The following Partner Data Protection Addendum is part of the Partner Program Agreement and establishes the terms regarding the processing of personal data.
This Partner Data Protection Addendum (“DPA”) is part of the Partner Program Agreement (“Agreement”) and sets forth the additional terms regarding the processing of personal data. Capitalized terms have the meaning defined in the next Section of this document or elsewhere in the Agreement. If there is a conflict between the terms of this DPA and any other terms of the Agreement, this DPA will prevail. For the purposes of this DPA, “Provider” shall mean Partner.
The parties shall observe Applicable Data Protection Law as they apply to them and as required herein. In providing Services, Provider shall in particular comply with the provisions of Applicable Data Protection Law regarding the Processing of Personal Data as a Processor.
Provider shall Process Personal Data only (a) in accordance with the terms of this DPA and the Agreement; or (b) on other documented instructions from Siemens. Provider shall not Process Personal Data for its own purposes or transfer it to third parties, unless permitted by this DPA. Provider shall immediately inform Siemens if, in its opinion, an instruction from Siemens infringes Applicable Data Protection Law.
The details of the Processing operations provided by Provider - in particular the subject matter of the Processing, the nature and purpose of the Processing, types of Personal Data Processed and the categories of affected data subjects - are specified in Annex I to this DPA.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Provider shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, but not limited to, as appropriate: (a) the pseudonymisation and encryption of Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing. Without prejudice to the generality of the preceding sentence, Provider shall at all times implement at least the technical and organizational measures described in Annex IIto this DPA.
Provider shall limit its personnel’s access to Personal Data on a need-to-know basis. Provider shall provide detailed notice to its personnel about the applicable statutory and contractual provisions regarding data protection. Provider shall put its personnel under an obligation to comply with such provisions and, in particular, to hold Personal Data secret and not to Process Personal Data other than according to Siemens’ instructions. The obligation to secrecy shall continue to apply after the expiry of this Agreement and the personnel’s contractual relationship with the Provider. Provider will provide proof of such obligation upon request.
In case of Restricted Transfers to Provider, the Provider shall ensure that such Restricted Transfer is covered by adequate Transfer Safeguards as set forth in this Section 9 and Annex III to this DPA.
Provider shall reasonably assist Siemens in ensuring compliance with Applicable Data Protection Law, in particular by assisting Siemens as follows:
Upon termination of the data Processing relationship, unless otherwise instructed by Siemens or set forth herein, Provider shall return to Siemens all Personal Data made available to Provider or obtained or generated by Provider in connection with the contractually agreed Services and shall irrevocably delete or destroy any remaining data. The deletion or destruction shall be confirmed by Provider in writing upon request.
Provider understands and agrees that the requirements in this DPA are an integral part of the Agreement and, a material breach of any of these requirements shall be considered a material breach by Provider of the Agreement, entitling Siemens to material breach related remedies contained in the Agreement.
If and to the extent Provider accesses Personal Data received from a Siemens group company established in the United States of America (“Siemens US Company”) or of a data subject that is the resident of the United States of America, then in addition to the above, Provider: (i) shall comply with U.S federal, state and local laws regarding Personal Data that are applicable to Provider, such Personal Data, and owners or controllers of such Personal Data; when the foregoing is applicable, the term “Applicable Data Protection Law” as used herein shall include the foregoing laws; (ii) except as specifically provided herein or the Agreement, shall not sell, share, rent, release, disclose, disseminate, or make available Personal Data to third parties; and shall not combine the Personal Data with other information; (iii) shall notify Siemens if Provider makes a determination that Provider can no longer meet its obligations hereunder; (iv) shall ensure that each person processing Personal Data is subject to a duty of confidentiality with respect to the Personal Data; (v) shall be deemed, and shall act as, a “service provider” under Applicable Data Protection Law (including the California Consumer Privacy Act, its implementing regulations, and any amendments thereto); and (vii) hereby certifies that it understands the restrictions contained herein and will comply with them.
Siemens entity specified on Execution Form
As provided on Execution Form
Contact name, position and contact details
Office of the Siemens Data Protection Officer
Werner-von-Siemens-Straße 1, 80333 Munich, Germany
Activities relevant to the data transferred/Processed
Partner will provide customer success services and/or maintenance and support to Customers as indicated in the Partner Authorization Form in accordance with the Agreement. In performing these services, Partner may also have access to Siemens end customer systems and networks and access to personal data cannot be excluded..
Siemens acts as Controller for the processing activities provided by Provider vis-à-vis Siemens and as Processor under the instructions of its Authorized Entities for processing activities provided by Provider vis-à-vis Authorized Entities.
Provider entity specified on Execution Form
As provided on Execution Form
Contact name, position and contact details
As provided on Partner Authorization Form
Activities relevant to the data transferred/Processed
See above table
Provider acts as Processor Processing Personal Data on behalf of Siemens and, as the case may be, Authorized Entities.
Categories of data subjects whose Personal Data is transferred/Processed:
☒ Employees and staff (including applicants, regular, temporary, part-time, trainees, contractors and agents)
☒ Contact persons at business partners, suppliers, vendors and other cooperation partners
☒ Customer(s) and/or their employees and staff (including applicants, regular, temporary, part-time, trainees, contractors and agents)
☒ Users of Siemens software products/services
☐ Other, please list:
Further affected data subjects whose personal data is contained in an application or IT system which is in scope of the Services provided.
Categories of Personal Data transferred/Processed
☒ Contact information (such as name, address, phone or fax number, email address, etc.)
☒ Organizational organization (such as job position, department, etc.)
☒ Location data (such as GPS, etc.)
☐ Governmental and personal identifiers (such as social security number, driver’s license number, social insurance number, etc.)
☐ Financial data (such as income, loan files, transactions, credit information, purchase and consumption habits, insolvency status, etc.)
☐ Employment data (such as recruiting data and qualification, compensation and payroll data, employee identification data, employee status, attendance data, work history data, etc.)
☒ User account data (such as username/ID and password, etc.)
☒ Information related to data subject’s use of IT assets (such as IP address, login information, credentials, etc.)
☐ Financial account information (such as banking/ credit card data, account numbers, credit card numbers, etc.)
☐ Other; please list:
Any further personal data contained in an application or IT system which is in scope of the Services provided.
Special categories of Personal Data to be accessed or Processed
☐ Information on racial or ethnic origin
☐ Information on political opinions
☐ Information on religious or philosophical beliefs
☐ Information on trade union membership
☐ Information on sex life or sexual orientation
☐ Biometric data
☐ Genetic data
☐ Health data (such as mental or physical disabilities, family medical history, personal medical history, medical records, prescriptions, etc.)
☐ Other; please list:
The restrictions or safeguards applied to such sensitive Personal Data are described in Annex II to this DPA
The frequency of the transfer (accessing/Processing)
☐ Provider hosts Personal Data on behalf of Siemens and, as the case may be, Authorized Entities
☒ Provider remotely accesses Personal Data when providing the services
☒ on one-off basis
☒ on continuous basis
☐ Provider otherwise Processes Personal Data when providing the services
☐ on one-off basis
☐ on continuous basis
Nature of the Processing
☒ Adaptation or alteration
☐ Disclosure by transmission
☐ Otherwise making available
☐ Alignment or combination
☐ Erasure or destruction of data
Purpose/activities relevant to the data transferred/Processed
☒ Provider provides maintenance and support services and may have access, including remote-access to Personal Data.
☐ Provider provides professional services by performing services in connection with an application/system or network such as: installation, configuration or data migration or other related IT services and may have access, including remote access to Personal Data.
☐ Provider provides managed services, including data center and infrastructure management, backup and recovery management and may have access, including remote access to Personal Data.
☐ Provider provides XaaS (Software-, Platform-, or Infrastructure-as-a-Service) by providing hosting, operation, management and maintenance and support services.
☒ Other: Provider provides customer success services and may have access, including remote-access, to Personal Data.
☐ The Personal Data will be retained for the period of the Agreement.
☐ The Personal Data will be retained for a period of:
☒ Other: The Personal data will be retained for the period of the Order, unless instructed otherwise.
For transfers to Subprocessor(s), also specify subject matter, nature and duration of the Processing
The subject matter, nature and duration of the processing are specified per Subprocessor in Annex III to this DPA.
Where Siemens is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by Siemens with the GDPR as regards the data transfer shall act as competent supervisory authority. For Siemens Aktiengesellschaft, Germany, the supervisory authority is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Where Siemens is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2), the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) GDPR is established shall act as competent supervisory authority; namely:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
The following measures shall only apply to the Provider, insofar as the underlying IT systems, networks and applications are the responsibility of and/or under the custody or control of the Provider. Description of the technical and organizational security measures implemented by the Provider and its Subprocessor(s):
Physical and Environmental Security
Provider implements suitable measures to prevent unauthorized persons from gaining access to the data processing equipment (namely, database and application servers and related hardware). This shall be accomplished by:
establishing security areas;
protecting and restricting access paths;
securing the decentralized data processing equipment and personal computers;
establishing access authorizations for employees and third parties, including the respective documentation;
regulations on access cards;
restrictions on access cards;
all access to the data center where Personal Data is hosted will be logged, monitored, and tracked;
the data center where Personal Data is hosted is secured by restricted access controls, and other appropriate security measures; and
maintenance and inspection of supporting equipment in IT areas and data centers shall only be carried out by authorized personnel.
Access Control (IT-Systems and/or IT-Application)
Provider implements a roles and responsibilities concept.
Provider implements an authorization and authentication framework including, but not limited to, the following elements:
role-based access controls implemented;
process to create, modify, and delete accounts implemented;
access to IT systems and applications is protected by authentication mechanisms;
appropriate authentication methods are used based on the characteristics and technical options of the IT system or application;
access to IT systems and applications shall require, at least, two-factor authentication for privileged accounts;
all access to Personal Data is logged, monitored, and tracked;
authorization and logging measures for inbound network connections to IT systems and applications (including firewalls to allow or deny inbound network connections) implemented;
privileged access rights to IT systems, applications, and network services are only granted to individuals who need it to accomplish their tasks (least-privilege principle);
privileged access rights to IT systems and applications are documented and kept up to date;
access rights to IT systems and applications are reviewed and updated on regular basis;
password policy implemented, including requirements regarding password complexity, minimum length and expiry after adequate period of time, no re-use of recently used passwords;
IT systems and applications technically enforce password policy;
access rights of employees and external personnel to IT systems and applications is removed immediately upon termination of employment or contract; and
use of secure state-of-the-art authentication certificates ensured.
IT systems and applications lock down automatically or terminate the session after exceeding a reasonable defined idle time limit.
Provider limits privileged access to cloud assets to single or specific ranges of IP addresses.
Privileged access to cloud assets is done through a bastion host.
Provider maintains log-on procedures on IT systems with safeguards against suspicious login activity (e.g., against brute-force and password guessing attacks).
Provider protects systems and applications against malicious software by implementing appropriate and state-of-the-art anti-malware solutions.
Provider defines, documents and implements a backup concept for IT systems, including the following technical and organizational elements:
backups storage media is protected against unauthorized access and environmental threats (e.g., heat, humidity, fire);
defined backup intervals; and
the restoration of data from backups is tested regularly based on the criticality of the IT system or application.
Provider stores backups in a physical location different from the location where the productive system is hosted.
IT systems and applications in non-production environments are logically or physically separated from IT systems and applications in production environments.
Data centers in which Personal Data is stored or processed are protected against natural disasters, physical attacks or accidents.
Supporting equipment in IT areas and data centers, such as cables, electricity, telecommunication facilities, water supply, or air conditioning systems are protected from disruptions and unauthorized manipulation.
Provider maintains and implements an Information Security Framework reflecting the measures described herein, which is regularly reviewed and updated.
Provider logs security-relevant events, such as user management activities (e.g., creation, deletion), failed logons, changes on the security configuration of the system on IT systems and applications.
Provider continuously analyzes the respective IT systems and applications log data for anomalies, irregularities, indicators of compromise and other suspicious activities.
Provider scans and tests IT systems and applications for security vulnerabilities on a regular basis.
Provider implements and maintains a change management process for IT systems and applications.
Provider maintains a process to update and implement vendor security fixes and updates on the respective IT systems and applications.
Provider irretrievably erases data or physically destroys the data storage media before disposing or reusing of an IT system.
Provider documents and updates network topologies and its security requirements on regular basis.
Provider continuously and systematically monitors IT systems, applications and relevant network zones to detect malicious and abnormal network activity by
Firewalls (e.g., stateful firewalls, application firewalls);
Intrusion Detection Systems (IDS) and/or Intrusion Prevention Systems (IPS);
URL filtering; and
Security Information and Event Management (SIEM) systems.
Provider administers IT systems and applications by using state-of-the-art encrypted connections.
Provider protects the integrity of content during transmission by state-of-the-art network protocols, such as TLS.
Provider encrypts, or enables its Providers to encrypt, Provider data that is transmitted over public networks.
Provider uses secure Key Management Systems (KMS) to store secret keys in the cloud.
Provider maintains and implements an incident handling process, including but not limited to:
records of security breaches;
Provider notification processes; and
an incident response scheme to address the following at time of incident: (i) roles, responsibilities, and communication and contact strategies in the event of a compromise (ii) specific incident response procedures and (iii) coverage and responses of all critical system components.
Asset Management, System Acquisition, Development and Maintenance
Provider identifies and documents information security requirements prior to the development and acquisition of new IT systems and applications as well as before making improvements to existing IT systems and applications.
Provider establishes a formal process to control and perform changes to developed applications.
Provider plans and incorporates security tests into the System Development Life Cycle of IT systems and applications.
Provider implements an adequate security patching process that includes:
monitoring of components for potential weaknesses (CVEs);
priority rating of fix;
timely implementation of the fix; and
download of patches from trustworthy sources.
Human Resource Security
Provider implements the following measures in the area of human resources security:
employees with access to Personal Data are bound by confidentiality obligations; and
employees with access to Personal Data are trained regularly regarding the applicable data protection laws and regulations.
Provider implements an offboarding process for Provider employees and external vendors.
Cryptography (relevant for DP in the context of network services)
Provider uses secure state-of-the-art certificates and implements the following:
digital certificates are only accepted and trusted if the digital certificate was issued by a trusted certification authority;
certificates are used and allocated to dedicated IT-systems and applications; and
the validity of digital certificates is verified.
Provider implements a process for the management and implementation of cryptographic keys, including rules and requirements to generate, store, backup, distribute, and revoke cryptographic keys.
LIST OF SUBPROCESSORS AND DATA CENTER LOCATIONS
The ‘Partner Authorization Form’ sets forth the
Entities (including Partner and subprocessors) engaged in the storage/hosting of personal data,
Applicable Data Center Locations,
Subprocessors engaged in the processing of personal data for non-storage/hosting purposes,
which are incorporated herein by this reference.
Provider shall not transfer Personal Data from the respective Data Center Location without Siemens’ consent. The notification and objection mechanism contained in Section 8 shall not apply in this regard.