SoftServe Personal Data Protection Rules

SoftServe Global Data Sharing Agreement Schedule 2.
Binding Corporate Rules. Date: 07 July 2022

SoftServe Entities employ over 10,000 associates worldwide to provide digital services to hundreds of clients, including services that depend on personal data processing. SoftServe Entities implement a variety of measures to ensure an appropriate level of personal data protection, including these SoftServe Personal Data Protection Rules (PDPR), made to provide a unified level of personal data protection at all SoftServe Entities globally.

Version

This version of SoftServe Personal Data Protection Rules was published 07/07/2022

1 Scope

1.1 Role of SoftServe Entities

SoftServe Entities process personal data in the role of either data controllers or data processors.

As data controllers SoftServe Entities employ associates, maintain business contacts, welcome visitors, and do other activities needed to operate a business.

SoftServe Entities provide a wide range of services, including services that depend on (personal) data processing. SoftServe Entities offer these services acting as processors, processing personal data on behalf of the clients, who play the role of data controllers, and in accordance with contracts that SoftServe Entities execute with such clients.

In certain situations SoftServe Entities perform services for each other. In these contexts, the SoftServe Entity providing the service acts as a processor for the SoftServe Entity commissioning it, which remains the controller of the data.

The rendering of some services, both external services and services performed between SoftServe Entities, requires cooperation between particular SoftServe Entities. In such cases, a SoftServe Entity acting as a processor may engage another SoftServe Entity as a subprocessor.

1.2 Data subjects

SoftServe processes personal data of the following categories of individuals (also called ‘data subjects’):

When a SoftServe Entity is a data controller:
Data subjects related to the business of a particular SoftServe Entity, including:
  • SoftServe associates (employees and contractors)
  • Business contacts and client representatives
  • Job candidates
  • Family members of associates
  • Other individuals (visitors, requestees, etc.)

When a SoftServe Entity is a data processor:
Data subjects indicated by controllers requesting the processing:
  • For external services: other individuals;
  • For services performed between SoftServe Entities: data subjects whose data are processed by other SoftServe Entities as data controllers.

1.3 Geographical scope

The PDPR apply to all personal data processing performed by all SoftServe Entities, both within and outside of the EEA.

Group structure and data transfers

SoftServe is a global organization and it relies on global data transfers to conduct its business.

The PDPR apply to all personal data transfers performed by SoftServe Entities, including transfers inside the EEA, from the EEA to third countries, from third countries to the EEA, and transfers made between third countries.

The PDPR apply to the following categories of data transfers between the SoftServe Entities: controller-to-processor transfers, processor-to-(sub)processor transfers and controller-to-controller transfers.

SoftServe Clients who request any SoftServe Entity to process personal data on their behalf are informed in writing about the involvement of other SoftServe Entities acting as sub-processors, including SoftServe Entities located outside the EEA, and must give their prior written consent to the use of these sub-processors.

Transfers of personal data between SoftServe Entities are only allowed when the corresponding data protection laws permit them, including – as the case may be – when the following agreements are in place:

  • Data Processing Agreement made to satisfy Article 28(3) of the GDPR;
  • Standard Contractual Clauses made to satisfy Article 46(2)(c) of the GDPR.

2 Bindingness

The PDPR are binding upon and within all SoftServe Entities.

2.1 Bindingness upon SoftServe Entities

Each SoftServe Entity commits to comply with the provisions of the PDPR and to implement them in its structure and operations. Newly added SoftServe Entities should not perform any personal data processing before committing themselves to the PDPR.

2.2 Bindingness upon SoftServe Associates

All SoftServe Associates are bound by the PDPR through the obligation to comply with SoftServe policies, of which the PDPR is a part. This obligation is reflected in all employment or cooperation contracts.

SoftServe Associates are made aware of the PDPR during onboarding, training, and regular review. Violation of the PDPR may lead to sanctions according to applicable local laws, including dismissal of the relevant Associate.

3 Data Protection Principles

3.1 Compliance with local law

SoftServe Entities shall always comply with local data protection laws. Where local data protection laws require a lower level of personal data protection than the PDPR, SoftServe Entities commit to the level set in the PDPR.

SoftServe Entities shall collect compliance evidence and demonstrate compliance with applicable law (principle of ‘accountability’). That includes various forms of evidence:

  • electronic records of consent or being informed;
  • contracts and agreements;
  • records of processing, registries of specific processing operations, transfers or disclosures;
  • archive of emails or other communications;
  • archived logs or screencasts;
  • etc.

This evidence may be retained for certain periods, as required or implied by applicable law.

3.2 Transparent communication

SoftServe Entities shall be transparent when communicating with individuals about their personal data processing.

When a SoftServe Entity is a data controller:
SoftServe Entities being data controllers shall communicate to data subjects in particular about:
  • the identity of the SoftServe Entity being the data controller;
  • the type of personal data being processed;
  • the purposes of processing;
  • the legal basis for the processing;
  • the retention period;
  • the identity or, at least, the categories of entities with whom the data will be shared (data recipients);
  • any third countries to which the data will be transferred, and the appropriate safeguards;
  • the rights of the individuals;
  • the right to lodge a complaint with a Supervisory Authority.
This communication shall be done – unless the applicable laws prescribe specific time periods for communication – at the moment when personal data is collected or, if that is not possible, within the shortest reasonable period after the data was collected.

SoftServe Entities shall communicate in a clear and comprehensive way, using language and terminology that is commonly understandable by the individuals.

SoftServe Entities may refrain from communicating the abovementioned information to the individuals if they already have the information, or in other cases prescribed by the applicable laws.

When a SoftServe Entity is a data processor:
SoftServe Entities being data processors shall assist data controllers in performing their obligations to communicate with data subjects, in particular by collecting the information that the controllers need in this respect.

3.3 Purpose of processing

SoftServe Entities shall process personal data only for pre-defined, specific and justifiable purposes.

When a SoftServe Entity is a data controller:
SoftServe Entities being data controllers shall only process personal data for the purposes that were communicated to the individuals upon data collection, and will not reuse the data in any manner which is not compatible with such purposes.

SoftServe may derogate from this principle only if there is a legitimate reason to do so, such as compliance with a legal obligation or an established legitimate interest. Any derogation is registered, documented, and communicated to the individuals concerned as required by the applicable laws.

When a SoftServe Entity is a data processor:
SoftServe Entities being data processors shall strictly follow instructions received from data controllers as part of the corresponding data processing agreement or other communications from the controller, made in writing and in accordance with the agreement.

SoftServe Entities shall deny requests for processing that contradict the agreement.

If an instruction issued by a data controller breaches the applicable laws, SoftServe Entities shall advise the data controller thereof.

3.4 Lawfulness of processing

SoftServe Entities shall only process personal data if there is a legal basis for doing so.

When a SoftServe Entity is a data controller:
SoftServe Entities being data controllers shall process personal data only if there is a legal basis recognized by the applicable law. Depending on the context and the categories of data processed, this may include in particular the following:
  • Entering into and performance of a contract with the individual, such as an employment contract;
  • A legal obligation of the SoftServe Entity in question, such as one connected with taxation;
  • A legitimate interest of the SoftServe Entity, such as promoting its business;
  • Protecting the vital interests of the individual, such as calling emergency numbers;
  • Asking for the individual's consent in other cases, such as placing a website cookie.

When a SoftServe Entity is a data processor:
SoftServe Entities being data processors shall only process personal data on behalf of a controller when guided by a data processing agreement executed between the controller and a SoftServe Entity.

3.5 Retention

SoftServe Entities shall store personal data for the shortest period necessary to fulfill the purposes of processing.

When a SoftServe Entity is a data controller:
SoftServe Entities shall erase all data elements when they reach their retention periods. SoftServe Entities may also choose to reliably (irreversibly) depersonalize (anonymize) the data so that it can be further used for legitimate purposes, e.g. remove developer emails but keep using the program source code.

SoftServe Entities shall set retention periods reasonably, bearing in mind that the data shall not be stored longer than necessary.

When a SoftServe Entity is a data processor:
SoftServe Entities being data processors shall – subject to the decision of the data controller – return or delete personal data processed on behalf of such controller at the end of the processing engagement and erase all copies of that data.

3.6 Data minimization

SoftServe Entities shall keep data profiles minimal, taking into account the goals and purposes of the processing.

When a SoftServe Entity is a data controller:
SoftServe Entities being data controllers shall proactively limit the processing to the minimal volumes of data that are necessary to achieve the purposes of processing.

When a SoftServe Entity is a data processor:
SoftServe Entities being data processors shall proactively limit their exposure to the data processed on behalf of a controller, e.g. by assuming minimal permissions or receiving minimal data sets.

3.7 Accuracy and data quality

SoftServe Entities shall keep the data accurate and up to date.

When a SoftServe Entity is a data controller:
SoftServe Entities being data controllers shall proactively take appropriate measures to ensure the accuracy and quality of personal data, appropriate for the purposes of processing.

When a SoftServe Entity is a data processor:
SoftServe Entities being data processors shall proactively assist a controller in ensuring the level of data quality that is appropriate for the purposes of processing.

3.8 Security and confidentiality

SoftServe Entities shall implement industry-standard measures to ensure security and confidentiality of processing of all personal data.

When a SoftServe Entity is a data controller:
When processing personal data as controllers, SoftServe Entities inevitably pose some risks to the rights and freedoms of the data subjects. Hence, SoftServe Entities shall implement technical and organizational security measures that are appropriate to these risks.

When a SoftServe Entity is a data processor:
SoftServe Entities being data processors shall implement technical and organizational security measures as agreed with the relevant data controllers.

The security measures are further elaborated in SoftServe security policies.

3.9 Processing special categories of data

SoftServe Entities shall minimize processing of special categories of personal data that they perform.

When a SoftServe Entity is a data controller:
SoftServe Entities being data controllers shall only process special categories of personal data when strictly necessary and legally permissible. When doing such processing, the SoftServe Entity shall consider implementing additional measures to reflect the increased risk to data subjects (if any).

When a SoftServe Entity is a data processor:
A SoftServe Entity being a data processor shall implement additional technical and organizational security measures if any such measures are agreed with the relevant data controller.

4 Rights of individuals

4.1 Rights

SoftServe shall grant data subjects the following rights:

When a SoftServe Entity is a data controller:
SoftServe Entities being data controllers acknowledge the rights of data subjects, including:
  • the rights of access, rectification, erasure, restriction of processing, objection to processing and data portability, the right to withdraw consent (if any was granted), as well as the right not to be subject to decisions based solely on automated processing, as understood and shaped by the GDPR;
  • the right to complain to a SoftServe Entity and to receive fair handling of this complaint.

When a SoftServe Entity is a data processor:
SoftServe Entities being data processors shall cooperate with the data controllers with regard to the handling of data subjects’ rights.

Individuals also have the right to lodge a complaint with a relevant supervisory authority or a competent court, in particular in their country of residence or in the country where the SoftServe Entity which the complaint concerns is established.

4.2 Rights Request Procedure

All data subjects’ requests should be made in writing to the relevant SoftServe Entity or by sending an email to privacy@softserveinc.com.

SoftServe Entities being data controllers shall handle each request within one month, unless the applicable laws allow for the extension of this period.

When acting as data processors SoftServe Entities shall forward any requests received to the appropriate data controller.

4.3 Complaint handling procedure

Any data subject may complain about any SoftServe Entity in writing to the said SoftServe Entity or by sending an email to privacy@softserveinc.com.

All complaints shall be received by the Legal Department and registered in an issue tracking system, with their handling history being preserved and made accessible to inspections as required by applicable law or the provisions of the PDPR. The departments and associates involved in complaint handling shall be provided with a sufficient level of independence to ensure fair complaint handling.

SoftServe Entities shall handle each complaint within one month, unless the applicable laws allow for the extension of this period.

5 External vendors

SoftServe Entities may use external vendors providing various specialized services. Such vendors will usually have the status of subprocessors. However, sometimes the vendors may view themselves wholly or partly as data controllers.

When a SoftServe Entity is a data controller engaging an external vendor as a data processor:
The SoftServe Entity shall enter into a data processing agreement made to comply with the requirements of Article 28(3) of the GDPR. Moreover, the SoftServe Entity shall communicate to data subjects the relevant information on data recipients as required under sec. 3.2 above.

If the vendor is located in a third country which is not covered by an adequacy decision of the European Commission, the SoftServe Entity should put in place the necessary safeguards, in particular execute Standard Contractual Clauses made to satisfy Article 46(2)(c) of the GDPR.

When a SoftServe Entity is a data processor engaging an external vendor as a subprocessor:
The controller shall be involved in the engagement of other vendors on the conditions stipulated in the data processing agreement governing the processing. Moreover, the relevant SoftServe Entity shall enter into an appropriate data (sub)processing agreement with the vendor.

If the vendor is located in a third country which is not covered by an adequacy decision of the European Commission, the SoftServe Entity should put in place the necessary safeguards, in particular execute Standard Contractual Clauses made to satisfy Article 46(2)(c) of the GDPR.

When a SoftServe Entity is a data controller engaging an external vendor being a data controller:
The SoftServe Entity being a data controller shall check whether all conditions for the disclosure of personal data to an independent data controller are met, including in particular:
  • whether there is a legal basis for the data processing involving the disclosure under sec. 3.4 above;
  • whether data subjects have received the required information on data recipients under sec. 3.2 above;
  • if the data transfer involves a transfer to a third country which is not covered by an adequacy decision of the European Commission, the SoftServe Entity should put in place the necessary safeguards, in particular execute Standard Contractual Clauses made to satisfy Article 46(2)(c) of the GDPR.

When a SoftServe Entity is a data processor engaging an external vendor being a data controller:
The controller shall be involved in the engagement of other vendors, and its approval of the disclosure is necessary for it to occur. This means that the relevant SoftServe Entity shall request an instruction from the data controller to effect the disclosure (unless such disclosure is already envisaged by the data processing agreement executed with the data controller).

If the vendor is located in a third country which is not covered by an adequacy decision of the European Commission, the SoftServe Entity should specifically advise the data controller to put in place the necessary safeguards, in particular execute Standard Contractual Clauses made to satisfy Article 46(2)(c) of the GDPR. Such safeguards should be implemented directly by the data controller or indirectly with the help of the SoftServe Entity acting as a data processor (e.g. by executing the Standard Contractual Clauses on behalf of the data controller under a power of attorney).

In a mixed situation, where the vendor generally acknowledges its status as a sub-processor, but claims that it also has its own processing purposes with respect to which it remains an independent data controller, a mixed approach should be adopted.

6 Data transfers to third countries

SoftServe Entities shall only transfer personal data to countries that do not provide an adequate level of personal data protection when appropriate safeguards are established, such as Standard Contractual Clauses.

7 Compliance

7.1 Breaches

SoftServe Entities shall register and investigate any suspected personal data breach, document the investigation, and take all appropriate actions to assess the scope and severity of the breach, and to address it.

When a SoftServe Entity is a data controller:
Depending on the results of the breach investigation, SoftServe Entities being data controllers shall inform the supervisory authority and the affected data subjects as required by applicable law.

When a SoftServe Entity is a data processor:
SoftServe Entities being data processors shall inform the data controller about personal data breaches without undue delay and in any case – within the deadlines specified in the relevant data processing agreement. They shall also assist the controller in responding to the breach.

7.2 Easy access

SoftServe Entities shall make the PDPR easily accessible to their staff, clients as well as other data subjects.