Data Privacy Requirements
This Data Privacy Requirements (“Appendix”) forms part of the Agreement between Forcepoint and Contractor for the provision of services by Contractor, whereby this Appendix reflects the parties’ agreement with regard to the Processing of Personal Data provided by Forcepoint to Contractor.
1. Acceptance of Terms
1.1 “Agreement” means the agreement between Forcepoint and Contractor for the provision of services by Contractor.
1.2 “Contractor” means the company, or other legal entity that is providing services to Forcepoint pursuant to the Agreement. Contractor may also mean “Vendor” or “Seller” as identified in the Agreement or purchase order issued by Forcepoint.
1.3 “Data Subject” means the natural person to whom the Personal Data relates.
1.4 “EU Data Protection Law” means EU Directive 95/46/EC on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such data, and any subsequent amending or replacing European legislation, including without limitation the General Data Protection Regulation 2016/679, governing the Processing of Personal Data provided to Contractor by Forcepoint.
1.5 “Forcepoint” means, as the context requires: (i) Forcepoint LLC, a Delaware limited liability company with its principal place of business at 10900-A Stonelake Blvd., 3rd Floor, Austin, Texas 78759, USA; or (ii) Forcepoint International Technology Limited, with a principal place of business at Minerva House, Simmonscourt Road, Dublin 4, Ireland; (iii) Forcepoint Federal LLC, with a principal place of business at 12950 Worldgate Drive, Suite 600, Herndon, VA 20170; or (iv) a corporation or entity controlling, controlled by or under the common control of Forcepoint.
1.6 “Personally Identifiable Information”, “PII” or “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
1.7 “Privacy Shield” means the EU-US Privacy Shield Framework, details of which are available at www.privacyshield.gov.
1.8 “Privacy Shield Principles and Supplementary Principles” means the Privacy Shield principles, details of which are available at www.privacyshield.gov.
1.9 “Process/Processing” means any operation or set of operations performed upon Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2. Acting on the instructions of Forcepoint
Contractor will ensure that it will only Process Personal Data provided to Contractor by Forcepoint (i) in accordance with applicable laws, including without limitation EU Data Protection Law; (ii) the terms of the Agreement, including this Appendix; (iii) solely on the instructions of Forcepoint; and (iv) for the purposes of performing Contractor’s obligations and providing the agreed services under the Agreement.
3. If Contractor is Privacy Shield certified
If Contractor is Privacy Shield certified, Contractor will ensure that, in addition to the obligations set out in this Appendix, during the term of the Agreement, Contractor will maintain Contractor Privacy Shield certification and comply at all times with the Privacy Shield Principles and Supplementary Principles as they apply to the Processing by Contractor of Personal Data provided to Contractor by Forcepoint. Contractor shall provide Forcepoint with written notice ninety (90) days prior to any date Contractor withdraws from or otherwise no longer maintains a current certification to Privacy Shield, at which time Forcepoint may require Contractor to execute supplemental data privacy and data security terms to protect Personal Data, including but not limited to a Data Processing Agreement.
4. Access to or relocation of Personal Data provided to Contractor by Forcepoint
Contractor may not make Personal Data provided to Contractor by Forcepoint accessible to any third parties, including any subcontractors, or relocate such Personal Data to new locations, except as set forth in written agreement with, or written instructions from, Forcepoint.
5. Security Measures
Contractor will ensure that it has in place, and undertake to maintain throughout the term of the Agreement, (i) appropriate technical and organisational measures against the accidental, unauthorised or unlawful Processing, destruction, loss, damage or disclosure of Personal Data provided to Contractor by Forcepoint; (ii) adequate security programmes and procedures to ensure that unauthorised persons do not have access to such Personal Data or to any equipment used to Process such Personal Data; and (iii) that such technical and organisational security measures will (as a minimum) include the following measures:
- encrypt all portable devices and media that hold Personal Data provided to Contractor by Forcepoint using encryption standards in accordance with applicable laws, regulations and guidelines;
- take all reasonable care with the handling of communications (including post, fax and email) to ensure the protection of Personal Data provided to Contractor by Forcepoint;
- securely dispose of all paper waste and all redundant computer and other related assets used for Processing Personal Data provided to Contractor by Forcepoint in accordance with NIST 800-88;
- ensure information security controls are in place, adequate and aligned to ISO 27001 and/or NIST 800-83;
- ensure the ongoing confidentiality, integrity, availability and resilience of Contractor processing systems and services;
- ensure the ability to restore the availability and access to Personal Data provided to Contractor by Forcepoint in a timely manner in the event of a physical or technical incident;
- ensure Contractor has a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
6. Training and confidentiality obligations of Employees and subcontractors
Contractor will ensure that Contractor employees, agents, subcontractors and other personnel who deal with Personal Data provided to Contractor by Forcepoint (i) have been provided with appropriate training to ensure that Personal Data provided to Contractor by Forcepoint is handled securely and in accordance with the terms of this Appendix; and (ii) are bound by industry standard obligations of confidentiality as regards all such Personal Data.
7. Data Breach Notification
In the event of any accidental, unauthorised or unlawful Processing, access, destruction, loss, damage or disclosure of Personal Data provided to Contractor by Forcepoint (“Data Breach”), Contractor will (i) immediately notify Forcepoint of such Data Breach, but not later than forty-eight (48) hours upon learning of such Data Breach, (ii) immediately take reasonable and appropriate steps to remediate such Data Breach, and (iii) comply with all reasonable requests of Forcepoint as regards the remediation and investigation of the Data Breach. Contractor shall promptly reimburse Forcepoint for all costs incurred by Forcepoint in responding to and/or mitigating the Data Breach. The timing, content and manner of effectuating any notices shall be determined by Forcepoint at its sole discretion.
Contractor will not subcontract the Processing of Personal Data provided to Contractor by Forcepoint unless (i) Contractor provides reasonable prior notice to Forcepoint, (ii) Forcepoint does not object (acting reasonably) to such subcontracting; and (iii) Contractor has in place a signed contract with such subcontractor setting out terms for the Processing of such Personal Data that are no less onerous than those set out in this Appendix. Contractor will remain liable to Forcepoint for the actions and omissions of Contractor subcontractors. Upon request by Forcepoint, Contractor will provide a list of subcontractors who Process Personal Data provided to Contractor by Forcepoint and a copy of the relevant extracts of the contract between Contractor and the subcontractor relating to such Processing.
9. Enquiries and Requests
Contractor will immediately inform Forcepoint if it receives any enquiry, complaint or claim from any court, governmental official, third parties or individuals, including but not limited to any Data Subjects. In relation to such requests received by Contractor, or any such request received directly by Forcepoint, Contractor will timely provide Forcepoint support and cooperation in responding to any such request. Should Forcepoint, on the basis of applicable law, be obliged to provide access or information to a Data Subject about the Processing of Personal Data relating to him or her, Contractor will, without levying a fee, assist Forcepoint in providing such access or information.
10. Transfers of Personal Data outside the EEA
Contractor will not transfer Personal Data provided to Contractor by Forcepoint outside the European Economic Area (“EEA”) without (i) providing reasonable prior written notice to Forcepoint, and (ii) having taken appropriate measures to ensure that such Personal Data will be subject to an adequate level of data protection in accordance with the requirements of EU Data Protection Law.
Contractor will, upon reasonable written notice of Forcepoint and during regular business hours, submit Contractor facilities, data files and documentation related to the Processing of the Personal Data provided to Contractor by Forcepoint (and/or those of Contractor agents, affiliates and sub-processors) to reviewing and/or auditing by Forcepoint (or any independent or impartial inspection, agents or auditors bound by a duty of confidentiality, selected by Forcepoint and not reasonably objected to by Contractor) to ascertain compliance with the obligations in this Appendix, the Agreement, and applicable laws which govern the Processing of such Personal Data. If Forcepoint, in its sole discretion, believes that Contractor (or Contractor agents, affiliates or subcontractors) are in breach of any of the obligations under this Appendix, the Agreement, or applicable laws which govern Personal Data provided to Contractor by Forcepoint, the requirement for Forcepoint to give reasonable notice under this Section shall not apply.
12. Termination and Return of Personal Data provided to Contractor by Forcepoint on Termination
Forcepoint will be entitled to terminate the Agreement in the event of non-compliance by Contractor with this Appendix. Upon termination, Contractor will immediately cease all processing of Personal Data provided to Contractor by Forcepoint; and upon request by Forcepoint, either (i) return (in a format accessible by Forcepoint) all such Personal Data; or (ii) destroy or otherwise render inaccessible all Personal Data provided to Contractor by Forcepoint (as far as technically possible and except as may be required by law) and provide confirmation in writing of such destruction.