DELL EMC PARTNER PROGRAM TERMS AND CONDITIONS (Europe, Middle East & Africa version)
By participating in the Dell EMC Partner Program (“Program”), the company or entity submitting the channel partner application (“you” or “Channel Partner” – “your” shall be construed accordingly), being a party to these terms and conditions (“Terms”) with Dell EMC , agrees to be bound by these Terms as from your acceptance of these Terms (“Effective Date”). Unless otherwise specified by Dell EMC, these Terms shall govern subprograms, including marketing and incentive programs that are offered to you as a participant in the Program. For the purposes of this Program, “Dell EMC” means, as applicable, the Dell Affiliate with which you have executed the Dell Ordering Agreement (as described in Section 2.2 below) or if no such Dell Ordering Agreement exists, then Dell Affiliate means Dell Products, with a place of business at Raheen Industrial Estate, Limerick, Co. Limerick, Republic of Ireland, (herein referred to as “Dell”) and/or the EMC Affiliate with which you have executed the EMC Ordering Agreement (as described in Section 2.2 below) or if no such EMC Ordering Agreement exists, then EMC Affiliate means EMC Information Systems International, with a place of business at IDA Industrial Estate, Ovens, County Cork, Republic of Ireland (herein referred to as “EMC”) (collectively, referred to herein as “Dell EMC”). “Affiliate” means any legal entity controlling, controlled by, or under common control with either Dell or EMC and “Dell EMC Affiliate” shall be construed accordingly.
1. ELIGIBILITY. Throughout your participation in the Program, you must (a) maintain good credit standing with Dell, EMC and/or all Dell EMC Affiliates as applicable; (b) maintain a current Program registration profile, including yearly updates and (c) provide prompt, written notification to Dell EMC of any changes that may affect your participation in the Program. Additional requirements regarding your Channel Partner status may be found here and may be updated upon reasonable notice to Channel Partners at Dell EMC’s sole discretion.
2. GOVERNING DOCUMENTS.
2.1 Program Terms. These Terms shall apply to your participation in the Program and supersede any previous program terms or agreements in place between you and Dell or EMC.
2.2 Ordering Agreements. These Terms do not authorize Channel Partner to purchase Dell EMC products or services for re-sale/licensing directly from a Dell EMC Affiliate or to perform implementation, installation or support services for any Dell EMC product. If Channel Partner purchases products or services directly from Dell, Channel Partner will order from the applicable Dell entity until further notice, and such purchases are subject to and governed by either the then-current applicable Dell entity Reseller Terms of Sale, or any existing agreement that you have with Dell, or a Dell EMC Affiliate, that authorizes you to purchase Dell products directly (collectively the “Dell Ordering Agreement”). If Channel Partner purchases products or services directly from EMC, Channel Partner will order from the applicable EMC entity until further notice, and such purchases are subject to and governed by the existing purchasing agreement with EMC or a Dell EMC Affiliate that authorizes you to purchase EMC products directly (“EMC Ordering Agreement”). Channel Partners with no EMC Ordering Agreement or Dell Ordering Agreement may purchase Dell EMC products and services from a Dell EMC authorized distributor only.
2.3 Precedence. To the extent there are any conflicting provisions regarding Program, Information, Confidential Information (as defined in Section 7), Personal Data (as defined in Section 8) incentives, rebates, pricing (each provided as a result of the Program) or interpretation of these Terms, these Terms shall prevail and control, followed by the EMC Ordering Agreement or Dell Ordering Agreement.
3. PARTNER PORTAL ACCESS.
3.1 Scope and Grant of License. Dell EMC may provide to you, or you may receive, (i) information through Program websites, currently identified as the “Partner Portal” which contain information, materials, and tools pertaining to Dell EMC products and services; (ii) other information related to the Program not obtained through the Partner Portal; and (iii) Customer Data (as defined below) (collectively the “Information”). Dell EMC grants Channel Partner a limited, non-exclusive, nontransferable, non-sublicenseable right and license, during the period in which these Terms are in effect, to access the Partner Portal and to use the Information solely in accordance with the provisions of this Section 3 (Partner Portal Access), Section 7 (Confidential Information) and Section 8 (Personal Data). All Information shall remain the property of Dell EMC.
3.2 Restriction on Usage. Channel Partner shall use the Information only for the purposes of (i) marketing and delivery of Dell EMC products or services obtained by Channel Partner from Dell EMC or a Dell EMC authorized distributor; (ii) development of Channel Partner services utilizing Dell EMC products and services; and/or (iii) assisting Dell EMC to sell and/or license Dell EMC products and services. Channel Partner shall promptly notify Dell EMC of the termination or reassignment of any Channel Partner personnel who have been granted access hereunder. If Partner obtains “Customer Data”, meaning contacts and other information related to Dell EMC’s customers, including prospective customers and leads for Partner to market and sell Dell EMC products and services to, Partner agrees; (i) that all Customer Data is considered Dell EMC’s Confidential Information (as defined in Section 7 below) and that you shall keep all Customer Data confidential, and shall not disclose Customer Data to any third party without Dell EMC’s prior written consent; (ii) that you will only access, retain and use Customer Data solely for the purpose of marketing and selling Dell EMC products and services; (iii) that you will not sell, rent, transfer, distribute, or otherwise disclose or make available any Customer Data to any third party (including subcontractors, agents, outsourcers, or auditors), without prior written permission from Dell EMC, unless and to the extent required by law; and (iv) that you will comply with Section 8 and the Data Processing Schedule in respect of any Customer Data that is Personal Data (as defined in Section 8).
4. PARTNER TRAINING OBLIGATIONS.
Channel Partner shall use good faith and reasonable efforts to conform to any training obligations required by Dell EMC for its Channel Partner status, currently located at the Partner Portal, within ninety (90) days after the training becomes available from Dell EMC, or such earlier date as specified by Dell EMC. The charges associated with this training, if any, shall be payable by the Channel Partner.
5. PARTNER COMMUNICATIONS. In connection with your participation in the Program, Dell EMC may contact you and/or any of your personnel (by email, SMS, mail, telephone or other means) regarding news or information related to any element of the Program, including sub-programs and Program related marketing activities and incentives aimed at end user customers ("Channel Partner Communications"). It is a condition of your participation in the Program and your access and use of the Portal that you and your personnel receive such Channel Partner Communications. End user customers who receive communications related to Program related marketing activities and incentives must be able to unsubscribe at any time. Separately, Dell EMC may contact you or any of your personnel (by email, mail, SMS, telephone or other means) regarding Dell EMC offers and promotions (“Marketing Communications”). Recipients of Marketing Communications from Dell EMC may unsubscribe at any time.
6. AVAILABILITY. Access to the Partner Portal may be unavailable without notice at certain times, and Dell EMC will not be liable for any damages that may result from such lack of availability.
7.1 This provision covers confidential information disclosed only in connection with the Program. In connection with these Terms, you may have access to or be exposed to Dell EMC Information that is not generally known to the public, whether such information is in written, oral, electronic, web site-based, or other forms (collectively, "Confidential Information"). You will keep all Dell EMC Confidential Information strictly confidential for a period of three (3) years after the termination of these Terms, using at least the same degree of care as you use to protect your own confidential information, but no less than reasonable care. You will share Confidential Information only with your employees who have a need to know and who are subject to legally binding obligations to keep such information confidential. These confidentiality obligations do not apply to any Confidential Information that (a) you can demonstrate was in your possession before your receipt from Dell EMC; (b) is or becomes publicly available through no fault by you; or (c) you rightfully received from a third party without a duty of confidentiality. If you are required by a government body or court of law to disclose any Dell EMC Confidential Information, you agree to give Dell EMC reasonable advance notice so that Dell EMC may contest the disclosure or seek a protective order. Partner acknowledges that damages for improper disclosure of Confidential Information may be irreparable and that Dell EMC shall be entitled to equitable relief, including injunction and preliminary injunction, in addition to all other remedies available at law or in equity.
7.2 Notwithstanding any separate confidentiality agreement you may have with Dell EMC, and subject to the parties’ compliance with Section 8, you agree that information regarding your business with Dell EMC and information you provide to Dell EMC in connection with the Program, including end user information, may be accessed and used by Dell EMC and Dell EMC Affiliates and their employees and contractors for sales and marketing purposes and for any purpose related to the Program or the relationship between you and Dell EMC and may be disclosed to relevant Dell EMC distributors, resellers, governing body or end-users for the purposes of fulfilling Dell EMC’s obligations to you and your end-user. To the extent necessary in provision of Dell EMC products or services and subject to the parties’ compliance with Section 8, you agree that Dell EMC may communicate directly with Channel Partner’s end users.
8. Personal data.
8.1 “Personal Data” shall have the meaning in the General Data Protection Regulation (EU) 2016/679.
8.2 Dell may provide you with Personal Data (e.g. Customer Data) for you to Process (as defined in the Data Processing Schedule attached hereto) either as a Controller OR as our Processor or Subprocessor (as such terms are defined in the Data Protection Schedule). You may provide Dell EMC with Personal Data (e.g. lead registration or lead generation information) for Dell EMC to Process as a Controller OR as your Processor or Subprocessor.
8.3 To the extent that, in the performance of your obligations under these Terms, you Process Personal Data received from Dell EMC either as a Controller or a Processor or Subprocessor, you hereby agree to comply with the Data Processing Schedule. To the extent that you provide Dell EMC with Personal Data and Dell EMC Processes such data either as a Controller or as a Processor or Subprocessor, Dell EMC shall also comply with the Data Processing Schedule.
8.4 Dell EMC may use account-related data, technical and related information about use and performance of the Dell EMC products or services derived from the provision of the products or services under these Terms (which may include Personal Data) to assess, enhance and/or improve Dell’s products, services, solutions, technologies, communications and relationship with you. Dell is an independent Controller of this data. More information about Dell’s data privacy practices can be found here.
9. ADMINISTRATION and AUDIT. During the term of these Terms and a period of five (5) years thereafter you will maintain legible, accurate and complete books and records concerning these Terms and your activities hereunder. At the end of this retention period, you will appropriately dispose of all records. Upon Dell EMC's request, you will cooperate with and assist Dell EMC with any audit, review, or investigation ("Audit") that relates to (i) these Terms or your compliance with Laws and Regulations (as defined below); (ii) your marketing, sale, distribution, licensing, or delivery of Dell EMC products and services, whether sourced from Dell EMC or a third-party; (iii) any rebates, incentives, concessions, or other amounts paid or payable by Dell EMC; (iv) compliance with logo use standards, or (v) any amounts due to Dell EMC. In connection with an Audit, you will deliver all records, information, and documents reasonably requested by Dell EMC. Dell EMC has the right to conduct onsite Audits, and you will grant Dell EMC and its employees and representatives reasonable access to information, records, personnel, and customers (including customer agreements to verify your compliance with these Terms) and provide entry and access to your premises or other locations (during normal business hours) where such information and records are located. Failure to cooperate with an Audit or provide the information or records requested by Dell EMC is a material breach of these Terms. Dell EMC will pay the costs of an Audit except where a discrepancy of five (5) percent or more is discovered in the information disclosed by you, in which case you agree to be responsible for all reasonable costs. Dell EMC may deny any claim that it believes, in its sole discretion, does not conform to these Terms, the Program, or subprogram terms. Dell EMC may, without prior notice, immediately suspend or terminate an order or your participation in the Program if you provide to Dell EMC or end-users any inaccurate, incomplete, or fraudulent claims or information or if you engage in activities that may cause damage, embarrassment or adverse publicity to Dell EMC, or any of its officers, directors or employees. Dell EMC’s records and systems shall be authoritative and conclusive for purposes of determining your eligibility and Program benefits and for performing any computation under the Program. Dell EMC reserves the right to interpret the rules of the Program in its sole discretion.
10. BUSINESS CONDUCT AND ANTI-CORRUPTION LAWS.
You represent and warrant that you understand and agree to comply with your obligations under the Dell EMC Partner Code of Conduct available here. At all times, you are required to comply with all applicable laws and regulations, including anti-bribery, export, trade, data protection and privacy, antitrust and competition laws and regulations (“Laws and Regulations”). You will not take or allow any third party to take any action or engage in any practice that would violate Laws and Regulations. Any violation of this Section 9 by you or by persons working for you or on your behalf will constitute the basis for the immediate termination of your business relationship(s) with Dell EMC, including all related contracts.
11. INCENTIVE, REBATE, MDF AND OTHER PORTAL TERMS. You will comply with all terms posted to the Partner Portal regarding any subprograms, tools or products, including, but not limited to:
a. Dell EMC Partner Program Incentive Terms and Conditions - EMEA that are posted here;
b. Dell EMC Deal Registration Terms and Conditions – EMEA that are posted here.
12. LOGO AND TRADEMARK.
12.1 Dell EMC Logo, Trademark and Domain Usage. You agree that trademarks, service marks, trade or company names, product and service identifications, internet domains/internet addresses, logos, artwork and other symbols and devices associated with Dell EMC, Dell EMC Affiliates, and Dell EMC’s products and services (the “Dell EMC Marks”) are and shall remain Dell EMC’s property. You acknowledge that any provided images and artwork of Dell EMC products or services are subject to Dell EMC copyright and you will not alter these images or use them outside of the context in which they were provided to you. You agree that you will not use the Dell EMC Marks in search engine advertising, either as a keyword or in advertisements appearing on search engines or in email addresses, without Dell EMC’s prior written permission. Additionally, you may not register or use any domain name or business name containing or confusingly similar to any Dell EMC Marks.
12.2 Program Logo. All Dell EMC Program Logos will be governed by the Dell EMC Channel Partner Logo and Trademark Use Document found here.
13. INDEMNIFICATION. To the fullest extent permitted by law, you shall indemnify, defend, and hold harmless Dell EMC, Dell EMC Affiliates, and their respective successors and assigns from any claim, demand, cause of action, debt, or liability (including reasonable attorney or legal fees, expenses, and court costs) arising from your violation of Laws and Regulations.
14. LIMITATION OF LIABILITY. In no event will Dell EMC be liable for any loss of business, income, or profits, or for lost or corrupted data or software. Dell EMC will have no liability for any consequential, special, punitive, reliance, exemplary, incidental, or indirect loss or damages. Dell EMC’s aggregate liability for all claims in connection with these Terms shall be limited to $500 (five hundred U.S. dollars) or the equivalent amount in the currency of the country in which your company headquarters is located. The aforementioned limitations shall not apply to limit liability for fraud and any other liability that cannot be excluded by law.
15. TERM AND TERMINATION.
15.1 Term and Termination. These Terms shall commence upon the Effective Date and continue until terminated in the manner set forth below. You may withdraw from the Program at any time by notifying Dell EMC in writing. Dell EMC may suspend or terminate your participation in the Program, in whole or in part, without prior written notice: (i) for any breach of these Terms or any other agreement related to your participation in the Program, (ii) for any attempt to impair the integrity of the Program as determined by Dell EMC or (iii) for any violation of Laws and Regulations as set out in Section 9. In addition, Dell EMC, in its sole discretion, may terminate these Terms or the Program, in whole or in part, for all participants, or for you alone, with or without cause, upon ten (10) days’ notice.
15.2 Effect of Termination. Upon termination of these Terms or the Program, the license and rights granted hereunder shall terminate completely and Channel Partner shall cease to use Information and shall promptly return to Dell EMC all tangible copies of the Information in its possession at Channel Partner’s own cost. Nothing in this Section shall limit Dell EMC's rights to pursue other legal remedies, including immediate court or judicial relief. All provisions that by their nature are intended to survive the termination shall survive.
15.3 Termination of Partner Portal Access. Dell EMC has the right to terminate or discontinue access to the Information or Partner Portal, at its convenience, by sending written notice thereof which will be effective upon receipt.
16.1 Assignment. You may not assign these Terms, or any benefits due to you under the Program, nor delegate any obligations hereunder, to any third party without the express written consent of Dell EMC.
16.2 Independent Contractors. You and Dell EMC are independent contractors and shall have no authority to bind the other. Neither these Terms nor your participation in the Program shall be deemed to create a partnership, agency, joint venture, franchise, or other similar arrangement, and the employees, agents, or representatives of one party shall not be deemed to be employees, agents, or representatives of the other party.
16.3 Force Majeure. Except for payment obligations where applicable, neither party will be liable for failure to perform its obligations during any period if performance is delayed or rendered impracticable or impossible due to reasonably unforeseeable circumstances beyond that party’s reasonable control.
16.4 Governing Law. You agree that these Terms, any dispute arising from, out of, or relating to the Program or these Terms hereunder will be governed exclusively by the laws of England, except where local mandatory laws cannot be derogated from by way of contract.
16.5 Modifications. Dell EMC reserves the right to modify the Program, including, without limitation, the eligibility requirements, Program benefits (including any discounts and pricing), and these Terms, at any time without prior notice via the Partner Portal. Your continued participation in the Program will constitute your binding acceptance of the changes and your consideration supporting any such modification. Any future updates are deemed to be incorporated to this Terms by reference to this section.
16.6 Severability. If any provision herein is void or unenforceable, you and Dell EMC agree to delete such provision and agree that the remainder of these Terms will continue to be in effect.
16.7 Publicity. You shall not directly or indirectly issue or release any written publicity, marketing collateral or other public announcement, relating in any way to these Terms, without the prior written approval of Dell EMC.
16.8 Entire Agreement. The entire relationship between you and Dell EMC is defined in these Terms and the further Dell EMC Program related terms referenced herein. Both parties expressly disclaim any reliance on any oral statements, representations, or courses of conduct or any representations or statements not expressly set forth in these Terms.
16.9 Territory scope. If you are situated outside the European Economic Area (“EEA”) and purchase Dell EMC products and/or services from a Dell EMC authorized distributor located outside the EEA, you are allowed to sell such Dell EMC products and services in the territory only in which the Dell EMC authorized distributor, from whom you purchased such Dell EMC products and/or services, is authorized by Dell EMC to sell into. For the avoidance of doubt, this section 16.9 shall NOT apply within the EEA.
Data Processing Schedule
In this Schedule, the terms “Data Subject”, Controller”, “Processor”, and “Processing” (and its derivatives) shall have the meanings set out in the relevant “Data Protection Laws”, meaning those data protection and/or privacy related laws, statutes, directives, or regulations (and any amendments or successors thereto) to which the parties to these Terms are subject and which apply to the parties’ respective data protection and/or privacy obligations under these Terms (including but not limited to Regulation (EU) 2016/679 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data (General Data Protection Regulation or “GDPR”)). “Subprocessor” means a third party engaged by either party, acting as a Processor, (including without limitation an affiliate and/or subcontractor) in connection with the Processing of the Personal Data in relation to the provision of the Services.
A. The parties agree to comply with their respective obligations under any relevant Data Protection Laws that apply to the relationship contemplated under these Terms and to Process any Personal Data only in compliance with applicable Data Protection Laws.
B. The parties agree that the security measures described in Annex 1 (Information Security Measures) provide an appropriate level of security for the protection of Personal Data to meet the requirements of this Schedule.
C. Controller to Controller: Where one party acting as a Controller (“Disclosing Controller”) discloses Personal Data to the other party to also Process as a Controller (“Receiving Controller”) the following obligations will apply :-
(i) unless the parties otherwise agree in writing, Receiving Controller will Process the Personal Data solely for the purpose of performing its obligations under these Terms and in accordance with applicable Data Protection Laws;
(ii) Disclosing Controller will have obtained all rights and authorizations necessary to disclose the Personal Data to Receiving Controller pursuant to these Terms, including but not limited to giving the appropriate notices and, where necessary, obtaining consents from the Data Subject (in accordance with Data Protection Laws) to the disclosure of their Personal Data to Receiving Controller in connection with the Program;
(iii) If Disclosing Controller discloses Personal Data for the purpose of Receiving Controller sending marketing communications, Disclosing Controller agrees to obtain the relevant Data Subjects' prior consent to such disclosure and use by Receiving Controller;
(iv) Receiving Controller will deal promptly with all reasonable inquiries from Disclosing Controller or a Data Subject relating to the Personal Data, including requests for access or correction of Personal Data and information about Receiving Controller’s practices, procedures and/or complaints process; and
(v) Receiving Controller will ensure that it has appropriate technical and organisational measures in place to reasonably ensure that the security, confidentiality, integrity, availability and resilience of Processing systems and services involved in the Processing of any Personal Data are commensurate with the risk in respect of such Personal Data and to guard against any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data transmitted, stored or otherwise Processed in accordance with these Terms (a “Personal Data Breach”).
D. Controller to Processor: where one party acting as a Controller discloses Personal data to the other party to Process as a Processor or Subprocessor on its behalf, the party acting as a Processor or Subprocessor shall :-
(i) Process the Personal Data only in accordance with the Controller’s instructions, unless required to do so by applicable law. The subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data, the categories of Data Subjects and the obligations and rights of the Controller shall be set out in the relevant Dell Ordering Agreement, EMC Ordering Agreement, service description, statement of work or other contractual terms agreed between the parties;
(ii) Process the Personal Data provided by the Controller only to the extent necessary to perform its obligations under these Terms;
(iii) not disclose the Personal Data to any third party (other than an Affiliate or authorized Subprocessor) except as necessary and only for the purposes of:
(a) complying with the Controller’s instructions;
(b) complying with this Data Protection Schedule; or
(c) complying with the law or a binding order of a governmental body. Unless it would violate the law or a binding order of a government body, Processor will give the Controller notice of any legal requirement or order referenced in this provision;
(iv) ensure that it has in place procedures requiring that any personnel or third party authorized by them (including any affiliate or authorized Subprocessor) that has access to the Personal Data received from the Controller is under a duty of confidence and will respect and maintain the confidentiality and security of the Personal Data; and
(v) ensure that it has appropriate technical and organisational measures in place to reasonably ensure that the security, confidentiality, integrity, availability and resilience of Processing systems and services involved in the Processing of any Personal Data are commensurate with the risk in respect of such Personal Data and to guard against any Personal Data Breach;
(vi) upon becoming aware of a Personal Data Breach, notify the Controller without undue delay (and in any event within 72 hours) and provide written details of the Personal Data Breach to the extent such information is known or available to the Processor at the time, including the type of data affected, how the breach occurred, the identity of affected person(s), the likely consequences of the Personal Data Breach and the measures taken or proposed to be taken to address it, providing further information as soon as such information becomes known or available;
(vii) upon reasonable prior written request, provide the Controller with such information as may be reasonably necessary under applicable law to demonstrate Processor’s compliance with this Data Protection Schedule;
(viii) upon reasonable prior notice, provide reasonably requested cooperation and assistance to the Controller regarding the Processing of the relevant Personal Data to enable Controller to carry out data protection impact assessments and/or prior consultations with data protection authorities as may be required;
(ix) not engage a Subprocessor to Process the Controller’s Personal Data without (i) Controller’s prior written consent; and (ii) a written agreement requiring the Subprocessor to Process the Personal Data only on instructions from the Processor (itself acting on instructions from the Controller) and imposing equivalent data protection obligations upon such Subprocessor as those imposed on Processor under this Data Protection Schedule. Processor shall remain liable for all acts and omissions of the Subprocessor. Processor shall make available to Controller a list of such Subprocessors it currently engages to support the provision of its obligations upon written request. Controller hereby consents to Processor appointing its affiliates and subcontractors to Process Controller’s Personal Data for the purposes of this Data Protection Schedule. Processor will notify Controller in advance of any changes to approved Subprocessors. Processor shall not unreasonably object to any intended changes of Subprocessor;
(x) promptly notify Controller of, and cooperate with the Controller to address, any requests from individuals or applicable data protection authorities relating to the Processing of Personal Data under these Terms, including requests from individuals seeking to exercise their rights under any applicable Data Protection Laws. Processor shall not respond to such communications directly without Controller’ prior authorization, unless legally compelled to do so;
(xi) at the expiry or termination of these Terms or Channel Partner’s Program participation, or otherwise at Controller’s option (as may be requested in writing), delete or return all Personal Data to Controller as soon as reasonably practicable, except where the Processor is required to retain copies under applicable law, in which case Processor will limit and protect that Personal Data from any further Processing except to the extent required by applicable law;
(xii) in respect of Personal Data identified as having originated in the European Economic Area (“EEA”), not transfer such Personal Data to any third party located outside of the EEA unless (i) the fulfilment of the obligations of the Processor under these Terms requires the transfer of Personal Data outside the EEA; and (ii) Processor has entered into the Standard Contractual Clauses (meaning the standard contractual (Controller to Processor) clauses approved by the EU Commission for transfers of personal data to countries outside the EEA that have not been deemed by the European Commission as providing an adequate level of data protection) with the Controller (where requested by Controller) and the third party located outside the EEA. The parties may agree to apply appropriate safeguards other than the Standard Contractual Clauses where these are available to address transfers of Personal Data to countries outside the EEA; and
(xiii) notify Controller as soon as reasonably practicable if Processor is of the opinion that a Controller instruction infringes applicable Data Protection Laws and Processor shall not be required to comply with such infringing instruction.
Annex 1 to Data Processing Schedule Information Security Measures (Technical and Organizational Measures)
This information security overview applies to the parties’ corporate controls for safeguarding personal data which is processed and transferred amongst the parties’ group companies.
The parties have implemented corporate information security practices and standards that are designed to safeguard the corporate environment and to address: (1) information security; (2) system and asset management; (3) development; and (4) governance. These practices and standards undergo a formal review on an annual basis.
It is the responsibility of the individuals across the organization to comply with these practices and standards. To facilitate the corporate adherence to these practices and standards, the function of information security provides:
1. Strategy and compliance with policies/standards and regulations, awareness and education, risk assessments and management, contract security requirements management, application and infrastructure consulting, assurance testing and drives the security direction of the company.
2. Security testing, design and implementation of security solutions to enable security controls adoption across the environment.
3. Security operations of implemented security solutions, the environment and assets, and manage incident response.
4. Forensic investigations with security operations, legal, data protection and human resources for investigations including eDiscovery and eForensics.
Asset Classification and Control
The parties’ practice is to track and manage physical and logical assets. Examples of the assets that might be tracked include:
- Information Assets, such as identified databases, disaster recovery plans, business continuity plans, data classification, archived information.
- Software Assets, such as identified applications and system software.
- Physical Assets, such as identified servers, desktops/laptops, backup/archival tapes, printers and communications equipment.
The assets are classified based on business criticality to determine confidentiality requirements. Industry guidance for handling personal data provides the framework for technical, organizational and physical safeguards. These may include controls such as access management, encryption, logging and monitoring, and data destruction.
As part of the employment process, employees undergo a screening process applicable per regional law. Dell EMCs annual compliance training includes a requirement for employees to complete an online course and pass an assessment covering information security and data privacy. The security awareness program may also provide materials specific to certain job functions. The partners commit to a similar compliance standard.
Physical and Environmental Security
The parties use a number of technological and operational approaches in their physical security programs in regards to risk mitigation. The security teams work closely with each company site to determine appropriate measures are in place and continually monitor any changes to the physical infrastructure, business, and known threats. It also monitors best practice measures used by others in the industry and carefully selects approaches that meet both uniqueness’s in business practice and expectations of the parties. The parties balance their approach towards security by considering elements of control that include architecture, operations, and systems.
Communications and Operations Management
The IT organization manages changes to the corporate infrastructure, systems and applications through a centralized change management program, which may include testing, business impact analysis and management approval, where appropriate.
Incident response procedures exist for security and data protection incidents, which may include incident analysis, containment, response, remediation, reporting and the return to normal operations.
To protect against malicious use of assets and malicious software, additional controls may be implemented, based on risk. Such controls may include, but are not limited to, information security practices and standards; restricted access; designated development and test environments; virus detection on servers, desktops and notebooks; virus email attachment scanning; system compliance scans; intrusion prevention monitoring and response; logging and alerting on key events; information handling procedures based on data type, e-commerce application and network security; and system and application vulnerability scanning.
Access to corporate systems is restricted, based on procedures to ensure appropriate approvals. To reduce the risk of misuse, intentional or otherwise, access is provided based on segregation of duties and least privileges.
Remote access and wireless computing capabilities are restricted and require that both user and system safeguards are in place.
Specific event logs from key devices and systems are centrally collected and reported on an exceptions basis to enable incident response and forensic investigations.
System Development and Maintenance
Publicly released third party vulnerabilities are reviewed for applicability in each party’s environment. Based on risk to the parties’ business and customers, there are pre-determined timeframes for remediation. In addition, vulnerability scanning and assessments are performed on new and key applications and the infrastructure based on risk. Code reviews and scanners are used in the development environment prior to production to proactively detect coding vulnerabilities based on risk. These processes enable proactive identification of vulnerabilities as well as compliance.
The information security, legal, privacy and compliance departments work to identify regional laws and regulations applicable to the parties. These requirements cover areas such as intellectual property of the parties and our customers, software licenses, protection of employee and customer personal information, data protection and data handling procedures, trans-border data transmission, financial and operational procedures, regulatory export controls around technology, and forensic requirements.
Mechanisms such as information security programs, executive privacy councils, internal and external audits/assessments, internal and external legal counsel consultation, internal controls assessments, internal penetration testing and vulnerability assessments, contract management, security awareness, security consulting, policy exception reviews and risk management combine to drive compliance with these requirements.