STANDARD CONTRACTUAL CLAUSES (PROCESSORS) · 2020-06-17 · The Clauses shall be governed by the...


STANDARD CONTRACTUAL CLAUSES (PROCESSORS)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

Name of the data exporting organisation: __________________________

Address: __________________________________________

Tel.: ______________________

Fax: ____________________________ (the data exporter)

and

Name of the data importing Organisation: Akamai Technologies, Inc.,

Address: 145 Broadway, Cambridge, MA 02142, USA

Tel.: +1 877-325-2624

Fax: +1 617-444-3001 (the data importer)

each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1: Definitions

For the purposes of the Clauses:

(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) ‘the data exporter’ means the controller who transfers the personal data;

(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25 (1) of Directive 95/46/EC;

(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

EU SCCs Customer-ATI Version January 2020 Page 1 of 12


(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2 Details of the transfer:

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3 Third-party beneficiary clause:

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4 Obligations of the data exporter:

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5 Obligations of the data importer:

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

(ii) any accidental or unauthorised access, and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6 Liability:

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.

2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.

The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7 Mediation and jurisdiction:

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b) to refer the dispute to the courts in the Member State in which the data exporter is established.

2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8 Cooperation with supervisory authorities:

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9 Governing Law:

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10 Variation of the contract:

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11 Subprocessing:

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.

2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12 Obligation after the termination of personal data processing services:

1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.


On behalf of the data exporter:

Name (written out in full):______

Position:_____________________

Address: ____________________

Signature: ____________________

(stamp of organisation)

On behalf of the data importer: Akamai Technologies, Inc.

Name (written out in full): James H Hammons

Position: Assistant Secretary

Address: 145 Broadway, Cambridge, MA 02142 USA

(stamp of organisation)


Appendix 1 to the Standard Contractual Clauses (processor)

Data Processing Activities

Data exporter

The Data Controller is:

Data importer

The data importer is: A provider of content delivery, media acceleration, web performance and Internet security services.

Data subjects

The personal data of the following data subjects is processed under this Agreement: Internet end-users accessing the web content of the data exporter and/or using the web services of the data exporter.

Categories of data

The personal data transferred concern the following categories of data:

a) End User Personal Data

Akamai processes Personal Data included within Customer Content (“End User Personal Data”) when providing the Services to Customer. Upon the Customer’s choice, End User Personal Data may include data such as:

a. Login credentials;

b. Subscriber name and contact information;

c. Financial or other transaction information;

d. Other Personal Data relating to the individual data subject as set by Customer.

b) Logged Personal Data

Akamai processes Personal Data that is included in log files when performing the Services for Customer (“Logged Personal Data”). Logged Personal Data is Personal Data logged by Akamai servers, relating to the access to Customer Content over the Akamai platform by Customer’s end users, as well as logged personal data associated with user activity and interaction with web and internet protocol sessions transiting Akamai’s servers as part of a data subject’s session with the Customer’s web property. Logged Personal Data include such data as:

a. End user IP addresses;

b. URLs of sites visited with time stamps (with an associated IP address);

c. Geographic location based upon IP address and location of Akamai server;

d. Telemetry data (e.g., mouse clicks, movement rates, and related browser data).

c) Site Personal Data

Akamai processes Personal Data associated with user activity and interaction with web and internet protocol sessions transiting Akamai’s servers as part of a data subject’s session with the Customer’s web property (“Site Personal Data”). The Site Personal Data consists of user telemetry data (e.g., mouse clicks, movement rates, and user agent and related browser data) designed to measure website performance.


d) Enterprise Security Personal Data

Akamai processes Personal Data on behalf of Customers of Akamai Enterprise Security Services that are provided by Customer or collected during the provision of Services in order to protect users of the Customer’s enterprise network and the network itself from Internet security and policy abuse risks (“Enterprise Security Personal Data”). The Enterprise Security Personal Data includes such data as:

a. Login and user authentication data;

b. Contents of communications, including attachments;

c. Browser and device information, including location information;

d. URLs visited.

e) Special categories of data

Customer as the Data Controller decides which categories of data are included in the End User Personal Data. Where Customer chooses to include special categories of data in the Customer Content, Akamai will process this data as End User Personal Data, as instructed by the Customer.

f) Categories of data processed by particular Akamai Services

Akamai maintains a list of service categories that provide further information regarding the processing of Personal Data conducted in providing Services in each category. This list is available at www.akamai.com/compliance/privacy/.

Description of processing activities:

The following processing activities are performed when providing the Services:

a) End User Personal Data

The data importer processes End User Personal Data on behalf of the data exporter, including instructions given through the service agreement, or via configuration of the Services via the relevant customer portals or support processes.

b) Logged Personal Data

The data importer collects Logged Personal Data and conducts analysis of Logged Personal Data to provide the data exporter with copies of traffic logs and data analytic reports related to the performance of its services and the data exporter’s web properties.

Logged Personal Data is also processed for purposes of Service issue resolution.

c) Site Personal Data

The data importer processes Site Personal Data to provide website monitoring and analytics services to the data exporter to enable it to understand the nature of end user traffic to their web properties, as well as to monitor the performance of such properties.

d) Enterprise Security Personal Data

The data importer’s Enterprise Security Services provide the data exporter with tools and services to protect its employees and guests, as well as its network infrastructure from Internet threats. In addition, these same tools may be used to monitor network activity, provide secure access to applications, and establish and enforce access policies. To provide these services, the data importer processes Enterprise Security Personal Data as needed to access and monitor network traffic, process and store access credentials and related network data as part of the network infrastructure services ordered by the data exporter.


Appendix 2 to the Standard Contractual Clauses (processor):Technical and Organisational lVleasures to secure the Personal Data processed:

Confidentiality (Art 32 (1) 1 Nt b GDPR)Entry control:The data importer monitors its servers and the rooms in which the servers are depioyedwith perimeter cameras. lt requires its co-Iocation facility partners to restrict physicalaccess to its servers to persons that have been authorized in advance to access theservers, inter alia by picture identification. Such persons are checked in and escorted tothe servers by the personnei of the data importer co-location facility partner. The dataimporter also requires its co-location facility partners to enforce verification of the requesterprior to answer any service request. The co-location facility partner may not attempt togain any sort of access to the data importer‘s data systems outside the documentedprocess set forth by the data importer. Physical access to the servers by field techniciansfor purposes of first instalment or maintenance of the servers is Iimited to the technicalfunctions of the servers. Field technicians do not have control over the ability of suchservers to process the data exporter‘s web content.

Access control: The data importer limits access to its data systems according to its business requirements and the least privilege principle. For example, contracted field technicians are not granted administrative access to servers processing the data exporter's web content. Field technicians performing system diagnostics and analysis are provided with read-only logins to the servers. Administrative access is restricted to trained and authorized employees of the data importer. Remote administrative access is only available to such employees via cryptographically secure connections; systems authenticate administrative connections using asymmetric key cryptography. User administrative access is provided through an access control gateway, which enforces a need-to-have access grant authorization model. All connections through the authorization gateway are logged. User SSH keys are routinely rotated and access is immediately removed in case of reports of theft of devices or the termination of a person's employment.

A system of grants is used to track and permit access to all data processing systems of the data importer. Access to the data importer's systems used to process the data exporter's web content is gained via the data importer's authorization gateway. Access to the authorization gateway itself requires possession of a grant authorized by one or more second parties, as well as a deployed SSH key. Issuance of a deployed SSH key requires access to the corporate network environment using a device with a corporate PKI issued Network Access Control (NAC) certificate, valid corporate authentication credentials for the data importer's corporate web services, and either confirmation of possession of a usable, unexpired prior key or confirmation by the data importer's Network Operations Command Center (NOCC) of the user's identity.

Access to the data importer's corporate network requires using a device with a corporate public key infrastructure (PKI) issued NAC certificate. Access to data processing systems within the corporate network requires the NAC certificate as well as user authentication via either the Duo Security, Inc. Trusted Access System or the data importer's corporate Active Directory username and password management system. In case of password authentication, the complexity of the password is ensured by the data importer's password policy (e.g. multiple character types, length of min. 8 characters, change requirement after 120 days, inability to reuse a password within the following 12 months).

The data importer does not provide user accounts on servers transmitting content. Administrative access to such servers is limited to a number of authorized employees of the data importer. Access to these servers by authorized employees on a user level is logged by an authentication gateway. Remote access via the authentication gateway utilizes SSH keys and asymmetric cryptography. Introduction of a new SSH key requires either direct confirmation of identity with the data importer's NOCC or possession of the prior SSH key, the prior SSH key password, a machine's NAC certificate for the data importer's corporate network and a corporate Active Directory username and password.

EU SCCs Customer-ATI Version January 2020 Page 10 of 12
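The password policy stated above (multiple character types, minimum length 8, change after 120 days, no reuse within the following 12 months), as an added illustration of how such a policy is enforced; this is example code, not the data importer's own implementation. Only salted PBKDF2 digests of earlier passwords are kept, so the reuse check never needs a cleartext history. The threshold of three character classes, reading "12 months" as 365 days measured from when a password was set, the PBKDF2 parameters and all dates and sample passwords are assumptions constructed for the example.

```python
"""Enforcement of the password policy described in the access control section.
Added example; the policy parameters are taken from the text, everything else
(class threshold, 12-month reading, KDF settings, sample data) is assumed."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_LENGTH = 8                       # "length of min. 8 characters"
MIN_CHARACTER_CLASSES = 3            # assumption: "multiple character types" = 3 of 4 classes
MAX_AGE = timedelta(days=120)        # "change requirement after 120 days"
REUSE_WINDOW = timedelta(days=365)   # assumption: "following 12 months" = 365 days from set date
PBKDF2_ROUNDS = 100_000              # assumption: KDF work factor for stored history digests


@dataclass(frozen=True)
class PasswordRecord:
    """Salted PBKDF2 digest of a password and the time it was set; no cleartext kept."""
    salt: bytes
    digest: bytes
    set_at: datetime


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _matches(record: PasswordRecord, candidate: str) -> bool:
    # Constant-time comparison so the reuse check does not leak digest prefixes.
    return hmac.compare_digest(record.digest, _digest(candidate, record.salt))


def complexity_violations(password: str) -> list:
    """Return the reasons a candidate fails the static rules (empty list means it passes)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < MIN_CHARACTER_CLASSES:
        reasons.append(f"fewer than {MIN_CHARACTER_CLASSES} character types")
    return reasons


def is_expired(current: PasswordRecord, now: datetime) -> bool:
    return now - current.set_at >= MAX_AGE


def recently_used(history, candidate: str, now: datetime) -> bool:
    """True if the candidate equals any password set inside the reuse window."""
    return any(now - rec.set_at < REUSE_WINDOW and _matches(rec, candidate) for rec in history)


class PasswordAccount:
    def __init__(self):
        self.history = []  # PasswordRecord entries, oldest first

    @property
    def current(self):
        return self.history[-1] if self.history else None

    def must_change(self, now: datetime) -> bool:
        return self.current is None or is_expired(self.current, now)

    def change_password(self, candidate: str, now: datetime) -> PasswordRecord:
        """Apply complexity and reuse rules; raise ValueError listing every violation."""
        reasons = complexity_violations(candidate)
        if recently_used(self.history, candidate, now):
            reasons.append("reused within the reuse window")
        if reasons:
            raise ValueError("; ".join(reasons))
        salt = os.urandom(16)  # fresh salt per record so equal passwords never share a digest
        record = PasswordRecord(salt, _digest(candidate, salt), now)
        self.history.append(record)
        return record


def demo() -> dict:
    """Walk one account through the policy using constructed dates and passwords."""
    t0 = datetime(2020, 1, 15)  # constructed sample date
    acct = PasswordAccount()
    acct.change_password("Tr0ub4dor&3", t0)
    results = {
        "expired_day_119": acct.must_change(t0 + timedelta(days=119)),
        "expired_day_120": acct.must_change(t0 + timedelta(days=120)),
    }
    try:  # same password again at day 120 is inside the 12-month window
        acct.change_password("Tr0ub4dor&3", t0 + timedelta(days=120))
        results["reuse_blocked"] = False
    except ValueError:
        results["reuse_blocked"] = True
    acct.change_password("C0rrect-Horse", t0 + timedelta(days=120))
    acct.change_password("Tr0ub4dor&3", t0 + timedelta(days=366))  # window has passed
    results["history_length"] = len(acct.history)
    return results


if __name__ == "__main__":
    print(demo())
```

The reuse check re-derives the candidate under each stored salt, which costs one KDF run per history entry; that is the price of not retaining cleartext or unsalted digests of old passwords.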

Segregation control: The data importer separates the environment for development and software engineering from the environment for testing and the environment for operations, and has put in place several controls to ensure the code development, testing and production data handling environments are separated. E.g. employees within a development team do not have access to the same systems as the employees within a test or operations team. Separate cryptographic credentials are used to access development, test, operations and production environments; critical network operations systems are further isolated from the corporate, development and test network environments. The separation is supervised by granular logging of access to the production and operations servers, by change control processes and by the responsible management.

Pseudonymization (Art 32 (1) lit a GDPR, Art 25 (1) GDPR): In most cases the data importer does not pseudonymize or anonymize the personal data it processes. For the personal data in the data importer's web content this would require modifications of the web content which solely the data exporter should make, to avoid a violation of the integrity of the data exporter's web content. For Logged Personal Data, Site Personal Data and Enterprise Security Personal Data, this data is required in raw and clean form for the purpose of the processing activities. E.g. the data importer could not perform security analytics using pseudonymized or anonymized IP addresses.

Integrity (Art 32 (1) lit b GDPR)

Transmission control: The data importer has put in place a robust alert management system that provides for extensive monitoring of all servers. Fine grained monitoring of running processes allows the definition of predefined alerts to catch unexpected and suspicious behavior, including the execution of rogue processes. In addition, the data exporter can control access to the personal data in its content, while having the Data Processor transmit traffic to its server over encrypted and authenticated connections, by its configuration of the services in the data importer's customer portal (the Akamai Customer Center, ACC). The data exporter can control storage of personal data in its content by configuring property specific content caching rules. By its configuration the data exporter can also limit the storage of End User Personal Data (where required) to servers with enhanced physical security controls only. The integrity of Logged Personal Data, Site Personal Data and Enterprise Security Personal Data is ensured by various storage controls (e.g., log retention control) that are subject to several regular third-party assessments as outlined in the data importer's compliance portal, www.akamai.com/compliance.

Input control: Access to the data importer's servers is logged and monitored via audit systems and processes. Logged Personal Data, Site Personal Data and Enterprise Security Personal Data gathered by web servers is digitally signed by "Edge Servers" and is audited by the distributed data processing facilities, to ensure that it is not modified or corrupted. Respective access logs consisting of aggregated and anonymized log data are provided to the data exporter as part of the data importer's "Log Delivery Service" offering.

Availability and resilience (Art 32 (1) lit b GDPR): The data importer's web server networks have been created matching the principles of availability. The server network is self-healing and ensures that the content of the data exporter is transmitted via the server network even in case of an outage of single servers. This prevents an outage of the services which would require a fast recovery of the services (Art 32 (1) lit c GDPR).

Evaluation of effectiveness (Art 32 (1) lit d GDPR and Art 25 (1) GDPR): The data importer has a data protection and security management system in place, which is evaluated in the course of the annual third-party audits performed by the data importer. Details are publicly available in the data importer's compliance portal, www.akamai.com/compliance. In addition, the data importer maintains an Incident Response Management process that is also evaluated in the course of the annual third-party audits. Further, the data importer ensures by its privacy by design (Art 25 (2) GDPR) program that the personal data it is processing is protected. E.g. the data importer has ensured by training and process implementation that new services are developed in compliance with applicable data protection principles. In addition, the data importer is offering, where technically possible, data anonymization, and is thereby implementing the data minimization principle.

Role Control: The Parties ensure that personal data is processed by the data importer only in accordance with the instructions provided by the data exporter. Contractually this is ensured by the data processing agreement in place between the parties. Technically this is ensured by the data importer's robust monitoring and alert mechanism.
