CipherTrace – Data Processing Agreement
Last Updated: September 1, 2022
This Data Processing Agreement (the “DPA”) regulates the Processing of Personal Data subject to Privacy and Data Protection Law in the context of the agreement for the provision of CipherTrace Services (the “Agreement”) entered into between
(i) the Mastercard entity which is a party to the Agreement,
(ii) and if not already a Party to the Agreement, to the least extent necessary under EU Data Protection Law, Mastercard Europe SA, a Belgian private limited liability company, with Belgian enterprise number RPR 0448038446, whose registered office is at 198/A, Chaussée de Tervuren, 1410 Waterloo, Belgium
((i) and as applicable, (ii) referred to herein as “Mastercard”)
(iii) the applicable counterparty (the “Customer”).
Mastercard and Customer are hereinafter collectively referred to as “the Parties” or each individually as a “Party”.
(A) Mastercard and Customer have entered into the Agreement which involves Processing of Personal Data.
(B) The Parties have agreed to enter into this DPA to govern such Processing of Personal Data.
NOW, THEREFORE, the Parties agree as follows:
- This DPA regulates the Processing of Personal Data in the context of the Services.
- This DPA is incorporated into and forms part of the Agreement. Except as modified below, the terms of the Agreement remain in full force and effect. Exhibits 1, 2, 3, and 4 form an integral part of this DPA.
- For the purposes of this DPA only, and except where indicated otherwise, the term “Mastercard” and “Customer” shall include Mastercard’s and Customer’s respective Affiliates insofar as they are a party to the Agreement and/or any collateral thereto.
- The Parties agree that the terms as set out below supersede and replace any existing privacy and data protection terms contained in the Agreement pertaining to the Processing of Personal Data. To the extent of a direct conflict between the terms of the Agreement (or a collateral contract to the Agreement) and this DPA, the terms of this DPA shall govern and control.
1.1. The terms “Controller,” “Data Subject,” “Personal Data Breach,” “Processing/Process,” “Processor,” and “Supervisory Authority” shall have the meanings given to them under EU Data Protection Law.
1.2. The terms “Business,” “Sell” and “Service Provider” shall have the meanings given to them under the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 to 1798.199) and its implementing regulations (“CCPA”), as amended including by the California Privacy Rights Act (“CPRA”).
1.3. “Affiliate” means in relation to a Party, any other entity which directly or indirectly Controls, is Controlled by, or is under direct or indirect common Control with that Party from time to time. “Control”, for the purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.4. “Data Protection Rights” means all rights granted to Data Subjects under Privacy and Data Protection Law, which may include – depending on applicable law – the right to know, the right of access, rectification, erasure, complaint, data portability, restriction of Processing, objection to the Processing, and rights relating to automated decision-making and indemnification against misuse of Personal Data.
1.5. “EU Data Protection Law” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementations in the European Economic Area (“EEA”), including the European Union (“EU”), and all other data protection laws of the EEA, the United Kingdom (“UK”), Monaco, and Switzerland, each as applicable, and as may be amended or replaced from time to time.
1.6. “Mastercard BCRs” means the Mastercard Binding Corporate Rules as approved by the data protection authorities and available at https://www.mastercard.us/content/dam/mccom/global/documents/mastercard-bcrs.pdf.
1.7. “Personal Data” shall be interpreted consistent with the applicable Privacy and Data Protection Law, and includes at a minimum “Personal Data” as that term is defined under EU Data Protection Law and “Personal Information” as that term is defined under the CCPA and CPRA.
1.8. “Privacy and Data Protection Law” means any law, statute, declaration, decree, legislation, enactment, order, ordinance, regulation or rule (as amended and replaced from time to time) which relates to the protection of Personal Data, and to which the Parties are subject, including but not limited to EU Data Protection Law (as defined above); the CCPA; the CPRA; the U.S. Gramm-Leach-Bliley Act; the Brazil General Data Protection Act; the South Africa Protection of Personal Information Act; laws regulating unsolicited email, telephone, and text message communications; security breach notification laws; laws imposing minimum security requirements; laws requiring the secure disposal of records containing certain Personal Data; laws governing the portability and/or cross-border transfer of Personal Data; and all other similar international, federal, state, provincial, and local requirements; each as applicable.
1.9. “Services” means the services provided by Mastercard to Customer under the Agreement.
1.10. “Standard Contractual Clauses” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (OJ L 199, 7.6.2021, p. 31-61), as amended or replaced from time to time.
1.11. “Sub-Processor” means a Processor engaged by a Processor to carry out Processing on behalf of a Controller.
1.12. “UK Addendum” means the addendum to the Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).
- Roles and Obligations of the Parties.
2.1. Both Parties represent and warrant that they will comply with Privacy and Data Protection Law when Processing Personal Data in the context of the Services. Each Party shall notify the other if it can no longer meet its obligations under applicable Privacy and Data Protection Law. Upon receiving notice, each Party may direct the other to take such steps as are reasonable and appropriate to remediate unauthorized use of Personal Data, or terminate this DPA upon thirty (30) days’ notice.
2.2. Both Parties act as independent Controllers in the context of the Services described in Exhibit 1A (“Controller Services”). The obligations of the Parties in the context of the Controller Services are described in Exhibit 2 (“Controller-to-Controller DPA”).
2.3. Mastercard acts as Processor on behalf of Customer and Customer acts as a Controller (or a Processor on behalf of another Controller) in the context of the Services described in Exhibit 1B (“Processor Services”). The obligations of the Parties in the context of the Processor Services are described in Exhibit 3 (“Controller-to-Processor DPA”).
2.4. For the avoidance of doubt, the Parties must comply with obligations imposed on Controllers or Processors under this DPA irrespective of whether the applicable Privacy and Data Protection Law uses the terms Controller and Processor, or uses similar terms, and irrespective of whether it provides or not for a distinction between Controllers and Processors.
2.5. Notwithstanding Sections 2.2 to 2.4 above, and solely for the purposes of the CCPA and CPRA, the Parties acknowledge and agree that Customer is a Business and appoints Mastercard as a Service Provider to process Personal Data of California residents (“Covered Personal Information”) on behalf of Customer.
2.6. Except as otherwise permitted by the CCPA and CPRA, Mastercard will not (i) retain, use, or disclose Covered Personal Information for any purpose other than for the specific purpose of performing the Services specified in the Agreement for Customer; (ii) Sell or share (as defined by the CPRA) Covered Personal Information; (iii) combine the Covered Personal Information with other Personal Data except as expressly permitted under the CCPA and CPRA, such as to detect data security incidents or protect against fraudulent or illegal activity; and (iv) further collect or use Covered Personal Information except as necessary to perform the Services.
- Privacy and Security Audits. On written request from Customer, Mastercard shall cooperate with any reasonable requests for information made by Customer that are necessary to confirm Mastercard’s compliance with this DPA and the CCPA and CPRA, provided that Customer shall not exercise this right more than once in any 12-month rolling period.
- The Parties agree that if Mastercard has paid compensation, damages or fines, Mastercard is entitled to claim back from Customer that part of the compensation, damages or fines that corresponds to Customer’s share of responsibility for the compensation, damages or fines.
- Applicable Law and Jurisdiction. The Parties agree that:
5.1. To the extent the Processing of Personal Data is subject to EU Data Protection Law, this DPA and the Processing of Personal Data will be governed by the law of Belgium and any dispute will be submitted to the Courts of Brussels; and
5.2. To the extent the Processing of Personal Data is not subject to EU Data Protection Law, this DPA and the Processing of Personal Data will be governed by the law applicable to the Agreement, and any dispute will be submitted to the Courts identified in the Agreement.
- The Parties agree that this DPA is terminated upon the termination of the Agreement.
- Invalidity and Severability. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision will not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
- Counterparts. This DPA may be executed in any number of counterparts, each of which when executed will constitute a duplicate original, but all the counterparts will together constitute the one agreement.
Exhibit 1A – Controller Services
Both Parties act as independent Controllers in the context of the following Controller Services:
| # | Controller Services | Personal Data Processed | Processing for which Mastercard is an independent Controller | Processing for which Customer is an independent Controller |
|---|---|---|---|---|
| 1. | Sentry | ● Customer’s employee information: first name, last name, e-mail address. ● Information gathered from the blockchain, including blockchain address and IP address. ● Cryptocurrency transaction details, such as date and time of the transaction, amount of the transaction, the transaction’s unique identifier (transaction ID), address balances, participating blockchain addresses, and domiciled or associated location. ● Risk scores and additional insights relating to OFAC sanctioned individuals. | ● Collection and Processing of Personal Data from the blockchain ledger; and ● Provision of insights to Customer in relation to specific cryptocurrency transactions or blockchain addresses. | ● Submitting a query into Mastercard’s systems in relation to specific cryptocurrency transactions or blockchain addresses; and ● Any further processing of Personal Data based on the risk scores and additional insights provided by Mastercard. |
| 3. | Armada | ● Customer’s employee information: first name, last name, e-mail address. ● Personal details of cryptocurrency companies’ management personnel, such as name, role, organization, contact information and hyperlink to social media profile (as part of the optional People and Roles module). | ● Collection and Processing of Personal Data to assign KYC scores to VASPs; and ● Any provision of Personal Data to Customer in the context of the provision of KYC scores and additional insights to Customer in relation to specific VASPs. | ● Any provision of Personal Data to Mastercard in the context of the submission of a query into Mastercard’s systems in relation to specific VASPs; and ● Any further processing of Personal Data based on the KYC scores and additional insights provided by Mastercard. |
Exhibit 1B – Processor Services
Mastercard acts as Processor on behalf of Customer and Customer acts as a Controller (or a Processor on behalf of another Controller) in the context of the following Processor Services:
| # | Processor Services | Personal Data Processed |
|---|---|---|
| 1. | Traveler | ● Cryptocurrency transaction details for compliance with Travel Rule regulations, such as originator’s and beneficiary’s name, amount transferred, blockchain address, physical address, network used for the transaction, originating and destination cryptocurrency company and any other information included in the Traveler protocol (“TRISA”) |
| 2. | Defi Compli | ● Indication if a given blockchain address relates to a sanctioned entity or individual |
Exhibit 2 – Controller-to-Controller DPA
- This Exhibit 2 applies to the Processing of Personal Data in the context of the Controller Services described in Exhibit 1A. Both Parties act as independent Controllers in the context of the Controller Services and this DPA does not create a joint-controller relationship between the Parties.
- Notice and Legal ground. Each Party agrees and warrants that, with respect to the Processing for which it is a Controller, it will provide appropriate notice to Data Subjects and rely on a valid legal ground for the Processing.
- Cooperation and Assistance. Each Party agrees and warrants that it will cooperate with the other Party in good faith to fulfill their respective data protection compliance obligations under Privacy and Data Protection Law, including complying with Data Subjects’ requests to exercise their Data Protection Rights, providing notice to, or obtaining consent from, Data Subjects, and replying to investigations and inquiries from regulators.
- Data Disclosures. Each Party agrees and warrants that it will only disclose Personal Data Processed to a third party in the context of the Services in accordance with Privacy and Data Protection Law, and with this DPA and the Agreement, and will require such third party in writing to comply with Privacy and Data Protection Law and with the same obligations as are imposed on each Party by this DPA, as appropriate and relevant, unless it is not possible to do so, such as where the data recipient is a governmental authority.
- Security of the Processing. Each Party agrees and warrants that it has implemented and maintains a comprehensive written information security program that complies with Privacy and Data Protection Law and Exhibit 4 of this DPA, including appropriate technical, operational and organizational measures to protect from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, access to, or otherwise unauthorized Processing of Personal Data transmitted, stored or otherwise Processed (“Information Security Program”).
- Personal Data Breach. Customer agrees and warrants that it will inform Mastercard of any Personal Data Breach in relation to any Personal Data Processed by Customer in the context of the Services, or where there is a reasonable suspicion that such a Personal Data Breach has occurred, (i) in writing to [email protected], [email protected], and the account manager or person they are doing business with inside of Mastercard; and (ii) by contacting the Mastercard Operations Command Center (OCC) at +1-636-722-3600 or 1-800-358-3060 (US toll-free number) and selecting the option to be directed to Mastercard’s Security Operations Center, without undue delay and no later than 24 (twenty-four) hours after having become aware of the Personal Data Breach or the reasonable suspicion of a Personal Data Breach. Such notice will summarize in reasonable detail the effect on Mastercard, if known, of the Personal Data Breach and the corrective action taken. Customer agrees to cooperate with Mastercard in all reasonable and lawful efforts to prevent, mitigate, investigate or rectify such Personal Data Breach, including in relation to any forensic investigation or audit requested by Mastercard. Customer will assist Mastercard in complying with its own obligations under Privacy and Data Protection Law to notify a Personal Data Breach. Except to the extent prohibited by applicable legal, regulatory or law enforcement requirements, Customer must obtain the written approval of Mastercard prior to the publication or communication of any filings, communications, notices, press releases or reports related to any Personal Data Breach that expressly mention Mastercard or its Affiliates.
- Inquiry. Customer will immediately inform Mastercard, in writing, of any request, question, objection, complaint, investigation or any other inquiry, received from any individual, regulator or public authority of whatever jurisdiction, that relates to the Processing of Personal Data by Mastercard in the context of the Services, unless otherwise restricted by applicable law. Customer will provide a copy of any such request within 48 (forty-eight) hours of receipt by email to [email protected] and will respond to such requests only in accordance with Mastercard’s prior written authorization, unless otherwise prohibited by applicable law.
- Personal Data Transfers.
8.1. Each Party will ensure that, for any transfers of Personal Data in the context of the Services, the Personal Data will be protected with the same level of protection as provided by this DPA and implement any data transfer mechanism as required under Privacy and Data Protection Law.
8.2. Customer acknowledges that Mastercard may transfer Personal Data Processed in connection with the Services and subject to EU Data Protection Law globally in accordance with the Mastercard BCRs or any other lawful data transfer mechanism that provides an adequate level of protection under EU Data Protection Law. Mastercard represents and warrants that it will abide by the Mastercard BCRs in the context of such transfers of Personal Data.
8.3. By executing this DPA, the Parties conclude and incorporate by reference the Standard Contractual Clauses. The Parties conclude and complete module 1 (Controller-to-Controller) as follows: (i) they implement the optional docking clause in Clause 7, strike the optional paragraph in Clause 11(a), and indicate Belgium in Clause 13(a), Clause 17 and Clause 18(b); (ii) the “data exporter” is Mastercard and the “data importer” is Customer; (iii) Annexes I and II to the Standard Contractual Clauses are Exhibit 4A and Exhibit 4B to this DPA respectively.
8.4. By executing this DPA, the Parties conclude and incorporate by reference the UK Addendum. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is Mastercard and the “Importer” is Customer, and their details are set forth in this DPA and the Agreement; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the Standard Contractual Clauses referred to in Section 8.3 of this Exhibit; (iii) in Table 3, Annexes 1 (A and B) and II to the “Approved EU SCCs” are Exhibit 4A and Exhibit 4B to this DPA respectively; and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.
Exhibit 3 – Controller-to-Processor DPA
- This Exhibit 3 applies to the Processing of Personal Data in the context of the Processor Services described in Exhibit 1B, for which Mastercard acts as Processor on behalf of Customer and Customer acts as a Controller (or a Processor on behalf of another Controller).
- Obligations of Mastercard. Mastercard will take steps to:
2.1 Only Process Personal Data in accordance with the Customer’s lawful written instructions or as otherwise agreed by the Parties in writing, unless otherwise required by law. Customer hereby authorizes Mastercard to process, as a Controller, Personal Data relating to the operation, support, or use of the Processor Services to (i) conduct internal analyses of Personal Data, (ii) develop and improve existing and future products and services offered to third parties, (iii) monitor and prevent fraud, and (iv) prepare and furnish reports of aggregated or anonymized information, provided that such reports do not identify the Customer and do not identify any Data Subjects whose Personal Data were involved in the preparation of the report.
2.2 Promptly inform Customer if, in its opinion, the Customer’s instructions infringe Privacy and Data Protection Law, or if Mastercard is unable to comply with the Customer’s instructions.
2.3 Notify Customer when local laws prevent Mastercard (1) from fulfilling its obligations under this DPA or the Mastercard BCRs and have a substantial adverse effect on the guarantees provided by this DPA or the Mastercard BCRs, and (2) from complying with the instructions received from the Customer via this DPA, except if such disclosure is prohibited by applicable law, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation.
2.4 Ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
2.5 Ensure a level of security appropriate to the risk for the Personal Data and implement at the minimum the security measures listed in Exhibit 4.
2.6 Assist Customer, in so far as possible, in fulfilling its own data protection compliance obligations under Privacy and Data Protection Law, and provide to Customer all information available to Mastercard as necessary to demonstrate compliance with the Customer’s own obligations under Privacy and Data Protection Law, including Customer’s obligation to respond to Data Subjects’ requests to exercise their Data Protection Rights, and to conduct data protection impact assessments or prior consultation with Supervisory Authorities.
2.7 When the DPA expires or upon termination of the DPA or upon a request to delete or return Personal Data by Customer, except for any Personal Data which Mastercard Processes as a Controller, Mastercard will, at the choice of Customer, delete, anonymize, or return such Personal Data to Customer, and delete or anonymize existing copies unless applicable law prevents it from returning or destroying all or part of the Personal Data or requires storage of the Personal Data (in which case Mastercard will protect the confidentiality of the Personal Data and will not actively Process the Personal Data anymore).
- Sub-Processing. Customer gives a general authorization to Mastercard to engage internal and external Sub-Processors in the context of the Services under the conditions set forth below, and Mastercard represents and warrants that when engaging Sub-Processors for the Processing of Personal Data in the context of the Services, it:
3.1 Binds its internal Sub-Processors to respect the Mastercard BCRs and to comply with the Customer’s instructions.
3.2 Requires its external Sub-Processors, via a written agreement, to comply with applicable Privacy and Data Protection Law, with the Customer’s instructions and with the same obligations as are imposed on Mastercard by this Exhibit 3 and Mastercard’s BCRs.
3.3 Remains liable to the Customer for the performance of its Sub-Processors’ obligations.
3.4 Commits to provide a list of Sub-Processors to Customer upon request.
3.5 Will inform Customer of any addition or replacement of a Sub-Processor in a timely fashion so as to give Customer an opportunity to object to the change or to terminate the DPA before the Personal Data is communicated to the new Sub-Processor, except where the Services cannot be provided without the involvement of a specific Sub-Processor.
- Personal Data Transfers.
4.1 Customer acknowledges that Mastercard may transfer Personal Data Processed in connection with the Services and subject to EU Data Protection Law globally in accordance with the Mastercard BCRs or any other lawful data transfer mechanism that provides an adequate level of protection under EU Data Protection Law. Mastercard represents and warrants that it will abide by the Mastercard BCRs in the context of such transfers of Personal Data.
4.2 By executing this DPA, the Parties conclude and incorporate by reference the Standard Contractual Clauses. The Parties conclude and complete module 4 (Processor-to-Controller) as follows: (i) they implement the optional docking clause in Clause 7, strike the optional paragraph in Clause 11(a), and indicate Belgium in Clause 13(a), Clause 17 and Clause 18(b); (ii) the “data exporter” is Mastercard and the “data importer” is Customer; (iii) Annexes I and II to the Standard Contractual Clauses are Exhibit 4A and Exhibit 4B to this DPA respectively.
4.3 By executing this DPA, the Parties conclude and incorporate by reference the UK Addendum. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is Mastercard and the “Importer” is Customer, and their details are set forth in this DPA and the Agreement; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the Standard Contractual Clauses referred to in Section 3.2 of this Exhibit; (iii) in Table 3, Annexes 1 (A and B) and II to the “Approved EU SCCs” are Exhibit 4A and Exhibit 4B to this DPA respectively; and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.
- Data Protection Audit. To the extent required by Privacy and Data Protection Law and upon prior written request by Customer, Mastercard agrees to cooperate and within reasonable time provide Customer with: (a) a summary of the audit reports demonstrating Mastercard’s compliance with Privacy and Data Protection obligations under this DPA and Mastercard BCRs where the transfer of Personal Data is based on the Mastercard BCRs, after redacting any confidential and commercially sensitive information; and (b) confirmation that the audit has not revealed any material vulnerability in Mastercard’s systems, or to the extent that any such vulnerability was detected, that Mastercard has fully remedied such vulnerability. If the above measures are not sufficient to confirm compliance with Privacy and Data Protection Law and Mastercard BCRs, or reveal some material issues, subject to the strictest confidentiality obligations, Mastercard allows Customer to request an audit of Mastercard’s data protection compliance program by external independent auditors, which are jointly selected by the Parties. The external independent auditor cannot be a competitor of Mastercard, and the Parties will mutually agree upon the scope, timing, and duration of the audit. Mastercard will make available to Customer the result of the audit of its data protection compliance program.
Exhibit 4A – Annex I to the Standard Contractual Clauses
A. LIST OF PARTIES
Data exporter:
- Name: Mastercard as defined above
- Address: As set forth in the Agreement
- Contact person’s name, position and contact details: As set forth in the Agreement
- Activities relevant to the data transferred under these Clauses: Providing the Services as described in this DPA and the Agreement
- Role (Controller/Processor): Controller in the context of the Controller Services; Processor in the context of the Processor Services
Data importer:
- Name: Customer as defined above
- Address: As set forth in the Agreement
- Contact person’s name, position and contact details: As set forth in the Agreement
- Activities relevant to the data transferred under these Clauses: Receiving the Services as described in this DPA and the Agreement
- Role (Controller/Processor): Controller
B. DESCRIPTION OF TRANSFER
- Categories of Data Subjects whose Personal Data is transferred:
  1. Users of blockchain addresses involved in cryptocurrency transactions
  2. Individuals associated with entities involved in cryptocurrency transactions, such as cryptocurrency companies’ management personnel
- Categories of Personal Data transferred: Please see Personal Data Processed as described in Exhibit 1 of this DPA.
- Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
| # | Category | Applied restrictions or safeguards |
|---|---|---|
| 1. | Personal Data may include information relating to individuals included on sanctions lists | The security measures described in Annex II will apply to all information relating to individuals included on sanctions lists. In particular, the following measures provide appropriate safeguards taking into consideration the nature of the data and the risks involved: ● Data access control measures are in place to ensure that only the persons entitled to use a data processing system gain access to the personal data, in accordance with their access rights; and ● Disclosure control measures (such as encryption and pseudonymization) are implemented to ensure that the information cannot be read, copied, modified or deleted without authorization. |
- The frequency of the transfer (e.g. whether the Personal Data is transferred on a one-off or continuous basis): On a continuous basis.
- Nature of the Processing: The Personal Data will be processed and transferred as described in this DPA and the Agreement.
- Purpose(s) of the transfer and further Processing: The Personal Data will be transferred and further processed for the provision of the services as described in this DPA and the Agreement.
- The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Privacy and Data Protection Law.
- For transfer to Sub-Processors, also specify subject matter, nature and duration of the Processing: N/A
C. COMPETENT SUPERVISORY AUTHORITY
The Belgian Supervisory Authority shall act as the competent Supervisory Authority.
Exhibit 4B – Annex II to the Standard Contractual Clauses
The Parties will apply at least the following types of security measures to Personal Data:
1. Physical access control
Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Personal Data are Processed, include:
☐ Establishing security areas, restriction of access paths;
☐ Establishing access authorizations for employees and third parties;
☐ Access control system (ID reader, magnetic card, chip card);
☐ Key management, card-keys procedures;
☐ Door locking (electric door openers etc.);
☐ Security staff, janitors;
☐ Surveillance facilities, video/CCTV monitor, alarm system; and
☐ Securing decentralized data processing equipment and personal computers.
2. Virtual access control
Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:
☐ User identification and authentication procedures;
☐ ID/password security procedures (special characters, minimum length, change of password);
☐ Automatic blocking (e.g. password or timeout);
☐ Monitoring of break-in attempts and automatic turn-off of the user ID upon several erroneous password attempts;
☐ Creation of one master record per user, user-master data procedures per data processing environment; and
☐ Encryption of archived data media.
3. Data access control
Technical and organizational measures to ensure confidentiality and that persons entitled to use a data processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization, include:
☐ Internal policies and procedures;
☐ Control authorization schemes;
☐ Default configuration;
☐ Differentiated access rights (profiles, roles, transactions and objects);
☐ Monitoring and logging of accesses;
☐ Disciplinary action against employees who access Personal Data without authorization;
☐ Reports of access;
☐ Access procedure;
☐ Change procedure;
☐ Deletion procedure; and
4. Disclosure control
Technical and organizational measures to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed, include:
☐ Logging; and
☐ Transport security.
5. Entry control
Technical and organizational measures to monitor whether Personal Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include:
☐ Logging and reporting systems; and
☐ Audit trails and documentation.
6. Control of instructions
Technical and organizational measures to ensure that Personal Data are Processed solely in accordance with the instructions of the Controller include:
☐ Unambiguous wording of the contract;
☐ Formal commissioning (request form); and
☐ Criteria for selecting the Processor.
7. Availability control
Technical and organizational measures to ensure the integrity, availability and resilience of the processing systems, and that Personal Data are protected against accidental destruction or loss (physical/logical) include:
☐ Backup procedures;
☐ Mirroring of hard disks (e.g. RAID technology);
☐ Uninterruptible power supply (UPS);
☐ Remote storage;
☐ Antivirus/firewall systems; and
☐ Disaster recovery plan, in the event of a physical or technical incident.
8. Separation control
Technical and organizational measures to ensure that Personal Data collected for different purposes can be Processed separately include:
☐ Separation of databases;
☐ “Internal client” concept / limitation of use;
☐ Segregation of functions (production/testing); and
☐ Procedures for storage, amendment, deletion, transmission of data for different purposes.
9. Testing controls
Technical and organizational measures to test, assess and evaluate the effectiveness of the technical and organizational measures implemented in order to ensure the security of the processing include:
☐ Periodical review and test of disaster recovery plan;
☐ Testing and evaluation of software updates before they are installed;
☐ Authenticated (with elevated rights) vulnerability scanning; and
☐ Test bed for specific penetration tests and red team attacks.
10. IT governance
Technical and organizational measures to improve the overall management of IT and ensure that the activities associated with information and technology are aligned with the compliance efforts include:
☐ Certification/assurance of processes and products;
☐ Processes for data minimization;
☐ Processes for data quality;
☐ Processes for limited data retention;
☐ Processes for ensuring accountability; and
☐ Data subject rights policies.