Mastercard Data & Services

Data Processing Agreement

This Data Processing Agreement (“DPA”) regulates the Processing of Personal Data subject to Privacy and Data Protection Law in the context of each agreement and/ or statement of work between (i) the stated Mastercard Entity (as defined below) and, (ii) the Merchant, Issuer or other applicable counterparty (the “Customer”), which references this DPA or to which this DPA is attached (the “Principal Agreement”).

1. Definitions

1.1. The terms “Personal Data Breach,” “Processing,” “Sale,” “Sensitive Data,” “Share,” and “Supervisory Authority” have the meanings given to those terms under applicable Privacy and Data Protection Law. In the event of a conflict, the meaning from the law applicable to the residence of the relevant Data Subject applies.

1.2. “Affiliate” means in relation to a Party, any other entity which directly or indirectly Controls, is Controlled by, or is under direct or indirect common Control with that Party from time to time. “Control”, for the purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

1.3. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data, including as applicable a “business” or equivalent term as defined under applicable Privacy and Data Protection Law.

1.4. “Data Protection Rights” means all rights granted to Data Subjects under Privacy and Data Protection Law, which may include – depending on applicable law – the right to know, the right of access, rectification, erasure, complaint, data portability, restriction of Processing, objection to the Processing, and rights relating to automated decision-making and indemnification against misuse of Personal Data.

1.5. “Data Subject” means the identified or identifiable individual to whom Personal Data relates.

1.6. “Disclosure Request” means any request by a Government Agency for access to, or disclosure of, Personal Data for law enforcement, national security, regulatory reporting or other purposes.

1.7. “Europe Data Protection Law” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementations in the European Economic Area (“EEA”), including the European Union (“EU”), and all other data protection laws of the EEA, the United Kingdom (“UK”), Monaco, and Switzerland, each as applicable, and as may be amended or replaced from time to time.

1.8. “Government Agency” means any competent public or quasi-public authority (including without limitation regulators, local government authorities, law enforcement authorities and national security agencies) of any jurisdiction that may request disclosure of Personal Data Processed in connection with the Services.

1.9. “Mastercard BCRs” means the Mastercard Binding Corporate Rules as approved by the EEA data protection authorities and the UK Information Commissioner’s Office and available at https://www.mastercard.us/content/dam/mccom/global/documents/mastercard-bcrs.pdf.

1.10. “Personal Data” means information that can reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular individual or household, including “personal data,” “personal information,” or equivalent terms as defined under applicable Privacy and Data Protection Law. To the extent permitted by applicable Privacy and Data Protection Law, “Personal Data” does not include information that is deidentified, aggregated, or anonymized in accordance with applicable law, or otherwise excluded from the scope of applicable Privacy and Data Protection Law.

1.11. “Mastercard Entity” means any direct or indirect subsidiary of Mastercard International Incorporated, a company incorporated in Delaware, USA of 2000 Purchase Street, Purchase, NY 10577, USA.

1.12. “Privacy and Data Protection Law” means any law, statute, declaration, decree, legislation, enactment, order, ordinance, regulation or rule (as amended and replaced from time to time) which relates to the privacy and protection of Personal Data, and to which the Parties are subject, including but not limited to Europe Data Protection Law; State Privacy Laws; the U.S. Gramm-Leach-Bliley Act; the Brazil General Data Protection Act; the South Africa Protection of Personal Information Act; the Personal Information Protection Law of the PRC and other PRC Laws relating to privacy and protection of Personal Information; Argentina Personal Data Protection Act; laws regulating unsolicited email, telephone, and text message communications; security breach notification laws; laws imposing minimum security requirements; laws requiring the secure disposal of records containing certain Personal Data; laws governing the portability and/or cross-border transfer of Personal Data; and all other similar international, federal, state, provincial, and local requirements; each as applicable.

1.13. “Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable a “service provider” or equivalent term as defined under applicable Privacy and Data Protection Law.

1.14. “Services” means the services provided by Mastercard to Customer under the Principal Agreement.

1.15. “Standard Contractual Clauses” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (OJ L 199, 7.6.2021, p. 31-61), as amended or replaced from time to time.

1.16. “State Privacy Laws” means the California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq., as amended including by the California Privacy Rights Act, the Virginia Consumer Data Protection Act, Code of Virginia title 59.1, Chapter 52, the Colorado Privacy Act, Colorado Rev. Stat. 6-1-1301 et seq., the Utah Consumer Privacy Act, Utah Code 13-61-101 et seq., the Connecticut Personal Data Privacy and Online Monitoring Act, Public Act No. 22-15, and any other U.S. state privacy laws and their implementing regulations issued pursuant thereto, as amended and superseded from time to time that apply generally to the processing of Personal Data and that do not apply solely to specific industry sectors (e.g., financial institutions), specific demographics (e.g., children), or specific classes of information (e.g., health or biometric information).

1.17. “Sub-Processor” means a Processor engaged by a Processor to carry out Processing on behalf of a Controller.

1.18. “Third Country” means a country other than the EEA countries or the UK to which Personal Data may only be transferred in compliance with the conditions set out in Europe Data Protection Law.

1.19. “Swiss Addendum” means the addendum to the Standard Contractual Clauses required by the Swiss Federal Data Protection and Information Commissioner to satisfy the requirements of the Swiss Federal Data Protection Act (“FADP”).

1.20. “UK Addendum” means the addendum to the Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).

2. Roles of the Parties and Processing by Mastercard

2.1. Processing of Personal Data subject to Privacy and Data Protection Law. This Section 2.1 applies only to the Processing of Personal Data that is subject to Privacy and Data Protection Law that requires the Controller and Processor to enter into a data processing agreement. For the avoidance of doubt, this also applies where the applicable Privacy and Data Protection Law does not specifically use the terms Controller and Processor.

2.1.1. Roles of the Parties. Mastercard acts as Processor on behalf of Customer and Customer acts as a Controller (or a Processor on behalf of another Controller) in the context of the Services described in Annex 1.

2.1.2. Processing by Mastercard. Customer hereby authorizes Mastercard to process, as permitted by applicable Privacy and Data Protection Law, as a Controller, Personal Data relating to the operation, support, or use of the Services to (i) conduct internal analyses of Personal Data, (ii) develop and improve existing and future products and services offered to third parties, (iii) operate, build and improve algorithmic models for internal use or in support of the Services, (iv) perform security and risk management, including monitoring and preventing fraud, (v) aggregate and anonymize information, and prepare and furnish reports of such aggregated and anonymized information, provided that such reports do not identify the Customer or any Data Subjects, and (vi) for other purposes for which consent has been provided by the Data Subject to whom the Personal Data relates. Mastercard represents and warrants that it will Process Personal Data for these purposes in compliance with applicable Privacy and Data Protection Law and the Mastercard BCRs.

2.2. Processing of Covered Personal Data Subject to State Privacy Laws. This Section 2.2 applies only to the Processing of Personal Data that is subject to the State Privacy Laws by Mastercard on behalf of Customer (“Covered Personal Data”). Notwithstanding any provision to the contrary of this DPA or this Section, the terms of this Section shall not apply to Mastercard’s Processing of Covered Personal Data that is exempt from the State Privacy Laws. Except as otherwise permitted by the State Privacy Laws, Mastercard will not (i) Sell or Share Covered Personal Data; (ii) retain, use, or disclose Covered Personal Data for any purpose other than for the specific purpose of performing the Services under the Principal Agreement and Annex 1 for Customer; (iii) retain, use, or disclose Covered Personal Data outside the direct business relationship between the Parties; or (iv) combine Covered Personal Data with Personal Data obtained from, or on behalf of, sources other than Customer, except as permitted under applicable State Privacy Laws or authorized by Customer pursuant to the Principal Agreement.

3. Additional Obligations of the Parties

3.1. Compliance with Privacy and Data Protection Law. Customer and Mastercard represent and warrant that they will comply with applicable Privacy and Data Protection Law when Processing Personal Data in the context of the Services. Where required by applicable Privacy and Data Protection Law, Customer will ensure that it has obtained/will obtain all necessary consents, including disclosures on the collection, uses, and sharing practices of Data Subjects’ Personal Data by the Customer and Mastercard as set out in the Principal Agreement and this DPA and has given/will give all necessary notices, for the Processing of Personal Data by Mastercard and its Sub-Processors in accordance with the Principal Agreement.

3.2. Instructions. Where Mastercard acts as a Processor on behalf of Customer, Mastercard will take steps to:

3.2.1. Only Process Personal Data in accordance with the Customer’s lawful written instructions or as otherwise agreed by the Parties in writing, unless otherwise required or permitted by law.

3.2.2. Promptly inform Customer if, in its opinion, the Customer’s instructions infringe Privacy and Data Protection Law, or if Mastercard is unable to comply with the Customer’s instructions without failing to meet its obligations under Privacy and Data Protection Law. Upon receiving notice from Mastercard in accordance with this subsection, Customer may direct Mastercard to take reasonable and appropriate steps, as required by applicable Privacy and Data Protection Law, to stop and remediate unauthorized use of Customer Personal Data.

3.2.3. Notify Customer when local laws prevent Mastercard (1) from fulfilling its obligations under this DPA or the Mastercard BCRs and have a substantial adverse effect on the guarantees provided by this DPA or the Mastercard BCRs, and (2) from complying with the instructions received from the Customer via this DPA, except if such disclosure is prohibited by applicable law, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation.

3.3. Confidentiality. Mastercard will ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.4. Security. The Parties will take steps to ensure a level of security appropriate to the risk for the Personal Data and implement at the minimum the security measures listed in Annex 2. The Parties must notify a Personal Data Breach that relates to Personal Data Processed in the context of the Services to the other Party, without undue delay, and no later than 48 hours after having become aware of a Personal Data Breach, in accordance with applicable Privacy and Data Protection Law.

3.5. Sub-Processing. Customer hereby gives a general authorization to and instructs Mastercard to engage internal and external Sub-Processors in the context of the Services under the conditions set forth below, including any addition or replacement of Sub-Processors, and Mastercard represents and warrants that when Sub-Processing the Processing of Personal Data in the context of the Services, and to the extent required by applicable Privacy and Data Protection Law, it will:

3.5.1. Bind its internal Sub-Processors to respect the Mastercard BCRs and to comply with the Customer’s instructions, including by passing down any deletion requests.

3.5.2. Require its external Sub-Processors, via a written agreement, to comply with applicable Privacy and Data Protection Law, with the Customer’s instructions and with the same obligations as are imposed on Mastercard by this Section and the Mastercard BCRs.

3.5.3. Remain liable to the Customer for the performance of its Sub-Processors’ obligations.

3.5.4. Commit to provide a list of Sub-Processors to Customer upon written request.

3.5.5. Where required by applicable Privacy and Data Protection Law, inform Customer of any addition or replacement of a Sub-Processor in a timely fashion and, if required by applicable Privacy and Data Protection Law, give Customer an opportunity to object to the change within 30 days or to terminate this DPA before the Personal Data is communicated to the new Sub-Processor, except where the Services cannot be provided without the involvement of a specific Sub-Processor.

3.6. Assistance. To the extent required by Privacy and Data Protection Law and upon Customer’s prior written request, Mastercard will assist Customer, in so far as reasonably possible, in fulfilling its own data protection compliance obligations under Privacy and Data Protection Law, and provide to Customer all information available to Mastercard as reasonably necessary to demonstrate compliance with the Customer’s own obligations under Privacy and Data Protection Law, including Customer’s obligation to conduct data protection impact assessments or prior consultation with Supervisory Authorities.

3.7. Delete or Return Personal Data. Upon written request to delete or return Personal Data by Customer, except for any Personal Data which Mastercard Processes as a Controller, Mastercard will, at the choice of Customer, delete, anonymize, or return such Personal Data to Customer, except where Mastercard needs to retain a copy of such Personal Data to fulfil any legal obligations (in which case Mastercard will protect the confidentiality of the Personal Data).

3.8. Data Protection Audit. To the extent required by Privacy and Data Protection Law and upon prior written request by Customer, Mastercard agrees to cooperate and within reasonable time provide Customer with: (a) a summary of the audit reports demonstrating Mastercard’s compliance with Privacy and Data Protection obligations under this DPA and Mastercard BCRs where the transfer of Personal Data is based on the Mastercard BCRs, or such other relevant documentation, as required by Privacy and Data Protection Law, after redacting any confidential and commercially sensitive information; and (b) confirmation that the audit has not revealed any material vulnerability in Mastercard’s systems, or to the extent that any such vulnerability was detected, that Mastercard has fully remedied such vulnerability. If the above measures are not sufficient to meet the requirements of applicable Privacy and Data Protection Law and the Mastercard BCRs, subject to the strictest confidentiality obligations, Mastercard allows Customer to request an audit of Mastercard’s data protection compliance program by external independent auditors, which are jointly selected by the Parties. The external independent auditor cannot be a competitor of Mastercard, and the Parties will mutually agree upon the scope, timing, and duration of the audit. Mastercard will make available to Customer the result of the audit of its data protection compliance program.

3.9. Governmental Requests for Personal Data. Except to the extent prohibited by Privacy and Data Protection Law, each Party shall promptly inform the other Party in writing if any Government Agency requests disclosure of, or information about, Personal Data that has been Processed in connection with the Services. Each Party shall, without limiting its rights under Privacy and Data Protection Law, cooperate with the other Party as reasonably necessary to comply with any direction or ruling made by such Government Agencies.

3.10. Data Subject Requests. The Services may provide Customer with features to assist Customer with its obligations relating to responding to requests from Data Subjects to exercise their Data Protection Rights (“Data Subject Requests”). To the extent the Services do not provide such features or Customer is unable to address a Data Subject Request through the Services, Mastercard will provide Customer with reasonable assistance to respond to Data Subject Requests as required under applicable Privacy and Data Protection Law relating to the Processing of Personal Data under the Principal Agreement and Customer will reimburse Mastercard for commercially reasonable costs arising from this assistance. Customer will provide all necessary information for Mastercard to facilitate such Data Subject Requests. If a Data Subject Request is made directly to Mastercard regarding the Processing of Personal Data under the Principal Agreement, and to the extent Customer is identified in the Data Subject Request or can easily be identified by Mastercard based on the Data Subject Request, Mastercard will direct the Data Subject to submit their request to Customer.

4. Personal Data Transfers

4.1. Customer hereby instructs Mastercard to Process Personal Data as necessary to provide the Services and acknowledges that Mastercard may, and where required by applicable Privacy and Data Protection Law, Customer authorizes Mastercard to, transfer Personal Data Processed in connection with the Services globally in accordance with the Mastercard BCRs or any other lawful data transfer mechanism. Mastercard represents and warrants that it will abide by the Mastercard BCRs in the context of such transfers of Personal Data.

4.2. To the extent that the Mastercard BCRs cannot be relied upon as appropriate safeguards under applicable law, the transfer shall be governed by the Standard Contractual Clauses and the UK Addendum or the Swiss Addendum, as applicable, which are incorporated into this DPA by reference. To the extent Privacy and Data Protection Law requires additional terms to transfer Personal Data under the Principal Agreement, the parties will amend this DPA.

4.2.1. The Parties conclude and complete module 2 (Controller-to-Processor) of the Standard Contractual Clauses as follows: (i) they implement the optional docking clause in Clause 7, strike the optional paragraph in Clause 11(a), choose option 2 in Clause 9(a), indicate Belgium in Clause 13(a) and Clause 17, and indicate the courts of Brussels, Belgium in Clause 18(b); (ii) the “data exporter” is Customer and the “data importer” is Mastercard; and (iii) Annexes I and II to the Standard Contractual Clauses are Annex 1 and 2 to this DPA respectively.

4.2.2. The Swiss Addendum is completed as follows: (i) in deviation of Clause 13(a) of the Standard Contractual Clauses in connection with its Annex I.C. incorporated in Annex 1 to this DPA, the competent supervisory authority in Annex 1 shall be the Swiss Federal Data Protection and Information Commissioner and all references to the “competent supervisory authority” shall be interpreted accordingly; (ii) the references to the “Regulation (EU) 2016/679” and specific articles thereof in the Standard Contractual Clauses should be interpreted as references to the FADP and its corresponding provisions, as applicable.

4.2.3. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is Customer and the “Importer” is Mastercard, and their details are set forth in this DPA and the Principal Agreement; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the Standard Contractual Clauses referred to in Section 4.2.1 of this DPA; (iii) in Table 3, Annexes 1 (A and B) and II to the “Approved EU SCCs” are Annex 1 and 2 to this DPA respectively; and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.

4.3. Customer acknowledges and agrees that (i) Mastercard may transfer Personal Data to Third Countries for operational or organizational reasons in the course of providing its Services; and (ii) such Personal Data may be subject to a Disclosure Request or other access by a Government Agency in such Third Country.

4.4. As between the Customer and Mastercard, it shall be the Customer that is solely responsible for evaluating and, where Europe Data Protection Law requires documentation, documenting the level of protection afforded to Personal Data in any Third Country where Personal Data is transferred in the context of the Agreement, provided that Mastercard shall, upon reasonable request of the Customer, taking into account the nature of the Processing and the information available to Mastercard, provide commercially reasonable assistance to the Customer in conducting and documenting its assessment.

5. Notifications. Customer will send all notifications, requests and instructions under this DPA in accordance with the notice provision contained in the Principal Agreement with a copy provided to Mastercard’s Privacy and Data Protection department via email to [email protected].

6. Liability. The Parties agree that if Mastercard has paid compensation, damages or fines, Mastercard is entitled to claim back from Customer that part of the compensation, damages or fines, corresponding to Customer’s part of responsibility for the compensation, damages or fines.

7. Liability Towards Data Subjects. Subject to the liability clauses in the Principal Agreement, the Parties agree that they will be held liable for violations of Privacy and Data Protection Law towards Data Subjects as follows:

7.1. Customer is responsible for the damage caused by the Processing which infringes Privacy and Data Protection Law or this Agreement.

7.2. When Mastercard acts as a Processor, it will be liable for the damage caused by the Processing only where it has not complied with obligations of Privacy and Data Protection Law specifically directed to Processors or where it has acted outside of or contrary to Customer’s lawful instructions. In that context, Mastercard will be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

7.3. Where the Parties are involved in the same Processing and where they are responsible for any damage caused by the Processing, both Customer and Mastercard may be held liable for the entire damage to ensure effective compensation of the Data Subject.

7.4. For clarity, Mastercard and its Affiliates’ total liability for all claims from the Customer and all of its Affiliates arising out of or related to this DPA shall be subject to the liability limitations in the Principal Agreement, which shall apply in the aggregate for all claims under both the Principal Agreement and this DPA, including by Customer and all Customer Affiliates.

8. Applicable Law and Jurisdiction. The Parties agree that:

8.1. To the extent the Processing of Personal Data is subject to Europe Data Protection Law, this DPA and the Processing of Personal Data will be governed by the law of Belgium and any dispute will be submitted to the Courts of Brussels; and

8.2. To the extent the Processing of Personal Data is not subject to Europe Data Protection Law, this DPA and the Processing of Personal Data will be governed by the law applicable to the Principal Agreement, and any dispute will be submitted to the Courts identified in the Principal Agreement.

9. Termination. The Parties agree that this DPA is terminated upon the termination of the Principal Agreement.

10. Invalidity and Severability. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision will not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.


Annex 1 – Description of the processing activities

The description of the Processing under this DPA is as follows, and may be further detailed in the Principal Agreement such as in the applicable statement of work:

  • Subject-matter of the Processing: the Services elected by Customer, as set forth in this DPA or the Principal Agreement, which may include data analytics services, consulting services, loyalty program services, or other managed services on behalf of Customer.
  • Nature of the Processing: The Personal Data will be processed and transferred as necessary to perform the Services pursuant to this DPA and the Principal Agreement, including, but not limited to, monitoring, reporting, data analysis and data aggregation.
  • Categories of Data Subjects whose Personal Data is processed and transferred: End-consumers of Customer whose Personal Data are Processed by Mastercard, which may include cardholders.
  • Categories of Personal Data processed and transferred: Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
    • Name
    • Contact details
    • Transaction-related information such as card or account number (full or partial), transaction amount, transaction date and time, and merchant identifier
    • Any Customer loyalty card-related information
    • Any other Personal Data provided by Customer or by a third party on behalf of Customer
  • Sensitive data processed and transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: N/A
  • The frequency of the transfer (e.g., whether the Personal Data is transferred on a one-off or continuous basis): On a continuous basis.
  • Purpose(s) of the transfer and further Processing: The Personal Data will be transferred and further processed for the provision of the Services as described in this DPA and the Principal Agreement, in particular for monitoring, reporting, data analysis and data aggregation purposes, as well as for any other Processing in connection with the Services.
  • The period for which the Personal Data will be Processed and retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be Processed and retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Privacy and Data Protection Law.
  • For transfer to Sub-Processors: The Personal Data may be transferred to Sub-Processors to provide the Services as described in this DPA and the Principal Agreement.
  • The Belgian Supervisory Authority shall act as the competent Supervisory Authority.


Annex 2 – Security Measures

The Parties will apply at least the following types of security measures to Personal Data:

1. Physical access control

Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Personal Data are Processed, include:

  • Establishing security areas, restriction of access paths;
  • Establishing access authorizations for employees and third parties;
  • Access control system (ID reader, magnetic card, chip card);
  • Key management, card-keys procedures;
  • Door locking (electric door openers etc.);
  • Security staff, janitors;
  • Surveillance facilities, video/CCTV monitor, alarm system; and
  • Securing decentralized data processing equipment and personal computers.

2. Virtual access control

Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:

  • User identification and authentication procedures;
  • ID/password security procedures (special characters, minimum length, change of password);
  • Automatic blocking (e.g. password or timeout);
  • Monitoring of break-in-attempts and automatic turn-off of the user ID upon several erroneous password attempts;
  • Creation of one master record per user, user-master data procedures per data processing environment; and
  • Encryption of archived data media (where applicable).

3. Data access control

Technical and organizational measures to ensure confidentiality and that persons entitled to use a data processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization, include:

  • Internal policies and procedures;
  • Control authorization schemes;
  • Differentiated access rights (profiles, roles, transactions and objects);
  • Monitoring and logging of accesses;
  • Disciplinary action against employees who access Personal Data without authorization;
  • Deletion procedure; and
  • Encryption.

4. Disclosure control

Technical and organizational measures to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed, include:

  • Encryption/pseudonymization/tunneling;
  • Logging; and
  • Transport security.

5. Entry control

Technical and organizational measures to monitor whether Personal Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include:

  • Logging and reporting systems; and
  • Audit trails and documentation.

6. Control of instructions

Technical and organizational measures to ensure that Personal Data are Processed solely in accordance with the instructions of the Controller include:

  • Unambiguous wording of the contract;
  • Formal commissioning (request form); and
  • Criteria for selecting the Processor.

7. Availability control

Technical and organizational measures to ensure the integrity, availability and resilience of the processing systems, and that Personal Data are protected against accidental destruction or loss (physical/logical) may include, as applicable:

  • Backup procedures;
  • Mirroring of hard disks (e.g. RAID technology);
  • Uninterruptible power supply (UPS);
  • Remote storage;
  • Antivirus/firewall systems;
  • Disaster recovery plan, in the event of a physical or technical incident; and
  • Other availability mechanisms.

8. Separation control

Technical and organizational measures to ensure that Personal Data collected for different purposes can be Processed separately include:

  • Mechanisms to ensure the separation of Personal Data where appropriate;
  • Segregation of functions (production/testing); and
  • Procedures for storage, amendment, deletion, transmission of data for different purposes.

9. Testing controls

Technical and organizational measures to test, assess and evaluate the effectiveness of the technical and organizational measures implemented in order to ensure the security of the processing include:

  • Periodical review and test of disaster recovery plan;
  • Testing and evaluation of software updates before they are installed;
  • Authenticated (with elevated rights) vulnerability scanning; and
  • Test bed for specific penetration tests and red team attacks.

10. IT governance

Technical and organizational measures to improve the overall management of IT and ensure that the activities associated with information and technology are aligned with the compliance efforts include:

  • Certification/assurance of processes and products;
  • Processes for data minimization;
  • Processes for data quality;
  • Processes for limited data retention;
  • Processes for ensuring accountability; and
  • Data subject rights policies.