Data Processing Addendum

BACKGROUND

FCM Travel Solutions is part of the Flight Centre Travel Group ("FCTG"), one of the world's largest travel agency groups.

The Client and FCTG (together, the "Parties") have entered into an agreement for the provision of travel and/or event management services by FCTG to the Client and, where applicable, to the Client’s Affiliates ("Travel Management Agreement").

In performance of its obligations under the Travel Management Agreement, FCTG processes Personal Data on behalf of the Client as set forth herein and in the Travel Management Agreement ("Contract Data Processing").  The Parties agree that, in relation to the Contract Data Processing, FCTG is the Processor and the Client is the Controller.

This Data Processing Addendum ("DPA") forms part of the Travel Management Agreement and specifies the rights and obligations of the Parties in connection with the Contract Data Processing. This DPA shall not replace any comparable or additional rights relating to processing of Personal Data contained in any Travel Management Agreement (including any existing data processing agreement that may have been agreed between the Client and FCTG).

By agreeing to the Travel Management Agreement, the Client enters into this DPA on its own behalf and, to the extent required under applicable data protection laws, on behalf of its Affiliates, if and to the extent FCTG processes Personal Data for which such Affiliates qualify as Data Controller.

In consideration of the Parties’ mutual rights and obligations set out in the Travel Management Agreement and this DPA, the Parties agree as follows:

1. DEFINITIONS
Capitalised terms used herein shall have the meaning assigned to them in the Travel Management Agreement or in Section 15 (List of Definitions) below.  Unless otherwise defined herein, the definitions of the EU General Data Protection Regulation 2016/679 ("GDPR"), in particular the terms "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processor", "Processing" and "Supervisory Authority" shall apply.

2. SUBJECT MATTER OF DPA
2.1 FCTG shall process Client Personal Data for the purpose of providing the services described in the Travel Management Agreement ("Contract Services") and any additional services under this DPA ("Processing Services") to the Client ("Admissible Purpose").  The Parties agree and acknowledge that the Client will be qualified as Controller and FCTG will be qualified as Processor when processing Client Personal Data hereunder.

2.2 Annex 2.2 sets forth details of

(a) purposes of Processing;

(b) duration of Processing;

(c) categories of Client Personal Data;

(d) categories of Data Subjects concerned by the Processing.

2.3 When processing any Client Personal Data outside of the territory of the European Union or the EEA or engaging in any act or practice regarding Client Personal Data where that act or practice is subject to data protection laws in jurisdictions outside the territory of the European Union or EEA, FCTG shall comply with those applicable data protection laws, and in particular will provide appropriate safeguards to ensure an adequate level of data protection in accordance with Art. 44 et seq GDPR.

2.4 FCTG shall process Client Personal Data only on behalf of the Client and in strict accordance with the Client's written instructions, including with regard to transfers of Personal Data to a Third Country or an international organisation, unless required to do so by Union or Member State law to which FCTG is subject.  In such a case, FCTG shall inform the Client of that legal requirement before such Processing, unless that law prohibits such information on important grounds of public interest.  For the avoidance of doubt, whenever this DPA or the Travel Management Agreement include provisions relating to the Processing of Client Personal Data (e.g. an obligation to anonymise certain Client Personal Data) such Processing shall be considered an instruction of the Controller pursuant to this DPA.

2.5 The Processing shall at all times be conducted in a professional manner and in compliance with the principles of proper data processing, the provisions of the Travel Management Agreement, this DPA and applicable law.

3. REQUIRED TECHNICAL AND ORGANISATIONAL MEASURES
3.1 FCTG shall take all reasonable efforts to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services as well as the ability to restore the availability and access to Client Personal Data in a prompt manner in the event of a physical or technical incident as appropriate for the Processing of Client Personal Data hereunder and as required under applicable law.  Having regard to the state of technological development, the cost of implementing such measures and the nature, scope and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, FCTG shall implement appropriate technical and organisational measures in order to:

(a) prevent (i) unauthorised or unlawful processing of the Client Personal Data; and (ii) the accidental loss or destruction of, or damage to, the Client Personal Data; and

(b) ensure a level of security appropriate to (i) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and (ii) the nature of the Client Personal Data to be protected,

including, as appropriate, the measures referred to in Article 32 GDPR ("Data Security Standards").

3.2 Without prejudice to the generality of the foregoing, the Data Security Standards that FCTG shall implement and maintain are defined in Annex 3.2.

3.3 Acknowledging that the Data Security Standards are subject to technical progress and development, the Parties agree that FCTG shall be authorised to implement adequate alternative technical and organisational measures provided, however, that such measures shall not materially fall short of the level of security provided by the Data Security Standards and shall comply with the requirements under applicable laws.

4. DATA SUBJECT RIGHTS
4.1 FCTG shall correct, delete, block or otherwise process Client Personal Data and shall take any other measures in relation to requests from Data Subjects in relation to their rights under applicable laws ("Data Subject Requests") only in accordance with and subject to the written instructions of the Client.  FCTG shall promptly provide any required information and use best efforts to assist the Client in dealing with any Data Subject Requests.

4.2 The Client shall be solely responsible for dealing with Data Subject Requests.  FCTG shall promptly notify the Client of any Data Subject Requests or other enquiries relating to this DPA without responding to such requests or enquiries unless expressly otherwise instructed by the Client.

5. FURTHER OBLIGATIONS OF FCTG
5.1 FCTG shall maintain a written record of all categories of processing activities carried out on behalf of a Client in accordance with Art. 30 par. 2 GDPR.

5.2 FCTG shall reasonably assist the Client in relation to:

(a) preparation of the records of processing activities in accordance with Art. 30 GDPR in relation to the Processing under this DPA and shall immediately upon request provide the Client with any information required for this purpose in a format reasonably requested by the Client;

(b) data protection impact assessments (DPIA) in accordance with Art. 35 GDPR; and

(c) any requests or consultations with the responsible Supervisory Authority.

5.3 FCTG shall ensure that any personnel undertaking or involved in the Processing under this DPA are properly qualified and trained and have committed themselves to keep Client Personal Data confidential or are under an appropriate statutory obligation of confidentiality in accordance with applicable law which shall survive termination of this DPA.

5.4 FCTG has appointed a data protection officer. The appointed person may be reached at data.protection@uk.fcm.travel. If you would like further information about the protections we’ve put in place, please contact your local DPO at the email address set out here.

6. SUB-PROCESSING
6.1 FCTG shall be authorised to engage other Processors in relation to the Contract Data Processing ("Sub-Processor") only in accordance with and to the extent permitted by applicable laws.

6.2 Any engagement of a Sub-Processor requires prior documented consent of the Client which shall not be unreasonably withheld.  The Client hereby consents to FCTG continuing to use any of FCTG’s Affiliates and all Sub-Processors already engaged by FCTG as at the date of this Addendum (a full list is available on request by contacting the FCTG data protection officer).  The Client shall promptly take any reasonable action required or appropriate to facilitate or support any transfer of Client Personal Data to approved Sub-Processors (e.g. updating registrations with Supervisory Authorities).

6.3 FCTG shall provide a mechanism on its Trust and Compliance page to subscribe to notifications of new Sub-Processors, to which the Client shall subscribe, and if the Client subscribes, FCTG shall provide notification of any new Sub-Processor.  If, within two weeks of receipt of any such notice, the Client notifies FCTG in writing of any objections to the proposed appointment for legitimate reasons, FCTG shall work with the Client in good faith to take reasonable measures to address the objections raised by the Client and, where such measures cannot be agreed within three weeks from FCTG's receipt of the Client's notice, notwithstanding anything in the Travel Management Agreement, the Client may by written notice to FCTG with immediate effect terminate the Travel Management Agreement to the extent that it relates to the Contract Services which require the use of the proposed Sub-Processor.  ‘Legitimate reasons’ shall be deemed given if there is an indication based on objective facts which reasonably supports the assumption that the engagement of the Sub-Processor would breach applicable law or this DPA.

6.4 Where FCTG engages a Sub-Processor for carrying out specific processing activities on behalf of the Client, FCTG shall enter into a written agreement with the Sub-Processor which includes terms which offer at least the same level of protection for Client Personal Data as those set out in this DPA and meet the requirements of Art. 28 par 3 GDPR.  The agreement with the Sub-Processor shall include a direct audit right for the Client or other appropriate audit mechanisms (e.g. third party audits or audits conducted by FCTG on behalf of the Client).

6.5 FCTG shall conduct regular audits as required under applicable law to ensure that the Sub-Processor complies with the Data Security Standards, applicable laws and its other contractual obligations.

6.6 In case of non-compliance of the Sub-Processor with its contractual obligations relating to Client Personal Data, FCTG shall remain fully liable to the Client for any damages caused by such non-compliance and shall indemnify and hold harmless the Client against any claims or damages in connection with or resulting from the engagement of the Sub-Processor.

7. RESTRICTED TRANSFERS
7.1 The Parties will immediately upon reasonable request of either Party and prior to commencement of any Restricted Transfer (i) enter into the standard clauses set forth in the Commission Decision dated February 5, 2010 (2010/87/EU) and/or (ii) enter into or establish any other appropriate instruments or undertakings required under applicable law to effect such Restricted Transfer without breach of such applicable law.  If so required by applicable law, FCTG shall cause any Sub-Processor to enter into such instruments or undertakings directly with the Client or shall enter into such instruments or undertakings with the Sub-Processor in the name and on behalf of the Client based on an appropriate Power of Attorney to be issued by the Client promptly upon request of FCTG.

7.2 "Restricted Transfer" means any transfer of Client Personal Data by or to any of the Parties or a Sub-Processor which would be prohibited by applicable law in the absence of the instruments or undertakings referred to in Section 7.1 above.

7.3 When processing Client Personal Data outside of the territory of the European Union or the EEA or engaging in any act or practice regarding Client Personal Data where that act or practice is subject to data protection laws in jurisdictions outside the territory of the European Union or EEA, FCTG shall comply with those data protection laws, and in particular will provide appropriate safeguards to ensure an adequate level of data protection in accordance with Art. 44 et seq GDPR.

8. INSPECTIONS AND AUDITS
8.1 FCTG shall make available to the Client on request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits in relation to the Processing of Client Personal Data, including inspections of the data-processing facilities of FCTG, by the Client or an auditor mandated by the Client, to the extent required by applicable law and in accordance with this Section 8.

8.2 FCTG shall, upon the Client’s request in writing, provide the Client with a summary of the results of its latest internal data security audit.  In addition, FCTG will, upon Client's request and not more than once each year, participate in a written information security questionnaire process of the Client evaluating FCTG’s compliance with the Data Security Standards.

8.3 Information and audit rights of the Client under Section 8.1 shall only arise under this Section if and to the extent that (i) the Travel Management Agreement does not otherwise provide for information and audit rights meeting the relevant requirements of applicable law (including Art. 28 par. 3(h) GDPR) and (ii) the information provided under Section 8.2 is not sufficient for the Client to comply with its inspection and audit obligations under applicable law.

8.4 The Client shall give FCTG at least three (3) weeks' notice of any audit or inspection to be conducted and shall avoid causing any damage, injury or disruption to FCTG's premises, equipment, personnel and business.  FCTG need not give access to its premises for the purposes of such an audit or inspection:

(a) to any individual unless he or she produces reasonable evidence of identity and authority;

(b) for the purposes of more than one audit or inspection in any calendar year, except for any additional audits or inspections which the Client is requested to carry out by a Supervisory Authority or any similar regulatory authority responsible for the enforcement of applicable laws.

8.5 In the event that the Client identifies any deficiencies or irregularities related to the Processing of Client Personal Data, FCTG will discuss such findings with the Client and the Parties shall work together to develop a mutually agreeable remediation plan.  If and to the extent applicable law specifically requires, or will require, changes to the preceding or additional audit rights to be granted to the Client, this DPA shall be construed and/or amended in a way that it complies with such additional requirements.  FCTG shall immediately inform the Client if, in its opinion, an instruction pursuant to this Section infringes any EU data protection laws or other EU or Member State data protection provisions (Art. 28 par. 3 GDPR).

8.6 No documentation or information may be copied, shared, transmitted or removed from FCTG's premises, except as mutually agreed or required by applicable law.  Any non-public documentation and information disclosed to the Client in accordance with this Section shall be deemed proprietary and confidential information of FCTG.  The Client shall not disclose such documentation or information to any third party or use it for any purpose other than evaluating FCTG’s compliance with the Data Security Standards.

9. PERSONAL DATA BREACHES AND INCIDENTS
9.1 The Parties are aware that applicable law may impose a duty on the Client to inform the competent Supervisory Authority and the Data Subject in the event of Personal Data Breach affecting Client Personal Data.  Such incidents must therefore be notified to the Client, regardless of their origin.  FCTG shall promptly notify the Client of any technical, organisational or other incidents (including incidents at Sub-Processors) which have resulted or may result in a Personal Data Breach in the sense of Art. 33 par. 1 GDPR affecting Client Personal Data ("Data Security Incident").  Data Security Incidents include in particular, but are not limited to, the following:

(a) any actual or suspected unauthorised access, disclosure, loss, download, theft, blocking, encryption or deletion by malware or other unauthorised action in relation to Client Personal Data by unauthorised third parties;

(b) any actual or suspected operational incidents which have an impact on the Processing of Client Personal Data;

(c) any actual or suspected breach of this DPA or applicable law by FCTG, its employees or agents to the extent that such breach affects the integrity and security of Client Personal Data or materially adversely impacts FCTG's obligations under this DPA; or

(d) any legally binding request for disclosure or seizure of Client Personal Data by a law enforcement or other public authority unless FCTG is prohibited by statutory law to notify such incident to the Client.

9.2 FCTG's notification of a Data Security Incident to the Client must be comprehensive and include in particular any information required under Art. 33 par. 3 GDPR and/or required by applicable laws.

9.3 Notification must be made by email to the contact specified in the Travel Management Agreement and, where the Client has provided FCTG with relevant contact details, the Client’s Data Protection Officer.

9.4 In the event that FCTG is required under applicable law to notify a Data Security Incident to a Supervisory Authority or other authority, the Data Subjects concerned or any other third parties (e.g. if the Data Security Incident results in a Personal Data Breach for which FCTG is itself responsible as Controller), FCTG shall, to the extent permitted under applicable law and reasonably possible, liaise and coordinate with the Client prior to making such notification.  The Parties shall use their best efforts to agree on a joint approach with a view to prevent any contradicting or inconclusive notifications.  This includes providing each other with the details of any notification and the date and time on which notification will be made.

9.5 In the event of a Data Security Incident, FCTG shall promptly take any measures required and appropriate under applicable law and technical standards to restore the confidentiality, integrity and availability of the Client Personal Data and the resilience of the processing systems and services and to mitigate the risk of harm and/or any detrimental consequences for the Data Subjects affected or potentially affected by the Data Security Incident.

9.6 The Parties shall use best efforts to support each other in the event of any audits, enquiries, investigations or other proceedings initiated by a Supervisory Authority or any other public body in relation to the Contract Data Processing.  To the extent permitted under applicable law, either Party shall immediately notify the other Party of such proceedings.

10. COSTS OF PROCESSING SERVICES
10.1 Unless expressly provided otherwise herein or in the Travel Management Agreement, the Client shall promptly upon being invoiced by FCTG compensate FCTG for any costs and expenses reasonably incurred and required in rendering the Processing Services hereunder (i.e. services which go beyond the Contract Services and which are not based on statutory obligations of FCTG).

10.2 The preceding shall not apply to any immaterial non-recurring costs which the Parties may reasonably expect to be covered by the fees and charges payable under the Travel Management Agreement.  For the avoidance of doubt, this does not include any Processing Services provided in accordance with Sections 4 - 8.

11. CLIENT'S OBLIGATIONS
11.1 The Client shall promptly take any action required to comply with its own obligations under applicable law in relation to the Processing of Client Personal Data hereunder (e.g. effect any required notification of Data Subjects).

11.2 The Client warrants that (i) it is entitled to engage and to provide the Client Personal Data to FCTG and (ii) the Processing of the Client Personal Data, provided that FCTG complies with applicable laws and the provisions of this DPA, does not infringe any third party rights.

12. RETURN AND DELETION OF CLIENT PERSONAL DATA
12.1 Upon termination of the Travel Management Agreement or anytime upon request of the Client, FCTG shall promptly delete and procure the deletion of all copies of Client Personal Data.  If and to the extent a deletion is not reasonably practicable, FCTG shall ensure that the Client Personal Data concerned are anonymised or permanently blocked and protected against unauthorised access, disclosure or use.  The Client may in its absolute discretion by written notice require FCTG to return a complete copy of all Client Personal Data to the Client by secure file transfer in such format as is reasonably notified by the Client to FCTG.  FCTG shall comply with any such written request.

12.2 FCTG may retain Client Personal Data to the extent required by applicable law and only to the extent and for such period as required by applicable law and always provided that FCTG shall ensure that such retained Client Personal Data is (i) kept confidential and protected against unauthorised access, disclosure or use and (ii) only Processed as necessary for the purpose(s) specified in the applicable law requiring its storage and for no other purpose.

12.3 Upon written request of the Client, FCTG shall provide written certification to the Client that it has fully complied with this Section.

13. BREACH OF THIS DPA
In the event of a breach of this DPA, the relevant provisions of the Travel Management Agreement shall apply.

14. AMENDMENT FOR DATA PROTECTION COMPLIANCE
14.1 Either Party may by at least two weeks' written notice to the other Party from time to time propose any amendments to this DPA which such Party reasonably considers to be necessary to address the requirements of applicable law.  If any Party gives such notice, the Parties shall promptly co-operate (and ensure that any affected Sub-Processors promptly co-operate) to ensure that appropriate amendments are made to address the requirements identified in the notice as soon as is reasonably practicable.

14.2 In the event of any changes of applicable law or guidance by a Supervisory Authority or any specific instructions or orders by a Supervisory Authority in relation to this DPA, the Parties shall promptly amend this DPA as reasonably required and appropriate to ensure compliance with such changed legal requirements.

15. LIST OF DEFINITIONS
"Admissible Purpose" has the meaning assigned in Section 2.1.

"Affiliate" means any legal entity directly or indirectly controlling or controlled by or under direct or indirect common control with the specified entity. "Control", for the purposes of this definition, means the power to direct the management and policies of such entity, directly or indirectly, whether through the ownership of voting securities, by contract (including franchise or trademark licence agreement) or otherwise.

"Client" means the entity that has entered into a Travel Management Agreement with FCTG and, for the purposes of this DPA only, and except where indicated otherwise, includes the Client’s Affiliates.

"Client Personal Data" means any Personal Data processed by FCTG on behalf of the Client pursuant to or in connection with the Travel Management Agreement.

"Contract Data Processing" has the meaning assigned to the term in the Background Section.

"Contract Services" has the meaning assigned to the term in Section 2.1.

"Data Security Incident" has the meaning assigned to the term in Section 9.1.

"Data Security Standards" has the meaning assigned to the term in Section 3.1.

"Data Subject Requests" has the meaning assigned to the term in Section 4.1.

"DPA" has the meaning assigned in the Background Section.

"EEA" means the European Economic Area.

"FCTG" means the Flight Centre Travel Group entity which is a party to the Travel Management Agreement and this DPA, being one or more of the following entities trading as FCM Travel Solutions: Flight Centre (UK) Limited, Flight Centre Travel Group (Ireland) Limited, Flight Centre Travel Group (Germany) GmbH, Flight Centre Travel Group (Europe) AB, Flight Centre Travel Group (Netherlands) B.V., and, to the extent any Affiliate of the aforementioned entities processes Personal Data on behalf of the Client in the territory of the European Union or the EEA, "FCTG" shall mean and include that Affiliate.

"GDPR" has the meaning assigned to the term in Section 1.

"Processing Services" has the meaning assigned to the term in Section 2.1.

"Sub-Processor" has the meaning assigned to the term in Section 6.1.

"Third Country" means any country which is not a member of the EU or EEA and has not been recognised by the European Commission as providing an adequate level of Personal Data protection. The countries that have been so recognised include, as of November 2017, Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.

"Travel Management Agreement" has the meaning assigned in the Background Section.

16. FINAL PROVISIONS
16.1 Order of precedence.   This DPA varies the terms of the Travel Management Agreement and the provisions of this DPA are incorporated into and form part of the Travel Management Agreement as if set out in the Travel Management Agreement in full.  In the event of any conflict or inconsistency, the provisions of this DPA shall take precedence over the provisions of the Travel Management Agreement.  Otherwise, the provisions of the Travel Management Agreement shall remain in full force.

16.2 Written form.   No change of or amendment to this DPA and any of its terms shall be valid and binding unless made in writing and unless they make express reference to being a change or amendment to this DPA.  The foregoing shall also apply to the waiver of this mandatory written form.

16.3 Severance.   Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.  This shall apply accordingly in the event of any unintended gaps.
Annex 2.2

Purpose of the Processing, Duration of the Processing, Categories of Client Personal Data and Data Subjects Concerned by the Processing

1. PURPOSE OF PROCESSING
Any Processing hereunder will be performed exclusively for the purpose of executing the Travel Management Agreement (limitation of admissible purpose).

2. DURATION OF PROCESSING
The duration (term) of this DPA is equal to the term of the Travel Management Agreement and this DPA shall terminate automatically when the Travel Management Agreement terminates, with the exception of any provisions intended to survive termination hereof or the Travel Management Agreement.  Any right to terminate this DPA separately prior to such termination date shall be excluded to the extent permitted by applicable law.

3. CATEGORIES OF CLIENT PERSONAL DATA

  • Traveller Profile Data.   Name, residential address, telephone number, email, job title, office location, employee number, passport and visa information (including date of birth, nationality, place of birth, passport number and expiry date), driving licence number and information, mileage and frequent flyer/guest card numbers.
  • Passenger Name Record (“PNR”) Data.   Traveller Profile Data processed in PNR format associated with reservation data, including flight dates and routings, flight numbers, hotel reservations, car rental bookings, rail bookings, ticketing information, authorisation solutions and travel risk management.
  • Payment Data.   Credit/debit card details and bank details (if required under the payment arrangements in the Travel Management Agreement).
  • Dietary and Special Assistance Information.   Provided in connection with travel arrangements (such as meal requests or special assistance requirements) which potentially concern health or indicate religious belief.
  • Emergency Contact Details.   Name and telephone number of travellers’ partners/emergency contacts.

4. CATEGORIES OF DATA SUBJECTS CONCERNED

  • Employees, agents and contractors (“Personnel”) of the Client and the Client’s Affiliates.
  • Emergency contacts and/or partners of the Client’s Personnel and the Client’s Affiliates’ Personnel.

Annex 3.2

DATA SECURITY STANDARDS

1. DATA SECURITY GOVERNANCE
FCTG maintains internal organisational and governance procedures to appropriately manage information throughout its lifecycle.  FCTG regularly tests, assesses and evaluates the effectiveness of its Data Security Standards.

2. PHYSICAL ACCESS CONTROL
FCTG uses a variety of measures to prevent unauthorised access to the physical premises where Personal Data are processed.  Those measures include:

  • Centralised key and code management, card-key procedures
  • Badge card systems including appropriate logging and alerting mechanisms
  • Surveillance systems including alarms and, as appropriate, CCTV monitoring
  • Receptionists and visitor policies
  • Locking of server racks and secured equipment rooms within data centres

3. VIRTUAL ACCESS CONTROL
FCTG implements appropriate measures to prevent its systems from being used by unauthorised persons. This is accomplished by:

  • Individual, identifiable and role-based user account assignment
  • Role-based and password protected access and authorisation procedures
  • Centralised, standardised password management and password policies (minimum length/characters, change of passwords)
  • Deactivation of user accounts after 5 failed login attempts
  • Automatic log-off in case of inactivity
  • Anti-virus management

4. DATA ACCESS CONTROL
Individuals that are granted use of FCTG systems are only able to access the data that are required to be accessed by them within the scope of their responsibilities and to the extent covered by their respective access permission (authorisation) and such data cannot be read, copied, modified or removed without specific authorisation. This is accomplished by:

  • Authentication at operating system level
  • Separate authentication at application level
  • Authentication against centrally managed authentication system
  • Segregation of duties and authorisations between users, administrators and system developers
  • Change control procedures that govern the handling of changes (application or OS) within the environment
  • Remote access only via VPN including appropriate authorisation and authentication
  • Logging of system and network activities to produce an audit-trail in the event of system misuse

5. DISCLOSURE CONTROL
FCTG implements appropriate measures to prevent data from being read, copied, altered or deleted by unauthorised persons during electronic transmission and during the transport of data storage media. FCTG also implements appropriate measures to verify to which entities’ data are transferred. This is accomplished by:

  • Data transfer protocols including encryption for data carrier/media
  • Profile set-up data transfer via Secure File Transfer Protocol
  • Encrypted VPN
  • No physical transfers of backup media

6. DATA ENTRY CONTROL
FCTG implements appropriate measures to monitor whether data have been entered, changed or removed (deleted), and by whom. This is accomplished by:

  • Documentation of administration activities (user account setup, change management, access and authorisation procedures)
  • Archiving of password-reset and access requests
  • System log-files enabled by default
  • Storage of audit logs for defined periods of time for audit trail analysis
  • Centralisation of audit logs to correlate incidents cross-system

7. INSTRUCTIONAL CONTROL
FCTG implements appropriate measures to ensure that data may only be processed in accordance with the instructions of the Client. Those measures include:

  • Binding policies and procedures on FCTG employees
  • Where sub-processors are engaged in the processing of data, including appropriate contractual provisions to the agreements with sub-processors to maintain instructional control rights

8. AVAILABILITY CONTROL
FCTG maintains appropriate levels of redundancy and fault tolerance for accidental destruction or loss of data, including:

  • Extensive and comprehensive backup and recovery management systems
  • Documented disaster recovery and business continuity plans and systems
  • Storage and archive policies
  • Anti-virus, anti-spam and firewall systems and management including policies
  • Data centres are appropriately equipped according to risk, including physically separated backup data centres, uninterruptible power supplies (backup generators), fault-redundant hardware and network systems, and alarm and security systems (smoke, fire, water)
  • Network built to N+1 redundancy levels throughout
  • Server clustering used in most applications to protect against hardware failures
  • Mirroring of hard disks is used in all systems (e.g. RAID), in both local storage and SAN-based storage environments
  • On-site UPS systems provide uninterrupted power to platforms and on-site generator systems provide long-term power in the event of a prolonged outage
  • All critical systems have fault-redundant services running in parallel in a secondary data centre

9. SEPARATION CONTROL
FCTG implements appropriate measures to ensure that data that are intended for different purposes are processed separately. This is accomplished by:

  • Access request and authorisation processes provide brand-client data separation (logical application-based segregation)
  • Separation of functions (production/testing)