Data Protection Addendum Addressing Article 28 GDPR
For Cloud Services and Related Professional Services
Between Customer
and
Unify Software and Solutions GmbH & Co. KG ("Unify" or "Processor")
Preamble
This Data Protection Addendum ("DPA") forms part of the Terms of Service (Production) for the Unify Phone Service (hereinafter "Customer Agreement" or "Agreement") concluded by Customer with Unify Software and Solutions GmbH & Co. KG, Otto Hahn Ring 6, 81379 Munich, Germany, by "Click and Accept" when registering for the cloud service.
Customer and Unify shall individually be referred to as a "Party" and jointly as the "Parties".
This DPA to the Agreement describes the Parties' obligations regarding the Processing of Personal Data by Unify on behalf of Customer for the purpose of performing the Services set forth in the Agreement. Both Parties shall act in accordance with applicable data protection principles and with legal and contractual requirements.
1. Definitions
1.1 Capitalized terms not otherwise defined herein shall have the meaning given to them in the Customer Agreement. Except as modified or supplemented below, the definitions of the Customer Agreement shall remain in full force and effect. For the purpose of interpreting this DPA, the following terms shall have the meanings set out below:

| Term | Meaning |
| --- | --- |
| (a) "Applicable Laws" | all current and future laws and regulations (as may be amended or updated from time to time) applicable to the Processing of Personal Data under the Agreement, including the laws of the European Union or any Member State (including, but not limited to, the GDPR), the United Kingdom, or any other applicable laws of any other country, province, state or jurisdiction to which the Processing of the Personal Data is subject. |
| (b) "Data Controller" (or Controller) | the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the scope, purposes and means of the Processing of Personal Data. |
| (c) "Data Processor" (or Processor) | a natural or legal person, public authority, agency or any other body which Processes Personal Data on behalf of the Data Controller and in accordance with the written instructions of the Controller. |
| (d) "GDPR" or "General Data Protection Regulation" | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 "on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC", as may be amended from time to time. |
| (e) "UK GDPR" | as defined in section 3 of the UK Data Protection Act 2018. |
| (f) "Processing" (or any cognate term) | any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| (g) "Personal Data" | any information relating to an identified or identifiable natural person (a "Data Subject") that is Processed by Unify on behalf of Customer pursuant to or in connection with the Agreement. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as (but not limited to) a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |
| (h) "Personal Data Breach" | any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data which Unify Processes on behalf of Customer in connection with the Agreement. |
| (i) "Sub-Processor" or "Subcontractor" | a third party engaged by a Data Processor which has, or potentially will have, access to or Processes the Customer Personal Data. |
| (j) "Third Country" | any country or jurisdiction outside the country of origin or the European Economic Area ("EEA"). |
2. Roles and Obligations of the Parties
2.1 For the purpose of Processing Personal Data, both Parties acknowledge and recognize being bound by the duties and the obligations of the Applicable Laws and the following subsequent conditions.
2.2 The purpose of this DPA is to frame the Processing of Personal Data in connection with the terms of the Customer Agreement, regardless of the country of origin, place of Processing, location of Data Subjects, or any other factor.
2.3 The Parties expressly agree that (i) Customer is the Data Controller for the Personal Data Processed for the purpose of the provision of the Services under the Customer Agreement and (ii) Unify is the Data Processor in the event it Processes any Personal Data on behalf of and under the written instructions of Customer when performing the Services.
3. Guarantees regarding Customer’s Processing
3.1. The Customer shall, as Data Controller, ensure that any Personal Data processed by Unify on its behalf is processed in accordance with the Applicable Laws and that it meets its own obligations in relation to the Processing of the Personal Data.
4. Exchange of Business Data and Communication Between the Parties
4.1 In the context of the performance of the Agreement, the Parties may be required, for the purpose of communication, to exchange the following information:
- personal information: first name, last name;
- communications data: telephone, email, postal mail; and/or
- other: Personal Data to which one Party provides access to the other for the purpose of communication between the Parties.
4.2 Both Parties undertake that each Party shall act as an independent Data Controller in order to process the above-mentioned Personal Data for their own means and purposes. Therefore, the Parties shall comply with the obligations of a Data Controller, as required by the Applicable Laws, in order to protect and secure the aforementioned Personal Data.
5. Customer’s Processing Instructions
As Data Controller, Customer shall issue instructions to Unify as a prerequisite for Unify's Processing of Customer's Personal Data. These instructions shall initially be determined by the Agreement and may thereafter be amended, supplemented or replaced by Customer, by way of individual instructions, in writing or in electronic (text) form addressed to the officer designated by Unify. Instructions not provided for in the Agreement shall be treated as a change request. Verbal instructions shall be confirmed without delay in writing or in text form.
6. Unify’s Obligations
6.1. Unify shall process Personal Data on behalf of Customer exclusively and only in accordance with the Instructions received from Customer as documented in Annex 1 to this DPA.
6.2. If Unify becomes aware that the instruction(s) it receives from Customer constitutes or may constitute an infringement of Applicable Laws, it shall immediately inform Customer in any written form of such actual or potential infringement.
6.3. Unify shall comply with any new lawful or revised Instructions provided by Customer. In case Customer’s Instructions are or may be in contradiction with Applicable Laws, Unify shall stop Processing, or the part of the Processing that is infringing the Applicable Law and notify Customer as such in order to obtain new, revised and lawful Instructions.
6.4. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Unify shall implement appropriate technical and organizational measures to ensure that Customer Personal Data are processed as per applicable legal data protection requirements as set forth in the Appendices of this DPA.
6.5. Unify confirms that its personnel in charge of processing Personal Data in the context of the Agreement are bound by an appropriate obligation of confidentiality regarding the Processing of Personal Data. Unify shall also ensure that its personnel in charge of Processing Personal Data in the context of the Agreement participate in mandatory training or e-learning regarding Privacy and Personal Data Protection.
7. Records of Processing Activities
Unify shall maintain a record of categories of Processing activities carried out on behalf of Customer regarding the Services provided under the Agreement, if required under Applicable Laws.
8. Data Subject Rights
8.1. Whilst Customer is responsible for determining the manner in which it responds to Data Subjects requests to exercise their rights under the Applicable Laws, Unify shall, in accordance with the Applicable Laws and taking into account the nature of the Processing, assist Customer by appropriate processes to support Customer in the fulfilment of the obligation to respond to Data Subjects’ requests including notably:
8.1.1. promptly notify Customer if any Personal Data recipient receives a request that should have been directed to Customer from a Data Subject under any Applicable Law with respect to Personal Data;
8.1.2. ensure that the Personal Data recipient does not respond to that request, except on the documented instructions of Customer, where Customer and Unify have agreed that Unify shall undertake that role, or as required by the Applicable Laws to which the Personal Data recipient is subject, in which case Unify shall, to the extent permitted by Applicable Laws, inform Customer of that legal requirement before the Personal Data recipient responds to the request; and
8.1.3. comply with any documented instructions from Customer regarding response to a request to exercise rights of the Data Subjects under Applicable Laws.
8.1.4. In this respect, parties shall communicate Personal Data in a structured, commonly used and machine-readable format.
9. Interactions with Supervisory Authorities
9.1. Upon Customer’s request, Unify shall assist Customer with complying with its obligations towards any competent data protection authority where required, including:
9.1.1. providing information relating to a Processing where it is required to support a request for approval or authorization of a Processing;
9.1.2. providing information relating to a Processing in order to address any requests for information, controls or investigations; and/or
9.1.3. providing information in case of a Personal Data Breach as set out below in Section 15 of this DPA.
10. Security of Processing
10.1. Taking into account the state of the art, the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Unify shall, in accordance with Applicable Laws, assist Customer to comply with its obligation to define and implement adequate technical and organizational measures to ensure the security and confidentiality of the Personal Data Processed under this DPA.
11. Data Protection Impact Assessments
At the request of the Customer, Unify shall provide the Customer with information which is required in order to enable the Customer to meet its legal obligations such as completion of a data protection impact assessment or providing an evidence of the technical and organizational measures taken to ensure data security.
12. Subcontracting
12.1 Unify is entitled to subcontract the Processing of Customer’s Personal Data in whole or in part to other companies of the Atos Group or to third parties for the purpose to comply with its obligations under the Agreement. Unify shall always inform the Data Controller of any intended changes with regard to the involvement or replacement of other Data Processors, giving the Data Controller the opportunity to object to such changes, which may not be refused without good cause under the Applicable Laws. If the Customer does not object within a period of 10 (ten) working days, the consent shall be deemed granted. If there is an important reason under Applicable Laws and if a mutually agreeable solution cannot be found between the Parties, the Customer shall be entitled to a special right of termination.
12.2 If Unify engages subcontractors for the Processing, it shall be obliged to transfer its data protection obligations under this Agreement to the subcontractor by means of corresponding agreements (contracts, binding internal data protection instructions, codes of conduct, etc.).
12.3 If such Processing includes a transfer of Customer Personal Data outside the EEA, the provisions set out in Section 13 below of this DPA shall apply.
12.4 The list of approved subcontractors of Unify in relation to the contractually agreed performance of Services is contained in Annex 1 to this DPA.
13. Transfers of Customer Personal Data to Third Countries
13.1. Unify and its affiliates are bound by the Binding Corporate Rules of the Atos Group (“BCR”), as approved by authorized agencies and set forth at: https://atos.net/content/dam/global/documents/atos-binding-corporate-rules.pdf. Customer acknowledges that, in the event that Unify transfers Customer Personal Data to any Unify affiliate located outside the EEA, the BCR constitutes a sufficient safeguard to establish that such entities provide an adequate level of protection to Personal Data as required under Applicable Law.
13.2. Unify shall ensure that its third-party subcontractors authorized by Customer to Process Customer Personal Data provide an adequate level of protection for such Customer Personal Data. For that purpose, Unify shall: (i) ensure that any subcontractor authorized to Process Customer Personal Data outside the EEA shall comply with the obligations set out in appropriate standard contractual clauses for the transfer of Personal Data as set forth by the European Commission (or any competent authority) (in particular the European Commission’s standard contractual clauses pursuant to Regulation (EU) 2016/679); or (ii) implement alternative means to the Standard Contractual Clauses in order to ensure an adequate level of protection of Customer Personal Data if acknowledged as appropriate by the competent European or local authorities.
14. Security and Confidentiality Measures
14.1. Customer acknowledges that: (i) the technical and organizational security measures defined and applied by Unify are based on the Instructions and information it has received from Customer, which are used to assess and evaluate, with Customer, the risks associated with the Processing of Customer Personal Data and (ii) it has reviewed the technical and organizational security measures set forth in Annex 2 (Information Security Requirements) and deems them adequate, taking into consideration the risks of the Processing, and the defined purpose of the Processing.
14.2. Customer agrees that, in the event that it modifies its Processing Instructions in accordance with the provisions of Section 5 of this DPA, the technical and organizational security measures initially defined and implemented may no longer be adequate to the risks of the Processing and the defined purposes of the Processing. In such case, Customer agrees that such technical and organizational security measures may need to be amended and that such changes may have an impact on the delivery of the Services and the terms of the Agreement, including, notably, the financial provisions.
14.3. Customer shall inform Unify in respect of any particular threats or vulnerabilities that it becomes aware of. Additionally, Customer acknowledges that significant security threats and vulnerabilities may, from time to time, occur and be identified by Unify. Where such threats and vulnerabilities result from or are connected to Customer’s technical or operational decisions (e.g. initial security measures decided, systems implemented, etc.), Unify shall, without undue delay, notify Customer of said threat or vulnerability when it becomes aware of such threat or vulnerability. Unify shall, where possible, recommend a course of action or remediation to suppress, mitigate or limit the impact of the threat or vulnerability and the Parties shall agree to any such changes under the conditions set forth in Section 5 above. Customer shall bear any costs related to Unify’s efforts to mitigate threats or vulnerabilities resulting from Customer’s actions.
15. Personal Data Breaches
Unify shall notify the Customer without undue delay if it becomes aware of any Personal Data Breach concerning the Customer’s Personal Data. Unify shall take the necessary measures to secure the Personal Data and to mitigate any possible adverse consequences for the data subjects and shall coordinate this with the Customer without undue delay.
16. Legal Requests for Access to Customer Personal Data
16.1. In the event Unify is requested or required under Applicable Laws or regulatory obligations to conduct certain Processing operations (including but not limited to disclosure to public authorities) relating to Customer Personal Data, in a Third-country that does not provide a level of protection to personal data that is essentially equivalent to that provided for in the EEA, and in the context of mass surveillance or surveillance measures Unify hereby expressly undertakes to: (i) inform Customer of such request or requirement as soon as possible (subject to compliance with legal provisions which may prevent it from informing Customer) in order to obtain Customer’s express and written consent to such Processing operations; (ii) oppose, where possible, such request or requirement (including, notably, by advising that Unify does not own nor control the data it Processes on behalf of Customer); or (iii) assist Customer, if possible and at Customer’s cost, in any action undertaken (if Customer so decides) to oppose such Processing operations.
17. Audit Rights
17.1. Customer may, once a year and subject to at least four (4) weeks' prior written notice, conduct an audit of Unify's Processing facilities, or have such an audit conducted by an independent, duly appointed third party established on the market for its auditing functions, in order to verify Unify's compliance with the obligations set forth in this DPA. Any third party conducting an audit on Customer's behalf shall be bound by a strict obligation of confidentiality and shall not be a competitor of Unify. Such audit shall not hinder or disrupt Unify's operations or business activities and shall relate only to that part of the information technology infrastructure which Processes Customer's Personal Data.
17.2. In addition to the annual audit right under 17.1 the Customer shall be entitled to perform additional audits in case of a Personal Data Breach; based on an order of a competent Data Protection Authority, or amendments in the applicable data protection legislation.
17.3 The party conducting the data protection audit shall bear its own audit costs.
18. No Selling of Personal Data
18.1. Unify acknowledges and confirms that it does not receive any Personal Data as consideration for any Services or other items that Unify provides to Customer. Customer retains all rights and interests in its Personal Data. Unify agrees to refrain from taking any action that would cause any transfers of Personal Data to or from Unify to qualify as selling Personal Data under Applicable Laws.
Annex 1
General Description Of The Processing Of Personal Data Conducted By Data Processor

Contact information

| Atos affiliates | |
| --- | --- |
| The Atos DPO | Name: |
| | E-mail: dp.it-solutions@atos.net |
| | Tel.: |

Service description

| Field | Entry |
| --- | --- |
| Services or products provided by Unify/Atos to the Customer (please describe in a few words) | Cloud Service Unify Phone |

Processing activities

| Field | Entry |
| --- | --- |
| Purpose of the Processing (the operation or set of operations performed on Personal Data) | Provision of the Cloud Service Unify Phone incl. Support. |
| Categories of Processing activities* (see definition list below) | Other (please specify): |
| Location of the Data Subjects | Please specify (non-EU): |
| Categories of Personal Data processed | Other (please specify): |
| Categories of sensitive Personal Data processed | The Cloud Service is not meant to process sensitive data; it is Customer's decision whether to include such data as content. |
| Categories of Data Subjects | Other (please specify): |
| Term of retention/deletion of Personal Data | Please specify: |

Atos's Data Protection practices

| Field | Entry |
| --- | --- |
| Atos's guarantees regarding the Processing of Personal Data | |
| Location of Atos Processing activities (Atos's affiliates) | |
| Does Atos use one or several external subcontractors? | |
| List of Atos external subcontractors involved in the project | |
| Safeguards implemented if Atos's affiliates or subcontractors are located outside the EU, or if Personal Data is accessible from outside the EU (Atos shall specify which measure it uses to frame the transfer of Personal Data to its subcontractors) | Please specify: |
* Categories Of Processing Activities

| Term | Definition |
| --- | --- |
| Adaptation | Providing services that transform existing data into a form more suitable for a particular purpose, for instance by removing data that is not required for that purpose or by making it accessible via a different means. |
| Alignment / Combination / Matching | Providing services that process two or more customer data sets in order to either (a) validate or update one or more of them, or (b) create a further data set. |
| Big Data Analytics | Providing the means for analyzing big data (massive data sets that cannot be stored, processed or analyzed using traditional tools). Big Data Analytics allows the accumulation and/or interrogation of large data sets for the purpose of deriving novel insights or new data sets, for example a process used to extract hidden patterns, unknown correlations, market trends and customer preferences. |
| Collection | Providing services that directly obtain data, such as providing a website that receives applications, processing written data, or contacting individuals to obtain data. |
| Consultation | Providing services that require reference to existing customer data sets in order to answer queries on behalf of the customer. |
| Disclosure | Providing services that copy or transmit customer data to an authorized third party for its own use (for example a tax authority or a regulator). |
| Erasure or destruction | Providing services that permanently delete data so that it can never be recovered, either by securely wiping/overwriting it or by physically destroying the media it is stored on. |
| Making available | Providing services that facilitate access to personal data, such as an internet or intranet service that provides user access to permitted data. |
| Media handling | Providing services that organize, store or transport media containing customer data. |
| Organization | Providing services that improve data quality or accessibility, for example by bringing data together in one place or removing duplication. |
| Profiling of individuals | Providing services that analyze personal data from one or more sources in order to evaluate certain personal aspects of a natural person, in particular to analyze or predict aspects concerning that person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. In other words, it identifies characteristics of identifiable individuals and/or makes decisions, such as marketing decisions, that may subsequently affect particular individuals (e.g. the types of marketing they are sent or the types of services they are offered). |
| Recording | Providing services that result in the storage of audio or video recordings, or that create data based on manual or automated observation in order to reproduce a scene (e.g. electronic recording of voice or taking exact notes of a conversation). |
| Remote access | Providing the ability for an authorized person to access a computer or a network from a geographical distance through a network connection, enabling users to connect to the systems they need when they are physically far away. |
| Restriction of use or access | Providing services that allow specific data to be quarantined, for example to meet legal obligations to restrict processing or to maintain the evidential integrity of data for legal/regulatory purposes. |
| Retrieval | Providing services that process requests for finding personal data, for example in archives or databases. Retrieval is the operation of accessing data, either from memory or from a storage device. |
| Use | "Use" is non-specific and covers a multitude of the other processing categories listed here. Refer to this term only if the processing comprises all other categories except Profiling, Alignment/Combination/Matching and Big Data Analytics. Data in use is data that is currently being updated, processed, erased, accessed or read by a system; it is not passively stored but actively moving through parts of an IT infrastructure. |
| Storage | Providing services that offer the means for storing customer data (i.e. keeping it for actual or possible further use), such as cloud storage, backup or archiving. |
| Structuring | Providing services that help to arrange data in a way that makes information more accessible and easier to use for its intended purpose. |
Annex 2
Information Security Requirements
Technical And Organizational Measures
Technical and organizational measures (TOMs) are implemented according to the Global Data Protection Statement.
Notes
- These TOMs apply to the Processing of Personal Data by Atos for the technical support of the Cloud Services resold under this Agreement.
- Measures marked N/A are out of scope for the technical support services delivered by Atos.
- Measures marked No*) are technically not possible for Cloud Services.
Confidentiality
Physical Access Control
The goal of physical access control is to deny unauthorized persons access to those data Processing systems that process or use Personal Data. |
YES/NO |
Atos implements controls designed to stop unauthorized individuals to access to data Processing systems | YES |
Atos uses a partitioning of Data Centre rooms | N/A |
Atos uses a video surveillance and intrusion detection systems in order to monitor access to data Processing systems | N/A |
Atos has policies ensuring physical access control | YES |
Logical Access Control
The goal of logical access control is to prevent unauthorized persons from using data Processing systems that process and use Personal Data. |
YES/NO |
Atos ensures that data Processing systems are accessed by means of authorization and authentication in all systems | YES |
Atos assigns passwords to authorized persons | YES |
Atos assigns a company ID to authorized persons | YES |
Atos ensures that role-based rights are tied to access ID | YES |
Atos uses encryption of data storage devices while in transit | YES |
Atos ensures use of firewalls and antivirus software including regular security updates and patches | YES |
Atos has policies ensuring logical access control | YES |
Application Access Control
Application access control measures prevent unauthorized Processing and activities (e.g. unauthorized reading, copying, modification or removal) in data Processing systems by persons without the required level of authorization. |
YES/NO |
Atos ensures the system-wide authentication of all users and data terminals including access regulations and user authorizations | YES |
Atos implements a program-related authorization concept | YES |
Atos ensures that access authorization is always based on the principle of restrictive allocation of rights | YES |
Atos implements a program-related authorization concept | YES |
Atos ensures that shared systems have client separation/separate data pool | YES |
Atos has a clear desk policy in place | YES |
Atos ensures that data storage devices in all mobile systems are encrypted while in transit | YES |
Atos uses the firewalls and antivirus software including regular security updates and patches | YES |
Atos carries out a regular review of all existing privileged accounts | YES |
Separation Control
The goal of separation control is to ensure that data collected for different purposes can be processed separately. |
YES/NO |
To the extent that there are no dedicated systems in use for exactly one customer, Atos ensures that the employed systems are multi-tenant capable | YES |
Development and quality assurance systems are completely separate from productive systems in order to ensure productive operation | YES |
Atos ensures that customer systems are only accessed by authorized persons from a secured administration network. | YES |
Pseudonymization
The objective of the pseudonymization regulation and control is that the Processing of Personal Data is carried out in such a way that the data can no longer be attributed to a specific Data Subject without additional information, provided that this additional information is kept separately and fall under the corresponding technical and organizational measures. |
YES/NO |
Atos uses anonymized identifiers, which can only be resolved using a separate database | NO |
Atos uses server identifiers, which conceal conclusions on the function | NO |
System hardening requirements include a strict prohibition on login banners with information about the type and version of the software used on the systems operated by Atos | NO |
Encryption measures
The aim of the measures for the encryption of Personal Data is to protect the contents of databases from unauthorized access and alteration. |
YES/NO |
Atos can ensure encryption of Personal Data following the given instruction from the controller | NO |
Atos uses point-to-point or end-to-end SSL-encrypted data transfer between systems | YES |
Atos ensures application-driven encryption of the data before transfer to databases | YES |
Atos ensures encryption of DB backups | YES |
Atos implements e-mail encryption | N/A |
Schrems II Security measures for personal data subject to EU GDPR
The aim of the measures for the encryption of Personal Data is to protect the contents of databases from unauthorized access and alteration in countries which do not ensure an adequate level of protection regarding mass surveillance laws and surveillance measures.. |
YES/NO |
Atos ensures that the level of encryption and/or pseudonymization is adequate compared to the risk level in the country of importation as per the assessment conducted before the transfer. | YES |
Atos ensures after encryption that the cryptographic keys remain either in the country of exportation, the European Union or in a third country recognized as providing a level of protection essentially equivalent to that guaranteed in the EU regarding mass surveillance laws and surveillance measures. | YES |
Atos ensures in case of transfers of personal data to third countries mentioned above, the importer must not have access to the personal data unencrypted. | YES |
Atos ensures that subject to request from Atos it will provide documented proof that cryptographic keys are located as per Atos’ requirements. | YES |
Integrity
Transmission control
The goal of transmission control is to ensure that Personal Data cannot be read, copied, modified, altered or removed while being transmitted, transported or saved to a data storage medium, and that it can be checked and asserted where the transmission of Personal Data through transmission systems is intended. | YES/NO |
Atos supports standard secure transmission types such as network-based encryption (server to server or server to client and/or to suppliers) and encrypted connection tunneling | YES |
Atos uses SSL certificate for websites (https://) to transfer data within forms | YES |
Atos has policy for mobile devices | YES |
Atos implements disposal of data storage devices in a manner compatible with data protection regulations | N/A |
Atos has clear desk policy in place | YES |
Atos uses encryption of data storage media while in transit (including notebook hard drives) | YES |
Input Control
Measures that are suited for facilitating the belated checking and asserting of whether Personal Data has been entered into, changed within or deleted from data Processing systems and, if so, by whom. | YES/NO |
Atos has implemented access regulations and user authorizations that enable the identification of all users and data terminals in the system | YES |
All monitoring and logging measures are adapted to the state of the art and the criticality of the data to be protected and carried out in the associated economic framework | YES |
Availability and resilience
Availability control
The goal of availability control is to ensure that Personal Data is protected from accidental destruction, damage or loss. | YES/NO |
Atos ensures that Personal Data is stored at a minimum in systems which are protected against hardware-related data loss | YES |
Atos ensures that Personal Data is stored in secure and redundant systems up to a spatially separate area, in order to ensure a short recovery time and a high overall availability | YES |
Atos implements storage systems, in combination with appropriate software components, which are equipped with a technology that enables defined data from certain points of time to be recovered | YES |
Atos carries out the data backups on a regular basis according to existing service agreements | YES |
Atos ensures that the systems are powered without interruption | YES |
Resilience / rapid recovery
This measure ensures that Personal Data can be quickly recovered in the event of a physical or technical incident through an emergency management plan and regular recovery testing (at minimum annually). | YES/NO |
Atos ensures that emergency planning / crisis planning in connection with emergency and restart plans for the data centers is available | YES |
Emergency plans are subject to a regular and continuous audit and improvement process | YES |
Other measures
Privacy by Design and Privacy by Default | YES/NO |
Atos ensures that Data Protection is taken into account at the earliest possible date by data protection-friendly presets in order to prevent unlawful Processing or the misuse of data. | YES |
Atos minimizes the amount of Personal Data and ensures limitation of use | YES |
Atos pseudonymizes or encrypts data as early as possible | YES |
Atos creates transparency with regard to procedures and Processing of data | YES |
Atos anonymizes data as early as possible | YES |
Atos minimizes access to data | YES |
Atos presets existing configuration options to the most privacy-friendly values | YES |
Atos documents the assessment of the risks to the persons concerned. | YES |