Samsung Data Processing Agreement

Effective Date: August 02, 2023

This Data Processing Addendum ("Addendum") forms part of the Samsung Knox Product Terms and Conditions, and in the case of Knox Guard forms part of the Knox Guard Terms and Conditions, ("Principal Agreement") between: (i) Samsung Electronics Co., Ltd. ("SAMSUNG"); and (ii) you, acting on your own behalf and/or as agent for the entity you represent ("Company," "you," or "your") and as agent for each Company Affiliate.

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.

In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Principal Agreement. Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum. Provided that, where and if You have not agreed to the Principal Agreement, this Addendum shall apply as a standalone document and any terms or conditions shall be construed accordingly.

IT IS IMPORTANT THAT YOU READ CAREFULLY AND UNDERSTAND THIS ADDENDUM. BY CHECKING THE “AGREE” BOX AND PROCEEDING WITH REGISTRATION OR DOWNLOADING, INSTALLING OR USING ANY KNOX PRODUCT, YOU (A) IF ACTING AS AN INDIVIDUAL, REPRESENT THAT YOU ARE AT LEAST THE LEGAL AGE OF MAJORITY AND ABLE TO FORM A LEGALLY BINDING CONTRACT, AND CONSENT TO BE BOUND BY AND BECOME A PARTY TO THIS ADDENDUM OR, (B) IF REPRESENTING AN ENTITY, REPRESENT THAT YOU ARE LEGALLY AUTHORIZED TO BIND THE ENTITY AND THAT THE ENTITY CONSENTS TO BE BOUND BY AND BECOME A PARTY TO THIS ADDENDUM.

YOU REPRESENT AND WARRANT THAT YOU HAVE THE FULL ORGANIZATIONAL RIGHT, POWER AND AUTHORITY TO ENTER INTO THIS ADDENDUM, AND WHEN EXECUTED THIS ADDENDUM WILL CONSTITUTE THE LEGAL, VALID AND BINDING OBLIGATION OF YOU, AND ENFORCEABLE AGAINST YOU IN ACCORDANCE WITH THE TERMS AND CONDITIONS OF THIS ADDENDUM.

IF YOU OR THE ENTITY DO NOT AGREE TO CONSENT TO BE BOUND BY ALL OF THE TERMS OF THIS ADDENDUM, DO NOT CHECK THE “AGREE” BOX AND PROCEED WITH REGISTRATION, OR DOWNLOAD, INSTALL OR USE THE KNOX PRODUCT.

1. Definitions

1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

1.1.1 “Adequate EEA Jurisdiction” means any country in the EEA, as well as any country that the European Commission has formally determined provides adequate protection for Personal Data as reflected in a published adequacy finding (or any third country subject to a determination having an equivalent effect for the purposes of Chapter V of the EU GDPR), including (as at the date of this Addendum) Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, South Korea, Switzerland and Uruguay;

1.1.2 “Adequate Swiss Jurisdiction” means any third country, territory, or one or more specific sectors within that third country listed in the FDPIC's list of adequate countries (found at https://www.edoeb.admin.ch/edoeb/en/home/data-protection/handel-und-wirtschaft/transborder-data-flows.html), or otherwise acknowledged as a country deemed adequate for the purpose of Swiss Data Protection Law by the Federal Data Protection and Information Commissioner or (under the Revised Data Protections Laws) the Swiss Federal Council.

1.1.3 “Adequate UK Jurisdiction” means: any (i) third country; (ii) territory or one or more sectors within a third country; (iii) international organization; or (iv) description of such a country, territory, sector or organization, in each case that, pursuant to sections 17A and 17B of the UK Data Protection Act 2018, the Secretary of State has determined provides an adequate level of protection for Personal Data;

1.1.4 "CCPA/CPRA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, Cal. Civil Code § 1798.100 et seq., and its implementing regulations;

1.1.5 "Company Affiliate" means an entity that owns or controls, is owned or controlled by or is under common control or ownership with Company, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;

1.1.6 "Company Group Member" means Company, any Company Affiliate, and/or any other third party for which Company is Processing Personal Data for or on behalf of (“Third Party Company Group Member”);

1.1.7 "Contracted Processor" means SAMSUNG and/or a Subprocessor;

1.1.8 "Company Personal Data" means any Shared Personal Data Processed by a Contracted Processor on behalf of Company pursuant to or in connection with the Principal Agreement and/or this Addendum;

1.1.9 "Data Protection Laws" means any applicable law, enactment, constitution, treaty, statute, rule, regulation, ordinance, order, directive, judgment, decree, injunction, writ, determination, award, permit, license, authorization, requirement or decision of or agreement with or by any legislative, administrative, judicial or other governmental authority concerning the processing of data relating to living persons or relating in any way to the privacy, confidentiality, security or protection of Personal Data, as they may be amended from time to time, in any jurisdiction, each to the extent applicable to the activities or obligations under or pursuant to this Addendum, including without limitation;

(a) EU General Data Protection Regulation (EU) 2016/679 (“EU GDPR”);

(b) the EU GDPR as it forms part of retained EU law in the UK, as defined in the European Union (Withdrawal) Act 2018 and as amended (if applicable) by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (“UK GDPR”);

(c) UK Data Protection Act 2018 (as amended from time to time);

(d) any law, enactment, regulation or order transposing, implementing, adopting, supplementing or derogating from the EU GDPR and the EU Directive 2002/58/EC in each EU Member State and the UK; and

(e) applicable laws regulating the internet and unsolicited email communications, relating to security breach notifications, imposing minimum security requirements, and the secure disposal of records containing certain personal information;

1.1.10 "EEA" means the European Economic Area, which includes all member states of the European Union, and (as at the date of this Addendum), Norway, Iceland, and Liechtenstein;

1.1.11 "EU Processor Model Clauses" means Module Two of the model clauses for transfers from controllers in the EU to processors established outside the EU or EEA approved by European Commission Decision C(2021) 3972 final (as amended, superseded or replaced from time to time), and as amended and incorporated in accordance with Annex 3

1.1.12 "FDPIC" means the Federal Data Protection and Information Commissioner;

1.1.13 "Personal Data" means any information relating to an identified or identifiable natural person;

1.1.14 “Personal Data Breach” means any confirmed, actual breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Company Personal Data transmitted, stored or otherwise processed;

1.1.15 “Processing” means any operation or set of operations that is performed upon Personal Data or on sets of Personal Data, whether or not by automated or automatic means;

1.1.16 “Services” means the services and other activities to be supplied to or carried out by or on behalf of SAMSUNG for Company pursuant to the Principal Agreement;

1.1.17 “Shared Personal Data” means any Personal Data shared or otherwise made available by Company Group Member with SAMSUNG or that SAMSUNG collects directly from a user on behalf of a Company Group Member during the course of the Principal Agreement and/or this Addendum;

1.1.18 "Subprocessor" means any person including any third party and any SAMSUNG Affiliate, but excluding an employee of SAMSUNG or any of its sub-contractors appointed by or on behalf of SAMSUNG to Process Personal Data on behalf of a Company Group Member in connection with the Principal Agreement and/or this Addendum;

1.1.19 “Supervisory Authority” means the relevant competent authority responsible for data privacy and protection where Company Group Member or SAMSUNG are established;

1.1.20 “Swiss Data Protection Laws” means any law, enactment, regulation or order in Switzerland concerning the Processing of data relating to living persons, including the Federal Act on Data Protection of 19 June 1992 (SR 235.1) (“FADP”) and the revised version of the FADP dated 25 September 2020 (the “Revised FADP”) and

1.2 The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.

2. Processing of Company Personal Data

2.1 SAMSUNG shall:

2.1.1 Comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and

2.1.2 Not Process Company Personal Data other than on the relevant Company Group Member’s documented instructions unless Processing is required by applicable laws to which the relevant Contracted Processor is subject, in which case SAMSUNG shall to the extent permitted by applicable laws inform the relevant Company Group Member of that legal requirement before the relevant Processing of that Personal Data.

2.2 The applicable Company Group Member:

2.2.1 Instructs SAMSUNG and authorizes SAMSUNG to instruct each Subprocessor to:

2.2.1.1 Process Company Personal Data; and

2.2.1.2 In particular, transfer Company Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Principal Agreement; and

2.2.2 Warrants and represents

2.2.2.1 That it is and will at all relevant times remain duly and effectively authorized to give the instruction set out in section 2.2.1, including on behalf of each relevant Company Group Member (and if requested shall provide to SAMSUNG evidentiary documentation immediately);

2.2.2.2 That any Shared Personal Data it shares, transfers, or otherwise makes available (including in the case where Company or Company Affiliates shares, transfers, or otherwise makes available Shared Personal Data of a Third Party Company Group Member) to SAMSUNG is shared, transferred, or otherwise made available in accordance with applicable laws and its applicable privacy policy or notice, including without limitation obtaining proper consent (to the extent required) and providing appropriate notices and/or disclosures (to the extent required), and further that it will provide accurate Company Personal Data to SAMSUNG and will update Company Personal Data as necessary to ensure continued accuracy; and

2.2.2.3 That it shall comply at all times, at its own expense, with the provisions of all applicable laws, including procurement of any required permits or certificates in the Processing of Personal Data and making any instructions to SAMSUNG.

2.3 Annex 1 to this Addendum sets out certain information regarding the Contracted Processors' Processing of the Company Personal Data and, possibly, equivalent requirements of other Data Protection Laws. Company may make reasonable amendments to Annex 1 by written notice to SAMSUNG from time to time as Company reasonably considers necessary to meet those requirements. Nothing in Annex 1 including as amended pursuant to this section 2.3 confers any right or imposes any obligation on any party to this Addendum.

2.4 Nothing herein shall prevent or limit SAMSUNG from independently collecting and Processing Personal Data from devices using any Knox Service (defined in Annex 1 hereunder) (“Independent Personal Data”). To the extent the term “controller” or its equivalent exists under applicable Data Protection Laws, as applicable, SAMSUNG is an independent controller of any such Independent Personal Data.

3. SAMSUNG Personnel

SAMSUNG shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with applicable laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Security

4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, SAMSUNG shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.

5. Subprocessing

5.1 Company and each Company Group Member authorises SAMSUNG to appoint and permit each Subprocessor appointed in accordance with this section 5 to appoint Subprocessors in accordance with this section 5 and any restrictions in the Principal Agreement.

5.2 SAMSUNG may continue to use those Subprocessors already engaged by SAMSUNG at the date of this Addendum, subject to SAMSUNG as soon as practicable meeting the obligations set out in section 5.4.

5.3 SAMSUNG shall give Company prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 30 calendar days of receipt of that notice, Company notifies SAMSUNG in writing of any objections on reasonable grounds related to the Processing of Company Personal Data, SAMSUNG may appoint or disclose any Company Personal Data to that proposed Subprocessor provided that reasonable steps have been taken to address the objections raised by Company and/or any Company Group Member and Company has been provided with a reasonable written explanation of the steps taken.

5.4 With respect to each Subprocessor, SAMSUNG shall:

5.4.1 Before the Subprocessor first Processes Company Personal Data or, where relevant, in accordance with section 5.2, carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Company Personal Data required by the Principal Agreement; and

5.4.2 Ensure that the arrangement between on the one hand (a) SAMSUNG, or (b) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Company Personal Data as those set out in this Addendum and meet the requirements of applicable Data Protection Laws.

6. Data Subject Rights

6.1 Taking into account the nature of the Processing, SAMSUNG and each SAMSUNG Affiliate shall assist Company and each Company Group Member by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Company and/or the Company Group Members' obligations, as reasonably understood by Company, to respond to requests to exercise data subject rights under the Data Protection Laws.

6.2 SAMSUNG shall:

6.2.1 Promptly notify Company if any Contracted Processor receives a request from a data subject under any Data Protection Law in respect of Company Personal Data; and

6.2.2 Ensure that the Contracted Processor does not respond to that request except on the documented instructions of Company or the relevant Company Affiliate or as required by applicable laws to which the Contracted Processor is subject, in which case SAMSUNG shall to the extent permitted by applicable laws inform Company of that legal requirement before the Contracted Processor responds to the request.

7. Personal Data Breach

7.1 SAMSUNG shall notify Company without undue delay upon SAMSUNG or any Subprocessor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow Company or each Company Group Member to meet any obligations to report or inform data subjects of the Personal Data Breach under the Data Protection Laws.

7.2 SAMSUNG shall co-operate with Company and each Company Group Member and take such reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

8. Data Protection Impact Assessment and Prior Consultation

To the extent required under applicable Data Protection Laws, SAMSUNG shall provide reasonable assistance to Company and each Company Group Member with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Company reasonably considers to be required of Company or any Company Group Member under any applicable Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

9. Deletion or return of Company Personal Data

9.1 Subject to sections 9.2 and 9.3 SAMSUNG may retain Company Personal Data Processed after the date of cessation of any Services involving the Processing of Company Personal Data (the "Cessation Date") for up to the retention period stated in Annex 1.

9.2 Subject to section 9.3, Company may in its absolute discretion by written notice to SAMSUNG within 30 calendar days of the Cessation Date require SAMSUNG to (a) return a complete copy of all Company Personal Data to Company by secure file transfer in such format as is reasonably notified by Company to SAMSUNG; and (b) delete and procure the deletion of all other copies of Company Personal Data Processed by any Contracted Processor. SAMSUNG shall comply with any such written request within 90 calendar days of receipt of such written notice.

9.3 Each Contracted Processor may retain Company Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that SAMSUNG shall ensure the confidentiality of all such Company Personal Data and shall ensure that such Company Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.

10. Cooperation Assistance

10.1 To the extent required under applicable Data Protection Laws, SAMSUNG shall make commercially reasonable efforts to provide to Company or each Company Group Member on request all information necessary to demonstrate compliance with this Addendum, when Company or a Company Group Member is required or requested to carry out by Data Protection Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory,

10.2 To the extent required under applicable Data Protection Laws, SAMSUNG acknowledges and agrees that Company shall have the right, at any time during the term of the Principal Agreement, including any renewal thereof, to request that SAMSUNG engage a third party or allow Company at Company’s sole cost and expense, such third party to be mutually agreed upon by Company and SAMSUNG, to conduct an independent audit of SAMSUNG’s privacy and security practices, and SAMSUNG shall comply with such request.

11. International Transfers

11.1

Transfers from the EEA and UK

The Parties acknowledge and agree that SAMSUNG, in relation to EEA and UK Shared Personal Data

(A) is located in an Adequate EEA Jurisdiction and Adequate UK Jurisdiction respectively, and thus, any international transfers of such Personal Data do not require the execution or use of additional transfer mechanisms.

Transfers from Switzerland

(B) If the Company, in the context of an establishment located within Switzerland or to the extent it is otherwise subject to the Swiss Data Protection Laws, transfers any Personal Data outside of Company’s country or territory to SAMSUNG, such transfer shall be governed by, and the Parties hereby agree to comply with, EU Processor Model Clauses, unless:

i) SAMSUNG is in an Adequate Swiss Jurisdiction; or

ii) the transfer is permitted under Swiss Data Protection Law by some other method (such as binding corporate rules).

(C) If, in accordance with clause 11(B) above, the transfer of Personal Data is governed by EU Processor Model Clauses,

i) the EU Processor Model Clauses is incorporated by reference to this Addendum (as per clause 11(D));

ii) Company (as data exporter) shall assume all rights, obligations and liability of the data exporter under the EU Processor Model Clauses; and

iii) SAMSUNG (as data importer) shall assume all the rights, obligations and liabilities of the data importer under the EU Processor Model Clauses.

(D) For the purposes of the EU Processor Model Clauses, the details of the transfer are contained in Annex 1 (Description of Processing) and details of the technical and organizational security measures implemented by SAMSUNG (as data importer) are contained in Annex 2 (Technical and Organizational Security Measures) of this Addendum.

(E) To the extent there is any conflict between the terms of the EU Processor Model Clauses and the Principal Agreement or this Addendum, the terms of the EU Processor Model Clauses shall prevail.

Transfers from Other Jurisdictions

(F) If Company, in the context of an establishment located within a country outside the EEA, UK, or Switzerland, or to the extent it is otherwise subject to the Data Protection Law of such country, transfers any Personal Data outside of Company’s country or territory to SAMSUNG, such transfer shall be governed by, and the Parties hereby agree to comply with, if required and applicable, the standard contractual clauses or their equivalent ("Other Jurisdiction Processor Model Clauses") issued by the applicable Supervisory Authority or governmental or regulatory ("Other Jurisdiction Supervisory Authority"), unless:

i) SAMSUNG is located in an adequate jurisdiction approved by the Other Jurisdiction Supervisory Authority;

ii) the transfer is subject to a derogation in accordance with applicable Data Protection Law; or

iii) the transfer is permitted under Data Protection Law by some other method (such as binding corporate rules).

(G) If, in accordance with clause 11(F) above, the transfer of Personal Data is governed by Other Jurisdiction Processor Model Clauses,

i) such Other Jurisdiction Processor Model Clauses is incorporated by reference into this Addendum (as per clause 11(H));

ii) Company (as data exporter) shall assume all rights, obligations and liability of the data exporter under such Other Jurisdiction Processor Model Clauses; and

iii) SAMSUNG (as data importer) shall assume all the rights, obligations and liabilities of the data importer under such Other Jurisdiction Processor Model Clauses.

(H) For the purposes of such Other Jurisdiction Processor Model Clauses, the details of the transfer are contained in Annex 1 (Description of Processing) and details of the technical and organizational security measures implemented by SAMSUNG (as data importer) are contained in Annex 2 (Technical and Organizational Security Measures) of this Addendum.

(I) To the extent there is any conflict between the terms of such Other Jurisdiction Processor Model Clauses and the Principal Agreement or this Addendum, the terms of the Other Jurisdiction Processor Model Clauses shall prevail.

Further assurance

11.2 To the extent required under Data Protection Laws, the parties shall enter into a supplementary addendum to this Addendum to ensure appropriate data protection safeguards in relation to any transfer of Personal Data out of the jurisdiction from which the applicable Personal Data is collected. SAMSUNG shall have the right to propose, in good faith, alternatives to executing any such agreement and the parties agree to discuss in good faith any such alternatives.

12. Indemnification

Company shall – and shall procure that each Company Affiliate that is subject to this Addendum shall – indemnify, defend, and hold harmless SAMSUNG and its Subprocessors, their affiliates, and each of their respective officers, directors, employees, and agents (collectively, the “Contracted Processor Indemnitees”) from and against any and all costs, charges, damages, expenses, penalties and/or fines (including from any governmental or regulatory authority), fees (including without limitation reasonable attorney’s fees) and losses (including without limitation fees and costs incurred in recovering the same) incurred by any Contracted Processor Indemnitee that arises from any Company Group Member’s negligence, gross negligence or willful misconduct, or a breach by Company Group Member or any of its employees, subcontractors, or agents of this Addendum or Data Protection Laws.

13. General Terms

13.1 Without prejudice to:

13.1.1 The parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and

13.1.2 This Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.

13.2 Subject to section 11(E) and 11(I), with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties and entered into or purported to be entered into after the date of this Addendum), the provisions of this Addendum shall prevail.

13.3 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

ANNEX 1: DESCRIPTION OF PROCESSING

1. Categories of Personal Data

The Company Personal Data concern the following categories of Personal Data:

- Contact, registration and profile information, such as name, email, phone, address, and employer related information

- Device information, such as device identifiers (such as IMEI, serial number, MAC address and IP address), hardware information (such as device type related information, sensor related information, battery, country, time and network related information), and software information (such as application related information and configuration information)

- Usage information, such as when and for how long users use a Knox Service (defined below) and its features, permissions and status (such as license keys, license status, expiry dates and registration status), and compiled log data

- Location information, including precise geolocation and Wi-Fi and access point information

- Customer service related information, such as information provided by users (including any media or attachments) and responses and requests, inquiries and responses made through or about Knox Services

- Any other Personal Data Company may request Processing of pursuant to the Services

The Company Personal Data concern the following special categories of, or sensitive, Personal Data:

- None

2. Categories of data subjects

The Company Personal Data concern the following categories of Individuals:

End users (including employees) of Company Group Members

3. Purposes of the data Processing

The Company Personal Data will be Processed for the following purposes:

- Registration, authentication, and management of end user accounts, hardware, software or otherwise use of a Knox Service

- Billing and related functions

- Customer service, including resolution of technical issues and errors

- Maintenance (including monitoring usage) and security (including providing updates and patches)

- Any other purpose for which Processing of Personal Data is required to provide the Knox Service

“Knox Service” includes (i) Knox Platform for Enterprise, (ii) Knox Configure, (iii) Knox Guard, (iv) Knox Mobile Enrollment, (v) Knox Manage, (vi) Knox E-FOTA One (Cloud and On-Premise), (vii) Knox Suite, (viii) Enterprise Technical Support, (ix) Knox Asset Intelligence, (x) any other Knox related product that SAMSUNG may provide or release, from time to time, and which can be found at https://www2.samsungknox.com/en/dpa_services

4. Processing activities

The Covered Data will be subject to the following Processing activities:

Collection, recording, storage, organization, use, transmission and erasure of Company Personal Data. The specific Processing activities will vary depending on the specific Knox Service, however, Processing shall only be for the purposes described in Section 3 of Annex 1, and SAMSUNG will perform its Processing obligations under this Addendum on workstations that comply with Annex 2 of this Addendum

5. Recipients of the Covered Data

The Covered Data may only be disclosed to the following recipients:

Internal employees of SAMSUNG who have a reasonable need to know to perform the Services, and any other third party in accordance with the Addendum

6. Retention periods

The Company Personal Data will be retained, subject to the terms of this Addendum, in accordance with SAMSUNG’s internal policy

7. Frequency of the transfer

The Covered Data will be transferred on a continuous basis

8. Transfers to sub-processors

For transfers of Covered Data to sub-processors.

| Name | Purpose |
| --- | --- |
| Salesforce, Inc. | For handling customer support tickets and leads created via trial license generation, inquiries, or gated content download |
| Oracle Corporation | For sending emails on maintenance or optional newsletters |
| Google LLC | For analyzing traffic status, such as visitor geography and entry channel |
| Amazon Web Services Inc. | For license server hosting |
| Samsung R&D Institute Philippines | For license server management, and Knox account server development and operation |
| Samsung R&D Institute Canada | For Knox service administration and data analytics |
| Samsung R&D Institute Brazil | For Knox license and Analytics server development, and Knox data analytics |
| Samsung Research America | For Knox data analytics, and Knox service account server development and operation |
| Samsung SDS Co., Ltd. | For Samsung Knox Manage web services development, operation, and analytics |

Contact details

| Party | Contact details |
| --- | --- |
| Data exporter (Company) | The contact details inputted by Company Group Member during the registration process or use of the Knox Services |
| Data importer (Processor) | Samsung Electronics Co., Ltd., 129 Samsung-ro, Yeongtong-gu, Suwon-si, Gyeonggi-do Korea, dataprivacy@samsungknox.com |

ANNEX 2: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

This Annex 2 sets out the minimum technical and organizational security measures to be implemented by SAMSUNG.

1. Access control (physical access control and data access control)

SAMSUNG shall take measures to prevent unauthorized persons from gaining physical access to data processing facilities used for Processing Personal Data and to guarantee that authorized persons when using an automated data processing system may only access Personal Data that are within their competence. SAMSUNG undertakes in particular to implement the following measures:

- Implementation of an entry control system

- Installation of surveillance

- Implementation of authorized user systems

- Authentication procedures

- Implementation of procedures to prevent third party access

2. Control of use

SAMSUNG shall take measures to prevent unauthorized persons from using the data processing facilities and processes. SAMSUNG undertakes in particular to implement the following measures:

- Encryption

- Rights administration

- Secure storage of data carriers

3. Control of data transmission

SAMSUNG shall take measures to ensure that Personal Data cannot be read, copied, amended or deleted during their transmission, transport or storage on data carriers, and to allow checks to determine which recipients are entitled to receive Personal Data by data transmission facilities. SAMSUNG undertakes in particular to implement the following measures:

- Transport security

- Encryption, VPN and password protection

4. Input control

SAMSUNG shall take measures to allow subsequent checks to determine whether and by whom Personal Data has been entered, amended or deleted in data processing systems. SAMSUNG undertakes in particular to implement the following measures:

- Monitoring and reporting

- Records and documentation

5. Availability control

SAMSUNG shall take measures to ensure that Personal Data is protected against accidental destruction or loss. SAMSUNG undertakes in particular to implement the following measures:

- Alarm system

- Measures to prevent natural disasters, including fire and smoke detectors and fire extinguishers

- Backup procedures, including backup power supplies

- Mirroring of hard disks

- Anti-virus/firewall systems

6. Separation control

SAMSUNG shall take measures to ensure that Personal Data collected for different purposes can be Processed separately

7. Compliance with instructions

SAMSUNG shall ensure that commissioned data Processing is carried out in accordance with Company’s instructions. SAMSUNG has been entitled as an AAA level Compliance Program certified company by Ministry of Trade, Industry and Energy of Republic of Korea since 2014.

8. Media

SAMSUNG shall ensure that any media containing Personal Data permit the identification, inventorying and storing of Personal Data at a location with access restricted to authorized personnel. Data media handed over by Company and any copies or reproductions produced of them remain the property of Company.

9. Testing

SAMSUNG shall ensure that the security measures implemented in accordance with this Exhibit are regularly tested, assessed and evaluated in terms of their effectiveness in securing Personal Data.

ANNEX 3: EU PROCESSOR MODEL CLAUSES MODIFICATIONS

(SWISS PERSONAL DATA)

Where Swiss Data Protection Laws apply, the EU Processor Model Clauses are amended as follows:

Term

Amendment/Selected Option

References / Definitions

Where the transfer is exclusively subject to Swiss Data Protection Laws:

  • References to EU GDPR are replaced by references to the FADP (or Revised FADP, as appropriate).
  • References to the “EU”, “EU Member State”, “European Union” and “Union” are replaced with references to Switzerland.
  • References to competent supervisory authority are replaced with references to FDPIC.

Where the transfer is subject to both Swiss Data Protection Law and EU GDPR:

  • References to EU GDPR are supplemented by references to the FADP (or Revised FADP, as appropriate).
  • References to the “EU”, “EU Member State”, “European Union” and “Union” are supplemented with references to Switzerland.
  • References to competent supervisory authority are supplemented with references to FDPIC.

Clause 7 (Docking Clause)

Included.

Clause 9 (Use of sub-processors)

Option 2:

The data importer shall specifically inform the data exporter in writing of any intended changes to the list of sub-processors through the addition or replacement of sub-processors at least 60 days in advance, giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s).

Clause 11 (Redress)

Included

Clause 13 (Supervision) and Annex 1.C

  • Where the transfer is exclusively subject to Swiss Data Protection Laws: FDPIC.
  • Where the transfer is subject to both Swiss Data Protection Law and EU GDPR: (i) FDPIC, insofar as the transfer is governed by Swiss Data Protection Law; and (ii) the Office of the Data Protection Commissioner (of the Republic of Ireland), insofar as the transfer is governed by EU GDPR.

Clause 17 (Governing law)

  • Where the transfer is exclusively subject to Swiss Data Protection Laws: Swiss law
  • Where the transfer is subject to both Swiss Data Protection Law and EU GDPR: Irish law.

Clause 18 (Choice of forum and jurisdiction)

Courts of Ireland (Republic of Ireland).

Appendix Annex I.A (List of parties)

As set out in Annex 1 of the Addendum.

Appendix Annex I.B (Description of the transfer)

As set out in Annex 1 of the Addendum.

Appendix Annex II (Technical and organisational measures)

As set out in Annex 2 of the Addendum.

Annex III (list of sub-processors)

As set out in Annex 1 of the Addendum.

Annex IV (Switzerland specific changes)

The term “Member state” must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the relevant EU Processor Model Clauses. The parties acknowledge that the EU Processor Model Clauses shall protect the data of legal entities until the entry into force of the Revised FADP.

ANNEX 4: CCPA/CPRA ADDENDUM

SAMSUNG shall not (1) Sell or Share (as defined in the CCPA/CPRA) Shared Personal Data; and (2) retain, use or disclose Shared Personal Data (i) for any purpose other than those permitted herein and/or the CCPA/CPRA, or (ii) outside of the direct business relationship between SAMSUNG and Company. During the time Shared Personal Data is disclosed to SAMSUNG, Company has no knowledge or reason to believe that SAMSUNG is unable to comply with, or intends to use the Shared Personal Data in violation of, the provisions of this Addendum.
