DATA PROCESSING ADDITIONAL AGREEMENT
Last Updated: 22.02.2023
This Data Processing Addendum (this “Addendum”) is entered into between Websıte.com.com, LLC, a Delaware limited liability company and its Affiliates (“Websıte.com”) and you (“Customer”). The Services (collectively, “Terms of Service”) are added to and complement the clauses.
1.1 Unless otherwise specified in this Addendum, all capitalized terms not defined in this Addendum will have the meanings given to them in the Terms of Service.
“Partners” means any entity that is controlled by, controls or has joint control with Websıte.com.
“Covered Services” means hosted services that may include the Processing of Personal Data and are subject to the terms and conditions of the following Agreements: (1) Email Marketing Services, (2) Hosting, (3) Online Store/Quick Shopping Cart, (4) Website Services, (5) Workspace Service.
“Customer Data” means all Data Subject Personal Data Processed by Websıte.com on behalf of Customer, within the Websıte.com Network, following or in connection with the Terms of Service.
“Data Protection Laws” means all data protection or privacy laws and regulations applicable to the Processing of Personal Data under the Contract, including as amended or superseded by new regulations: (i) Australian Privacy Principles and Australian Privacy Act (1988), (ii) Brazil’s Lei Geral de Proteção de Dados (LGPD), (iii) California Consumer Privacy Act (CCPA), (iv) Canadian Federal Personal Information Protection and Electronic Documents Act (PIPEDA), (v) EU GDPR, (vi) any national data protection law under or pursuant to the GDPR, (vii) EU ePrivacy Directive (2002/58/EC), (viii) Singapore Personal Data Protection Act 2012 (PDPA), (ix) Switzerland Federal Data Protection Act and Regulation of 19 June 1992 and (x) UK GDPR or Data Protection Act 2018.
“EEA” means the European Economic Area.
“EU GDPR” means Regulation (EU) 2016/679, approved by the European Parliament and Council on April 27, 2016, concerning the processing of personal data, the free movement of said data, and the repeal of Directive 95/46/EC.
“EU Standard Contractual Clauses” means standard data protection clauses approved by European Commission decision 2021/914 of 4 June 2021, incorporated herein by reference. Module Two (Controller to Processor) EU Standard Contractual Clauses and Module Three (Processor to Processor) EU Standard Contractual Clauses can be downloaded from the EUR-Lex website.
“Websıte.com Network” means the data center facilities, servers, network equipment, and hosting software systems (e.g., virtual firewalls) owned and controlled by Websıte.com and used to provide Covered Services.
“Security Incident” means a breach of the security of Websıte.com Security Standards resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to any Customer Data on systems managed or controlled by Websıte.com.
“Safety Standards” means the security standards attached to this Addendum as Annex 2.
“Sensitive Data” means (a) social security number, passport number, driver’s license number or similar identifier (or any part thereof); (b) credit or debit card number (other than the abbreviated (last four digits) of a credit or debit card), financial information, bank account numbers or passwords; (c) employment, financial, genetic, biometric or health information; (d) information about racial, ethnic, political or religious affiliation, trade union membership, or sex life or sexual orientation; (e) account passwords, mother’s maiden name or date of birth; (f) criminal history; or (g) other information or combinations of information that fall within the definition of “special categories of data” under the GDPR or other applicable privacy and data protection laws or regulations.
“Sub-Processor” means any processor contacted by the Processor to Process data on behalf of the controller.
“UK (UK) GDPR” means the EU GDPR as amended and incorporated into UK laws under the UK European Union (Withdrawal) Act 2018 and enacted secondary legislation prepared under this Act.
“UK International Data Transfer Addendum” means the International Data Transfer Addendum to the EU Standard Contractual Clauses, Version B1.0, published by the UK Information Commission and effective 21 March 2022. The UK International Data Transfer Supplement can be downloaded from the UK Information Commission Website.
1.2 The terms “personal data”, “data subject”, “processor”, “controller” and “processor” used in this Annex reflect the meanings given in the EU GDPR, irrespective of applicable Data Protection Laws.
2. Scope of Data Processing and Relationship Between Parties
2.1 Websıte.com as handler. The parties acknowledge and agree that (i) Websıte.com is a processor of Customer Data under Data Protection Laws; (ii) Customer is a controller or processor of Customer Data pursuant to applicable Data Protection Laws, and (iii) each party will comply with its obligations under applicable Data Protection Laws with respect to the processing of Customer Data.
2.2 Data Processing Details. The processing of Customer Data by Websıte.com is the performance of Covered Services pursuant to the Terms of Service. Websıte.com will only process Customer Data in accordance with Customer’s documented instructions and for the following purposes: (i) processing in accordance with the Terms of Service; (ii) processing initiated by End Users in their use of the Covered Services; (iii) processing other documented, reasonable instructions from Customers (e.g., via email) provided these instructions are consistent with the Terms of Service. Websıte.com will not: (a) process, retain, use, sell or disclose Customer Data except as required to provide Covered Services pursuant to the Terms of Service or as required by law; (b) sell such Customer Data to any third party; (c) retain, use or disclose such Customer Data outside of the direct business relationship between Websıte.com and Customer.
For the avoidance of doubt, Customer’s instructions regarding the processing of Customer Data will comply with all Data Protection Laws. Customer is solely responsible for the accuracy, quality and legality of Customer Data and the ways in which Customer obtains Customer Data. If Customer is a controller of Customer Data, Customer acknowledges and agrees that (i) you must use commercially reasonable efforts to expressly disclose and obtain consent for any data collection, sharing and use that occurs in the Covered Services, and (ii) you must clearly state that, as a result of your use of the Covered Services, End User data may be processed outside of their country of origin. If Customer is a processor of Customer Data, Customer guarantees that Customer’s instructions and actions regarding Customer Data, including appointment of Websıte.com as another processor, have been authorized by the relevant controller.
If such instructions are likely to violate Data Protection Laws, Websıte.com will not be required to follow or comply with Customer’s instructions. The processing time, the nature and purpose of the Processing, the types of Personal Data and the categories of Data Subjects Processed under this Addendum are separately specified in Annex 1 (‘Details of Processing’) to this Addendum.
3. Confidentiality of Customer Data
Websıte.com will not disclose Customer Data to any government or other third party, except as necessary to comply with the law or a valid and binding order of a law enforcement agency (such as a subpoena or court order). If Websıte.com has a valid public court order, and to the extent permitted, Websıte.com will endeavor to communicate its request to the Customer with reasonable notice by e-mail or physical mail, in order to allow the Customer to apply for a protective order or other appropriate remedy.
4. The Shared Security Responsibility Model
4.1 Websıte.com has implemented and maintains technical and organizational measures for the Websıte.com Network as described in this Section and in more detail in the Appendix 2, Security Standards to this Addendum. Specifically, Websıte.com company has implemented and maintains technical and organizational measures that address: (i) the security of the Websıte.com Network; (ii) physical security of facilities; (iii) controls over employee and contractor access to (i) and/or (ii); and (iv) processes for testing, measuring and evaluating the effectiveness of technical and organizational measures implemented by Websıte.com. If we are unable to meet any of our obligations set out herein, we will provide written notice (via our website or email) as soon as possible.
4.2 Websıte.com provides a set of security features and functionality that the Customer may choose to use in relation to the Covered Services. Customer is responsible for: (a) configuring the Covered Services appropriately, (b) using existing controls in conjunction with Covered Services (including security controls) to ensure continued confidentiality, integrity, availability and resilience of the Systems and services, (c) using existing controls in connection with Covered Services (including security controls) to ensure the timely availability of Customer Data in the event of a physical or technical event, where applicable (e.g. routine backup and archiving of Customer Data);
5. Data Subject Rights
Considering the nature of the Covered Services, Websıte.com provides certain controls that Customer may choose to use to receive, correct, delete or restrict the use and sharing of Customer Data as described in the Covered Services. Customer may use these controls as technical and organizational measures to assist in connection with its obligations under Data Protection Laws, including its obligations to respond to requests from data subjects. To the extent commercially reasonable and legally required or permitted, Websıte.com will promptly notify Customer if Websıte.com receives a direct request from a data subject to exercise such rights under applicable Data Protection Laws (“Data Subject Request”). In addition,
6.1 Authorized Subprocessors. Customer acknowledges that Websıte.com may use Subprocessors to perform certain services, such as to fulfill contractual obligations contained in the Terms of Service and this Addendum, or to provide support services on its behalf. Customer consents to Websıte.com’s use of Subprocessors as described in this Section.
6.2 Subprocessor Obligations. Where Websıte.com authorized subprocessors are used as described in Section 6.1:
(i) Websıte.com will restrict the downstream processor’s access to Customer Data only to those necessary to maintain the Covered Services or to provide the Covered Services to Customer and End Users in relation to the Terms of Service. Websıte.com prohibits the subprocessor from accessing Customer Data for any other purpose;
(ii) Websıte.com will enter into a written agreement with the Subprocessor and apply Websıte.com’s contractual obligations under this Annex in a substantially similar manner to the Websıte.com subprocessor, to the extent that the Subprocessor will perform the same data processing services provided by Websıte.com under this Annex; and
(iii) Websıte.com is liable for any action or omission of a Subprocessor that causes Websıte.com to breach its obligations under this Addendum and any of its obligations to Websıte.com under this Addendum.
6.3 New Subprocessors. From time to time, we may make use of new Subprocessors, subject to the terms of this Addendum. In this case, we will give 30 days’ notice (via our website or email) of a new subprocessor that obtains any Customer Data. If Customer does not approve a new Subprocessor, Customer may terminate any Covered Service without penalty within 10 days after notification from us by providing a written notice of termination explaining its reasons for not approving. If the Covered Services are part of a bundle or product purchased in a bundle, the termination will apply to the entire bundle.
7. Security Incident.
7.1 Security Incident. If Websıte.com becomes aware of a Security Incident, Websıte.com will without delay: (a) notify the Customer of the Security Incident; and (b) take reasonable steps to minimize the impact of any damage resulting from the Security Incident.
7.2 Websıte.com Support. In order to assist Customer with any personal data breach notification Customer is required to make under Data Protection Laws, Websıte.com will add to the notification in question the information regarding the Security Incident that it can reasonably share, taking into account the nature of the Covered Services, information available to Websıte.com, and any restrictions on disclosure of information, such as confidentiality.
7.3 Failed Security Events. Customer agrees that a failed Security Incident will not be subject to the terms of this Addendum. A Failed Security Event is a Security Event that does not result in any unauthorized access to Customer Data or Websıte.com’s Network, equipment or facilities storing Customer Data. It may include, but is not limited to, ping and other broadcast attacks on firewalls or edge servers, port scans, failed login attempts, denial of service attacks, packet filtering (or other unauthorized access to traffic data beyond headers) or similar events.
7.4 Notification. If available, notification of Security Incidents will be delivered to one or more of the Client’s administrators by any means chosen by Websıte.com, including via email. It is the Client’s sole responsibility to ensure that client administrators maintain correct contact information about the Websıte.com management console and that the transfer is always secure.
7.5 No Acceptance of Fault by Websıte.com. Websıte.com’s obligation to report or respond to a Security Incident under this Section shall not be construed as an acknowledgment of Websıte.com’s liability or any fault with respect to the Security Incident by Websıte.com.
8. Customer Rights
8.1 Independent Determination. Customer is responsible for reviewing the information Websıte.com provides regarding data security and Security Standards and for making an independent determination as to whether the Covered Services meet Customer’s requirements and legal obligations, as well as Customer obligations under this Addendum. The information provided is intended to assist the Customer in complying with its obligations under applicable Data Protection Laws. Customer acknowledges that the Covered Services and the Security Standards implemented and maintained by Websıte.com provide a level of risk-appropriate security for personal data (taking into account the state of the art, implementation costs and nature, scope, context and purposes of processing personal data, and risks to individuals).
8.2 Customer Control Rights. Customer has the right to confirm Websıte.com’s compliance with this Addendum applicable to the Covered Services by making a specified request in writing at reasonable intervals to the address specified in the Terms of Service. If Websıte.com refuses to follow any requested instruction regarding an audit or inspection requested and supervised by Customer, Customer has the right to terminate this Addendum and Terms of Service.
9. Transfer of Customer Data
9.1 Processing in the US Location. Except as specifically provided in the Terms of Service, Customer Data will be transferred outside the UK or EEA and processed in the United States.
9.2 Application of EU Standard Contractual Clauses. Module Two (Controller to Processor) EU Standard Contractual Clauses or Module Three (Processor to Processor) EU Standard Contractual Clauses will apply to Customer Data transferred outside the EEA, either directly or by onward transfer, to any country not recognized by the European Commission as providing adequate protection for Customer Data. These EU Standard Contractual Clauses will not apply to Customer Data not transferred outside the EEA directly or by onward transfer. Notwithstanding the foregoing, these EU Standard Contractual Clauses will not apply where the data is transferred in accordance with the recognized compliance standard for legal transfer of Personal Data outside of the EEA, for example as required to perform Covered Services pursuant to the Terms of Service or your consent.
For each Module, if applicable:
In Article 7 of the EU Standard Contractual Clauses, the optional placement clause will not apply;
In Article 9 of the EU Standard Contractual Clauses, Option 2 will apply and the deadline for prior written notification of subprocessor changes will be as specified in Section 6.3 (New Subprocessors) of this Addendum;
Optional language in Article 11 of the EU Standard Contractual Clauses will not apply;
In Article 17 (Option 1), the EU Standard Contractual Clauses will be governed by German law;
In accordance with Article 18(b) of the EU Standard Contractual Clauses, disputes will be resolved in the courts of the Federal Republic of Germany;
In Annex I, Part A of the EU Standard Contractual Clauses:
List of Parties
Data Exporters: The data exporter is the legal entity defined as Customer in the Supplemental Agreement.
Signature and date: As of the date on which the Data Exporter electronically accepts the Data Importer’s Terms of Service, the Data Exporter is deemed to have signed these EU Standard Contractual Clauses.
Role: Controller (under Module Two) or Processor (under Module Three)
Data Recipients: Websıte.com.com, LLC
Contact details: Data Protection Officer Office: [email protected]
Signature and date: Data Exporter’s Data Receiving Party’ As of the date on which the Company accepts the Terms of Service electronically, the Data Exporting Party is deemed to have signed these EU Standard Contractual Clauses.
Role: Processor
In Annex I, Part B of the EU Standard Contractual Clauses:
Definition of Transfer Statement
The categories of the relevant subjects whose personal data are transferred are explained in Annex 1 of the Supplementary Agreement.
The categories of personal data transferred are explained in Annex 1 of the Supplementary Agreement. Sensitive data transferred are described in Annex 1 to this Addendum.
The frequency of the transfer will be on a continuous basis throughout the term of the Terms of Service.
The nature of the processing is described in Section 2.2 and Annex 1 of the Supplemental Agreement.
The purposes of data transfer and further processing are described in Section 2.2 and Annex 1 of this Supplemental Agreement.
The period for which personal data will be stored is described in Annex 1 to this Supplemental Agreement.
For transfers to (sub)processors, the subject, nature and duration of the processing,
In Annex I, Part C of the EU Standard Contractual Clauses:
Competent Supervisory Authority
The North Rhine-Westphalia State Commission on Data Protection and Freedom of Information (‘LDI NRW’) is the competent supervisory authority.
In Annex II of the EU Standard Contractual Clauses:
The technical and organizational security measures implemented by the Data Subject are as specified in Annex 2 of the Supplemental Contract.
In Annex III of the EU Standard Contractual Clauses:
The list of subprocessors is in Annex 3 to this Addendum.
9.3 Application of UK International Data Transfer Addendum. The UK International Data Transfer Addendum will apply to Customer Data transferred via Covered Services from the United Kingdom, either directly or via onward transfer, to any country not recognized by the competent United Kingdom regulatory authority or governmental body as providing an adequate level of protection for Customer Data. The UK International Data Transfer Addendum will not apply to Customer Data that is not transferred, either directly or via onward transfer, outside the United Kingdom. Notwithstanding the foregoing, the UK International Data Transfer Addendum will not apply where the data is transferred in accordance with a recognized compliance standard for the lawful transfer of Customer Data outside the United Kingdom,
For data transfers from the UK that are subject to the UK International Data Transfer Addendum, the UK International Data Transfer Addendum will be deemed to be appended (and incorporated by this reference into this Addendum) and completed as follows:
In Table 1 of the UK International Data Transfer Addendum, details of the parties and important contact details are in Section 9.2 (i)(f) of this Addendum.
In Table 2 of the UK International Data Transfer Addendum, information on the EU Standard Contractual Clauses, modules and selected clauses to which this UK International Data Transfer Addendum is attached is in Section 9.2 (EU Standard Contractual Clauses) of this Annex.
Table 3 of the UK International Data Transfer Supplement:
The list of parties is contained in Section 9.2 (i)(f) of this Addendum.
The definition of the term transfer is set out in Section 1 (Nature and Purpose of Processing) of Annex 1 (Processing Details) to this Addendum.
Annex II is included in Annex 2 (Safety Standards) to this Addendum.
The list of subprocessors is in Annex 3 to this Addendum.
In Table 4 of the UK International Data Transfer Addendum, both Data Recipients and Data Exporters may terminate the UK International Data Transfer Addendum in accordance with the terms of the UK International Data Transfer Addendum.
10. Termination of Additional Agreement
This Addendum will remain in effect until our termination in accordance with our Terms of Service (“Termination Date”).
11. Return or Deletion of Customer Data
As described in the Covered Services, the Customer may be provided with controls that may be used to retrieve or delete Customer Data. Deletion of Customer Data will occur thirty (30) days after the Termination Date, subject to the terms of certain Covered Services. Customer acknowledges that it is Customer’s responsibility to export Customer Data that you wish to retain after the Termination Date before the Termination Date.
12. Limitation of Liability
Each party’s liability under this Addendum will be subject to the exclusions and limitations of obligations set forth in the Terms of Service. Customer is liable for any legal penalties that Websıte.com has issued in relation to Customer Data, or for Customer’s failure to fulfill its obligations under this Addendum; and any applicable Data Protection Law will reduce Websıte.com company’s liability under the Terms of Service as Customer is responsible for the Terms of Service.
13. All Terms of Service; Contradiction
This Addendum supersedes any prior or contemporaneous representations, understandings, agreements or communications between Customer and Websıte.com regarding the subject matter of this Addendum, including a data processing supplement entered between Customer and Websıte.com regarding the processing of personal data and the free movement of such data. In the event of any conflict or inconsistency between the EU Standard Contractual Clauses or the UK International Data Transfer Addendum and other terms in this Addendum or the Terms of Service, the EU Standard Contractual Clauses or the UK International Data Transfer Addendum will prevail, as appropriate. Except as modified by this Addendum, the Terms of Service will remain in full force and effect.
DETAILS OF PROCESSING
1. Nature and Purpose of Processing. Websıte.com will Process Customer Data as necessary to perform Covered Services pursuant to the Terms of Service and as separately instructed by Customer throughout use of Covered Services.
2. Time of Processing. Subject to Sections 10 and 11 of this Addendum, Websıte.com will Process Customer Data during the effective date of the Terms of Service. Notwithstanding the foregoing, Websıte.com may retain Customer Data, or any portion thereof, if required by applicable laws or regulations, including applicable Data Protection Laws, provided that such Customer Data is protected under this Addendum and applicable Data Protection Laws.
3. Data Subject Categories. Client may, at its sole discretion, upload Personal Data associated with Data Subjects during use of the Covered Services as determined and controlled by Client and within the scope of which may include, but are not limited to, the following categories of Personal Data:
- Leads, customers, partners, and vendors (natural people)
- Employees or contacts of the Customer’s potential customers, customers, business partners and vendors
- Employees, agents, consultants, Client’s freelancers (natural persons)
- Customer’s users authorized to use Covered Services
4. Categories of Personal Data. Client may, at its sole discretion, upload Owners’ Personal Data during use of the Covered Services as determined and controlled by Client and within the scope of which may include, but are not limited to, the following categories of Personal Data:
- Phone number
- Date of birth
- E-mail address
- Other collected data that can directly or indirectly identify data subjects.
5. Sensitive Data or Special Categories of Data. During the use of the Covered Services, the Customer may upload Sensitive Data, the type and extent of which is determined and controlled by the Customer in its sole discretion. Before transmitting or processing any Sensitive Data through the Covered Services, Customer is responsible for implementing restrictions or measures that fully consider the nature of the data and the risks involved.
I. Technical and Organizational Measures
We are committed to protecting our customers’ information. We take the following technical and organizational measures, taking into account best practices, implementation costs and the nature, scope, conditions and purposes of the processing, as well as the different probability of occurrence and severity of the risk to the rights and freedoms of natural persons. Confidentiality, integrity, availability and flexibility of the systems are also taken into consideration when selecting the measures.
II. Data Privacy Program
Our Data Privacy Program was established to protect the global data governance structure and ensure information security throughout its lifecycle. This program is run by the office of the data protection officer who oversees the implementation of privacy practices and security measures. We regularly test the effectiveness of the Data Privacy Program and Security Standards.
1. Privacy. “Privacy means protecting personal data from unauthorized disclosure.”
We use a variety of physical and reasonable safeguards to protect the confidentiality of our customers’ personal information. These measures include:
Physical access controls are implemented (Beacon access control, Security event monitoring, etc.)
Surveillance systems, including alarms, and closed-circuit TV viewing as appropriate
Enforce clean desk policies and controls (locking unattended computers, lockers, etc.)
Visitor Access Management
Destruction of data in physical media and documents (shredding paper, neutralizing magnetism, etc.)
Access Control and Preventing Unauthorized Access
Role-based access permissions provided/reviewed based on decoupling of user access restrictions and role policies applied
Difficulty authentication and authorization methods (Multi-factor authentication, authorization-based certification, automatic disable/logout, etc.)
Centralized password management and strong/complex password policies (minimum length, complexity of characters, expiration of passwords, etc.)
Controlled access to emails and the internet
Anti virus management
Intrusion Prevention System management
Encryption of external and internal communication with strong cryptographic protocols
Encrypting personal and sensitive data (databases, shared directories, etc.)
Full disk encryption for corporate PCs and laptops
Encryption of storage media
Remote connections to corporate networks are encrypted with VPN
Securing the usage cycle of encryption keys
Minimization of PII/SPI application, debugging and security logs
Pseudonymizing personal data to prevent an individual from being directly identified
Separation of recorded data by function (testing, staging, live)
Logical separation of data based on role based on access rights
Data retention periods defined for personal data
Penetration Testing for critical corporate networks and platforms hosting personal data
Regular network and vulnerability scans
2. Integrity. “Integrity refers to ensuring the accuracy (robustness) of data and the correct functioning of systems. When the term integrity is used in conjunction with the term ‘data’, it means that the data is complete and unaltered.”
In addition to access controls, appropriate change and log management controls are in place to ensure the integrity of personal data, such as:
Change and Waiver Management
Change and waiver management process, including impact analysis, approvals, testing, security reviews, staging, monitoring, etc.
Providing Role and Function based (Separation of Duties) access in production environments
Log Creation and Monitoring
Log access and data changes
Centralized audit and security logs
Monitoring the completeness and accuracy of data transfer (end-to-end control)
3. Availability. “The availability of services and IT systems, IT applications and IT network functions or information is guaranteed if the user is able to use them at all times and as intended.”
We implement appropriate continuity and security measures to maintain the availability of the Services and the data contained therein:
Regular bug tests for critical services
Comprehensive performance/availability monitoring and reporting for critical systems
Security Incident Response
Replicated or backed up critical data (Cloud Backups/Hard Drives/Database copy etc.)
Planned software, infrastructure and security maintenance is implemented (Security updates, security patches, etc.)
Redundant and resilient systems (server clusters, mirrored databases, high availability settings, etc.)
Use of uninterruptible power supplies, redundant hardware and network systems
Alarm and security systems are used
Physical Protection measures are applied for critical areas (current protection, high floors, cooling systems, fire and/or smoke detectors, fire extinguishing systems, etc.)
DDOS protection to maintain availability
Load and Stress Tests
4. Data Processing Instructions. “The Data Processing Instructions guarantee that personal data will only be processed in accordance with the data controller’s instructions and the relevant company measures.”
We have established in-house privacy policies and agreements, and we organize regular privacy trainings to ensure that employees process personal data in line with the customer’s preferences and instructions.
Confidentiality and confidentiality conditions in effect within the employment contracts
Regular data privacy and security trainings for employees
Contractual provisions in accordance with agreements with subcontractors to protect audit rights with respect to instructions
Regular privacy audits for external service providers
Giving customers full control over their data processing choices