Last Update: 05/2018
Present in 22 countries, the Axway Group (“Axway”) wishes to establish a common culture of transparency, trust, integrity and responsibility, both internally among its employees and externally with the business partners with which Axway works.
In this respect, Axway undertakes to respect the laws and regulations in force in the countries in which it is based and in which it operates, including privacy regulations.
“We all make the assessment that we are living in an increasingly data-driven world; it is essential to understand that we are all responsible for ensuring that our behavior is consistent with ethical practices, including the necessary protection of individuals’ privacy.” Sébastien Guiraud, Axway Data Protection Officer.
As a responsible company, and given its extensive experience and leadership in the management of data flows, Axway wants to have a positive impact on the security and privacy of individuals around the world.
In the context of the entry into force of the EU General Data Protection Regulation (GDPR) and the increasing number of privacy regulations around the world, Axway is committed to a global privacy compliance program to promote, harmonize and raise the level of its privacy practices for any personal data processing which it controls (as a controller) or which it carries out on behalf of other organizations (as a processor).
This document has been developed to enhance knowledge and awareness of the principles of the Axway Privacy Compliance Program, and to present Axway’s approach to some common questions and practices that Axway’s business partners may legitimately raise regarding Axway’s privacy compliance (“Axway Privacy Compliance Program”).
Please note that although Axway is committed to complying with all privacy laws and regulations in force in the countries in which it is based and in which it operates, the Axway Privacy Compliance Program mostly refers to the GDPR, not only because of its imminent entry into force but also because it is the latest (and certainly the most challenging) of the currently applicable privacy regulations.
Warning: Axway does not provide legal or auditing advice, nor does it represent or warrant that its services or products will ensure that its clients and business partners are in compliance with any law or regulation.
ACCOUNTABILITY AND PRIVACY BY DESIGN
DATA PROTECTION OFFICE. Axway designates a Data Protection Officer, located in France, who leads a network of internal Local Data Protection Managers located in France, the USA and Australia (“Data Protection Office”). The Axway Data Protection Office has expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR. Most members of the Data Protection Office can communicate in French, English and German, which makes it easily accessible externally to individuals and national data protection authorities, as well as internally within Axway’s organization.
Across Axway’s organization, the Axway Data Protection Office will:
- monitor and enforce the application of the data protection laws and regulations in force in the countries in which Axway is based and in which it operates;
- promote awareness and understanding of the risks, rules, safeguards and rights in relation to personal data processing;
- handle complaints lodged by an individual or by a company, investigate, to the extent appropriate, the subject matter of the complaint, and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular where further investigation or coordination with one or more national data protection authorities is necessary;
- cooperate with, and share information with, national data protection authorities;
- conduct investigations into the application of applicable data protection laws and regulations;
- fulfil any other tasks related to the protection of personal data.
As part of its duty to monitor compliance, the Axway Data Protection Office will, in particular:
- maintain a written record of processing activities carried out on behalf of each controller (see Axway’s compliance commitment in section “ASSESSMENT AND RECORDS OF PROCESSING ACTIVITIES” below);
- carry out, when necessary, data protection impact assessments (see Axway’s compliance commitment in section “DATA PROTECTION IMPACT ASSESSMENT (DPIA)” below);
- notify the controller without undue delay on becoming aware of a personal data breach (see Axway’s compliance commitment in section “SECURITY AND DATA BREACH NOTIFICATION” below).
You can reach the Axway Data Protection Office at any time, either by emailing email@example.com or by writing to Axway’s Data Protection Office at:
- USA address: Axway Inc, 6811 E. Mayo Blvd, 4th Floor, Phoenix, AZ 85054, USA.
- EMEA address: Axway Software, Tour W, 102 Terrasse Boieldieu - 92807 Puteaux Cedex, FRANCE.
- APAC address: Axway Australia, Suite 1301, 99 Mount Street, North Sydney, 2060 NSW, AUSTRALIA.
ASSESSMENT AND RECORDS OF PROCESSING ACTIVITIES. Axway reviews on a continuing basis where and how its relevant services collect, use, store and dispose of personal data and updates policies, standards, governance and documentation on a scheduled basis, in order to meet the principles of data protection by design and data protection by default (e.g. by ensuring only the minimum amount of personal data necessary is processed).
Records of processing activities (including processing on behalf of its customers) are maintained by Axway. These records contain all the information required under the GDPR, such as the purposes of the processing, the categories involved, the envisaged time limits, a general description of the technical and organizational security measures and, where applicable, the transfers of personal data to a third country or an international organization, including the identification of that third country or international organization. Such records will be made available to the controller and/or the supervisory authority upon request.
PRINCIPLE OF LOYALTY AND PROTECTION OF CONFIDENTIALITY. Axway pays particular attention to the various information, including personal information, made available to employees and to external and/or casual workers in the performance of their duties. As a result, they have a duty to preserve confidential or restricted information and must provide adequate protection for such documents. This principle is part of the Axway Code of Ethics, which is binding on all Axway employees. In addition, all Axway employees are subject to confidentiality requirements through a specific confidentiality clause in their employment contract.
EMPLOYEE TRAINING AND AWARENESS. Axway requires its employees to attend compulsory training sessions on data privacy and security. Training is organized as often as necessary to ensure that Axway employees are kept informed of Axway policies and procedures, of any changes in their roles and of any regulatory changes.
The content of the training can be adapted to the role that the employee occupies. Similarly, Axway subsidiaries, depending on their specific needs or regulations, may require additional training.
Axway asks its business partners and stakeholders to commit to the same training and awareness requirements. Training of employees working for business partners or stakeholders will usually be provided by those business partners or by other parties selected for this purpose.
CONTRACTUAL COMMITMENTS. Working in conjunction with our own partners and customers, Axway periodically reviews its contractual commitments and updates as needed to comply with data protection laws and regulations in force.
AXWAY SUPPLIER/VENDOR COMPLIANCE PROGRAM. Axway periodically reviews its supplier contracts to ensure compliance throughout its supply chain with the data protection laws and regulations in force in the countries in which it is based and in which it operates, including the GDPR requirements. As part of the Axway supplier/vendor compliance program, Axway implements a DPIA policy (please refer to section “DATA PROTECTION IMPACT ASSESSMENT (DPIA)” below).
CONTINUING ENHANCEMENT AND MONITORING. Axway Privacy Compliance Program is available at: https://www.axway.com/gdpr
The Axway Privacy Compliance Program will be periodically revised and updated to take into account the adjustments and/or enhancements made by Axway within its organization as well as changes in the laws and regulations in force. Where a change significantly affects the level of protection or the processing conditions, the customer (acting as the controller) is informed in such a timely fashion that it has the possibility to object to the change or to terminate the contract before the modification is made (for instance, for any intended addition or replacement of subcontractors, before the data are communicated to the new sub-processor).
Periodic audits may be conducted by the Data Protection Office and Axway Internal Audit Department to verify compliance with practices within Axway’s organization.
DATA PROTECTION IMPACT ASSESSMENT (DPIA).
Axway conducts DPIAs or Privacy Impact Assessments (the two terms are used interchangeably) when a processing operation presents specific risks to the rights and freedoms of individuals.
Axway implements its DPIA policy in accordance with:
- Privacy Impact Assessment (PIA), Commission nationale de l’informatique et des libertés (CNIL), 2015; and
- the international standard guidelines for DPIA methodologies (ISO/IEC 29134 (draft), Information technology – Security techniques – Privacy impact assessment – Guidelines, International Organization for Standardization (ISO)).
Axway periodically reviews its DPIAs and the processing they assess, at least when the risk posed by the processing operation changes and/or when new technologies are used and the processing is likely to result in a risk to individuals. A DPIA needs to be signed off at an appropriate level, e.g. by the board, a managing partner, a risk partner, etc. At Axway, all DPIAs are signed off by the Axway DPO.
Customer’s cooperation required. In most situations, Axway does not have access to customer personal data and cannot identify the nature and/or the sensitivity of the personal information it processes on behalf of its customers. When Axway acts as a processor of customer personal data (such as in Cloud/SaaS activities), Axway asks its customers, in their capacity as controllers, to provide Axway with transparent information so that it can determine whether a DPIA has to be conducted and whether specific technical and organizational security measures have to be implemented (prior to Axway processing such personal data). If an outcome of the DPIA is that a risk cannot be mitigated, reduced or eliminated, the controller and the processor will need to consider whether to reject the activity or to accept the risk. Any serious risks identified by the DPIA may need to be reported to the national data protection authorities to seek their opinion as to whether the intended processing operation complies with the GDPR (please refer to section “EU LEAD SUPERVISORY AUTHORITY” below).
AXWAY RESPONSIBILITIES – AXWAY ACTING AS CONTROLLER AND/OR PROCESSOR
Axway provides different kinds of services to its customers – consulting services, cloud services, SaaS, perpetual/temporary on-premise licenses, support services…
In the course of its business activities, Axway needs to process personal data in its capacity as controller. However, Axway does not necessarily process personal data on behalf of a third party (such as an Axway customer) as a processor.
For certain activities, e.g. its activities as a software publisher, Axway does not act as a processor. In publishing standard software and providing the associated support services, Axway does not process personal data on behalf of its customers. In its Guide for processors (September 2017), the CNIL, the French personal data protection authority, confirms that a software publisher should not be considered a processor under the GDPR.
To determine whether Axway is a processor or a controller, see Opinion 1/2010 of the Article 29 Data Protection Working Party (WP29) of 16 February 2010, which sets out the bundle of indicators to be used when analyzing each situation on a case-by-case basis:
- level of instructions given by the client to the service provider: what margin of manoeuvre does the service provider have in delivering its service?
- extent of monitoring over the execution of the service: to what extent does the client "supervise" the service?
- added-value provided by the service provider: does the service provider boast in-depth expertise in the field?
- degree of transparency over use of a service provider: is the service provider's identity known to the data subjects using the client's services?
AXWAY ACTING AS A CONTROLLER. As a controller, Axway processes under its responsibility personal data in accordance with the following principles: purpose limitation, data minimization, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and specific requirements in respect of personal data transfers outside EEA.
Axway ensures lawful, fair and transparent processing in respect of the individuals whose personal data are processed by Axway.
In particular, individuals are made aware of the risks, rules, safeguards and rights in relation to the processing of their personal data and of how to exercise their rights in relation to such processing. This information is addressed to the public and to data subjects through all Axway websites, in the Axway Privacy Statement, which is available at any time.
In order to ensure that the personal data are not kept longer than necessary, Axway establishes time limits for erasure or for a periodic review. Axway works to ensure that personal data which are inaccurate are rectified or deleted.
Provided that the general principles for the transfer of personal data are respected (see Axway’s compliance commitment in section “TRANSFER OUTSIDE EEA” below), Axway, as part of a group of companies, has a legitimate interest in transmitting personal data to other Axway affiliates (which may be located in a third country) for internal administrative purposes, including the processing of clients' or employees' personal data.
Personal data of Customer’s personnel. In the context of its business relationships with its customers and/or partners, please note that Axway processes personal data (limited to business contact details) of its customers’ personnel (employees, agents and subcontractors) as a controller, as defined by the GDPR, only for the purposes of contract administration and marketing, and does so strictly in accordance with the GDPR.
AXWAY ACTING AS A PROCESSOR. Axway is a processor when it processes personal data on behalf of, on instructions from and under the authority of its customers (acting as controllers). It is the responsibility and the liability of Axway’s customers and partners (acting as controllers) to implement effective measures and to be able to demonstrate the compliance of their processing activities, even when the processing is carried out by Axway on their behalf in its capacity as data processor. In order to assist its customers and partners in their compliance, Axway is committed to respecting the direct obligations imposed on data processors by applicable data protection laws, such as to:
- designate a data protection officer where required (see Axway’s compliance commitment in section “DATA PROTECTION OFFICE” above);
- maintain a written record of processing activities carried out on behalf of each controller (see Axway’s compliance commitment in section “ASSESSMENT AND RECORDS OF PROCESSING ACTIVITIES” above);
- adduce adequate safeguards related to cross border transfers (see Axway’s compliance commitment in section “TRANSFER OUTSIDE EEA” below);
- notify the controller without undue delay on becoming aware of a personal data breach (see Axway’s compliance commitment in section “SECURITY AND DATA BREACH NOTIFICATION” below).
As processor, unless otherwise expressly agreed, Axway is committed to delete or return all the personal data to its customer after the end of the provision of services relating to processing, and to delete existing copies.
SECURITY AND DATA BREACH NOTIFICATION
Axway implements specific technical and organizational measures and policies to ensure that it can effectively detect, report and investigate a personal data breach and, in the event of a personal data breach, manage the notifications required under the GDPR and other applicable data protection regulations (such as the Australian Privacy Amendment (Notifiable Data Breaches) Act 2017, No. 12, 2017, and/or the Cyber Security Law in China). Notification to the supervisory authority is part of Axway’s incident response plan. The Axway Data Protection Office works together with the Axway Computer Security Incident Response Team (CSIRT) to address these requirements.
In the event of personal data breach, Axway acting as processor will promptly or “without undue delay” notify its customer of the personal data breach and provide any information its customers may reasonably require relating to that personal data breach.
Notification is not systematically required under the GDPR. Before putting in place a notification process with its customer, Axway and the customer will conduct a Data Protection Impact Assessment to assess and mitigate the risks to the rights and freedoms of individuals. Please note that:
- under Article 33(1) GDPR, notification to the supervisory authority is not required if the breach is “unlikely to result in a risk to the rights and freedoms of natural persons”;
- under Article 34 GDPR, communication to data subjects is not required if the data controller has implemented appropriate technical and organizational protection measures that render the personal data unintelligible to any person who is not authorized to access it, such as encryption. The threshold for notification to data subjects is that the breach is likely to result in a high risk to their rights and freedoms.
The controller retains overall responsibility for the protection of personal data and Axway encourages its customers to make customer’s personal data essentially unintelligible to unauthorized parties and put in place adequate backups.
SUBPROCESSING - CROSS-BORDER DATA TRANSFER
SUBPROCESSING. Axway ensures that all its sub-processors provide the same guarantees as to the implementation of appropriate technical and organizational measures so that the processing activities meet the requirements of the GDPR. If a sub-processor does not fulfill its obligations regarding the protection of personal data, Axway remains fully liable to the controller.
Axway may entrust all or part of the processing activities to Axway legal entities or to the sub-processors listed here. Axway informs its customers (acting as controllers) in advance, and this information clearly indicates the outsourced processing activities and the identity of the sub-processors.
Where a modification would affect the level of the protection offered by Axway, the controller has the possibility to object to the change or to terminate the contract before the data are communicated to the new sub-processor.
EU LEAD SUPERVISORY AUTHORITY. As a controller and (when applicable) as a processor, Axway identifies the CNIL as its lead data protection supervisory authority. Although Axway operates in multiple EU member states, its EU headquarters are established in France (its “place of central administration” in accordance with the WP29 Guidelines on Personal data breach notification under Regulation 2016/679). In cases involving a controller established in the EU where the controller’s lead supervisory authority has been clearly identified in a relevant Data Protection Agreement signed by Axway, Axway, acting as processor, agrees to recognize the controller’s lead supervisory authority as the competent lead supervisory authority.
TRANSFER OUTSIDE EEA. Axway is responsible towards all its customers for processing the personal data transferred outside the EEA on the customers' behalf in accordance with the applicable data protection law. In order to adduce adequate safeguards with respect to applicable data protection law, Axway has put in place Standard Contractual Clauses with all its subcontractors/processors outside the EEA (which process or have access to customers’ personal data). Axway has signed these Standard Contractual Clauses (and continues to update them) on behalf of all its customers. Please refer to the updated list of Axway’s legal entities and sub-processors here.