Data Protection Policy
As a business and an employer, it is necessary for Entrust Datacard Corporation and its subsidiaries and affiliates (collectively, “EDC” or the “Company”) to collect, store and process personal data about our employees, contingent workers, customers, suppliers and other third parties with whom we engage to provide products or services on our behalf.
With the introduction of the European General Data Protection Regulation (“GDPR”) on May 25, 2018 and other applicable laws governing data protection, we are subject to enhanced requirements regarding how we collect, use, and store personal data.
The purpose of this policy is to help all of us comply with our legal obligations and enable individuals about whom we hold personal data to have confidence in us. This policy applies to all EDC employees, contingent workers and third parties processing data on behalf of EDC. Unless specified, this policy applies in all countries in which EDC operates and/or conducts business.
Personal data is data relating to an individual who can be identified (directly or indirectly) from that data (or from that data combined with other information in the Company’s possession or available to the Company). Personal data can be factual (e.g., name, address, date of birth) or it can be an opinion about the data subject and their actions or behavior (e.g., employee performance assessment). Personal data can also include identification numbers, location data, online identifiers, or one or more factors specific to the physical, physiological, genetic (e.g., DNA or RNA), mental, economic, cultural or social status of an individual.
Special Category Data is a subset of personal data and refers to information about an individual’s race or ethnic origin, sex life or sexual orientation, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (eye color, hair color, height, weight), medical history, or criminal convictions and offenses or related security measures.
Data Controller is a term used to describe the individual(s) or organization(s) who determinesthe purpose for and the way in which personal data is processed.
Data Processor is a term used to describe the individual(s) or organization(s) who processes personal data on behalf of and at the instruction of a data controller.
Data Subject is a term used to describe any living, identified or identifiable individual about whom personal data is held.
Data User is a term used to describe any employee, consultant, independent contractor, intern, temporary worker or third party acting on EDC’s behalf (including data processors) whose work involves processing personal data for EDC.
Processing is a term used to describe activities performed with respect to personal data such as collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting use, erasing or destroying data. Processing also includes transferring or disclosing personal data to third parties.
4.2 OUR RESPONSIBILITY
Depending on the circumstances, EDC may act as a data controller or a data processor. As a data controller, EDC is responsible for establishing practices and policies in line with the GDPR and other applicable laws governing data protection. It is equally important that EDC be able to demonstrate compliance with these laws. The Company does this by:
- Implementing policies that enable the Company to comply with data protection laws such as this policy, policies around document retention and data security, and EDC’s privacy statements;
- Communicating and training employees, contingent workers and third parties acting on behalf of EDC about data protection requirements;
- Investigating instances of non-compliance with EDC data protection policies and taking appropriate remedial and/or disciplinary action;
- Investigating, remediating and, in some instances, providing notification of a data breach that results in unauthorized access to or loss of personal data;
- Conducting data processing assessments regarding new technologies and products;
- Undertaking periodic internal audits of EDC’s data protection policies and procedures;
- Considering data protection at the outset of new product design.
4.3 PROCESSING PERSONAL DATA
Any personal data that the Company processes or that is processed on EDC’s behalf must:
- Be processed fairly, lawfully and in a transparent manner;
- Be processed only for specified, explicit and legitimate purposes;
- Be relevant and limited to what is necessary for the legitimate purpose(s) for which the data is processed;
- Be accurate and kept up to date ensuring, where reasonably possible, that inaccurate personal data is erased or rectified without delay;
- Not be kept any longer than is necessary to fulfill the purpose(s) for which the data was collected; and;
- Be processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage.
4.4 LEGAL GROUNDS FOR PROCESSING PERSONAL DATA
The Company may only process personal data if permitted to do so under the GDPR and other applicable laws governing data protection. The following are the grounds EDC relies upon to process personal data:
Where processing is necessary:
- For the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
- For compliance with a legal obligation to which EDC is subject; and/or
- To pursue EDC’s legitimate interests, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
In addition to these grounds, EDC may also process personal data where the data subject has given consent to the processing for one or more specified purposes, provided that the consent is freely given, specific, informed and an unambiguous indication of the data subject’s wishes. Where EDC uses consent as the grounds for processing, a data subject has the right to withdraw consent at any time and for any reason.
EDC may, on occasion, also need to process special categories of personal data for employees or contingent workers (e.g., where required by safe employment practices). When EDC processes or uses a third party to process on its behalf special categories of personal data, EDC will ensure, where applicable, that the following conditions are satisfied:
- Data subject has given explicit consent to the processing of the special category of personal data for one or more specified purposes;
- Processing is necessary for carrying out obligations under employment law, social security or social protection law, or a collective bargaining agreement;
- Processing is necessary for the purposes of preventive or occupational medicine, or for the assessment of the working capacity of an employee;
- Processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent;
- Processing relates to personal data which has been made public by the data subject; and/or
- Processing is necessary for establishing or defending legal claims.
4.5 DATA RECORDS MANAGEMENT
EDC maintains a central record of the types of personal data the Company collects and why that data is collected. EDC will only process personal data for the specific purpose(s) set forth in the central record or for any other purpose(s) specifically permitted by the GDPR and other applicable laws governing data protection. EDC will notify data subjects of those purposes when data is first collected or, where not possible, as soon as possible thereafter.
EDC will only process personal data to the extent required for the purposes provided to the data subject. This means that EDC may not ask for, or record in its systems, more personal data than is needed. The Company has appropriate technical and organizational measures in place to ensure that personal data that is no longer needed is erased or destroyed.
The Company also employs reasonable measures to ensure that any personal data held is accurate and kept up to date. EDC aims to check the accuracy of any personal data at the point of collection and at regular intervals afterwards. The Company will take all reasonable steps to erase, destroy or amend inaccurate or out-of-date data without undue delay and, in any event, within one month of a data subject’s request (or two months where there are specific reasons why one month is not possible).
4.6 ERASURE OR DESTRUCTION OF PERSONAL DATA
Paper records that contain personal data must be shredded and disposed of securely when there is no longer a need to retain them. Paper records containing personal data may not be disposed of in any other manner.
When deleting electronic personal data, all possible steps should be taken to put the data in question beyond use. Where it is impossible to delete personal data altogether, reasonable steps must be taken to ensure the data is deleted to the fullest extent possible.
IT is responsible for destroying or erasing electronic equipment that contains personal data (e.g. laptops, desktops, company-owned mobile devices, and work data on BYOD devices).
4.7 INFORMATION SECURITY
When the Company processes personal data, it takes reasonable measures to ensure data remains secure and is protected against unauthorized or unlawful processing, accidental loss, destruction or damage. EDC does this by:
- Encrypting personal data where possible and appropriate;
- Ensuring the ongoing confidentiality, integrity, availability and resilience of systems and services used to process personal data;
- Ensuring the restoration of access to personal data in a timely manner in the event of a physical or technical incident; and
- Facilitating testing, assessment and evaluation of the effectiveness of technical and organizational measures for ensuring data security.
In assessing the appropriate level of security, EDC considers the risks associated with the processing, in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the personal data that is processed.
Where EDC engages third parties to process personal data on its behalf, such parties do so based on written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organizational measures to ensure data security. Personal data may not be shared with anyone outside of EDC or authorized third parties.
Desks and cupboards must be kept locked if they hold personal data or confidential information of any kind. Data users must ensure that individual monitors/screens do not show personal data or confidential information to passers-by and that they log off from or lock their computers/tablets when left unattended.
4.8 REPORTING A DATA BREACH
A personal data breach can happen in many ways, including:
- Loss of a mobile device or hard copy file which contains personal data (e.g., accidentally leaving a device behind on public transportation);
- Theft of a mobile device or hard copy file which contains personal data (e.g., stolen from a vehicle or home);
- Human error (e.g., an employee accidentally sending an email containing personal data to an unintended recipient, or accidentally altering or deleting personal data);
- Cyber-attack (e.g., opening an attachment to an email from an unknown third party that contains ransomware or other malware);
- Allowing unauthorized use/access (e.g., permitting an unauthorized third party to access secure areas of EDC offices or systems);
- Unforeseen circumstances such as a fire or flood; or
- Where information is obtained from EDC by a third party through deception.
Signs that a personal data breach may have occurred include the following:
- Unusual log-in and/or excessive system activity, in particular with respect to active user accounts;
- Unusual remote access activity;
- The presence of spoof wireless (Wi-Fi) networks visible or accessible from EDC’s working environment;
- Equipment failure;
- Hardware or software key-loggers connected to or installed on EDC systems.
As soon as you become aware of or have any reason to suspect that a personal data breach has occurred or is about to occur, immediately contact the Entrust Datacard Security Operation Center by email at [email protected] and the Compliance Director at [email protected].
4.9 DATA BREACH RESPONSE PLAN
In the event of an actual or imminent personal data breach, EDC will take quick action to minimize the impact of the breach and report the breach if required by law. In most cases, the response will involve:
- Investigating the breach to determine the nature, cause and extent of the damage or harm that may result;
- Implementing necessary steps to stop the breach from continuing or recurring, and limiting the harm to affected data subjects;
- Assessing whether there is an obligation to notify other parties (e.g., national data protection authorities, affected data subjects) and making those notifications. If there is an obligation to notify data protection authorities, reporting must usually occur within 72 hours of the Company, including any of its employees, becoming aware of the breach;
- Recording information about the personal data breach and the steps taken in response, including documentation that explains the decision to notify or not notify.
4.10 INTERNATIONAL DATA TRANSFERS AND TRANSFERS TO THIRD PARTIES
Under the GDPR, EDC may transfer personal data to countries outside the European Economic Area (“EEA”) where there is an adequate level of protection in that country or where EDC has put appropriate measures in place to ensure data protection.
Companies within the EDC group must enter into the Intra-Group Data Transfer Agreement in order to ensure appropriate safeguards for the transfer of personal data outside the EEA, but within the EDC group.
Companies outside of the EDC group who process personal data for or on behalf of EDC, for which EDC acts as a data controller or data processor, must enter into a data processing agreement with EDC to ensure appropriate safeguards for the transfer of personal data outside the EEA. That agreement contains language to ensure the third party has appropriate technical and organizational measures in place to comply with the GDPR and to ensure the protection of data subject rights.
Instances where EDC transfers personal data to a country outside the EEA may include:
- The data subject has given their explicit consent to the proposed transfer after EDC has informed them of any possible risks associated with such transfer (e.g., the absence in that country of equivalent safeguards);
- The transfer is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract;
- The transfer is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or
- The transfer is necessary for the establishment or defense of a legal claim
For each transfer of data outside the EEA, EDC will record the grounds upon which it is relying for the transfer. Note that a data transfer agreement is also required if transferring personal data outside of Canada.
4.11 NOTIFYING DATA SUBJECTS
EDC is required to provide information to data subjects about the processing of their personal data. This information is contained in the Company’s Privacy Statement which is publicly available at www.entrustdatacard.com, and the Employee Privacy Statement which is available on the EDC eShare. Such statements provide information about:
- The types of personal data EDC processes;
- The purpose and legal basis for processing personal data;
- Whether personal data will be disclosed to any third parties in the course of processing;
- Whether personal data will be transferred outside of the EEA and Canada and, if so, what safeguards will be put in place;
- How long the personal data will be processed or, if not possible to determine, the criteria the Company will use to determine the processing period;
- How the data subject can obtain a copy of their personal data held by EDC;
- Data subject’s rights, including how to make a complaint;
- If the personal data must be processed in order to comply with a law or a contract, the possible consequences of the data subject failing to provide the data or objecting to processing;
- The existence and details of any automated decision-making processes, where applicable.
If EDC receives personal data about a data subject from a third party, the Company will also provide the data subject with information on:
- The type of personal data received from the third party; and
- The source of the data and whether it came from a publicly accessible source (e.g., a website accessible to the public).
4.12 PRIVACY BY DESIGN AND DATA PROTECTION IMPACT ASSESSMENTS
The GDPR and other applicable laws governing data protection require EDC to consider data protection during the development stages of a new product offering. In order to satisfy this obligation, EDC must take steps to ensure data protection is part of the design process and personal data collection is minimized to the extent possible.
In some circumstances (namely, when processing would result in high risk to an individual’s rights and freedoms), EDC may be required to undertake a formal data protection impact assessment (DPIA) in relation to the processing of personal data. Such an assessment involves documenting the purposes for which the activity is carried out, how EDC will comply with data protection laws and how the Company will mitigate potential risks to individuals’ privacy. If you believe a data protection impact assessment may be needed, contact the Compliance Director at [email protected].
4.13 DATA SUBJECT RIGHTS
If EDC processes personal data, under the GDPR and other applicable laws governing data protection the data subject may have the right to:
- Request information about the personal data held with respect to them;
- Have any inaccurate personal data about them corrected and incomplete personal data completed, subject to EDC determining that the data is, in fact, inaccurate or incomplete;
- Object to EDC processing their personal data where the Company is doing so in pursuit of its own legitimate interests. EDC can continue processing the personal data notwithstanding an objection if the Company’s legitimate interests outweigh those of the data subject, or if EDC needs to do so for the establishment or defense of a legal claim;
- Ask EDC to destroy personal data held with respect to the data subject. The Company can refuse this request if the personal data is still necessary for the purposes for which it is being processed and there is a legitimate basis for EDC to continue processing;
- Ask EDC to restrict the processing of their personal data to storage. This can only be requested if the accuracy of personal data has been contested and remains unverified; EDC no longer requires the personal data, but the data subject needs it to establish or defend a legal claim; the data subject has objected to the processing of personal data; and EDC is deciding whether itslegitimate interests override the data subject’s interests or if the processing is unlawful.
If a data subject exercises these rights and EDC has disclosed the personal data in question to a third party, the Company will do its best to ensure that the third party also complies with the wishes of the data subject.
4.14 DATA SUBJECT ACCESS REQUESTS
Data subjects who wish to request information about the personal data EDC holds about them may do so by submitting a Data Subject Access Request (DSAR) available at https://go.entrust.com/manage-db. If you receive a request directly (whether verbally or in writing), immediately forward details of the request to [email protected].
EDC provides its employees and contingent workers with access to training about data protection responsibilities. This training occurs at onboarding and at regular intervals thereafter. If you have not received this training, it is your responsibility to let your supervisor or a member of your local HR team know so that arrangements can be made for you to take the training.
4.16 DATA PROTECTION OFFICER
EDC’s assigned GDPR representative is Anjali Doherty, Sr. Corporate Counsel (UK). Entrust Datacard Deutschland GmbH’s assigned Data Protection Officer is the law firm of Kill & Wolff GmbH. Entrust Datacard Corporation does not have an assigned Data Protection Officer. Oversight of the data privacy compliance program is handled by the Compliance Director, Jenny Carmichael, who is located at EDC’s headquarters in Shakopee, Minnesota, USA.
All employees and contingent workers are expected to comply with this policy. Additionally, all business units must ensure they have appropriate local standards and procedures in place to comply with this policy and applicable data privacy legislation in their jurisdiction. Breaches of this policy will be taken seriously and may result in disciplinary action, up to and including termination. This policy may be updated or amended at any time.
There are no exceptions to this policy.
Ownership and Review
This policy is owned by the General Counsel and Chief Compliance Officer. This policy shall be reviewed on an annual basis. Changes to this document shall be in accordance with the ISMS Document and Records Control Standard.
7.1 CONTACT INFORMATION
Questions about this policy or complaints about the handling of personal data should be directed to the Compliance Director at [email protected].