Data Processing under Commission GDPR Agreement

(hereinafter referred to as “Agreement”)

between

the User who uses in a professional/commercial context one of MeasureOn Services that include cloud data storage   


- hereinafter referred to as “Data Controller” or “User” or “data exporter” -

and

the Provider


- hereinafter referred to as “Data Processor” or “data importer” -

Jointly referred to as “Parties” and listed in Annex 1.A

Preamble

The present Data Processing under Commission Agreement (“Agreement”) specifies the obligations of the parties on data protection rights and obligations according to the Terms and Conditions of Use in those situations when the Data Processor (Provider) acts on behalf of the Data Controller (User). The Agreement is applicable when the User uses in a professional/commercial context the Services that include cloud storage for User’s projects, documents and workspaces, and sending emails to User’s designated assignees on User’s behalf in order to facilitate the assignee’s access to and use of MeasureOn in the context of the MeasureOn Multi-License. In the event of any conflict between this Agreement and other agreements between the Provider and User, this Agreement shall prevail to the extent of such conflict.

Definitions and Interpretations

In this Agreement, the following terms shall have the following meanings:

a) “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation);

b) “Data Subject” means an identified or identifiable natural person whose Personal Data is processed;

c) “Personal Data” means any information relating to an identified or identifiable individual or any other information defined as “personal data” under the GDPR (Art. 4 (1) GDPR);

d) “Restricted Transfer” means a transfer of Personal Data from the EEA to a country outside the EEA which is not subject to an adequacy decision by the European Commission;

e) “EU SCCs” means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021, as may be amended, superseded or replaced from time to time;

f) “National SCCs” means standard data protection clauses as defined in Art. 46 (2) lit. d) GDPR;

g) The terms “Data Controller”, “Data Processor” and “processing” have the meanings given to them in the GDPR (and “process”, “processes” and “processed” shall be interpreted accordingly).

Processing of Personal Data

1.1.          The term of the present Agreement and the duration of the processing are determined by the duration of the User Agreement unless obligations going beyond that date result from the provisions of the present Agreement.

1.2.          The User is the Data Controller of the Personal Data described in Annex 1.B and the Data Processor shall process the Personal Data solely as a processor or service provider on behalf of the User. The Data Controller and the Data Processor shall each comply with their respective obligations under the GDPR, other applicable national laws, and further guidance from data protection authorities with respect to such processing.

Under certain conditions, the Provider can take the role of the Data Controller regarding the Personal Data provided by the User, namely if this is defined in the Terms and Conditions of Use, if there is a separate contractual agreement to this effect or if the Provider is obliged to do so for legal reasons.

1.3.          Any services in connection with data processing under commission under this Agreement shall be rendered exclusively in a member state of the European Union or in another contracting state of the Agreement on the European Economic Area (EEA). Any relocation to a third country requires the Data Controller's prior agreement and is permitted only if the special requirements of Art. 44 et seqq. GDPR have been satisfied. The Data Controller agrees to any data transfers that the Data Controller was informed about prior to concluding this Agreement. An adequate level of protection in the third country:

   - has been established by an adequacy decision by the Commission (Art. 45 (3) GDPR);

   - is ensured by binding corporate rules (Art. 46 (2) lit. b) in conjunction with Art. 47 GDPR);

   - is ensured by standard data protection clauses (Art. 46 (2) lit. c) and d) GDPR) (EU SCCs and National SCCs);

   - is ensured by an approved code of conduct (Art. 46 (2) lit. e) in conjunction with Art. 40 GDPR);

   - is ensured by an approved certification mechanism (Art. 46 (2) lit. f) in conjunction with Art. 42 GDPR);

   - is ensured by other measures (Art. 46 (2) lit. a), (3) lit. a) and b) GDPR).

1.4.          To the extent that the transfer of Personal Data from the Data Controller to the Data Processor involves a Restricted Transfer, the EU SCCs shall be incorporated by reference and form an integral part of this Agreement with the Data Controller as "data exporter" and the Data Processor as "data importer". For the purposes of the EU SCCs: (i) the module two (controller to processor) terms shall apply and the module one, three and four terms shall be deleted in their entirety; (ii) in Clause 9, Option 2 shall apply, with 4 weeks in advance notice about the addition or replacement of sub-processors; (iii) in Clause 11, the optional section in para. a) shall be deleted; (iv) in Clause 17, Option 1 shall apply and the EU SCCs shall be governed by German law; (v) in Clause 18(b), disputes shall be resolved before the courts of Germany (in Stuttgart); (vi) the Annexes of the EU SCCs shall be populated with the information set out in the Annexes to this Agreement; and (vii) if and to the extent the EU SCCs conflict with any provision of the Contract or this Agreement, the SCCs shall prevail to the extent of such conflict.

2.   Scope of application and responsibility

2.1.          The Data Processor processes Personal Data at the instruction of the Data Controller. This comprises activities as described in detail in Annex 1.B below. With regard to data processing under commission, the Data Controller is responsible for compliance with the statutory regulations on data protection and especially for the legitimacy of data processing.

2.2.          The Data Processor shall process the Personal Data as necessary to perform its obligations under the User Agreement and this Agreement and strictly in accordance with the documented instructions of the Data Controller as outlined in Annex 1.B below (Description of transfer). The Data Processor shall not retain, use, disclose or otherwise process the Personal Data for any purpose other than the purposes defined in Annex 1.B (including for its own commercial purpose), except where otherwise required by any law applicable to the Data Processor. The Data Processor shall inform the Data Controller without delay if it becomes aware that Data Controller's processing instructions violate data protection rules but without obligation to actively monitor Data Controller's compliance with data protection rules. The Data Processor is entitled to suspend compliance with the instruction in question until it is either confirmed or changed by the Data Controller.

3.   Obligations of the Data Processor

3.1.          The Data Processor may process personal data of Data Subjects only within the scope of the assignment defined in this Agreement and the documented instructions of the Data Controller. In the event that the Data Processor is obliged to process data differently as a result of national or European law, it shall point out the circumstance to the Data Controller before processing begins unless that law prohibits such information on important grounds of public interest.

3.2.          The Data Processor shall set up the internal organisation of its area of responsibility in such a manner that it meets the specific requirements of data protection as enshrined in the GDPR. The Data Processor shall take the technical and organisational measures described in Annex 2 to ensure an adequate protection of the Data Controller's Personal Data. The purpose of these measures is to ensure long-term confidentiality, integrity, availability and resilience of the systems and services in connection with the processing of Personal Data under commission. The Data Controller is informed of these technical and organisational measures by virtue of this Agreement. It is the Data Controller's responsibility to ensure that these measures provide an adequate level of protection regarding the risks of Personal Data processing.

3.3.          The Data Processor reserves the right to change the technical and organisational measures but must guarantee that the level of protection agreed in this Agreement is not reduced.

3.4.          To the best of its ability and within the scope of the services defined in this Agreement (in Annex 1.B), the Data Processor shall assist the Data Controller in dealing with requests and claims of Data Subjects according to Chapter III of the GDPR and in respecting its obligations specified in Articles 32 to 36 GDPR. For these services, the Data Processor is entitled to adequate financial compensation.

3.5.          The Data Processor ensures that the individuals authorised to process Personal Data have signed an agreement of confidentiality or are subject to an adequate confidentiality clause. This obligation of confidentiality and secrecy shall remain in effect even beyond completion of an assignment.

3.6.          The Data Processor shall inform the Data Controller without delay as soon as it becomes aware of any violation of the protection of the Data Controller's Personal Data. The Data Processor shall take the necessary measures to safeguard Personal Data and to alleviate possible disadvantageous consequences for the Data Subject and shall consult with the Data Controller in that respect without delay.

3.7.          The Data Processor is obliged to appoint a competent and reliable Data Protection Officer according to Art. 37 GDPR to the extent and as long as the statutory prerequisites for such an obligatory appointment are in force. The Data Controller shall be informed of the contact data of this individual for the purpose of making direct contact. Any change of Data Protection Officer shall be communicated to the Data Controller without delay. An update to the Terms and Conditions of Use which includes the change of the Data Protection Officer details is deemed sufficient for this purpose.

Data Protection Officer of the Data Processor:

Name: Thoralf Knuth (C/ISP)
Address: Robert-Bosch-Platz 1, 70839 Gerlingen-Schillerhöhe, Germany
E-Mail: DPO@bosch.com

First contact for data protection issues:

Name: Data Protection and Information Security Bosch Power Tools
E-Mail: 002.PTDSO@de.bosch.com

3.8.          The Data Processor shall ensure that its obligations according to Art. 32 (1) lit. d) GDPR are complied with and put in place a process for regular examination of the effectiveness of the technical and organisational measures to ensure the safety of processing.

3.9.          The Data Controller is responsible for correction and erasure of Personal Data. The same is valid for the restriction of the processing of Personal Data under commission (blocking).

3.10.       The Personal Data shall be erased at the date of completion of the respective User Agreement. It is up to the Data Controller to prepare backup copies of its Personal Data and to move such Personal Data before the end of the User Agreement. The Data Processor is not obliged to hand over Personal Data to which the Data Controller has direct access. In case the Data Controller does not have direct access to Personal Data, the Data Controller may request a copy of such data from the Data Processor within 90 days of the end of the User Agreement.

3.11.       The Data Processor undertakes to maintain a record of data processing activities (RoPA) according to Art. 30 (2) GDPR.

4.   Obligations of the Data Controller

4.1.          It is the Data Controller's responsibility to provide the Data Processor with the Personal Data in due time so as to enable the latter to provide the services according to this Agreement. The Data Controller is responsible for the quality of the Personal Data. The Data Controller shall inform the Data Processor immediately and completely in the event that it should identify any errors or irregularities with regard to data protection rules or in the performance of the Data Processor when checking the work results.

4.2.          In the event that claims should be made by a Data Subject in connection with Art. 82 GDPR, the Data Controller and the Data Processor undertake to assist each other in the defence against such claims. The Data Processor shall be entitled to invoice the Data Controller for any costs it incurs when providing assistance regarding Data Subject requests, for actions performed on the specific request of the Data Controller which fall outside the Data Processor’s commercially reasonable efforts.

5.   Enquiries from Data Subjects

If a Data Subject contacts the Data Processor demanding correction, erasure, restriction of processing or information about the Personal Data, the Data Processor shall refer the Data Subject to the Data Controller if allocation to the Data Controller is possible on the basis of the information provided by the Data Subject.

6.   Ways of verification

6.1.          If so requested, the Data Processor shall submit suitable proof to the Data Controller that the obligations set forth in Art. 28 GDPR and in the present Agreement are complied with. For the purpose of proving compliance with the agreed obligations, the Data Processor may provide the Data Controller with certificates and third-party test results (e.g. according to Art. 42 GDPR or ISO 27001) or with test reports from the internal Data Protection Officer or any individual to whom this task has been assigned by the Data Protection Officer.

6.2.          In the event that spot checks by the Data Controller or an auditor appointed by the Data Controller should turn out to be necessary in individual cases, these shall be conducted during regular business hours from Monday to Friday between 8 a.m. and 5 p.m. without disruption of operations and after an adequate notification period of at least 4 weeks in advance. The Data Processor is entitled to make approval of such checks dependent on signing an adequate declaration of secrecy by the Data Controller or the auditor assigned by the Data Controller. If the auditor appointed by the Data Controller should be a competitor of the Data Processor, the Data Processor is entitled to object. Such objection shall be declared to the Data Controller in text form.

6.3.          In the event that an audit should be carried out by the data protection supervisory authority or another state authority, chapter 6.2 shall apply accordingly. Signing a confidentiality obligation is not required if the supervisory authority is subject to professional or statutory confidentiality, any breach of which shall be penalised in accordance with the German Criminal Code.

6.4.          The Data Processor is entitled to request adequate compensation for carrying out such an audit as per chapter 6.2 or 6.3, unless the reason for such an audit is the strong suspicion that a data protection breach has taken place within the scope of responsibility of the Data Processor. In such a case, details of the suspicion must be submitted by the Data Controller together with the notification of the examination.

7.   Sub-Processors (additional contract data processors)

7.1.          The Data Controller agrees to the Data Processor involving sub-processors. Before involving or replacing sub-processors, the Data Processor shall inform the Data Controller in text form with four weeks' notice. The Data Controller may object to such a change only for an important reason. Any objection must be lodged in writing within 14 days, and all reasons must be specified explicitly. If no objection is lodged within this time limit, consent to the involvement or replacement is deemed to have been given. If there is an important reason which cannot be eliminated by the Data Processor by adjusting the assignment, the Data Controller is granted an extraordinary right of termination. No information regarding the sub-processors and their partial services beyond that given in Annex 3 will be provided upon signature of the Agreement. If the Data Processor assigns any sub-processors, it is up to the Data Processor to convey its obligations regarding data protection under the present Agreement to the sub-processor.

7.2.          Upon written request of the Data Controller, the Data Processor shall provide information regarding the data protection obligations of its sub-processors to the extent possible due to confidentiality obligations that may be in a sub-processor agreement between the Data Processor and its sub-processors.

7.3.          The provisions of this chapter 7 shall also apply if a sub-processor in a third country is involved - observing the principles of Chapter 5 of the GDPR. The Data Processor agrees to cooperate to the required extent in meeting the prerequisites as set in Chapter 5 of the GDPR. For the purposes of Clause 9(c) of the EU SCCs, the Data Controller acknowledges that the Data Processor may be restricted from disclosing sub-processor agreements to the Data Controller due to confidentiality obligations. Where the Data Processor cannot disclose a sub-processor agreement to the Data Controller, the Data Processor shall provide all information (on a confidential basis, e.g. by redacting the text of the sub-processor agreement) it reasonably can in connection with such agreement.

8.   Liability

8.1.          The limitations of liability as defined in the Terms and Conditions of Use apply.

8.2.          The Data Controller shall indemnify the Data Processor against any claims lodged by third parties against the Data Processor as a result of the processing of Personal Data according to the instructions of the Data Controller. The Data Controller shall release the Data Processor from any third-party claims in this context. Article 82 para. 3 of the GDPR shall apply.

9.   Obligations of information, written form clause, choice of law

9.1.          In the event that the Data Controller's Personal Data processed by the Data Processor should be placed at risk as a result of seizure or confiscation, insolvency or settlement proceedings or by other events or measures of a third party, the Data Processor shall inform the Data Controller without delay.

9.2.          The Data Processor shall inform the Data Controller about any amendments and additions to the present Agreement and its constituent elements, giving the Data Controller the right to raise any reasonable objections on grounds of data protection within one month. If there is an objection on the grounds of reasonable data protection concerns, the Data Controller is granted an extraordinary right of termination. Otherwise, the Data Controller shall be deemed to have accepted the amendments and/or additions. However, explicit consent is required if the amendment would no longer fulfil the requirements of Art. 28 GDPR.

9.3.          Any changes to the Agreement shall be made in the form of a written agreement which may also be in text form (such as via e-mail or within the web/mobile app) and include an explicit reference that it is an amendment or addition to this Agreement. This shall also apply to the waiver of the requirements of this format. The Parties agree that the process described under 9.2 meets the requirements for amending and supplementing this Agreement.

9.4.          In the event of contradictions, the regulations in this Agreement shall take precedence over the regulations of the Terms and Conditions of Use. If individual regulations of the present Agreement should become invalid, the validity of the Agreement as such shall not be affected.

9.5.          This Agreement shall be governed by German law. The agreed place of jurisdiction shall be Stuttgart (Germany).

Annexes

Annex 1.A. List of Parties

Data exporter(s):

Name: the User who uses in a professional/commercial context one of MeasureOn Services that include cloud data storage

Address: User’s electronic or physical address

Contact person’s name, position and contact details: Contact name and contact email specified in the User Agreement and/or the contact information specified in the User’s account

Activities relevant to the data transferred under these Clauses: The data exporter is a customer of the data importer who uses in a professional/commercial context the data importer’s Services to create, manage and update projects, documents and workspaces that are stored on the data importer’s cloud and may contain personal data. In addition, if the data exporter is a MeasureOn Multi-License owner, the data importer may send emails to data exporter’s designated assignees on data exporter’s behalf in order to facilitate the assignee’s access to and use of MeasureOn.

Role (controller/processor): Controller

Data importer:

Name: the Provider stated in the Terms and Conditions of Use

Address: as stated in the Terms and Conditions of Use

Contact person’s name, position and contact details: Data Protection and Information Security Bosch Power Tools, 002.PTDSO@de.bosch.com

Activities relevant to the data transferred under these Clauses: The data importer operates MeasureOn mobile/web app that offers the Services that may include cloud storage for data exporter’s projects, documents and workspaces, and sending emails to data exporter’s designated assignees on data exporter’s behalf in order to facilitate the assignee’s access to and use of MeasureOn in the context of the MeasureOn Multi-License.

Role (controller/processor): Processor

Annex 1.B. Description of transfer

Categories of data subjects whose Personal Data is transferred:

Commercial/professional contacts of the data exporter (when the data exporter is a natural person using MeasureOn Services in a professional/commercial context)

Company owner of data exporter, employees of data exporter, customers and clients of data exporter (when the data exporter is a legal entity)

Categories of Personal Data transferred:

Any Personal Data that may be contained in the projects, documents and workspaces created or uploaded by the data exporter on the data importer’s cloud, such as but not limited to: Name, Address, Username, Customer name, Identifiers, Descriptions and/or other information contained in projects which can be considered Personal Data.

In case of MeasureOn Multi-License – email address of data exporter’s designated assignee who is invited to use MeasureOn.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

No.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Continuous in case of data hosting on the cloud

One-off in case of email invitation of data exporter’s designated assignee in the context of MeasureOn Multi-License

Nature of the processing:

Processing of Personal Data in the context of:

(1)   the Services that may include cloud storage for data exporter’s projects, documents and workspaces,

(2)   sending emails to data exporter’s designated assignees on data exporter’s behalf in order to facilitate the assignee’s access to and use of MeasureOn in the context of the MeasureOn Multi-License, and

(3)   other processing activities on behalf of the data exporter if described in the Terms and Conditions of Use or in a separate agreement.

Purpose(s) of the data transfer and further processing:

Provision of the Services as described in this Agreement and its Annexes

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:

The Personal Data will be retained until termination of the User Agreement, in accordance with Clauses 1.1 and 3.10 of this Agreement.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

See information in Annex 3; the duration of data processing is governed by Clauses 1.1 and 3.10 of this Agreement.

Annex 1.C. Competent supervisory authority

The supervisory authority of the EEA member state where the User is established or resides, or, if the User is not established or residing in the EEA, the EEA member state where the User’s representative is established or where the majority of the User’s end customers or contacts (Data Subjects) are located.

Annex 2:

Technical and organisational measures including technical and organisational measures to ensure the security of the data

Overview

Cybersecurity, Information Security and Data Protection are fundamental components of the quality standards at Bosch. We consider trust in the security of systems and data, as well as their resilience to manipulative interference, to be a key success factor for the realization of our AIoT strategy. This also includes handling user data in a responsible way - in line with the values that have always characterized our company.

A cross-functional steering committee with the participation of the Data Protection Officer, Chief Information Security Officer, Chief Cyber Security Officer, and Chief Digital Officer reports directly to the Group Executive Board twice a year in a meeting specially scheduled for this purpose. In addition, we have set up a dedicated central office for the IT security of our products. A clearly described process and a steadily growing network of experts ensure that Cybersecurity and Data Protection are broadly embedded in the development of our products.

Bosch operates a combined Information Security and Data Protection Management System, which is continuously maintained and updated. The system is aligned with international standards such as ISO 27000 and also takes into account legal requirements like those formulated in the General Data Protection Regulation (GDPR). In this way, Bosch is integrating Data Protection, Information Security and Cybersecurity into a consistent system to ensure that data is handled responsibly and securely.

All relevant areas of Cyber Security, Information Security, and Data Protection at Bosch are covered by corresponding guidelines and central directives. Binding guidelines on Cybersecurity are provided by the two central directives "Cyber Security Management System" and "IT Security", which regulate the development of products and services as well as the operation of servers and other IT systems throughout the Bosch Group. In addition, the group policy "Information Security and Data Protection", which is binding for all employees, defines principles, responsibilities and tasks relating to operational Information Security and Data Protection.

Data Protection experts are involved in the development of products at an early stage so that they can support project management and development in evaluating and implementing Data Protection requirements. They make their know-how available to all units and are continuously qualified. Central specifications regulate processes, roles and qualifications. These are regularly reviewed so that deviations can be identified at an early stage and remedied promptly. All specifications are regularly revised and updated. Our subsidiary ESCRYPT also provides support in the form of technical expertise.

Although we take every precaution, it is clear that absolute security does not exist, even in the field of Information Technology. For this reason, we have established the Bosch Product Security Incident Response Team (PSIRT). It is available to security experts, partners, or customers as a central point of contact in the event that vulnerabilities are identified in our products. Security vulnerabilities can also be reported via our whistleblower system. Once a solution has been found, we make it transparent online for all our customers.

The following pages describe the most important components of the Information Security and Data Protection Management System of the Bosch Group.

Organization

The Bosch Group operates a globally valid Information Security and Data Protection Management System (ISMS/DPMS). This is commissioned by the Group Executive Board and managed by the corporate department “Information Security and Data Protection”.

The head of the corporate department “Information Security and Data Protection” is the Chief Information Security Officer (CISO) and the Data Protection Officer (DPO) of the Bosch Group, and has direct reporting rights to the Group Executive Board.

The tasks of the corporate department “Information Security and Data Protection” include the definition of corporate policies based on risk assessments, external standards (e.g., ISO 27001, TISAX) and laws (e.g., GDPR) as well as monitoring the implementation of the corporate policies.

The corporate guidelines are supplemented by further implementation regulations for separate areas (e.g. specifications in accordance with ISO/IEC 62443 in the OT area).

The Group Executive Board authorizes the corporate policies.

The management of the Bosch Group’s organizational units (OE) (such as divisions and regional organizations) is responsible for implementing the corporate policies.

For this purpose each OE has appointed a Data Protection and Information Security Officer (DSO), who is responsible for implementing the ISMS/DPMS in the OEs.

At an operational level, dedicated contact persons as “Data Protection and Information Security Partners (DSP)” support the implementation of corporate policies on Information Security and Data Protection.

Risk Management

Information Security and Data Protection are an independent part of the Bosch Group’s Risk Management System.

Risks are continuously identified, assessed, monitored and reported to the Executive Management [Functional Risk Management System of C/ISP].

The treatment of risks is based on measures that are derived from established security standards (e.g. ISO 27001, ISO 27018) and external requirements (e.g. GDPR) and made binding by corporate policies.

Risks are monitored as part of internal controls and Information Security and Data Protection audits.

Risks are considered separately in the product development process.

Technical and Organizational Measures to Protect Information and Personal Data

Sensitization and Training of Employees

The following Technical and Organizational Measures, among others, have been implemented to reduce risks in the handling of information and personal data by employees:

For new hires in sensitive areas, there is a process in place to ensure that employees are qualified for their intended roles.

Employees are regularly instructed, trained and sensitized about the risks involved in handling information or product development.

Employees are required to comply with laws and internal policies on Information Security and Data Protection.


Handling of Information and IT Systems

The following Technical and Organizational Measures, among others, have been implemented to reduce risks arising from inadequate protection of information, personal data or IT systems:

Information, personal data and IT systems are identified, inventoried, assigned to responsible persons and classified with regard to their security classification.

The processing of information on privately procured IT systems is prohibited.

Storage media containing sensitive information (e.g. confidential information, personal data) are securely disposed of by encrypting, deleting or destroying the data.

After termination of employment, employees must return any asset in their possession to the Bosch Group.


Access to IT Systems

The following Technical and Organizational Measures, among others, have been implemented to reduce risks arising from unauthorized access to IT systems:

User accounts are managed centrally, checked regularly and deleted if necessary.

Administrative accounts are assigned restrictively; their necessity is checked regularly and they are deleted if no longer necessary.

Secret authentication information (e.g. passwords) is subject to strict password management procedures and is securely managed, stored and transmitted in the IT systems.

Access to IT systems is performed using secure login procedures depending on the type of access and the security classification of the information.


Access to Information and Personal Data

The following Technical and Organizational Measures, among others, have been implemented to reduce risks from unauthorized access to information and personal data:

Access authorizations are limited to the necessary extent, are checked regularly, and are adjusted or withdrawn if necessary (need-to-know, need-to-use).

Administrative authorizations are assigned restrictively, their necessity is checked regularly and withdrawn if necessary.


Encryption of Information and Personal Data

The following Technical and Organizational Measures, among others, have been implemented to reduce risks from unauthorized reading, copying or modification of information and personal data:

Information is encrypted during storage and transport depending on its security classification.

Keys are issued and managed by the Bosch Group’s own trust center (Bosch Trustcenter) to reduce the risk of theft or loss of the keys.

Encryption methods are state of the art.


Physical Protection of Information, Personal Data and IT Systems

The following Technical and Organizational Measures, among others, have been implemented to reduce risks arising from unauthorized access, damage or theft of information, personal data and IT systems:

Access to the Bosch Group properties (e.g. plants, buildings, offices) is based on identification and authorization of persons (e.g. via employee ID cards, visitor controls).

Properties are divided into security zones with appropriate security requirements.

Sensitive IT systems (e.g. servers) are placed in access-protected IT data centers or IT rooms.

Employees are regularly advised to maintain a tidy work environment (clean desk) to reduce risks from the theft of documents, IT devices, or removable storage media.

A regulated process with documentation requirements has been implemented for transporting equipment, removable storage media and documents.


Secure Operation of IT Systems and Networks

The following Technical and Organizational Measures, among others, have been implemented to reduce risks arising from the improper operation of IT systems:


Operating procedures are implemented for the operation of IT systems, which describe the security-relevant operating processes (e.g. change and patch management, backup and recovery procedures).

Changes to IT systems are planned, approved and executed as part of change management processes.

Test and production systems are separated from each other.

IT systems are protected by a multi-level malware concept.

Software installation by users is restricted.

On IT systems, security-relevant events are logged under consideration of data protection in order to identify security and data protection incidents.

Vulnerability management: Technical vulnerabilities in IT systems are evaluated by the Bosch CERT (Computer Emergency Response Team) within the framework of regulated patch and change management processes; their elimination is bindingly instructed to, and carried out by, the responsible parties.

Network segmentation and secure network interfaces are provided where technically necessary. IT systems requiring special protection or those with high risks are operated in separate network segments.


Acquisition and Development of IT Systems and Bosch Products

The following Technical and Organizational Measures, among others, have been implemented to reduce risks during the acquisition and development of IT systems and Bosch products:


When purchasing and developing IT systems, security requirements are derived from the protection requirements of the information and personal data.

Vulnerabilities are identified and eliminated during the development and before the implementation of IT applications.

Test data is protected according to its security classification.

A particular process exists for the development as well as for the operation of Bosch products, which takes special account of the requirements for the protection of information and personal data ("Security by Design", "Data Protection by Design", "Data Protection by Default").


Processing and Protection of Information and Personal Data by Third Parties

The following Technical and Organizational Measures, among others, have been implemented to reduce risks in the processing of information and personal data by third parties:

Security requirements are implemented in supplier contracts to ensure that the information and personal data are protected at suppliers and their subcontractors to the same extent as when processed by the Bosch Group.

Before contracting and regularly during the service provision, it is reviewed whether suppliers meet the Information Security requirements of the Bosch Group.

In the case of especially high-risk applications (e.g. external clouds), a preliminary check of the supplier's security concepts and processes is carried out to identify vulnerabilities and to reduce risks.

The implementation of the measures at the supplier is checked on a random-sample basis.

Where necessary, non-disclosure agreements (NDAs) are signed when exchanging information with third parties.


Handling of Information Security and Data Protection Incidents

The following Technical and Organizational Measures, among others, have been implemented to reduce risks resulting from undetected or inadequately handled security incidents:

The Bosch Group has a computer emergency response team (Bosch CERT), which coordinates the handling of IT security incidents and vulnerabilities.

The Bosch Group has a Product Security Incident Response Team (Bosch PSIRT), which coordinates the handling of security incidents and vulnerabilities in Bosch products.

Every employee is obliged to report security incidents or weaknesses to the Bosch CERT.

Data protection incidents can be reported via defined reporting channels to the Bosch Group’s Data Protection Officer, who coordinates further handling.

There are defined reporting and communication channels to the responsible authorities for Data Protection incidents as well as Information and Cyber Security incidents.


Availability of Information, Personal Data and IT Systems

The following Technical and Organizational Measures, among others, have been implemented to reduce risks arising from unavailable information, personal data and IT systems:


Redundancy, emergency and restart concepts for IT systems are in place and implemented depending on the importance of the information, business processes and personal data. An appropriate incident management process is in place.

The information on IT systems is regularly backed up using tested procedures and, if necessary, archived to reduce the risks of information destruction or loss.


Monitoring Compliance with Corporate Policies

The following Technical and Organizational Measures, among others, have been implemented in order to reduce risks arising from corporate requirements that have not been implemented:

The Information Security and Data Protection organization conducts regular Information Security and Data Protection audits to reduce risks from missing or ineffective security measures.

Operators of IT systems conduct regular self-checks to reduce risks due to missing or ineffective security measures.

Depending on the risks, security checks and attack simulations are conducted on a regular basis.


Consideration of Additional Requirements for Data Protection

5.1. Data Protection Organization Within the Bosch Group

Within the Bosch Group, a Data Protection and Information Security Officer (DSO) is appointed for all regional units to advise on data protection issues and to be responsible for implementing the ISMS/DPMS in the regions. In this way, the Bosch Group complements the existing DSO organization within the business areas.

5.2. Transfer of Personal Data Outside the Bosch Group

Data transfers to third parties are carried out in compliance with data protection requirements. The Bosch Group makes use of standardized data protection under commission contracts and standardized joint controllership agreements. For transfers of personal data to a non-European country, the Bosch Group relies on standard data protection clauses if no adequacy decision exists.


5.3. Transfer of Personal Data Within the Bosch Group

Within the Bosch Group, data is processed based on a data protection under commission framework.

If the Bosch Group transfers personal data from a member state of the European Union to a third country (outside the EU), this transfer is also legitimized by an internal framework agreement, involving the EU standard data protection clauses.

Internal and external data transfers are therefore comprehensively documented and always verifiable.

For data transfers and/or data processing without reference to the EU/EEA, the respective national law is applied in the Bosch Group.

5.4. Observation and Consideration of International Data Protection Regulations

The Bosch Group monitors the development of data protection laws and regulations in other countries and ensures that they are adequately taken into account.


Annex 3: List of Sub-processors

The Data Controller/data exporter has authorized the use of the sub-processors listed below:


Company name and address of the sub-processor, and nomination of a possible data protection officer/contract partner for data protection questions:

1. Robert Bosch GmbH (Bosch Digital), Robert-Bosch-Platz 1, 70839 Gerlingen-Schillerhöhe, Germany

Content of assignment (scope of the commission by the Data Processor):

Data hosting and sending of emails

Place of data processing:

EEA

Transmission of/access to personal data of the Data Controller (category of data and data subjects):

Data listed in Annex 1.B of the Agreement