GDPR DATA PROCESSING ADDENDUM
Posted: 24, Sept, 2024
This Data Processing Addendum, including its Schedules and Appendices (the “DPA”), forms part of the Terms of Service for the use of HIKVISION Services (as defined therein) by Customer (the “Terms”) as updated from time to time between Customer and HIKVISION and which reflects the parties’ agreement with regard to the processing of personal data.
By continuing to use the HIKVISION Services, Customer enters into this DPA as at the date of deemed acceptance by Customer of the DPA through such continued use of the HIKVISION Services (“Effective Date”), on behalf of itself and, to the extent required under Data Protection Laws, in the name and on behalf of its Authorized Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” or “you”/“your” shall include Customer and Authorized Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Terms.
In the course of providing the HIKVISION Services to Customer pursuant to the Terms, HIKVISION may process personal data of Customer and the parties agree to comply with the following provisions with respect to any such processing.
This DPA only applies if Customer is a corporate customer.
HOW TO EXECUTE THIS DPA:
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity;
“Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to the Data Protection Laws of the European Economic Area (“EEA”) and/or the United Kingdom, and (b) is permitted to use the HIKVISION Services pursuant to the Terms;
“Customer Data” means the personal data of data subjects whose data are collected and processed by the Customer;
“Data Protection Laws” means any applicable data protection or privacy laws, rules and regulations. It shall include as applicable (a) the EU e-Privacy Directive 2002/58/EC as implemented by countries within the EEA; (b) the GDPR, (c) the UK Data Protection Act 2018 and the UK Privacy and Electronic Communications (EC Directive) Regulations 2003, and (d) other laws, rules and regulations that are similar, equivalent to, or successors to the laws that are identified in (a) through (c) above;
1. Subject matter and duration of the processing of Customer Data
Customer Data will be processed by Hikvision:
- in order to provide Customer with the HIKVISION Services; and
- for the duration of the Customer’s use of HIKVISION Services.
2. The nature and purpose of the processing of Customer Data
3. The types of Customer Data to be processed
| | Types of Customer Data |
|---|---|
| Device management | device information, e.g. the device ID, device serial number |
| Handover by Transferring & Handover by Sharing | email address of the user who is selected to be sharing the device with |
| Company-Employee | the names, photos, identification number of Customer’s employee, job position, group number of Customer’s employee, account information of Customer’s employee (phone number, e-mail address), etc. |
| Operation Log | the name, e-mail address of Customer’s employee, the corresponding site and device information and operation content which is conducted by Customer’s employee |
| Health monitoring | the site owners’ e-mail address or any designated party’s e-mail, health report |
| Site Information Management | the site’s name, site owner’s name, site owner’s phone number or e-mail, site address, number of devices, device name, serial number, model, etc. |
| Video live view or video play back (after obtaining the Site owner’s permission) | the video and/or audio content from the Site Owner’s Products (as defined in the Terms) |
| Cellular IoT Data Service | the usage record of the data and data package |
| Alarm Receiving Center | video or audio content captured by the device, email address of the function users |
4. The categories of data subject to whom Customer Data relates
- Data subjects whose data are collected and processed via the Products purchased by the Site Owner e.g. through security camera footage, only after Customer obtains the permission from the Site Owner.
- Customer’s employee.
- The Site Owner.
5. The obligations and rights of Customer
The obligations and rights of Customer are set out in the Terms and this DPA.
Appendix B
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Hikvision will implement and maintain technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.
Encryption. The encryption standard used is Advanced Encryption Standard AES256 or AES-128-ECB. The data are encrypted at rest when they are stored in the database. TLS Protocol, DTS, or the HTTPS Protocol is used for transmissions to protect the personal data. The current encryption algorithm has passed ISO 27001 certification.
Security Review. Hikvision will conduct periodic reviews of the security of Hikvision Services and adequacy of its data security measures as measured against industry security standards and its policies and procedures, to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic review.
Access controls. Hikvision will maintain access controls and policies to manage what access is allowed to Hikvision Services from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls. Hikvision provides access to Customer Data to those employees, contractors and Sub-processors who have legitimate business need for such access privileges. When an employee, contractor or sub-processor no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked, even if the employee continues to be an employee of Hikvision or its affiliates.
Hikvision will take appropriate steps to ensure compliance with the technical and organisational measures by its employees, contractors and Sub-processors to the extent applicable to their scope of performance. Hikvision ensures that all persons authorised to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. All access to the Hikvision platform by employees and contractors is logged and routinely audited.
Personnel management. Hikvision employees are required to conduct themselves in a manner consistent with Hikvision policies and requirements regarding confidentiality, business ethics, and professional standards. Hikvision conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations. Hikvision employees are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Hikvision’s confidentiality and data protection policies. Hikvision employees are provided with security training. Employees handling Customer Data are required to complete additional requirements appropriate to their role.
Internal Policies and Procedures. Hikvision will adopt and enforce internal policies and procedures to protect personal data, including a) to identify reasonably foreseeable and internal risks to security and unauthorised access to Hikvision Services, and b) to minimise security risks, e.g. risk assessment and regular testing. Hikvision will maintain corrective action and incident response plans to respond to potential security threats.
Appendix C
SUBPROCESSOR LIST
1