Last Update: 06/2018
Present in 22 countries, the Axway Group (“Axway”) is committed to maintaining a common culture of transparency, trust, integrity, and responsibility -- both internally for our employees and externally for our customers and business partners.
The Axway Privacy Compliance Program supports this culture with policies that ensure we operate in accordance with the laws and regulations in force in the countries where we do business, including the EU’s General Data Protection Regulation (GDPR).
“We are living in an increasingly data-driven world and, at Axway, we are all responsible for ensuring that our behavior is consistent with ethical practices, including the protection of individuals’ privacy.” Sébastien Guiraud, Axway Data Protection Officer.
The Axway Privacy Compliance Program is designed to promote, harmonize, and level up our practices for protecting the privacy of any personal data we control (acting as a controller) or process on behalf of other organizations (acting as a processor). Please see below for further information.
ACCOUNTABILITY AND PRIVACY BY DESIGN
DATA PROTECTION OFFICE. Axway designates a Data Protection Officer, located in France, who leads a network of internal Local Data Protection Managers in France, the USA, and Australia (“Data Protection Office”). The Data Protection Office is staffed by experts in national and European data protection laws and practices who have an in-depth understanding of GDPR. Most of our Data Protection Office members can communicate in French, English, and German. Across the organization, the Axway Data Protection Office will:
- Monitor and enforce the application of any data protection laws and regulations in force in the countries in which Axway is based and in which it operates
- Promote awareness and understanding of the risks, rules, safeguards, and rights in relation to personal data processing
- Investigate complaints lodged by individuals or companies and inform the complainant of the progress and outcome of the investigation within a reasonable period, especially if further investigation or coordination with one or multiple national data protection authorities is necessary
- Cooperate and share appropriate information with national data protection authorities
- Conduct investigations on the application of applicable data protection laws and regulations, and fulfill any other tasks related to the protection of personal data.
As part of these duties to monitor compliance, the Axway Data Protection Office will, in particular:
- Maintain a written record of processing activities carried out on behalf of each controller (see Axway’s compliance commitment in section “ASSESSMENT AND RECORDS OF PROCESSING ACTIVITIES” below)
- Carry out, when necessary, a data protection impact assessment (see Axway’s compliance commitment in section “DATA PROTECTION IMPACT ASSESSMENT (DPIA)” below)
- Notify the controller of a personal data breach without undue delay (see Axway’s compliance commitment in section “SECURITY AND DATA BREACH NOTIFICATION” below)
Axway Data Protection Office contact information:
- Global email: email@example.com
- USA address: Axway Inc., 16220 N Scottsdale Road, Suite 500, Scottsdale, AZ 85254, USA.
- EMEA mailing address: Axway Software, Tour W, 102 Terrasse Boieldieu - 92807 Puteaux Cedex, FRANCE.
- APAC mailing address: Axway Australia, Suite 1301, 99 Mount Street, North Sydney, 2060 NSW, AUSTRALIA
ASSESSMENT AND RECORDS OF PROCESSING ACTIVITIES. Axway reviews on a continuing basis where and how its relevant services collect, use, store, and dispose of personal data. In addition, Axway updates policies, standards, governance, and documentation on a scheduled basis to meet the principles of data protection by design and data protection by default (e.g. by ensuring only the minimum amount of personal data necessary is processed).
Records of processing activities (including processing on behalf of customers) are maintained by Axway. Records will contain all the information required under GDPR such as purposes of the processing, categories involved, envisaged time limits, general description of the technical and organizational security measures and, where applicable, the transfers of personal data to a third country or an international organization, including the identification of that third country or international organization. Such records will be available to the controller and/or the supervisory authority upon request.
PRINCIPLE OF LOYALTY AND PROTECTION OF CONFIDENTIALITY. Axway pays particular attention to the various types of information, including personal information, made available to employees and outside and/or casual employees in the performance of their duties. As a result, they have the duty to preserve confidential or restricted information and must provide adequate protection for such documents. This principle is part of Axway Code of Ethics which applies to all Axway employees. In addition, all Axway employees are subject to confidentiality requirements through a specific confidentiality clause in their employment contract.
EMPLOYEE TRAINING AND AWARENESS. Axway requires its employees to attend training sessions on data privacy and security. Training will be organized as often as necessary to ensure that Axway employees are kept informed of Axway policies and procedures, and any regulatory changes.
The content of the training can be adapted to specific employee roles. Similarly, Axway subsidiaries, depending on their specific needs or regulations, may require additional training.
Axway is asking its business partners or stakeholders to commit to the same training and awareness requirements. Training of employees working for business partners or stakeholders will usually be provided by business partners or other parties selected for this purpose.
CONTRACTUAL COMMITMENTS. Working in conjunction with our own partners and customers, Axway periodically reviews its contractual commitments and makes updates as needed to comply with data protection laws and regulations in force.
AXWAY SUPPLIER/VENDOR COMPLIANCE PROGRAM. Axway periodically reviews its supplier contracts to ensure compliance throughout its supply chain with data protection laws and regulations in force in the countries in which it is based and in which it operates, including GDPR. As part of the Axway supplier/vendor compliance program, Axway implements a DPIA policy (please refer to section “DATA PROTECTION IMPACT ASSESSMENT (DPIA)” below).
CONTINUING ENHANCEMENT AND MONITORING. Axway Privacy Compliance Program is available at: https://www.axway.com/gdpr
The Axway Privacy Compliance Program will be periodically adjusted and/or enhanced to keep pace with changes to the organization as well as the changes in the laws and regulations in force. Where a change significantly affects the level of protection of processing conditions, the information will be given to the customer (acting as the controller) in a timely fashion to provide the customer (acting as the controller) the opportunity to object to the change or to terminate the contract before the modification is made (for instance, on any intended changes concerning the addition or replacement of subcontractors, before the data are communicated to the new sub-processor).
Periodic audits may be conducted by the Data Protection Office or the Axway Internal Audit Department to verify compliance with these practices within Axway.
DATA PROTECTION IMPACT ASSESSMENT (DPIA).
Axway conducts DPIAs or Privacy Impact Assessments (both terms refer to the same notion) when specific risks to the rights and freedoms of individuals arise.
Axway implements its DPIA policy in accordance with:
- Privacy Impact Assessment (PIA), Commission nationale de l’informatique et des libertés (CNIL), 2015
- International standard guidelines for DPIA: ISO/IEC 29134 (project), Information technology – Security techniques – Privacy impact assessment – Guidelines, International Organization for Standardization (ISO)
Axway periodically reviews DPIAs and the processing they assess, at least when there is a change in the risk posed by the processing operation and/or when new technologies are used and the data processing is likely to result in a risk to individuals. The DPIA requires sign-off at an appropriate level, e.g. the board, a managing partner, risk partner, etc. For Axway, all DPIAs are signed by the Axway Data Protection Officer.
The customer’s cooperation is required. In most situations, Axway does not have access to customer personal data and cannot identify the nature and/or the sensitivity of personal information it is processing on the behalf of customers. When Axway acts as the processor of customer personal data (such as Cloud/SaaS activities), we ask our customers (acting as controller) to provide transparent information to determine if a DPIA should be conducted and if specific technical and organizational security measures should be implemented prior to processing the personal data.
If the outcome of the DPIA is that a risk cannot be mitigated, reduced, or eliminated, the controller and the processor will need to consider whether to reject the activity or to accept the risk. Any serious risks identified by the DPIA may need to be reported to the national data protection authorities to seek their opinion as to whether the intended processing operation complies with GDPR (please refer to section “EU LEAD SUPERVISORY AUTHORITY” below).
AXWAY RESPONSIBILITIES – AXWAY ACTING AS CONTROLLER AND/OR PROCESSOR
Axway provides different kinds of services for its customers, including Consulting, Cloud, SaaS, Perpetual/temporary License on premise, and Support…
As part of these activities, Axway needs to process personal data as a controller. However, Axway doesn’t necessarily process personal data on behalf of a third party (such as an Axway customer) as a processor.
Axway doesn’t act as processor for all activities. As a software publisher, Axway doesn’t process personal data on behalf of its customers. In its Guide for Processors (September 2017), the CNIL, the French personal data protection authority, confirms that a software publisher should not be considered a processor under GDPR.
To determine whether Axway is a processor or the controller, see the Opinion 1/2010 of the Article 29 Data Protection Working Party (WP29) of 16 February 2010, which identifies indicators to be used when analyzing on a case-by-case basis:
- Level of instructions given by the client to the service provider: What margin of manoeuvre does the service provider have in delivering its service?
- Extent of monitoring over the execution of the service: To what extent does the client "supervise" the service?
- Added-value provided by the service provider: Does the service provider boast in-depth expertise in the field?
- Degree of transparency over use of a service provider: Is the service provider's identity known to the data subjects using the client's services?
AXWAY ACTING AS A CONTROLLER. As a controller, Axway processes personal data in accordance with the following principles: purpose limitation, data minimization, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and specific requirements for personal data transfers outside EEA.
Axway ensures lawful, fair, and transparent processing of individuals’ personal data. The Axway Privacy Statement provides information on the risks, rules, safeguards, and rights in relation to the processing of personal data. Such information is addressed to the public or to the data subjects through all Axway Websites at any time.
To ensure that personal data is not kept longer than necessary, Axway establishes time limits for erasure or for a periodic review. Axway works to ensure that inaccurate personal data is rectified or deleted.
Axway transmits personal data to other Axway affiliates (which may be located in a third country) for internal administrative purposes, including the processing of customer or employee personal data. (See Axway’s compliance commitment for the transfer of personal information in section “TRANSFER OUTSIDE EEA” below.)
Personal data of customers’ personnel. In the context of its business relationships with its customers and/or partners, Axway only processes personal data (limited to business contact details) of its customers’ personnel (employees, agents, and subcontractors) as controller -- as defined by the GDPR -- for purposes of contract administration and marketing, and it will do so strictly in accordance with GDPR.
AXWAY ACTING AS A PROCESSOR. Axway is a processor as soon as it receives personal data on behalf of, on instructions from, and under the authority of its customers (acting as controllers). It is the responsibility and the liability of Axway customers and partners (acting as controllers) to implement effective measures and be able to demonstrate the compliance of processing activities even if the processing is carried out by Axway acting as data processor on their behalf. As a processor, Axway takes the following actions in accordance with GDPR:
- Designate a data protection officer where required (see Axway’s compliance commitment in section “DATA PROTECTION OFFICE” above)
- Maintain a written record of processing activities carried out on behalf of each controller (see Axway’s compliance commitment in section “ASSESSMENT AND RECORDS OF PROCESSING ACTIVITIES” above)
- Implement adequate safeguards for cross-border transfers (see Axway’s compliance commitment in section “TRANSFER OUTSIDE EEA” below)
- Notify the controller on becoming aware of a personal data breach without undue delay (see Axway’s compliance commitment in section “SECURITY AND DATA BREACH NOTIFICATION” below)
As processor, unless otherwise expressly agreed, Axway will delete or return all personal data to its customer after the end of the provision of services relating to processing, and will delete existing copies.
SECURITY AND DATA BREACH NOTIFICATION
Axway implements specific technical and organizational measures and policies to effectively detect, report, and investigate a personal data breach. In the event of a personal data breach, Axway will manage required notifications under GDPR and other applicable data protection regulations, such as Australian Privacy Amendment (Notifiable Data Breaches) Act 2017 No. 12, 2017 and/or the Cyber Security Law in China. Notification to the supervisory authority is also part of the Axway incident response plan. The Axway Data Protection Office works with the Axway Computer Security Incident Response Team (CSIRT) to address these requirements.
In the event of personal data breach, Axway acting as processor will promptly or “without undue delay” notify its customer of the personal data breach and provide any information its customers may reasonably require.
Notification is not systematically required under GDPR. Prior to putting in place a notification process, Axway and its customer will conduct a Data Protection Impact Assessment to assess and mitigate the risks to the rights and freedoms of individuals. Please note:
- Under Article 33(1) GDPR, notification to the supervisory authority is not required if the breach is “unlikely to result in a risk to the rights and freedoms of natural persons.”
- Under Article 34 GDPR, communication to data subjects is not required if the data controller has implemented appropriate technical and organizational protection measures that render the personal data unintelligible to any person who is not authorized to access it, such as encryption. The threshold for notification to data subjects is that there is likely to be a high risk to their rights and freedoms.
The controller retains overall responsibility for the protection of personal data, and Axway encourages its customers to make their personal data essentially unintelligible to unauthorized parties and to put in place adequate backups.
SUBPROCESSING - CROSS-BORDER DATA TRANSFER
SUBPROCESSING. Axway ensures that all its sub-processors provide the same guarantees as to the implementation of appropriate technical and organizational measures so that the processing activities meet the requirements of GDPR. If a sub-processor does not fulfill its obligations regarding the protection of personal data, Axway remains fully liable to the controller.
Axway entrusts all or part of the processing activities to any Axway legal entities or any sub-processor listed here. Axway informs its customers (acting as controllers) in advance and this information clearly indicates the outsourced processing activities and the identity of the sub-processors.
Where a modification would affect the level of the protection offered by Axway, the controller can object to the change or terminate the contract before the data is communicated to the new sub-processor.
EU LEAD SUPERVISORY AUTHORITY. As a controller and (when applicable) as a processor, Axway identifies the CNIL as its lead data protection supervisory authority. While Axway operates in multiple EU member states, Axway has its EU headquarters established in France (“place of central administration” in accordance with the WP29 Guidelines on Personal data breach notification under Regulation 2016/679). In cases involving a controller established in the EU where the controller’s lead supervisory authority has been clearly identified in a relevant Data Protection Agreement signed by Axway, Axway acting as processor agrees to identify the controller’s lead supervisory authority as the competent lead supervisory authority.
TRANSFER OUTSIDE EEA. Axway is responsible to all its customers for processing the personal data transferred outside the EEA on the customers' behalf and in accordance with the applicable data protection law. In order to provide adequate safeguards with respect to applicable data protection law, Axway has put in place Standard Contractual Clauses with all its subcontractors/processors outside the EEA that process or have access to customers’ personal data. Axway signed these Standard Contractual Clauses (and is continuing to update them) on behalf of all its customers. Please refer to the updated list of Axway’s legal entities and sub-processors here.
Note: Axway does not provide legal or auditing advice or represent or warrant that its services or products will ensure that clients or business partners are in compliance with any law or regulation.