GDPR Data Processing Rules for Console Connect IoT Service

The GDPR Data Processing Rules for Console Connect IoT Service (the “Rules”) set out the terms on which PCCW Global (“Company”) and/or its sub-processor processes Personal Data of data subjects within the European Union at the time of processing on behalf of the Customer in connection with the performance of the Company’s obligations for the Console Connect IoT Service.

The Rules are incorporated into and made a part of the Specific Terms for Console Connect IoT Service (the “Specific Terms”). Capitalised terms used herein and not otherwise defined shall have the meanings set forth in the Specific Terms or the EU GDPR, as applicable.

 

1. Definitions

1.1 EU Data Protection Legislation means the General Data Protection Regulation ((EU) 2016/679) (“EU GDPR”) as the same may be amended or updated from time to time. Terms used in the Rules that are not specifically defined herein have the same meanings as given to them in the EU GDPR.

1.2 Personal Data means personal information of Customer’s user(s) and/or end-user(s) that identify individuals, including without limitation names, addresses, telephone numbers, transactional history, account numbers, any information or data about or relating to an identifiable individual (including an individual who can be identified directly or indirectly from the information). For certainty, “personal information” shall include all personal information as defined in applicable privacy legislation.

 

2. Data Protection

2.1 The Parties acknowledge that for the purposes of the EU Data Protection Legislation, the Customer is the Data Controller and the Company is the Data Processor (where “Data Controller” and “Data Processor” have the meanings as defined in the EU GDPR). Customer acknowledges and consents to the organisations named in the Rules being engaged as sub-processors of Console Connect IoT Service.

2.2. The Customer shall serve as a single point of contact for the Company. As other Data Controllers, being Customer affiliates, enterprise customers, Users or other operators, as applicable (“Disclosing Controllers”), may have certain direct rights against and obligations towards the Company as described in the Rules, the Customer undertakes to exercise all such rights and obligations on their behalf and to obtain all necessary permissions from the Disclosing Controllers. The Company shall be discharged of its obligation to inform or notify Disclosing Controllers when the Company has provided such information or notice to the Customer.

2.3 Without prejudice to the generality of clause 10.1 of the Specific Terms, the Customer shall:

(i) ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Company and use of the Personal Data by the Company for the duration and purposes of the Console Connect IoT Service;

(ii) act as the data subject’s sole point of contact;

(iii) ensure that the data subjects have received sufficient information or prior consultation regarding the processing as required by the EU GDPR;

(iv) promptly inform the Company of any erroneous, rectified or updated Personal Data subject to the Company’s processing, as well as if any such data is to be deleted;

(v) in a timely manner, provide the Company with lawful and documented instructions regarding the Company’s processing of Personal Data;

(vi) provide the detailed information within its control that is required in Schedule A (Description of the Processing of Personal Data);

(vii) provide the Company with the relevant data protection impact assessment for the processing activities that the Company is to carry out, in accordance with Article 35 of the EU GDPR; and

(viii) comply with all its obligations and applicable requirements under the EU GDPR including but not limited to the Customer’s responsibilities set out clause 4 of these Rules.

2.4 The Company will, and will endeavour to require sub-processor to, as the case may be, in relation to any Personal Data processed in connection with the performance of the Company’s obligations under the Specific Terms:

(i) process the Personal Data only on documented instructions from the Customer including with regard to transfers of Personal Data to a third country, unless the Company and/or sub-processor is legally required to process the Personal Data by European or Member State law or authority to which the Data Processor is subject and provided it informs the Customer of that legal requirement and the proposed processing before such processing takes place (unless that law prohibits such information on important grounds of public interest);

(ii) ensure that persons authorised to process the Personal Data are obliged to keep the Personal Data confidential;

(iii) take appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development, the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it. The Company has procured the deployment of certain physical, access, data, communication and network domain security measures in relation to the device connectivity platform, as set out in the relevant security document which is available upon request. The Customer agrees and confirms that these security measures meet the Customer’s security requirements and processing instructions;

(iv) assist the Customer, at the Customer’s additional cost to be mutually agreed in advance in writing, in responding to any request from a data subject and in ensuring compliance with its obligations under the EU Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

(v) notify the Customer without undue delay after becoming aware of a Personal Data breach and assist the Customer with making any mandatory notifications to regulators and/or affected data subjects in the event of a Personal Data breach;

(vi) at the choice of the Customer, delete or return Personal Data and copies thereof to the Customer on termination or expiry of the relevant Order Form for Console Connect IoT, unless required by Applicable Law to store the Personal Data;

(vii) make available to the Customer all reasonable information to demonstrate the Company’s compliance with this clause 2.4 and allow for audits by the Customer or it’s designated auditor. Any such audits shall be carried out no more than once each calendar year during service term and only on providing not less than 4 weeks’ prior written notice to the Company; and

(viii) with regard to clause 2.3(i), inform the Customer, if in its opinion, an instruction from the Customer infringes EU GDPR.

2.5 The Customer consents to the Company appointing a sub-processor of Personal Data under the Rules provided the Company confirming that it will be incorporating terms in the agreement between the Company and the sub-processor of Personal Data which are substantially similar to those set out in the Rules, and in particular the Company will endeavour to obtain sufficient guarantees from the sub-processor that it shall implement appropriate technical and organisational measures in such a manner that the processing shall meet the requirements of EU GDPR. The Company agrees to inform the Customer in advance of any changes to sub-processors. Within 30 days after the Company’s notification of the intended change, the Customer can object to the addition of a sub-processor on the basis that such change would cause the Customer to violate applicable legal requirements. The Customer’s objection shall be in writing and include the Customer’s specific reasons for its objection and options to mitigate, if any. If the Customer does not object within such period, the respective sub-processor may be commissioned to process Personal Data.

2.6 The Company may, at any time on not less than 30 days’ notice, revise this clause 2 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by an attachment to the Rules).

 

3. Transfer of Personal Data Outside European Union and EEA

3.1 The Company will procure its sub-processors not to transfer Personal Data outside the European Economic Area (“EEA”) or the United Kingdom (“UK”) without the prior written consent of the Customer and, where the Customer consents to such transfer, the Company will procure its sub-processors:

(i) only do so in compliance with the Customer’s documented instructions and EU Data Protection Legislation; and

(ii) either to: (a) to transfer such Personal Data according to the relevant binding corporate rules of the sub-processors; or (b) on the Customer’s written request, to enter into an agreement with the Customer on any then current standard contractual clauses:

(A) with respect to Personal Data in the EEA, for the transfer of such Personal Data from a data controller in the EEA to a data sub-processor outside of the EEA as approved by the European Commission (or such other relevant authority of the European Union or its constituent member states); or

(B) with respect to Personal Data in the UK, for the transfer of such Personal Data from a data controller in the UK to a data sub-processor outside of the UK as approved by the UK government (or such other relevant authority of the UK).

3.2 The Customer will ensure that the data subjects are informed about the existence of processors and sub-processors based outside of the EU and of any applicable binding corporate rules of the processors and sub-processors. In addition, if the transfer involves special categories of data as referred to in Article 9 of the EU GDPR, the Customer will ensure that the data subjects have been informed that their data could be transferred to a third country not providing adequate protection, and apply for national authorizations with the applicable data protection authorities to transfer data to processors and sub-processors (if applicable).

3.3 Data subjects who wish to file a complaint or a request should first contact the Customer. The Customer shall promptly notify Company such complaint or request by email to [email protected].

4. EU GDPR Compliance Elements

4.1 The Customer acknowledges and agrees that the Company is a data processor and neither the Company nor its sub-processors has any interaction with end-users (“data subjects”). Without limiting clause 2.3 (viii) of the Rules, the Customer shall fulfil the following compliance elements:

(i) Privacy statement presented to the data subject (EU GDPR Articles: 5, 6, 7, 13):

  • The Customer must secure that the privacy statement is presented to data subjects, since neither the Company nor its sub-processors have any interaction with the data subjects and can therefore not present them with any privacy statement.

(ii) Collecting, storing and demonstrating consent from data subject (EU GDPR Articles: 5, 6, 7, 13):

  • The Customer must collect, store and be able to demonstrate consent from data subject, since neither the Company nor its sub-processors have any interaction with the end-user and can therefore not present them with any privacy statement.

(iii) Provide access to personal data related to a data subject (subscriber) on request (EU GDPR Articles: 15):

  • The Customer is responsible for delivering personal data upon request to data subjects.

(iv) Editing, correcting and deleting any personal data collected from the data subject (EU GDPR Articles: 16, 17):

  • The Customer is responsible for editing, correcting and deleting any personal related data through the existing portal or API interfaces.

Note: Data that are stored to be able to perform billing, such as XDRs, CDRs and so on, cannot be edited or deleted based on data subject requests, since this can cause incorrect billing, which provides a legitimate reason for not supporting editing. This data is generated automatically based on actual traffic in the network.

(v) Data subject has the right to object and not be subjected to automated individual decision-making (EU GDPR Art: 21, 22):

  • Sub-processors may do analytics of the data going through their core network and the service cannot be delivered without such processing. The service needs to be terminated by the Customer, in case the data subject objects to the processing of their personal information.

Schedule A

Description of the Processing of Personal Data

1.2 Data Subjects

The Personal Data processed concern the categories of data subjects identified below.

The Customer may submit Personal Data to the Console Connect IoT Service, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

·        Customers, business partners and vendors of the Customer (who are natural persons);

·        Employees or contact persons of the Customer’s prospects, customers, business partners and vendors;

·        Employees, agents, advisors, freelancers of the Customer (who are natural persons); and

·        The Company’s users and Users authorized by the Customer to use the Console Connect IoT Service.

 

1.3  Categories of Personal Data

The Personal Data processed concern the categories of Personal Data listed in the table below:

Personal Data
Category
Data Item
Basic Data IP-Address
MSISDN
IMSI
IMEI code
First name
Last name
User ID
Email address
Password
Country
US State/Postal code
Physical address / City
Login details
Other basic data Subscription type, commercial data history, customer relationship history
Sensitive data (identifiable user activity) Call history (CDR)
Metadata showing user activity
Browsing/Connection history, URL, originating IP
Location history
Location: GPS coordinates
Location: LAC/CellID

 

1.4  Purpose of the Personal Data Processing

Console Connect IoT Service will process and store data in order to deliver the required services as specified in Schedule A of these Specific Terms.

 

1.5  Processing Operations

The Personal Data processed will be subject to the following basic processing activities:
PCCW Global is delivering a Console Connect IoT Service. The following main activities with a privacy impact will be performed:

• Collect, process and store subscription data.

• Collect, process and store data from the telecom network to trigger events based of the subscription.

• Collect, process and store data for rating and billing purposes.

• Collect, process and store data to provide the operators and Customers with data and reports.

• Collect, process and store log events for troubleshooting and security purposes.

 

1.6 Duration of Processing

The Personal Data will be processed with the following duration:

Data Type Description   Data retention period*
CDR Charging data records (“CDRs”) from the telecom network used to produce:

·        Input for billing

·        Reports

·        KPIs and data for the portal

36 months
Probe Data (XDRs) Meta data from the telecom network used for:

·        Trigger activities

·        creating CDRs

36 months
SIM data Data transferred between Customer and PCCW Global for provisioning of new SIMs 12 months after a subscription expires
Subscription Data Data for subscription management, including search services for subscriptions and eSIM inventories in portal. 12 months after a subscription expires
Invoice XML Data Billing data for the MNOs 36 months
Reporting data Reports in the portal and servers 24 months

 

Incidents, alarms and Service Requests Information regarding operational alarms and incidents, and Customer service requests. 36 months

 

 

Customer specific Settings Information about enterprises, price plans, subscription packages, APNs, triggers, routes and any keys. PCCW Global data: duration of contract + 6 months
User credentials Credential for access to portal, APIs and infrastructure, e.g.  users, email address, password

(Note: only for administrators not for data subject of Console Connect IoT Service)

Inactive accounts are deleted after 12 months

 

Localization data Used to deliver device localization services
(not used by all customers)
6 months Localization of SIM as for SIM data
Log data Logs for troubleshooting and audit trails. 24 months

*Above data retention periods may change from time to time upon posting a notice to Customers on the Service Portal.

1.7 Sub processors

 

The Personal Data will be processed by the following sub processors:

The Ericsson Group and such other sub processors notified to Customers through the Service Portal and/or mutually agreed in the Order Form (if applicable).
 

1.8  Location of processing

The personal data will be processed Singapore, Sweden, The Netherlands and other locations notified to Customers through the Service Portal and/or mutually agreed in the Order Form (if applicable).