DATA PRIVACY POLICY

As an expert in digital transformation and data management, Victor Buck Services (“VBS”) processes Personal Data of other entities within the context of service delivery agreed in a contractual agreement.

This data privacy policy (“Data Privacy Policy”) defines how VBS intends to process Personal Data as part of the services provided.

The scope of this Data Privacy Policy covers all Personal Data processed by VBS as a Data Processor.

1. IDENTITY AND CONTACT DETAILS

Controller: Victor Buck Services S.A.
Short name: Victor Buck Services
Direction: Stéphanie Noël, Arnaud Wulgaert
Telephone number: (+352) 49 98 66 – 1
Email address: info@victorbuckservices.com
Web page (url): www.victorbuckservices.com

Data protection officer (DPO): Helene TOVAGLIARO
Telephone number: +352 49 98 66 – 246
Email address: privacy@victorbuckservices.com
Internal or external: Internal

Controller: Victor Buck Services Asia Pte. Ltd.
Short name: Victor Buck Services
Direction: Edith Magyarics, Arnaud Wulgaert, Isabelle Alvarez
Telephone number: (+65) 6593 5391
Email address: info@victorbuckservices.com
Web page (url): www.victorbuckservices.com

Data protection officer (DPO): Isabelle Alvarez
Telephone number: +65 6593 5391
Email address: Privacy_Asia@victorbuckservices.com
Internal or external: Internal

2. MANAGEMENT STATEMENT

The General Data Protection Regulation (“GDPR”) entered into force on 25 May 2018, repealing the former applicable European Directive 95/46/CE. The law of 1 August 2018 completes the GDPR in the Grand-Duchy of Luxembourg.

The GDPR has reinforced data subjects’ rights and increased responsibility and accountability obligations of organizations.

Capitalized Terms included in this policy shall have the meaning assigned to them in paragraph 7.

In this policy, we intend to define all information regarding how we process Personal Data in accordance with laws, regulations and contractual agreements including Controller’s instructions.

VBS is fully committed to the implementation of a strong framework for managing and protecting Personal Data. Hence, VBS has appointed a Data Protection Officer for coordinating, supporting and advising on each topic related to Personal Data management.

VBS undertakes to process Personal Data in accordance with the applicable laws and regulations and, especially, to implement appropriate technical measures aiming at protecting Personal Data against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of processing.

VBS ensures that its employees or third-parties authorized to access Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Awareness-raising and training sessions are regularly provided to employees.

VBS agrees to process Personal Data lawfully in accordance with the lawful documented instructions of its clients, the latter acting as Controller. Hence, taking into account the nature of the processing, VBS will reasonably assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the latter’s obligation to respond to requests for exercising data subjects’ rights.

VBS Management has approved this policy and understands the importance of managing Personal Data based on a risk approach and to ensure that rights and freedoms of data subjects are protected.

Note: VBS reserves the right to modify this Data Privacy Policy at any time; the updated version will be available on VBS’ website or on demand.

3. PURPOSE OF THE PROCESSING AS A PROCESSOR

3.1 SERVICE PROVISION

Personal Data of data subjects will be processed as part of the performance of VBS services pursuant to the execution of a contract or any other type of agreement.

Clients are responsible for determining and knowing what data and what type of data are transferred into VBS’ environments for processing. VBS is then responsible for taking reasonable and appropriate organizational and technical measures to protect data, as well as for processing data according to the documented instructions of clients.

The following services are provided by VBS and may include Personal Data processing:

  • Customer communication services
  • Content services
  • Document outsourcing services

(hereinafter “Services”)

To the extent that Personal Data are processed in the performance of Services, the processing shall be governed by a contract, usually in the form of a Data Protection Agreement, that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data and categories of data subjects and the obligations and rights of the Controller and the Processor.

3.2 CATEGORIES OF PERSONAL DATA/DATA SUBJECT

For the performance of Services, VBS collects data from its clients that may include Personal Data of data subjects.

When providing Personal Data to VBS, clients must ensure that Personal Data have been collected from data subjects in full compliance with the applicable Data protection legislation.

In any circumstances, VBS will process all data, regardless of whether the data actually include Personal Data, with the same high level of security in accordance with the client’s documented instructions. Where the client does not instruct VBS, VBS will implement its standard processes and measures.

3.3 CATEGORIES OF RECIPIENTS

Personal Data processed by VBS as a Processor will only be disclosed to third parties as defined in documented instructions from the client, or when required by law. VBS reserves the right to suspend or cease a processing of Personal Data if VBS becomes aware that such processing may not be compliant with Data protection legislation.

3.4 TRANSFER TO THIRD COUNTRIES

Personal Data may be transferred outside of the EEA within the context of a contractual agreement following documented instructions and approval of the client, in particular to VBS’ subsidiary in Singapore, Victor Buck Services Asia Pte Ltd. In this case, VBS has implemented appropriate safeguards to ensure security of Personal Data. These include, but are not limited to:

  • Encryption process that shall be implemented as far as possible for transferring any data;
  • Data minimization principle that shall be applied to ensure that, as far as possible, only necessary data are transferred in the context of the processing;
  • Access that is limited to authorized employees only;
  • Data that is deleted in due time after processing;
  • Quality controls that are implemented to ensure control of the outputs; and
  • Appropriate standard contractual clauses of the European Commission concluded between the data exporter and the data importer in countries not offering an adequate level of protection.

3.5 SUBCONTRACTING

Within the framework of the performance of a service, data processing may be subcontracted to a third party (“Subcontractor”). In that case, VBS will beforehand ask the client for permission for this outsourcing and will then take the necessary measures to monitor and control the processing as performed by the Subcontractor. When appointing a Subcontractor, VBS will do so only by way of a written agreement that imposes the same privacy, confidentiality and security obligations in compliance with data protection legislation and applicable privacy standards.

4. RETENTION PERIOD AND DATA SUBJECT RIGHTS

VBS processes Personal Data for the execution of its Services based on contractual obligations. Retention instructions for each data processing shall be defined by the client and communicated to VBS, otherwise retention periods will be based on VBS standard retention policy.

These retention policies shall be defined according to business and operational needs for the delivery of the service and shall not replace legal, regulatory, contractual or other business requirements of the client to store and/or archive Personal Data.

Personal Data retained for that purpose are only stored for traceability, queries/retrieval requests from the client and investigation needs, and cannot be modified in order to ensure their integrity for the purpose of investigation needs. As such, these Personal Data are not subject to the right of rectification.

In any case, deviation from the VBS standard retention policy would involve additional costs for the client.

5. SECURITY MECHANISMS

In order to protect all Personal Data processed and mitigate the risks for the rights and freedoms of the data subjects, VBS will apply security measures (classified as legal, organizational and technical measures) to ensure integrity, confidentiality and availability of Personal Data and to respect the rights of the data subjects.

In addition to complying with client’s documented instructions, if any, VBS has defined security measures to protect data received from clients as part of the data processing related to the service.

VBS has implemented an Information Security Management System that is certified against ISO/IEC 27001:2013 standard. VBS Management is strongly committed to information security management and to put in place a governance framework aligned with best practices and in compliance with applicable laws and regulations. The scope of the initial certification covering PSDC Scanning Service, PSDC Archiving Service and Archiving Service as well as their support processes has been extended to other Services including Customer Communication Services, Content Services and all support Services of the foregoing.

Subchapters below summarize VBS commitments towards all security control domains defined by the ISO/IEC 27002 standard. The security controls and initiatives are not limited to the examples mentioned in this document, but the objective is to give an overview of VBS maturity in terms of information security.

5.1 INFORMATION SECURITY POLICY

VBS has defined a documentation framework for information security based on policies. These policies describe VBS requirements and needs regarding protection of assets and information, compliance with applicable laws and regulations as well as contractual obligations.

VBS measures include, but are not limited to:

  • An Information Security Policy for the ISMS.
  • Topic-dedicated policies.
  • An annual review of main policies.
  • A process for improving, developing and maintaining the documentation framework (policies, procedures, work instructions, etc.).

5.2 INFORMATION SECURITY ORGANIZATION

VBS has defined a process for managing information security within the organization to ensure that information security responsibilities, activities and tasks are well managed and allocated.

VBS measures include, but are not limited to the following:

  • A formalized commitment of VBS Management towards information security, the definition of information security objectives, and the delivery of the resources and budget needed to comply with the information security strategy.
  • Information security responsibilities and the related tasks have been defined and allocated to the relevant functions.
  • The risk department of VBS is in charge of the information security function and reports hierarchically to the CEO, ensuring independence as per the three lines of defense model.
  • An Information Security Committee, composed of key members of the organization including the DPO, meets monthly to discuss related topics.

5.3 RISK ASSESSMENTS

VBS has defined a process for performing regular risk assessments on its assets to determine their risk level. Outputs of those risk assessments are reviewed by the Information Security Committee. Risks are addressed with treatment plans. Residual risks are accepted by the corresponding authority.

5.4 ASSET MANAGEMENT

VBS has defined a process for classifying and managing all assets (informational and tangible assets) depending on the classification level.

VBS measures include, but are not limited to the following:

  • An inventory of assets is kept up to date.
  • Each asset is assigned to an owner who is responsible for the operational security of the asset.
  • Classification of assets is defined with different levels depending on information security criteria, with client data used for providing the Services always treated as confidential.

5.5 HUMAN RESOURCES SECURITY

Human resources processes take into account information security requirements for each activity, such as employees onboarding, change of position, employees’ departure, terms and conditions of employment, confidentiality agreements, awareness, training and employees’ evaluation.

VBS measures include, but are not limited to the following:

  • A defined list of tasks for new joiners to ensure that they are competent and fit for purpose for the role(s) (background checks including criminal, reference and education checks) and that they are informed of and understand their responsibilities.
  • A defined list of tasks for leavers to ensure that all assets have been retrieved.
  • Formal employment contracts that include confidentiality requirements and adherence to information security policies.
  • An information security awareness program to keep employees aware of their role and responsibilities in relation to information security. In addition, specific awareness and training are provided to employees regarding privacy and data protection.
  • Job descriptions that include information security responsibilities.

5.6 ACCESS MANAGEMENT

Access to information and assets is based on data classification and on roles and responsibilities, following a need-to-know basis.

VBS measures include, but are not limited to the following:

  • Accesses are assigned depending on roles that are allocated based on employees’ function and on the “need-to-know” principle.
  • Specific access rights are subject to approval prior to being granted.
  • Privileged access rights are restricted, controlled and allocated following the segregation of duties principle, and limited to what is strictly necessary.
  • Privileged account activities are performed through a security bastion, recorded and reviewed on an ad-hoc basis.
  • Access rights reviews are performed at regular intervals.
  • Strong password management practices are in place for protecting and managing passwords.

5.7 PHYSICAL AND ENVIRONMENTAL SECURITY

Building access control, clear desk policy and ensuring adequate protection of business premises as well as the information and assets that reside within them are essential.

VBS measures include, but are not limited to the following:

  • Access to VBS premises is controlled through nominative access cards.
  • Access cards grant access to specific areas on the “need-to-access” principle, with proper logging.
  • VBS has contracted with a recognized and multi-certified provider for renting private rooms in two high-end Data Centers.
  • Access to datacenter private rooms is limited to VBS-defined personnel.
  • CCTV is in place at each entry/exit area.
  • Intrusion detection devices are deployed and connected to a specialized security company providing 24×7 monitoring.
  • Fire detection and suppression devices are adequately deployed in the premises and the datacenter.
  • A department is in charge of building security.
  • A clear desk policy has been defined and communicated to all employees.
  • VBS shreds all sensitive paper itself.
  • A specialized provider shreds media onsite in front of VBS personnel.

5.8 OPERATIONAL SECURITY

Operational security is defined at different levels to ensure that confidentiality, integrity and availability of information are ensured depending on business needs.

VBS measures include, but are not limited to the following:

  • Every workstation, Windows server and key entry point is equipped with a centrally managed and updated anti-malware solution.
  • Hard drives of workstations and servers, as well as backup tapes, are encrypted.
  • A change management process is in place following ITIL best practices.
  • Use of resources is monitored and tuned depending on capacity requirements to ensure the required system performance and the detection of unavailability.
  • Backup copies of critical information, software and systems are made and tested regularly based on a defined backup policy.
  • A log management architecture is in place for recording information security events, privileged and non-privileged user activities and exceptions; it is monitored 24/7/365 by a security operations center that raises alerts whenever necessary.
  • Technological watch and regular scanning are in place for detecting technical vulnerabilities in order to evaluate and implement appropriate measures to timely address the associated risk.
  • Vulnerability scans are executed at least monthly on all public-facing interfaces.
  • Manual penetration testing exercises are executed yearly to identify vulnerabilities on web platforms where Personal Data may be accessible.
  • Vulnerabilities are corrected according to a patch management policy that defines priorities and acceptable SLAs for patching.
  • Quality assurance checks are performed by Victor Buck Services and the concerned client for the first production run before actual distribution.
  • Specific monitoring controls are in place for identifying errors and failures, including:
    • Checklists and dashboards to ensure completeness and accuracy of production; automated software to detect processing errors such as alteration of files, file specification exceptions, application errors, and printing and mailing issues.
    • Documented procedures and the four-eyes principle for specific cases of manual manipulation of files.

5.9 NETWORK SECURITY

Protection of information in networks and its supporting information processing facilities, and security of information transferred within VBS and with any third parties, are implemented.

VBS measures include, but are not limited to the following:

  • Network security equipment such as multiple firewall lines, IDS and IPS is implemented to protect information in transit, systems and applications.
  • Segregation of networks is in place to separate zones of different purposes (e.g. development, testing and production environments).
  • Information transfer policies are defined and implemented, including the communication channels that have to be used depending on the information classification.
  • Confidential data sent across public networks shall be encrypted.
  • Remote access to VBS internal systems is based on multi-factor authentication.

5.10 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE

To ensure that information security requirements are addressed across all information systems and throughout the entire lifecycle of information system acquisition, development and maintenance, VBS processes include the required steps.

VBS measures include, but are not limited to the following:

  • Information security requirements have to be defined and included in each new information system acquisition project.
  • Pre-production and post-production quality assurance checks are performed along the development lifecycle.
  • A Change Management Governance Charter is defined to cover the process, steps and requirements when a change is intended on a client environment, with the client’s approval following a user acceptance testing sub-cycle.
  • A Functional Requirements document is defined for each change that has an impact on a client environment, and client approval is required before implementation.
  • A Release Management Process is defined to ensure changes are captured and reviewed adequately before being promoted.
  • The development lifecycle process defines how information security requirements have to be identified, designed, implemented and tested.
  • Data used in development and testing environments is provided by the client itself.

5.11 SUPPLIER RELATIONSHIPS MANAGEMENT

To ensure adequate protection of VBS assets and to maintain an agreed level of information security as part of the Services provided, information security is integrated within the purchasing process.

VBS measures include, but are not limited to the following:

  • Information security needs and requirements are defined, established and formalized within agreements.
  • A supplier assessment process is in place to regularly monitor and review supplier service delivery and conformity with information security requirements, including specific onsite audits by the risk department.

5.12 INFORMATION SECURITY INCIDENT MANAGEMENT

Information security events and weaknesses associated with information systems are controlled in a manner allowing timely corrective actions to be taken.

VBS measures include, but are not limited to the following:

  • A specific procedure is enforced to ensure a quick, effective and orderly response to information security incidents.
  • Employees are informed about their responsibilities to report information security events through appropriate channels.
  • Tools to detect potential information security incidents are in place.
  • Periodic reviews of information security incidents are done to reduce the likelihood or impact of future incidents.
  • Incident reports are formalized to communicate with transparency about an information security incident.

5.13 BUSINESS CONTINUITY MANAGEMENT

To minimize the impact on VBS business in the event of a disaster, a business continuity process and a disaster recovery process are defined and implemented.

VBS measures include, but are not limited to the following:

  • Based on a business impact analysis, business continuity and disaster recovery plans are defined, reviewed and tested to ensure that business continuity objectives are achieved.
  • Sensitive information technology assets are replicated in both of our datacenters.
  • Other specific resiliency measures, such as call cascade procedures, are in place in accordance with business requirements.

5.14 COMPLIANCE

Compliance of VBS with applicable laws, regulations, contractual agreements and the internal policies is monitored and assessed through different processes.

VBS measures include, but are not limited to:

  • The maintenance of a record of all categories of processing activities carried out on behalf of clients.
  • VBS’ ISMS is regularly audited by an independent and accredited certification body.
  • The information security function performs permanent controls to measure compliance with policies and reports deficiencies.
  • The internal audit function is in charge of assessing VBS compliance with defined criteria according to a triennial internal audit cycle approved by the management.
  • The legal advisor is in charge of legal watch and of reviewing signed contracts with third parties to ensure the inclusion of data protection provisions.
  • Technical audits are performed depending on the criticality of the information systems.

6. DATA BREACH NOTIFICATION

A Personal Data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data (“Personal Data Breach”). This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is about more than just losing Personal Data.

A Personal Data Breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of Personal Data. In short, there will be a Personal Data Breach whenever any Personal Data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorization; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.

When a Personal Data Breach has been identified and proven in the execution of Services, VBS will notify the client without undue delay and assist the client with any related question. Conversely, VBS expects the Controller, when detecting any Personal Data Breach or security incident potentially impacting Services and/or data subjects’ rights, to notify VBS without undue delay. It shall be noted that, most of the time, a Personal Data Breach will be identified by the client or data subject and not by VBS. Furthermore, at this step of the process, there is no analysis of who is responsible for the incident.

All information related to the recording and management of data breaches is detailed in an Incident Management procedure.

7. DEFINITIONS

  • Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
  • Personal Data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Processing: any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Processor: a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller.
  • Recipient: a natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a third party or not.