Mastercard – Customer Data Processing Agreement
This Data Processing Agreement (the “DPA”), which includes Annexes 1 and 2, is incorporated into and forms an integral part of the Agreement (the “Principal Agreement”) and governs the Processing of Personal Data in the context of the Services between Mastercard and Customer, as defined under the Principal Agreement.
Mastercard and Customer are collectively referred to as the “Parties” or each individually as a “Party”. For the purposes of this DPA only, and except where indicated otherwise, the term “Mastercard” and “Customer” include Mastercard’s and Customer’s respective Affiliates insofar as they are a party to the Principal Agreement or any collateral thereto.
The Parties agree that the DPA is supplemental to any existing confidentiality or privacy and data protection terms contained in the Principal Agreement. To the extent of an overlap, inconsistency, or direct conflict between the terms of the Principal Agreement (or a collateral contract to the Principal Agreement) and this DPA, the terms of this DPA shall govern and control.
For the avoidance of doubt, this DPA applies to all Personal Data collected by Mastercard in the context of the Principal Agreement, including Personal Data collected by Mastercard in the context of the Principal Agreement before the effective date of this DPA.
1.1. The terms “Personal Data Breach”, “Processing/Process”, “Sell”, “Sensitive Data”, “Share”, and “Supervisory Authority” have the meanings given to those terms under applicable Privacy and Data Protection Law. In the event of a conflict, the meaning from the law applicable to the residence of the relevant Data Subject applies.
1.2. “Affiliate” means, in relation to a Party, any other entity which directly or indirectly Controls, is Controlled by, or is under direct or indirect common Control with that Party from time to time. “Control”, for the purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.3. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data, including as applicable a “business” or equivalent term as defined under applicable Privacy and Data Protection Law.
1.4. “Data Protection Rights” means all rights granted to Data Subjects under Privacy and Data Protection Law, which may include – depending on applicable law – the right to know, the right of access, rectification, erasure, complaint, data portability, restriction of Processing, objection to the Processing, and rights relating to automated decision-making and indemnification against misuse of Personal Data.
1.5. “Data Subject” means the identified or identifiable individual to whom Personal Data relates.
1.6. “EU Data Protection Law” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementations in the European Economic Area (“EEA”), including the European Union (“EU”), and all other data protection laws of the EEA, the United Kingdom (“UK”), Monaco, and Switzerland, each as applicable, and as may be amended or replaced from time to time.
1.7. “Mastercard BCRs” means the Mastercard Binding Corporate Rules as approved by the data protection authorities and available at https://www.mastercard.us/content/dam/mccom/global/documents/mastercard-bcrs.pdf.
1.8. “Personal Data” means information that can reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular individual or household, including “personal data”, “personal information”, or equivalent terms as defined under applicable Privacy and Data Protection Law. To the extent permitted by applicable Privacy and Data Protection Law, “Personal Data” does not include information that is deidentified, aggregated, or anonymized in accordance with applicable law, or otherwise excluded from the scope of applicable Privacy and Data Protection Law.
1.9. “Privacy and Data Protection Law” means any law, statute, declaration, decree, legislation, enactment, order, ordinance, regulation or rule (as amended and replaced from time to time) which relates to the privacy and protection of Personal Data, and to which the Parties are subject, including but not limited to EU Data Protection Law; State Privacy Laws; the U.S. Gramm-Leach-Bliley Act; laws regulating unsolicited email, telephone, and text message communications; security breach notification laws; laws imposing minimum security requirements; laws requiring the secure disposal of records containing certain Personal Data; laws governing the portability and/or cross-border transfer of Personal Data; and all other similar international, federal, state, provincial, and local requirements; each as applicable.
1.10. “Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable a “service provider” or equivalent term as defined under applicable Privacy and Data Protection Law.
1.11. “Services” means the services provided by Mastercard to Customer under the Principal Agreement.
1.12. “Standard Contractual Clauses” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (OJ L 199, 7.6.2021, p. 31-61), as amended or replaced from time to time.
1.13. “State Privacy Laws” means the California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq., as amended including by the California Privacy Rights Act, the Virginia Consumer Data Protection Act, Code of Virginia title 59.1, Chapter 52, the Colorado Privacy Act, Colorado Rev. Stat. 6-1-1301 et seq., the Utah Consumer Privacy Act, Utah Code 13-61-101 et seq., the Connecticut Personal Data Privacy and Online Monitoring Act, Public Act No. 22-15, and any other U.S. state privacy laws and their implementing regulations issued pursuant thereto, as amended and superseded from time to time.
1.14. “Sub-Processor” means a Processor engaged by a Processor to carry out Processing on behalf of a Controller.
1.15. “Swiss Addendum” means the addendum to the Standard Contractual Clauses required by the Swiss Federal Data Protection and Information Commissioner to satisfy the requirements of the Swiss Federal Data Protection Act (“FADP”).
1.16. “UK Addendum” means the addendum to the Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).
2. Roles of the Parties and Processing by Mastercard.
2.1. Processing of Personal Data subject to Privacy and Data Protection Law. This Section 2.1 applies only to the Processing of Personal Data that is subject to Privacy and Data Protection Law that require the Controller and Processor to enter into a data processing agreement. For the avoidance of doubt, this also applies where the applicable Privacy and Data Protection Law does not specifically use the terms Controller and Processor.
2.1.1. Roles of the Parties. Mastercard acts as Processor on behalf of Customer and Customer acts as a Controller (or a Processor on behalf of another Controller) in the context of the Services described in Annex 1.
2.1.2. Processing by Mastercard. Customer hereby authorizes Mastercard to Process, as permitted by applicable Privacy and Data Protection Law, as a Controller, Personal Data relating to the operation, support, or use of the Services to (i) conduct internal analyses of Personal Data, (ii) develop and improve existing and future products and services offered to third parties, including through the development of algorithmic models, (iii) monitor and prevent fraud, (iv) prepare and furnish reports of aggregated information, and to anonymize information, provided that such reports do not identify the Customer or any Data Subjects, and Mastercard will not, and will not allow its Sub-Processors to, attempt to re-identify any such anonymized or aggregated information, and (v) for other purposes for which consent has been provided by the Data Subject to whom the Personal Data relates. Mastercard represents and warrants that it will Process Personal Data for these purposes in compliance with applicable Privacy and Data Protection Law and the Mastercard BCRs.
2.2. Processing of Covered Personal Data Subject to State Privacy Laws. This Section 2.2 applies only to the Processing of Personal Data that is subject to the State Privacy Laws by Mastercard on behalf of Customer (“Covered Personal Data”). Notwithstanding any provision to the contrary of this DPA or this Section, the terms of this Section shall not apply to Mastercard’s Processing of Covered Personal Data that is exempt from the State Privacy Laws. Except as expressly permitted by the State Privacy Laws, Mastercard will not (i) Sell or Share Covered Personal Data; (ii) retain, use, or disclose Covered Personal Data for any purpose other than for the specific purpose of performing the Services under the Principal Agreement and Annex 1 for Customer; (iii) retain, use, or disclose Covered Personal Data outside the direct business relationship between the Parties; or (iv) combine Covered Personal Data with Personal Data obtained from, or on behalf of, sources other than Customer, except as expressly permitted under applicable State Privacy Laws.
2.3. Categories of Personal Data. Customer represents and warrants that Customer will not share or make available any (i) special categories of Personal Data, as defined under applicable Privacy and Data Protection Law, or (ii) Personal Data relating to Data Subjects being minors, with Mastercard in the context of the Services.
3. Additional Obligations of the Parties.
3.1. Compliance with Privacy and Data Protection Law. Customer and Mastercard represent and warrant that they will comply with Privacy and Data Protection Law when Processing Personal Data in the context of the Services and will provide the level of privacy protection required by the Privacy and Data Protection Laws. Customer and Mastercard agree to cooperate in good faith to enter into additional terms to address any modifications, amendments, or updates to applicable Privacy and Data Protection Law. In particular, the Parties agree to the following:
3.1.1. Notice and Consent for the Processing of Personal Data. As a Controller, Customer is responsible for complying with Privacy and Data Protection Law in the context of the Processing of Personal Data as set forth in Annex 1, which may include the profiling of Data Subjects. Customer represents and warrants that it will, as required under Privacy and Data Protection Law, (i) provide clear and transparent notice to Data Subjects in an easily accessible form that includes appropriate references to the categories of Personal Data involved, the Customer’s legal basis for the Processing, and the sharing of the Personal Data with Mastercard; and (ii) rely on a valid legal ground, including Data Subjects’ consent when required under Privacy and Data Protection Law, for the Processing of Personal Data as set forth in Annex 1.
3.1.2. Cookies Notice and Consent. Customer is responsible for providing notice and obtaining consent as required under Privacy and Data Protection Law to allow for the storing or gaining access to information stored on Data Subjects’ terminal equipment via cookies and similar technologies. Customer must enable Data Subjects to withdraw such consent at any time as easily as it was originally given.
3.1.3. Proof of Consent. To the extent that Data Subjects’ consent is required under Privacy and Data Protection Law, Customer must be able to demonstrate that valid consent has been obtained from Data Subjects.
3.2. Instructions. Where Mastercard acts as a Processor on behalf of Customer as per Section 2.1.1 above, Mastercard will take steps to:
3.2.1. Only Process Personal Data in accordance with the Customer’s lawful documented instructions or as otherwise agreed by the Parties in writing, unless otherwise required or permitted by law.
3.2.2. Promptly inform Customer if, in its opinion, the Customer’s instructions infringe Privacy and Data Protection Law, or if Mastercard is unable to comply with the Customer’s instructions without failing to meet its obligations under Privacy and Data Protection Law.
3.2.3. Notify Customer when local laws prevent Mastercard from (1) fulfilling its obligations under this DPA or the Mastercard BCRs and have a substantial adverse effect on the guarantees provided by this DPA or the Mastercard BCRs; and (2) complying with the instructions received from the Customer via this DPA, except if such disclosure is prohibited by applicable laws, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation.
Notify Customer, as required under applicable Privacy and Data Protection Law, no later than five business days after determining that it can no longer meet its obligations under applicable State Privacy Laws. Upon receiving notice from Mastercard in accordance with this subsection, Customer may direct Mastercard to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
3.3. Confidentiality. Mastercard will ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.4. Security. The Parties will take steps to ensure a level of security appropriate to the risk for the Personal Data and implement at the minimum the security measures listed in Annex 2. The Parties must notify a Personal Data Breach that relates to Personal Data Processed in the context of the Service to the other Party, without undue delay, and no later than 48 hours after having become aware of a Personal Data Breach.
3.5. Sub-Processing. Customer gives a general authorization and instructs Mastercard to engage internal and external Sub-Processors in the context of the Services under the conditions set forth below, including any addition or replacement of Sub-Processors, and Mastercard represents and warrants that when Sub-Processing the Processing of Personal Data in the context of the Services, and to the extent required by applicable Privacy and Data Protection Law, it will:
3.5.1. Bind its Affiliates acting as Sub-Processors to respect the Mastercard BCRs and to comply with the Customer’s instructions.
3.5.2. Require its other Sub-Processors, via a written agreement, to comply with applicable Privacy and Data Protection Law, with the Customer’s instructions and with substantially similar obligations as are imposed on Mastercard by this Section and the Mastercard BCRs.
3.5.3.Remain liable to the Customer for the performance of its Sub-Processors’ obligations.
3.5.4. Commit to provide a list of Sub-Processors to Customer upon request.
3.5.5 .Inform Customer of any addition or replacement of a Sub-Processor in a timely fashion and, if required by applicable Privacy and Data Protection Law, give Customer an opportunity to object to the change, except where the Services cannot be provided without the involvement of a specific Sub-Processor.
3.6. Assistance. To the extent required by Privacy and Data Protection Law and upon Customer’s prior written request, Mastercard will assist Customer, in so far as reasonably possible, in fulfilling Customer’s own data protection compliance obligations under Privacy and Data Protection Law, and provide to Customer all information available to Mastercard as reasonably necessary to demonstrate compliance with the Customer’s own obligations under Privacy and Data Protection Law, including Customer’s obligation to conduct data protection impact assessments or prior consultation with Supervisory Authorities.
3.7. Delete or Return Personal Data. Upon written request to delete or return Personal Data by Customer, except for any Personal Data which Mastercard Processes as a Controller, Mastercard will, at the choice of Customer, delete, anonymize, or return such Personal Data to Customer, except where Mastercard needs to retain a copy of such Personal Data to fulfill any legal obligations (in which case Mastercard will protect the confidentiality of the Personal Data).
3.8. Data Protection Audit. To the extent required by EU Data Protection Law and upon prior written request by Customer, Mastercard agrees to cooperate and within reasonable time provide Customer with: (a) a summary of the audit reports demonstrating Mastercard’s compliance with its obligations under this DPA and Mastercard BCRs where the transfer of Personal Data is based on the Mastercard BCRs, or such other relevant documentation, as required by Privacy and Data Protection Law, after redacting any confidential and commercially sensitive information; and (b) confirmation that the audit has not revealed any material vulnerability in Mastercard’s systems, or to the extent that any such vulnerability was detected, that Mastercard has fully remedied such vulnerability. If the above measures are not sufficient to meet the requirements of applicable Privacy and Data Protection Law and the Mastercard BCRs, or reveal some material issues, subject to the strictest confidentiality obligations, and maximum once a year, Mastercard allows Customer to request an audit of Mastercard’s data protection compliance program by external independent auditors, which are jointly selected by the Parties. The external independent auditor cannot be a competitor of Mastercard, and the Parties will mutually agree upon the scope, timing, and duration of the audit. Mastercard will make available to Customer the result of the audit of its data protection compliance program.
3.9. Data Subject Requests. The Services may provide Customer with features to assist Customer with its obligations relating to responding to requests from Data Subjects to exercise their Data Protection Rights (“Data Subject Requests”). To the extent the Services do not provide such features or Customer is unable to address a Data Subject Request through the Services, Mastercard will provide Customer with reasonable assistance to respond to Data Subject Requests as required under applicable Privacy and Data Protection Law relating to the Processing of Personal Data under the Principal Agreement and Customer will reimburse Mastercard for commercially reasonable costs arising from this assistance. If a Data Subject Request is made directly to Mastercard regarding the Processing of Personal Data under the Principal Agreement, and to the extent Customer is identified in the Data Subject Request or can easily be identified by Mastercard based on the Data Subject Request, Mastercard will direct the Data Subject to submit their request to Customer.
4. Personal Data Transfers.
4.1. Customer acknowledges that Mastercard may, and where required by applicable Privacy and Data Protection Law, Customer authorizes Mastercard to, transfer Personal Data Processed in connection with the Services globally in accordance with the Mastercard BCRs or any other lawful data transfer mechanism. Mastercard represents and warrants that it will abide by the Mastercard BCRs in the context of such transfers of Personal Data.
4.2. To the extent that the Mastercard BCRs cannot be relied upon as appropriate safeguards, the transfer shall be governed by the Standard Contractual Clauses and the UK Addendum or the Swiss Addendum, as applicable, which are incorporated into this DPA by reference.
4.2.1. The Parties conclude and complete module two (controller-to-processor) of the Standard Contractual Clauses as follows: (i) they implement the optional docking clause in Clause 7; strike the optional paragraph in Clause 11(a); choose option 2 in Clause 9(a); indicate Belgium in Clauses 13(a) and Clause 17, and indicate the courts of Brussels, Belgium in Clause 18(b); (ii) the “data exporter” is Customer; the “data importer” is Mastercard; and (iii) Annex I and II to the Standard Contractual Clauses are Annex 1 and 2 to this DPA respectively.
4.2.2. The Swiss Addendum is completed as follows: (i) in deviation of Clause 13(a) of the Standard Contractual Clauses in connection with its Annex I.C. incorporated in Annex 1 to this DPA, the competent supervisory authority in Annex 1 shall be the Swiss Federal Data Protection and Information Commissioner and all references to the “competent supervisory authority” shall be interpreted accordingly, (ii) the references to the “Regulation (EU) 2016/679” and specific articles thereof in the Standard Contractual Clauses should be interpreted as references to the FADP and its corresponding provisions, as applicable.
4.2.3. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is Customer and the “Importer” is Mastercard, their details are set forth in the Principal Agreement and this DPA; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the Standard Contractual Clauses referred to in Section 4.2.1 of this DPA; (iii) in Table 3, “Annex 1 (A and B) and II to the” Approved EU SCCs” are Annexes 1 and 2 to this DPA; and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.
5. Liability. The Parties agree that if Mastercard has paid compensation, damages or fines, Mastercard is entitled to claim back from Customer that part of the compensation, damages or fines, corresponding to Customer’s part of responsibility for the compensation, damages or fines.
6. Applicable Law and Jurisdiction.
6.1. To the extent the Processing of Personal Data is subject to EU Data Protection Law, this DPA and the Processing of Personal Data will be governed by the law of Belgium and any dispute will be submitted to the Courts of Brussels.
6.2. To the extent the Processing of Personal Data is not subject to EU Data Protection Law, this DPA and the Processing of Personal Data will be governed by the law applicable to the Principal Agreement, and any dispute will be submitted to the Courts identified in the Principal Agreement.
7. Modification of this DPA. This DPA may only be updated by Mastercard or its Affiliates without notice, provided that the Customer shall be notified in advance of any material change Mastercard or its Affiliates deem adverse to the Customer.
8. Termination. The Parties agree that this DPA is terminated upon the termination of the Principal Agreement.
9. Invalidity and Severability. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision will not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
Annex 1 – Description of processing activities
A. LIST OF PARTIES
- Name: Customer as defined in the Principal Agreement
- Address: See signature page in the Principal Agreement
- Contact person’s name, position and contact details: See signature in the Principal Agreement
- Activities relevant to the data transferred: Receiving the Services as described in this DPA and the Principal Agreement
- Signature and date: See signature page in the Principal Agreement
- Role (Controller/Processor): Controller
- Name: Mastercard as defined in the Principal Agreement
- Address: See signature page in the Principal Agreement
- Contact person’s name, position and contact details: See signature page in the Principal Agreement
- Activities relevant to the data transferred: Providing the Services as described in this DPA and the Principal Agreement
- Signature and date: See signature page in the Principal Agreement
- Role (Controller/Processor): Processor
B. DESCRIPTION OF TRANSFER
- Categories of Data Subjects whose Personal Data is transferred: End-users (i.e., cardholders and consumers)
- Categories of Personal Data transferred:
○ Geographic information (city, state, country and as applicable, postal code);
○ Audience membership – based on real time user segmentation and backend historical calculations;
○ IP address;
○ Online identifiers (i.e., online data collected from end-user’s devices, applications and protocols), such as UDID, cookie identifiers, and other unique ID that Mastercard or Customer assigns to end-users’ devices;
○ Device and browser attributes;
○ Page views and interactions;
○ As applicable: Customer events (e.g., and “add to cart” or other interactions and engagement set up by Customer);
○ As applicable: search query terms;
○ Only as applicable, the information you provide to us:
■ email address;
■ CRM data and other data that Customer elects for onboarding (e.g., gender, status, average order value, number of items ordered, days since last order, net sales, items per order, days since first order, sessions since last order, days since last visit, average interpurchase time, last order site, loyalty status, etc.);
■ Online purchase history on the Customer website;
■ Offline purchase history;
■ For financial institutions only: transaction data (e.g., end-users’ spend history, predictive spend, travel spend).
- Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: No Sensitive Data.
- The frequency of the transfer (e.g., whether the Personal Data is transferred on a one-off or continuous basis): On a continuous basis.
- Nature of the Processing: The Personal Data will be processed and transferred as described in this DPA and the Principal Agreement.
- Purpose(s) of the transfer and further Processing: The Personal Data will be processed and transferred for the provision of the Services as described in this DPA and the Principal Agreement, in particular to:
○ Personalize end users’ interaction with Customer’s online platforms across the web, mobile web, mobile apps and email and other channels;
○ Build actionable end users’ segments in real time, enabling Customer to take instant action via personalization, product/content recommendations, automatic optimization, real-time messaging and other activation modules offered by Mastercard from time to time;
○ As applicable, and for financial institutions only: examine spending patterns [on end-user transaction data/consumer payment cards] to improve card engagement and usage;
○ As applicable, and for financial institutions only: prepare and furnish aggregated reports on end-users’ spending patterns.
- The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Privacy and Data Protection Law.
- For transfer to Sub-Processors, also specify subject matter, nature and duration of the Processing: The Personal Data may be transferred to Sub-Processors to provide the Services as described in this DPA and the Principal Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
The Belgian Supervisory Authority shall act as the competent Supervisory Authority.
Annex 2 – Security Measures
The Parties will apply at least the following types of security measures to Personal Data:
1. Physical access control
Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Personal Data are Processed, include:
- Establishing security areas, restriction of access paths;
- Establishing access authorizations for employees and third parties;
- Access control system (ID reader, magnetic card, chip card);
- Key management, card-keys procedures;
- Door locking (electric door openers etc.);
- Security staff, janitors;
- Surveillance facilities, video/CCTV monitor, alarm system; and
- Securing decentralized data processing equipment and personal computers.
2. Virtual access control
Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:
- User identification and authentication procedures;
- ID/password security procedures (special characters, minimum length, change of password);
- Automatic blocking (e.g. password or timeout);
- Monitoring of break-in-attempts and automatic turn-off of the user ID upon several erroneous password attempts;
- Creation of one master record per user, user-master data procedures per data processing environment; and
- Encryption of archived data media.
3. Data access control
Technical and organizational measures to ensure confidentiality and that persons entitled to use a data processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization, include:
- Internal policies and procedures;
- Control authorization schemes;
- Default configuration;
- Differentiated access rights (profiles, roles, transactions and objects);
- Monitoring and logging of accesses;
- Disciplinary action against employees who access Personal Data without authorization;
- Reports of access;
- Access procedure;
- Change procedure;
- Deletion procedure; and
4. Disclosure control
Technical and organizational measures to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed, include:
- Logging; and
- Transport security.
5. Entry control
Technical and organizational measures to monitor whether Personal Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include:
- Logging and reporting systems; and
- Audit trails and documentation.
6. Control of instructions
Technical and organizational measures to ensure that Personal Data are Processed solely in accordance with the instructions of the Controller include:
- Unambiguous wording of the contract;
- Formal commissioning (request form); and
- Criteria for selecting the Processor.
7. Availability control
Technical and organizational measures to ensure the integrity, availability and resilience of the processing systems, and that Personal Data are protected against accidental destruction or loss (physical/logical) include:
- Disaster recovery plan, in the event of a physical or technical incident.
8. Separation control
Technical and organizational measures to ensure that Personal Data collected for different purposes can be Processed separately include:
- “Internal client” concept / limitation of use;
- Segregation of functions (production/testing); and
- Procedures for storage, amendment, deletion, transmission of data for different purposes.
9. Testing controls
Technical and organizational measures to test, assess and evaluate the effectiveness of the technical and organizational measures implemented in order to ensure the security of the processing include:
- Periodical review and test of disaster recovery plan;
- Testing and evaluation of software updates before they are installed;
- Authenticated (with elevated rights) vulnerability scanning; and
- Test bed for specific penetration tests.
10. IT governance
Technical and organizational measures to improve the overall management of IT and ensure that the activities associated with information and technology are aligned with the compliance efforts include:
- Certification/assurance of processes and products;
- Processes for data minimization;
- Processes for data quality;
- Processes for limited data retention;
- Processes for ensuring accountability; and
- Data subject rights policies.