client shall provide Supplier with written and lawful documented instructions regarding the processing of Personal Data. The Parties agree that Client’s instructions are a condition for Supplier to assist Client with complying with its obligations under Applicable Laws.
5.2 The Parties agree that Client’s initial instructions for the Processing of Personal Data are set out in: (i) the Agreement and (ii) this DPA, including (a) the Description of Processing of Personal Data (Annex 1) and (b) Technical and Organizational Measures (Annex 3).
5.3 Subject to the terms of this DPA and with mutual agreement of the Parties, the Client may issue additional written instructions consistent with the terms of this Agreement.
5.4 In that case, Client shall notify Supplier in written form at least thirty (30) days before the desired date of implementation to evaluate Client’s proposed additional instructions and assess the feasibility of the implementation timeframe. For the avoidance of doubt, any additional instructions shall be agreed between the Parties by completion and signature of Annex 2.
5.5 In the event Client requests the implementation of modifications or additions to its Instructions, it is expressly agreed between the Parties that it may have a direct impact on the delivery of the Services which may require a review and modification of the terms of the Agreement, including, notably, the scope of the Services and cost of implementation. In such case, the Parties shall use the change control procedures set forth in Section [X] of the Agreement or the additional instructions procedure set forth in Section 5.2 above.
6. Supplier’s Obligations

6.1 Supplier shall process Personal Data on behalf of Client exclusively and only in accordance with the Instructions received from Client as documented in Annex 1 to this DPA, and additional instructions agreed by the Parties in Annex 2.
6.2 If Supplier becomes aware that the instruction(s) it receives from Client constitute or may constitute an infringement of Applicable Laws, it shall immediately inform Client in any written form of such actual or potential infringement.
6.3 Supplier shall comply with any new lawful or revised Instructions provided by Client, subject to Section 4.3 of this DPA. In case Client’s Instructions are or may be in contradiction with Applicable Laws, Supplier shall stop the Processing, or the part of the Processing that is infringing the Applicable Law, and notify Client as such in order to obtain new, revised and lawful Instructions.
6.4 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Supplier shall implement appropriate technical and organizational measures to ensure that Client Personal Data are processed as per applicable legal data protection requirements as set forth in the Appendices of this DPA.
6.5 Supplier confirms that its personnel in charge of processing Personal Data in the context of the Agreement are bound by an appropriate obligation of confidentiality regarding the Processing of Personal Data. Supplier shall also ensure that its personnel in charge of Processing Personal Data in the context of the Agreement participate in mandatory training or e-learning regarding Privacy and Personal Data Protection.

7. Records of Processing Activities

7.1 Supplier shall maintain a record of categories of Processing activities carried out on behalf of Client regarding the Services provided under the Agreement, if required under Applicable Laws. Upon request from Client or from any competent supervisory authority (as may be required under Applicable Laws), Supplier shall provide a copy of such records of Processing activities without undue delay and, in any case, within fifteen (15) business days of such request, or within the timeframe defined by Applicable Laws.

8. Data Subject Rights

8.1 Whilst Client is responsible for determining the manner in which it responds to Data Subjects’ requests to exercise their rights under Applicable Data Protection Law, Supplier shall, in accordance with Applicable Data Protection Law and taking into account the nature of the Processing, assist Client by appropriate processes to support Client in the fulfilment of the obligation to respond to Data Subjects’ requests, including notably:
(a) promptly notify Client if any Personal Data recipient receives a request that should have been directed to Client from a Data Subject under any Applicable Law with respect to Personal Data;
(b) ensure that the Personal Data recipient does not respond to that request, except on the documented instructions of Client, where Client and Supplier have agreed that Supplier shall undertake that role, or as required by Applicable Laws to which the Personal Data recipient is subject, in which case Supplier shall, to the extent permitted by Applicable Laws, inform Client of that legal requirement before the Personal Data recipient responds to the request; and
(c) comply with any documented instructions from Client regarding response to a request to exercise rights of the Data Subjects under Applicable Laws.
8.2 In this respect, the Parties shall communicate Personal Data in a structured, commonly used and machine-readable format.

9. Interactions with Supervisory Authorities

9.1 Upon Client’s request, Supplier shall assist Client with complying with its obligations towards any competent data protection authority where required, including:
(a) providing information relating to a Processing where it is required to support a request for approval or authorization of a Processing;
(b) providing information relating to a Processing in order to address any requests for information, controls or investigations; and/or
(c) providing information in case of a Personal Data Breach as set out below in Section 14 of this DPA.

10. Security of Processing

10.1 Taking into account the state of the art, the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Supplier shall, in accordance with Applicable Laws, assist Client to comply with its obligation to define and implement adequate technical and organizational measures to ensure the security and confidentiality of the Personal Data Processed under this DPA.

11. Data Protection Impact Assessments

11.1 Supplier shall provide Client with information that is relevant regarding Processing of Personal Data performed by Supplier on behalf of Client, in order to enable Client to complete necessary documents (such as a data protection impact assessment).

12. Subcontracting

12.1 Client hereby expressly confirms and acknowledges that it has given its written consent to Supplier in order to transfer personal data to its third-party subcontractors for Personal Data processing operations that are necessary to comply with its obligations under the main Agreement. Supplier shall implement or rely on appropriate documentation (i.e., contracts, binding corporate rules, standard contractual clauses, codes of conduct, etc.) and additional technical safeguards (such as encryption and pseudonymized data, data not decryptable by national security agencies) to ensure that the third-party subcontractor implements a level of protection for Client Personal Data similar to the provisions set out under this DPA.
12.2 If such transfer includes a transfer of Client Personal Data outside the EEA, the provisions set out in Section 13 below of this DPA shall apply.

13. Transfers of Client Personal Data to Third Countries

13.1 Supplier and its affiliates are bound by the Binding Corporate Rules of the Atos Group (“BCR”), as approved by authorized agencies and set forth at: https://atos.net/content/dam/global/documents/atos-binding-corporate-rules.pdf. Client acknowledges that, in the event that Supplier transfers Client Personal Data to any Supplier affiliate located outside the EEA, the BCR constitutes a sufficient safeguard to establish that such entities provide an adequate level of protection to Personal Data as required under Applicable Law.
13.2 Supplier shall ensure that its third-party subcontractors authorized by Client to Process Client Personal Data provide an adequate level of protection for such Client Personal Data. For that purpose, Supplier shall: (i) ensure that any third-party subcontractor authorized to Process Client Personal Data outside the EEA or a country with an EU Adequacy Decision as per GDPR, Art. 45 shall comply with the obligations set out in appropriate standard contractual clauses for the transfer of Personal Data as set forth by the European Commission (or any competent authority) (in particular the European Commission’s standard contractual clauses pursuant to decision 2021/914 of 4 June 2021) with Client or with Supplier in accordance with the mandate granted above; or (ii) implement alternative means to the Standard Contractual Clauses in order to ensure an adequate level of protection of Client Personal Data if acknowledged as appropriate by the competent European or local authorities.

14. Security and Confidentiality Measures

14.1 Client acknowledges that: (i) the technical and organizational security measures defined and applied by Supplier are based on the Instructions and information it has received from Client, which are used to assess and evaluate, with Client, the risks associated with the Processing of Client Personal Data and (ii) it has reviewed the technical and organizational security measures set forth in Schedule A (Information Security Requirements) and deems them adequate, taking into consideration the risks of the Processing, and the defined purpose of the Processing.
14.2 Client agrees that, in the event that it modifies its Processing Instructions in accordance with the provisions of Section 5 of this DPA, the technical and organizational security measures initially defined and implemented may no longer be adequate to the risks of the Processing and the defined purposes of the Processing. In such case, Client agrees that such technical and organizational security measures may need to be amended and that such changes may have an impact on the delivery of the Services and the terms of the Agreement, including, notably, the financial provisions.
14.3 Client shall inform Supplier in respect of any particular threats or vulnerabilities that it becomes aware of. Additionally, Client acknowledges that significant security threats and vulnerabilities may, from time to time, occur and be identified by Supplier. Where such threats and vulnerabilities result from or are connected to Client’s technical or operational decisions (e.g. initial security measures decided, systems implemented, etc.), Supplier shall, without undue delay, notify Client of said threat or vulnerability when it becomes aware of such threat or vulnerability. Supplier shall, where possible, recommend a course of action or remediation to suppress, mitigate or limit the impact of the threat or vulnerability and the Parties shall agree to any such changes under the change control procedures set forth in Section [X] of the Agreement. Client shall bear any costs related to Supplier’s efforts to mitigate threats or vulnerabilities resulting from Client’s actions.
15. Personal Data Breaches

15.1 In the event of a Personal Data Breach arising during the performance of the Services by Supplier, Supplier shall, without undue delay after having become aware of it, notify Client about the Personal Data Breach, and provide the following: (i) where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of data records concerned; (ii) where possible, the name and contact details of the relevant contact point where more information can be obtained; and (iii) where possible, a description of the likely consequences of the Personal Data Breach.
15.2 In case of a Personal Data Breach, Supplier shall:
(a) take, in coordination with Client, all relevant further actions as may be necessary to limit the effects of the Personal Data Breach;
(b) assist Client in order to define and implement all actions as may be required under Applicable Laws (including any notifications to competent data protection authorities);
(c) maintain a record of information relating to the Personal Data Breach, including, where possible, the results of its own investigations and/or authorities’ investigations; and
(d) cooperate with Client and take necessary measures to prevent such a Personal Data Breach from occurring again.
15.3 In the event of such a Personal Data Breach, both Parties shall treat any information regarding the Personal Data Breach with the highest degree of confidentiality and actively cooperate on any public communication and/or official notification to competent authorities.

16. Legal Requests for Access to Client Personal Data

16.1 In the event Supplier is requested or required under Applicable Laws or regulatory obligations to conduct certain Processing operations (including but not limited to disclosure to public authorities) relating to Client Personal Data, in a Third Country that does not provide a level of protection to personal data that is essentially equivalent to that provided for in the EEA, and in the context of mass surveillance or surveillance measures, Supplier hereby expressly undertakes to: (i) inform Client of such request or requirement as soon as possible (subject to compliance with legal provisions which may prevent it from informing Client) in order to obtain Client’s express and written consent to such Processing operations; (ii) oppose, where possible, such request or requirement (including, notably, by advising that Supplier does not own nor control the data it Processes on behalf of Client); or (iii) assist Client, if possible and at Client’s cost, in any action undertaken (if Client so decides) to oppose such Processing operations.

17. Audit Rights

17.1 Client may, once a year, and subject to prior written notice of at least four (4) weeks, conduct, or have an independent, duly appointed third party established on the market for its auditing functions conduct, an audit of Supplier’s Processing facilities in order to ensure Supplier’s compliance with the obligations set forth in this DPA. Any third party conducting an audit on Client’s behalf shall be bound by a strict obligation of confidentiality and shall not be a competitor of Supplier. Such audit shall not hinder or disrupt Supplier’s operations or business activities and shall only relate to that part of the relevant information technology infrastructure which processes Client’s Personal Data.

18. No Selling of Personal Data

18.1 Supplier acknowledges and confirms that it does not receive any Personal Data as consideration for any Services or other items that Supplier provides to Client. Client retains all rights and interests in its Personal Data. Supplier agrees to refrain from taking any action that would cause any transfers of Personal Data to or from Supplier to qualify as selling Personal Data under Applicable Laws.

Annex 1

GENERAL DESCRIPTION OF THE PROCESSING OF PERSONAL DATA CONDUCTED BY ATOS

Contact information

Atos affiliate: Unify Software and Solutions GmbH

Atos’ DPO
Name:
Mail: Dpo-global@atos.net
Tel:

Service description

Please describe in a few words the services or products provided by Atos to the Client. Please, specify:

Unify Phone Service


Processing activities

Purpose of the Processing

Please describe the operation or set of operations which is performed on personal data:

Unify as Data Processor will Process Personal Data as required to deliver the Unify Phone Service functionality in accordance with the Agreement and this DPA.

Categories of Processing activities* (see definition list below):

Collection
Consultation
Storage
Media Handling (e.g. shipping of tapes or optical media)
Organization
Disclosure
Structuring
Making Available
Recording
Alignment/Combination/Matching
Adaptation
Restriction of use or access
Retrieval
Erasure or destruction
Remote Access
Use
Profiling
Big Data Analytics

Other (please, specify):


Location of the Data Subjects

European Union
Non-European Union

Please specify (non-EU):

US, UK, Australia, Switzerland

Categories of Personal Data processed

Identification Data
Connection Data
Personal life
Location Data
Professional life
Account profile

Other (please, specify):


Categories of sensitive Personal Data processed

No sensitive Personal Data
Social Security Number or National Identification Number
Trade-Union Affiliation
Biometric Data
Health Information
Genetic Data
Sexual Preferences
Banking and financial data
Criminal offences and sanctions
Racial or ethnic data
Philosophical, Political or Religious Beliefs
Telephone intercepts

Categories of Data Subjects

Employees of the client
End-Users
Customers of the client
Members
Providers
Visitors

Other (please, specify):

For external calling parties only the phone numbers are kept in the call logs.

Term of retention/deletion of Personal Data

Please, specify:

See Privacy Notice, Chapter 7.


Atos’s Data Protection practices

Atos’s guarantees regarding the Processing of Personal Data

Data Protection/Privacy Policy/Binding Corporate Rules
Reference: https://atos.net/content/dam/global/documents/atos-binding-corporate-rules.pdf

Information Security Policy
Reference: https://atos.net/wp-content/uploads/2021/04/atos-data-protection-statement.pdf

Policy regarding encryption of Personal Data
Reference: https://atos.net/wp-content/uploads/2021/04/atos-data-protection-statement.pdf

Data access management and control rules
Reference: https://atos.net/wp-content/uploads/2021/04/atos-data-protection-statement.pdf

Security standard certifications (e.g. ISO 27001)

Atos is certified according to:

• DIN EN ISO 9001:2015 (Quality Management);
• ISO/IEC 27001:2013 (Information Security Management);
• ISO/IEC 20000-1:2011 (IT Service Management);
• ISO/IEC 14001:2015 (Environmental Management)

Data Subject’s exercise rights process:
Reference: Exercise your rights regarding your Personal Data – Atos

Regular training of employees on Data Protection:

Atos has developed a Global Training Program which aims at providing general training to all Employees and specific training to Employees who have permanent or regular access to Personal Data. For more information refer to the Atos BCR.


Location of Atos Processing activities (Atos’s affiliates)

Name | Address | Country | Service Description
Atos IT Solutions and Services EOOD | 2 Maria Luiza Blvd., TZUM Building floor 4, 1000 Sofia, Bulgaria | Bulgaria | Technical Support Services
Atos IT Solutions and Services Srl. | Calea Floreasca nr. 169A, Et. 2, Sector 1, 014459 Bucureşti, Romania | Romania | Technical Support Services
Unify Communications S.A. | Paseo Doce Estrellas, 2, CP 28042 Madrid, Spain | Spain | Technical Support Services
Unify Communications and Collaboration GmbH & Co. KG | Otto-Hahn-Ring 6, 81739 München, Germany | Germany | Technical Support Services
Unify Enterprise Communications A.E. | 455 Irakliou Ave, Iraklio, 14122 Athens, Greece | Greece | Technical Support Services
Atos IT&Telecommunications Services SA | 455 Irakliou Ave, Iraklio, 14122 Athens, Greece | Greece | Technical Support Services
Unify – Soluções em Tecnologia da Informação Ltda | Rua Werner Siemens, 111, Prédio 20, 05069-010 Lapa, São Paulo, SP, Brazil | Brazil | Technical Support Services
Atos India Private Limited | 10th Floor, Tower-B, Hcc-247 Park, Lal Bahadur Shastri Marg, Vikhroli (W), Mumbai 400083, Maharashtra, India | India | Technical Support Services

Does Atos use one or several external subcontractors?
YES / NO

List of Atos external subcontractors involved in the project

If yes, provide the information below of Atos external subcontractors:

Name | Address | Country | Service Description
Google Ireland Limited | Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland | Ireland | Data Center Services
MongoDB, Inc. | 1633 Broadway, 38th Floor, New York, NY 10019, United States | USA | Managed Database Service


Safeguards implemented if Atos’s affiliates or subcontractors are located outside the EU or if Personal Data is available from outside the EU

Country recognized as providing an adequate level of protection by the EU Commission
European Commission’s Standard Contractual Clauses
Specific (ad-hoc) data transfer agreement, requiring a high level of protection, duly validated by competent authorities
Atos’s validated Binding Corporate Rules
Atos’s adhesion to a validated code of conduct

Atos shall specify which measure it uses to frame the transfer of personal data to its subcontractors.

Please, specify:


* CATEGORIES OF PROCESSING ACTIVITIES
Term Definition
Adaptation Providing services that transform existing data into a form more suitable for a particular purpose, for instance by removing data that is not required for that purpose or by making it accessible via a different means.
Alignment / Combination / Matching Providing services that process two or more customer data sets in order to either (a) validate or update one or more of them, or (b) create a further data set.
Big Data Analytics Providing the means for analyzing big data (big data is a massive amount of data sets that cannot be stored, processed, or analyzed using traditional tools). Big Data Analytics allows the accumulation and/or interrogation of large data sets for the purpose of deriving novel insights or new data sets.

For example, a process used to extract meaningful insights, such as hidden patterns, unknown correlations, market trends, and customer preferences.

Collection Providing services that can directly obtain data, such as: providing a website that receives applications, processing written data, or contacting individuals to obtain data.
Consultation Providing services that require reference to existing customer data sets in order to answer queries on behalf of the customer.
Disclosure Providing services that copy or transmit customer data to an authorized third party for its own use (for example a tax authority or a regulator).
Erasure or destruction Providing services that permanently delete data so that it can never be recovered – either by securely wiping/overwriting it or by physically destroying the media that it is stored on.
Making available Providing services that facilitate access to personal data, such as an internet or intranet service that provides user access to permitted data.
Media handling Providing services that organize, store or transport media that contain customer’s data.
Organization Providing services improving data quality or accessibility, for example by bringing data together in one place or removing duplication.
Profiling of individuals Providing services that analyze personal data from one or more sources leading to evaluation of certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. In other words, it identifies characteristics of identifiable individuals and/or make decisions, such as marketing decisions, that may subsequently have an impact on particular individuals (e.g. types of marketing they are sent or types of services they are offered).
Recording Providing services that result in the storage of audio or video recordings., or creating data based on manual or automated observation to reproduce a scene. (e.g. electronic recording of voice or taking exact notes of a conversation)
Remote access Providing the ability for an authorized person to access a computer or a network from a geographical distance through a network connection. It enables users to connect to the systems they need when they are physically far away.
Restriction of use or access Providing services that allow specific data to be quarantined for example to meet legal obligations to restrict processing or to maintain evidential integrity of data for legal / regulatory purposes.
Retrieval Providing services that process requests for finding personal data in, for example from archives or database. Retrieval is the operation of accessing data, either from memory or from a storage device.
Use „Use“ is non-specific and covers a multitude of other processing categories as listed here. Please only refer back to this term if the processing comprises all other categories except profiling, combination and Big Data Analytics. Data in use is data that is currently being updated, processed, erased, accessed or read by a system. This type of data is not being passively stored, but is instead actively moving through parts of an IT infrastructure
Storage Providing services that offer the means for storing (i.e. kept for actual or possible further use) customer data, such as cloud storage, backup or archiving.
Structuring Providing services that help to arrange data in a way that makes information more accessible and easier to use for its intended purpose.

Annex 2 INFORMATION SECURITY REQUIREMENTS

TECHNICAL AND ORGANIZATIONAL MEASURES

TOMs

Technical and organizational measures are implemented according to the Global Data Protection Statement.

Confidentiality

Physical Access Control

The goal of physical access control is to deny unauthorized persons access to those data Processing systems that process or use Personal Data.

YES/NO
Atos implements controls designed to stop unauthorized individuals from accessing data Processing systems YES
Atos uses a partitioning of Data Centre rooms N/A
Atos uses a video surveillance and intrusion detection systems in order to monitor access to data Processing systems N/A
Atos has policies ensuring physical access control YES

Logical Access Control

The goal of logical access control is to prevent unauthorized persons from using data Processing systems that process and use Personal Data.

YES/NO
Atos ensures that data Processing systems are accessed by means of authorization and authentication in all systems YES
Atos assigns passwords to authorized persons YES
Atos assigns a company ID to authorized persons YES
Atos ensures that role-based rights are tied to access ID YES
Atos uses encryption of data storage devices while in transit YES
Atos ensures use of firewalls and antivirus software including regular security updates and patches YES
Atos has policies ensuring logical access control YES

Application Access Control

Application access control measures prevent unauthorized Processing and activities (e.g. unauthorized reading, copying, modification or removal) in data Processing systems by persons without the required level of authorization.

YES/NO
Atos ensures the system-wide authentication of all users and data terminals including access regulations and user authorizations YES
Atos implements a role-based authorization concept YES
Atos ensures that access authorization is always based on the principle of restrictive allocation of rights YES
Atos implements a program-related authorization concept YES
Atos ensures that shared systems have client separation/separate data pool YES
Atos has a clear desk policy in place YES
Atos ensures that data storage devices in all mobile systems are encrypted while in transit YES
Atos uses firewalls and antivirus software including regular security updates and patches YES
Atos carries out a regular review of all existing privileged accounts YES

Separation Control

The goal of separation control is to ensure that data collected for different purposes can be processed separately.

YES/NO
To the extent that there are no dedicated systems in use for exactly one customer, Atos ensures that the employed systems are multi-tenant capable YES
Development and quality assurance systems are completely separate from productive systems in order to ensure productive operation YES
Atos ensures that customer systems are only accessed by authorized persons from a secured administration network YES

Pseudonymization

The objective of the pseudonymization regulation and control is that the Processing of Personal Data is carried out in such a way that the data can no longer be attributed to a specific Data Subject without additional information, provided that this additional information is kept separately and falls under the corresponding technical and organizational measures.

YES/NO
Atos uses anonymized identifiers, which can only be resolved using a separate database NO
Atos uses server identifiers, which conceal conclusions on the function NO
System hardening requirements include a strict prohibition on login banners with information about the type and version of the software used on the systems operated by Atos NO

Encryption measures

The aim of the measures for the encryption of Personal Data is to protect the contents of databases from unauthorized access and alteration.

YES/NO
Atos can ensure encryption of Personal Data following the given instruction from the controller NO
Atos uses point-to-point or end-to-end SSL-encrypted data transfer between systems YES
Atos ensures application-driven encryption of the data before transfer to databases YES
Atos ensures encryption of DB backups YES
Atos implements e-mail encryption N/A

Schrems II Security measures for personal data subject to EU GDPR

The aim of the measures for the encryption of Personal Data is to protect the contents of databases from unauthorized access and alteration in countries which do not ensure an adequate level of protection regarding mass surveillance laws and surveillance measures.

YES/NO
Atos ensures that the level of encryption and/or pseudonymization is adequate compared to the risk level in the country of importation as per the assessment conducted before the transfer. YES
Atos ensures after encryption that the cryptographic keys remain either in the country of exportation, the European Union or in a third country recognized as providing a level of protection essentially equivalent to that guaranteed in the EU regarding mass surveillance laws and surveillance measures. YES
Atos ensures that, in the case of transfers of personal data to the third countries mentioned above, the importer does not have access to the personal data in unencrypted form. YES
Atos ensures that subject to request from Atos it will provide documented proof that cryptographic keys are located as per Atos’ requirements. YES

Integrity

Transmission control

The goal of transmission control is to ensure that Personal Data cannot be read, copied, modified, altered or removed while being transmitted, transported or saved to a data storage medium, and that it can be checked and asserted where the transmission of Personal Data through transmission systems is intended.

YES/NO
Atos supports standard secure transmission types such as network-based encryption (server to server or server to client and/or to suppliers) and encrypted connection tunneling YES
Atos uses SSL certificates for websites (https://) to transfer data within forms YES
Atos has a policy for mobile devices YES
Atos implements disposal of data storage devices in a manner compatible with data protection regulations N/A
Atos has a clear desk policy in place YES
Atos uses encryption of data storage media while in transit (including notebook hard drives) YES

Input Control

The goal of input control is to facilitate the subsequent checking and verification of whether Personal Data has been entered into, changed within or deleted from data Processing systems and, if so, by whom.

YES/NO
Atos has implemented access regulations and user authorizations that enable the identification of all users and data terminals in the system YES
All monitoring and logging measures are adapted to the state of the art and the criticality of the data to be protected and carried out in the associated economic framework YES

Availability and resilience

Availability control

The goal of availability control is to ensure that Personal Data is protected from accidental destruction, damage or loss.

YES/NO
Atos ensures that Personal Data is stored at a minimum in systems which are protected against hardware-related data loss YES
Atos ensures that Personal Data is stored in secure and redundant systems up to a spatially separate area, in order to ensure a short recovery time and a high overall availability YES
Atos implements storage systems, in combination with appropriate software components, which are equipped with a technology that enables defined data from certain points of time to be recovered YES
Atos carries out the data backups on a regular basis according to existing service agreements YES
Atos ensures that the systems are powered without interruption YES

Resilience / rapid recovery

This measure ensures that Personal Data can be quickly recovered in the event of a physical or technical incident through an emergency management plan and regular recovery testing (at minimum annually).

YES/NO
Atos ensures that emergency planning / crisis planning in connection with emergency and restart plans for the data centers is available YES
Emergency plans are subject to a regular and continuous audit and improvement process YES

Other measures

Privacy by Design and Privacy by Default

YES/NO
Atos ensures that Data Protection is taken into account at the earliest possible date by data protection-friendly presets in order to prevent unlawful Processing or the misuse of data. YES
Atos minimizes the amount of Personal Data and ensures limitation of use YES
Atos pseudonymizes or encrypts data as early as possible YES
Atos creates transparency with regard to procedures and Processing of data YES
Atos anonymizes data as early as possible YES
Atos minimizes access to data YES
Atos presets existing configuration options to the most privacy-friendly values YES
Atos documents the assessment of the risks to the persons concerned YES