Data Terms

These Data Terms (including the schedules) are entered into by You and Samsung and supplement the Agreement. These Data Terms will be effective, and replace any previously applicable terms relating to their subject matter (including any data processing amendment or data processing addendum relating to the subject matter herein), from the date you agree to the Agreement, including any amendments thereto.

If you are accepting these Data Terms on behalf of another individual or entity, you warrant that: (a) you have full legal authority to bind such individual or entity to these Data Terms; (b) you have read and understand these Data Terms; and (c) you agree, on behalf of the applicable individual or entity, to these Data Terms. If you do not have the legal authority to bind such individual or entity, please do not accept these Data Terms.

A. Definitions

“Adequate Jurisdiction” means (a) any country in the EEA, as well as any country that the European Commission has formally determined provides adequate protection for personal data as reflected in a published adequacy finding (or any third country subject to a determination having an equivalent effect for the purposes of Chapter V of the EU GDPR), (b) any third country, territory, or one or more specific sectors within that third country listed in the FDPIC’s list of adequate countries (found at https://www.edoeb.admin.ch/edoeb/en/home/data-protection/handel-und-wirtschaft/transborder-data-flows.html), or otherwise acknowledged as a country deemed adequate for the purpose of Swiss Data Protection Law by the Federal Data Protection and Information Commissioner or (under the Revised Data Protections Laws) the Swiss Federal Council, and/or (c) any (i) third country; (ii) territory or one or more sectors within a third country; (iii) international organization; or (iv) description of such a country, territory, sector or organization, in each case that, pursuant to sections 17A and 17B of the UK Data Protection Act 2018, the Secretary of State has determined provides an adequate level of protection for Personal Data.

“Data Protection Laws” means any and all applicable privacy and data protection laws, regulations, and decisions applicable to You and/or Samsung.

“EEA” means the European Economic Area, which includes all member states of the European Union, and (as at the date of these Data Terms), Norway, Iceland, and Liechtenstein.

“EU Controller Model Clauses” means Module One of the model clauses for transfers from controllers in the EU to controllers established outside the EU or EEA approved by European Commission Implementing Decision 2021/914 of 4 June 2021 (as amended, superseded or replaced from time to time), as amended and incorporated in accordance with Schedule 1 and Schedule 2.

“EU Processor Model Clauses” means Module Two of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 approved by European Commission Decision C(2021) 3972 final (as amended, superseded or replaced from time to time), as amended and incorporated in accordance with Schedule 1 and Schedule 2.

“EU GDPR” means General Data Protection Regulation 2016/679.

“FDPIC” means the Federal Data Protection and Information Commissioner.

“Personal Data” means any information relating to an identified or identifiable natural person.

“Processing” means any operation or set of operations that is performed upon Personal Data or on sets of Personal Data, whether or not by automated or automatic means.

“Supervisory Authority” means the relevant competent authority responsible for data privacy and protection where You or Samsung are established.

“Swiss Data Protection Laws” means any law, enactment, regulation or order in Switzerland concerning the Processing of data relating to living persons, including the Federal Act on Data Protection of 19 June 1992 (SR 235.1) (“FADP”) and the revised version of the FADP dated 25 September 2020 (the “Revised FADP”).

“UK Controller Model Clauses” and/or “UK Processor Model Clauses” means the template IDTA B1.0 issued by the Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised from time to time under Section 5.4 of those Mandatory Clauses, as amended in accordance with Schedule 3.

“UK GDPR” means the GDPR as it forms part of retained EU law in the UK, as defined in the European Union (Withdrawal) Act 2018 and as amended (if applicable) by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

“UK ICO” means the UK Information Commissioner’s Office.

B. Processing and Security of Personal Data

1. Each party shall at all times comply with all applicable Data Protection Laws, including obtaining any necessary consents and providing any necessary notices and/or disclosures, in relation to its Processing of any Personal Data. Each party shall at all times, and in accordance with any applicable laws, implement appropriate security measures, including without limitation administrative, technical, and physical measures, designed to ensure the security, confidentiality, and integrity of Personal Data prior to and during Processing of Personal Data. Such safeguards should be commensurate with the type and amount of Personal Data being Processed and should, at a minimum, protect Personal Data against reasonably anticipated threats or hazards, including from unauthorized access, loss, destruction, use, modification, or disclosure.

2. You shall promptly give written notice to and/or fully cooperate with Samsung:
(A) if You cannot comply, or have not complied, with any portion of these Data Terms and/or Agreement, including the reasons for noncompliance;
(B) if You have breached, or if continued Processing of Personal Data would breach, any Data Protection Laws; in such case You will take all reasonable and appropriate steps to remedy such noncompliance, or cease further Processing of Personal Data, and Samsung may terminate these Data Terms and/or Agreement immediately, cease access to Personal Data, including Shared Personal Data (defined hereunder), and/or take any other reasonable action;
(C) if You receive any complaint, inquiry, or request from a data subject or governmental or regulatory authority regarding Shared Personal Data, in which case You shall notify Samsung within one (1) business day from receipt of such complaint, inquiry, or request. You shall not respond to such third party or any third party for or on behalf of Samsung unless Samsung provides express written permission; and
(D) relating to any obligations Samsung may have under applicable Data Protection Laws, including without limitation responding to regulatory or governmental authorities or data subjects.

3. You shall provide Samsung with all necessary materials, documents, and any other information to enable Samsung to confirm that You have complied with your obligations under these Data Terms. You shall also allow Samsung, or an auditor mandated by Samsung, at any time and at your sole cost and expense, to carry out audits to determine whether or not any Shared Personal Data is being or has been Processed in compliance with Data Protection Laws and the terms of these Data Terms, and You shall comply with such request. Following completion of any audit conducted pursuant to these Data Terms, Samsung shall have the right to notify You in writing of any alleged risks or threats identified during such audit and/or non-conformance to generally accepted trade practice in the industry (each a “Security Issue”). To the extent that such Security Issues exist and are Your responsibility, You shall, within ten (10) days of receipt of such written notification, either correct such Security Issues or provide Samsung with a plan acceptable to Samsung for remediating the Security Issues. If (i) the Security Issues are not corrected, or (ii) if an acceptable plan for correcting them is not agreed to during such period, or (iii) if an acceptable plan is not executed according to its schedule, in addition to any other rights and remedies available to Samsung, Samsung may, by giving You written notice thereof, immediately terminate these Data Terms and/or Agreement, in whole or in part.

C. Samsung Obligations as Processor

This Section C (Samsung Obligations as Processor) shall apply to the extent Samsung acts as a processor in relation to Shared Personal Data under applicable Data Protection Laws:

1. Samsung shall only Process the Shared Personal Data on Your documented instructions, which are set out in Schedule 5, unless required to do so under applicable Data Protection Laws to which Samsung is subject, in which case to the extent permitted by applicable law Samsung shall inform You of that legal requirement before Processing, unless applicable Data Protection Laws prohibit such information on important grounds of public interest. Samsung shall inform You if it cannot comply, or has not complied, with any portion of these Data Terms or Data Protection Laws as a data processor.

2. Samsung shall ensure that the persons authorized to Process the Shared Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3. You authorize Samsung to appoint and permit any of its subprocessors to appoint subprocessors in accordance with these Data Terms. Samsung may continue to use those subprocessors already engaged by Samsung at the date of execution of these Data Terms. Samsung shall give You prior written notice of the appointment of any new subprocessor, and if within 5 calendar days of receipt of such notice You notify Samsung in writing of an objection on reasonable grounds related to the Processing of Shared Personal Data, Samsung may appoint or disclose such Shared Personal Data to that proposed subprocessor provided that (i) reasonable steps have been taken to address the objections raised by You and (ii) prior to such disclosure, Samsung enters into a written, valid and enforceable agreement with such third party that includes terms that are no less restrictive than the obligations applicable to the Shared Personal Data as contained in these Data Terms.

4. Samsung shall provide all reasonable assistance to You to allow You to comply with Your obligations under Data Protection Law, including obligations related to responding to requests from Users to exercise their rights under Data Protection Law.

5. Samsung shall retain the Shared Personal Data only for as long as necessary to perform the purposes set out in Schedule 4, or as required by Data Protection Law. To the extent possible, and subject to applicable law, at Your choice, Samsung shall delete or return Shared Personal Data after the purposes in Schedule 4 are fulfilled.

6. Samsung shall notify You without undue delay upon becoming aware of a Data Security Breach (defined hereunder) affecting the Shared Personal Data.

7. To the extent required under applicable Data Protection Laws, Samsung shall make commercially reasonable efforts to provide to You on request all information necessary to demonstrate Samsung’s compliance as processor under these Data Terms. To the extent required under applicable Data Protection Laws, Samsung acknowledges and agrees that You shall have the right, at any time during the term of these Data Terms, including any renewal thereof, to request that Samsung engage a third party, or allow You at Your sole cost and expense, such third party (as well as duration, time, range and other relevant details) to be mutually agreed upon by the parties, to conduct an independent audit of Samsung’s privacy and security practices in relation to Samsung’s Processing of the Shared Personal Data as processor under these Data Terms.

D. Shared Personal Data

This Section D (Shared Personal Data) shall apply to the extent Samsung acts as a controller in relation to Shared Personal Data under applicable Data Protection Laws:

1. During the term of these Data Terms, Samsung may share, transfer, or otherwise make available certain Personal Data to You (as a controller), and which are set out in Schedule 4. You shall Process Shared Personal Data solely and exclusively for the purposes set forth in Schedule 4 and for no other purpose, and shall not retain Shared Personal Data for longer than is necessary to carry out the aforementioned purposes.

2. You shall provide to Samsung written notice of any Data Security Breach affecting Shared Personal Data immediately upon becoming aware and in no event later than one (1) business day following the occurrence of such Data Security Breach. Such notice shall summarize in reasonable detail the impact of such Data Security Breach upon Samsung and data subjects whose Shared Personal Data is affected by such Data Security Breach and the corrective action to be taken by You. In the event of any Data Security Breach affecting Shared Personal Data, You shall also take or, at Samsung’s request, assist Samsung in taking all remediation efforts that are required by applicable laws as a consequence of any Data Security Breach. For the purposes of this section, “Data Security Breach” means potential or actual losses resulting from (i) the loss or misuse (by any means) of Shared Personal Data; (ii) the inadvertent, unauthorized, and/or unlawful processing, disclosure, access, alteration, corruption, transfer, sale, rental, destruction, or use of Shared Personal Data; or (iii) any other act or omission that compromises or may compromise the security, confidentiality, or integrity of Shared Personal Data.

3. You shall not share, transfer, or otherwise make available the Shared Personal Data without ensuring that adequate and equivalent protections, including without limitation any requirements under applicable laws and these Data Terms, are afforded to the Shared Personal Data. You shall enter into written, valid and enforceable agreements with Your processors or contractors prior to the sharing of Shared Personal Data.

4. For the avoidance of doubt, Samsung may use the Shared Personal Data in accordance with its applicable privacy policy, including for purposes of advertising and marketing, including personalized advertising and marketing.

E. International Transfers

Transfers from EEA

(A) If a party, in the context of an establishment located within the EEA or to the extent it is otherwise subject to the EU GDPR, transfers any Shared Personal Data outside of its country or territory to the other party, such transfer shall be governed by, and the parties hereby agree to comply with, EU Controller Model Clauses and/or EU Processor Model Clauses, as applicable, unless:
i) the data importing party is located in an Adequate Jurisdiction;
ii) the transfer is subject to a derogation in accordance with Article 49 EU GDPR; or
iii) the transfer is permitted under Data Protection Law by some other method (such as binding corporate rules).

(B) If, in accordance with clause (A) immediately above, the transfer of Shared Personal Data is governed by EU Controller Model Clauses and/or EU Processor Model Clauses:
i) such clauses are incorporated by reference to these Data Terms, and the details of the transfer are contained in Schedule 4 and details of the technical and organizational security measures implemented by the data importing party are contained in Schedule 5; and
ii) the data exporting party shall assume all rights, obligations and liability of the data exporter under the EU Controller Model Clauses and/or EU Processor Model Clauses, and the data importing party shall assume all rights, obligations and liability of the data importer under the EU Controller Model Clauses and/or EU Processor Model Clauses.

Transfers from the UK

(C) If a party, in the context of an establishment located within the UK or to the extent it is otherwise subject to the UK GDPR, transfers any Shared Personal Data outside of its country or territory to the other party, such transfers shall be governed by, and the parties hereby agree to comply with, UK Controller Model Clauses and/or UK Processor Model Clauses, as applicable, unless:
i) the data importing party is located in an Adequate Jurisdiction;
ii) the transfer is subject to a derogation in accordance with Article 49 UK GDPR; or
iii) the transfer is permitted under Data Protection Law by some other method (such as binding corporate rules).

(D) If, in accordance with clause (C) immediately above, the transfer of Shared Personal Data is governed by UK Controller Model Clauses and/or UK Processor Model Clauses:
i) such clauses are incorporated by reference into these Data Terms; and
ii) the data exporting party shall assume all rights, obligations and liability of the data exporter under the UK Controller Model Clauses and/or UK Processor Model Clauses, and the data importing party shall assume all rights, obligations and liability of the data importer under the UK Controller Model Clauses and/or UK Processor Model Clauses.

Transfers from Switzerland

(E) If a party, in the context of an establishment located within Switzerland or to the extent it is otherwise subject to Swiss Data Protection Laws, transfers any Shared Personal Data outside of its country or territory to the other party, such transfer shall be governed by, and the parties hereby agree to comply with, EU Controller Model Clauses and/or EU Processor Model Clauses, as applicable, unless:
i) the data importing party is located in an Adequate Jurisdiction; or
ii) the transfer is permitted under Swiss Data Protection Law by some other method (such as binding corporate rules).

(F) If, in accordance with clause (E) immediately above, the transfer of Shared Personal Data is governed by EU Controller Model Clauses and/or EU Processor Model Clauses:
i) such clauses are incorporated by reference to these Data Terms, and the details of the transfer are contained in Schedule 4 and details of the technical and organizational security measures implemented by the data importing party are contained in Schedule 5; and
ii) the data exporting party shall assume all rights, obligations and liability of the data exporter under the EU Controller Model Clauses and/or EU Processor Model Clauses, and the data importing party shall assume all rights, obligations and liability of the data importer under the EU Controller Model Clauses and/or EU Processor Model Clauses.

Transfers from Other Jurisdictions

(G) If a party, in the context of an establishment located within a country outside the EEA, UK, or Switzerland, or to the extent it is otherwise subject to the Data Protection Laws of such country, transfers any Shared Personal Data outside of its country or territory to the other party, such transfer shall be governed by, and the parties hereby agree to comply with, if required and applicable, the standard contractual clauses or their equivalent (“Other Jurisdiction Model Clauses”) issued by the applicable supervisory authority or governmental or regulatory authority (“Other Jurisdiction Supervisory Authority”), unless:
i) the data importing party is located in an adequate jurisdiction approved by the Other Jurisdiction Supervisory Authority;
ii) the transfer is subject to a derogation in accordance with applicable Data Protection Laws; or
iii) the transfer is permitted under Data Protection Laws by some other method (such as binding corporate rules).

(H) If, in accordance with clause (G) immediately above, the transfer of Shared Personal Data is governed by Other Jurisdiction Model Clauses:
i) such Other Jurisdiction Model Clauses are incorporated by reference into these Data Terms, and the details of the transfer are contained in Schedule 4 and details of the technical and organizational security measures implemented by the data importing party (as data importer) are contained in Schedule 5; and
ii) the data exporting party shall assume all rights, obligations and liability of the data exporter under such Other Jurisdiction Model Clauses, and the data importing party shall assume all the rights, obligations and liabilities of the data importer under such Other Jurisdiction Model Clauses.

F. Indemnification

You shall indemnify, defend, and hold harmless Samsung, its affiliates, and each of their respective officers, directors, employees, and agents (collectively, the “Samsung Indemnitees”) from and against any and all costs, charges, damages, expenses, penalties, fines, fees (including without limitation reasonable attorney’s fees) and losses (including without limitation fees and costs incurred in recovering the same) incurred by any Samsung Indemnitee that arises from Your negligence, gross negligence or willful misconduct, or a breach by You or any of Your employees, processors, or agents of these Data Terms and/or Agreement as it relates to Processing of Personal Data, Data Protection Laws, or a Data Security Breach.

Schedule 1

EU Controller Model Clauses and EU Processor Model Clauses Modifications

The EU Controller Model Clauses are amended as follows:

Clause 7: Included
Clause 11 (Redress): Included
Clause 13 (Supervision) and Annex 1.C: The competent supervisory authority shall be the Office of the Data Protection Commissioner (of the Republic of Ireland).
Clause 17 (Governing law): Law of Ireland (Republic of Ireland).
Clause 18 (Choice of forum and jurisdiction): Courts of Ireland (Republic of Ireland).
Appendix Annex I.A (List of parties): As set out in Schedule 4.
Appendix Annex I.B (Description of the transfer): As set out in Schedule 4.
Appendix Annex II (Technical and organizational measures): As set out in Schedule 5.

The EU Processor Model Clauses are amended as follows:

Clause: Amendment / Selected Option
Clause 7 (Docking Clause): Included
Clause 9 (Use of sub-processors): The data importer shall specifically inform the data exporter in writing of any intended changes to the list of sub-processors through the addition or replacement of sub-processors at least 5 days in advance, giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s).
Clause 11 (Redress): Included
Clause 13 (Supervision) and Annex 1.C: The competent supervisory authority shall be the Office of the Data Protection Commissioner (of the Republic of Ireland).
Clause 17 (Governing law): Law of Ireland (Republic of Ireland).
Clause 18 (Choice of forum and jurisdiction): Courts of Ireland (Republic of Ireland).
Appendix Annex I.A (List of parties): As set out in Schedule 4.
Appendix Annex I.B (Description of the transfer): As set out in Schedule 4.
Appendix Annex II (Technical and organisational measures): As set out in Schedule 5.
Appendix Annex III (List of sub-processors): As set out in Schedule 4.

Schedule 2

EU Controller Model Clauses and EU Processor Model Clauses Modifications
(Swiss Personal Data)

Where Swiss Data Protection Laws apply, the EU Controller Model Clauses are amended as follows:

Term: Amendment / Selected Option
References / Definitions:
Where the transfer is exclusively subject to Swiss Data Protection Laws: References to EU GDPR are replaced by references to the FADP (or Revised FADP, as appropriate). References to the “EU”, “EU Member State”, “European Union” and “Union” are replaced with references to Switzerland. References to competent supervisory authority are replaced with references to FDPIC.
Where the transfer is subject to both Swiss Data Protection Law and EU GDPR: References to EU GDPR are supplemented by references to the FADP (or Revised FADP, as appropriate). References to the “EU”, “EU Member State”, “European Union” and “Union” are supplemented with references to Switzerland. References to competent supervisory authority are supplemented with references to FDPIC.
Clause 7 (Docking Clause): Included
Clause 11 (Redress): Included
Clause 13 (Supervision) and Annex 1.C: Where the transfer is exclusively subject to Swiss Data Protection Laws: FDPIC. Where the transfer is subject to both Swiss Data Protection Law and EU GDPR: (i) FDPIC, insofar as the transfer is governed by the FADP; and (ii) the Office of the Data Protection Commissioner (of the Republic of Ireland), insofar as the transfer is governed by EU GDPR.
Clause 17 (Governing law): Where the transfer is exclusively subject to Swiss Data Protection Laws: Swiss law. Where the transfer is subject to both Swiss Data Protection Law and EU GDPR: Irish law.
Clause 18 (Choice of forum and jurisdiction): Courts of Ireland (Republic of Ireland).
Appendix Annex I.A (List of parties): As set out in Schedule 4.
Appendix Annex I.B (Description of the transfer): As set out in Schedule 4.
Appendix Annex II (Technical and organizational measures): As set out in Schedule 5.
Annex III (Switzerland specific annex): The term “Member state” must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU Controller Model Clauses.
The parties acknowledge that the EU Controller Model Clauses shall protect the data of legal entities until the entry into force of the Revised FADP.

Where Swiss Data Protection Laws apply, the EU Processor Model Clauses are amended as follows:

Term: Amendment / Selected Option
References / Definitions:
Where the transfer is exclusively subject to Swiss Data Protection Laws: References to EU GDPR are replaced by references to the FADP (or Revised FADP, as appropriate). References to the “EU”, “EU Member State”, “European Union” and “Union” are replaced with references to Switzerland. References to competent supervisory authority are replaced with references to FDPIC.
Where the transfer is subject to both Swiss Data Protection Law and EU GDPR: References to EU GDPR are supplemented by references to the FADP (or Revised FADP, as appropriate). References to the “EU”, “EU Member State”, “European Union” and “Union” are supplemented with references to Switzerland. References to competent supervisory authority are supplemented with references to FDPIC.
Clause 7 (Docking Clause): Included
Clause 9 (Use of sub-processors): The data importer shall specifically inform the data exporter in writing of any intended changes to the list of sub-processors through the addition or replacement of sub-processors at least 5 days in advance, giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s).
Clause 11 (Redress): Included
Clause 13 (Supervision) and Annex 1.C: Where the transfer is exclusively subject to Swiss Data Protection Laws: FDPIC. Where the transfer is subject to both Swiss Data Protection Law and EU GDPR: (i) FDPIC, insofar as the transfer is governed by Swiss Data Protection Law; and (ii) the Office of the Data Protection Commissioner (of the Republic of Ireland), insofar as the transfer is governed by EU GDPR.
Clause 17 (Governing law): Where the transfer is exclusively subject to Swiss Data Protection Laws: Swiss law. Where the transfer is subject to both Swiss Data Protection Law and EU GDPR: Irish law.
Clause 18 (Choice of forum and jurisdiction): Courts of Ireland (Republic of Ireland).
Appendix Annex I.A (List of parties): As set out in Schedule 4.
Appendix Annex I.B (Description of the transfer): As set out in Schedule 4.
Appendix Annex II (Technical and organisational measures): As set out in Schedule 5.
Annex III (list of sub-processors): As set out in Schedule 4.
Annex IV (Switzerland specific changes): The term “Member state” must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the relevant EU Processor Model Clauses.
The parties acknowledge that the EU Processor Model Clauses shall protect the data of legal entities until the entry into force of the Revised FADP.

Schedule 3

UK Controller Model Clauses and UK Processor Model Clauses Modifications
(UK Personal Data)

Where UK GDPR applies, the UK Controller Model Clauses and UK Processor Model Clauses, as applicable, are amended as follows:

For the purposes of the UK Controller Model Clauses and UK Processor Model Clauses, as permitted by clause 17 of the same, the parties agree to change the format of the information set out in Part 1 as follows:

The details of the Parties in table 1 shall be as set out in Schedule 4 (with no requirement for signature);

For the purposes of table 2, the UK Controller Model Clauses shall be appended to the EU Controller Model Clauses (including the selection of modules and the application/disapplication of such optional clauses as specified above) and UK Processor Model Clauses shall be appended to the EU Processor Model Clauses (including the selection of modules and the application/disapplication of such optional clauses as specified above); and

The appendix information listed in table 3 is as set out in Schedule 4.

Schedule 4

Description of processing

Parties
Data Exporter (controller): Samsung
Data Importer (controller): You
Purpose of processing
Duration and frequency of processing: Continuous for the term of the Agreement
Purpose of the transfer: IAP Data:
(i) To provide purchased services and products, and refunds, as applicable; and
(ii) Application improvement, including analysis; and
(iii) To comply with applicable law and protect against fraud and other liabilities
Recipients: Internal employees and third parties consistent with these Data Terms
Retention period: Subject to applicable law, no longer than necessary to carry out the above purposes.
Transfers to sub-processors: Use of any sub-processors shall be done in accordance with these Data Terms
Shared Personal Data
Categories of personal data: IAP Data:
(i) Identifiers
(ii) Application information
(iii) Transaction information, including zip code, order related
Categories of sensitive personal data: None

Parties
Data Exporter (processor): Samsung
Data Importer (controller): You
Purpose of processing
Duration and frequency of processing: Continuous for the term of the Agreement
Purpose of the transfer: To collect and transfer to You. You will Process Shared Personal Data as a data controller in accordance with your privacy policy.
Recipients: Internal employees and third parties consistent with these Data Terms
Retention period: Subject to applicable law, no longer than necessary to carry out the above purposes.
Transfers to sub-processors: Amazon Web Service: to maintain data on Samsung’s behalf
Shared Personal Data
Categories of personal data: Instant Plays Data:
(i) Profile information, including friends lists Users connect their social account
(ii) Device information, including hardware and software information
(iii) Identifiers
(iv) Browser, network and settings information
(v) Usage information, including clicks and pages viewed, game activity and progress, and interactions with other users
(vi) Information relating to service improvement, such as game crash reports, error dumps, and data used against fraud (e.g. refund abuse or click fraud)
Categories of sensitive personal data: None

Contact details
Data Exporter: gamelauncher@samsung.com
Data Importer: The contact details associated with Your account and/or that You provided during registration to the Seller Portal.

Schedule 5

Technical and Organizational Measures

1. Management of authorization

a. Assign access rights to the Shared Personal Data processing system to the minimum extent necessary for the performance of the work according to the person in charge of the work.
b. Cancel or terminate the access rights of the Shared Personal Data processing system without delay when the Shared Personal Data handler is changed.
c. Record the details of authorizations, alterations or cancellations and keep such records.
d. Issue a separate user account to each Shared Personal Data handler and prevent sharing of such user account information with other Shared Personal Data handlers.
e. Establish and apply a password creation rule so that the Shared Personal Data handler can set and execute a secure password.
f. Take necessary technical measures such as restricting access to the Shared Personal Data processing system in case the wrong password is entered more than a certain number of times so that only the authorized personal information handler can access the Shared Personal Data processing system.

2. Access control

a. Access to the Shared Personal Data processing system should be restricted by IP address and similar means to prevent unauthorized access.
b. Analyze the IP address connected to the Shared Personal Data processing system to detect illegal leakage of Shared Personal Data.
c. Apply secure connection methods such as virtual private networks (VPN) or secure authentication methods when a Shared Personal Data handler accesses the Shared Personal Data processing system through external networks such as the internet.
d. Access control measures should be applied to Shared Personal Data processing systems, business computers, and mobile devices so that Shared Personal Data being handled is not disclosed or leaked through the Internet, P2P, or sharing settings to those who do not have the right to view it.
e. Automatically prevent system access if the Shared Personal Data handler does not process the work for a certain period of time.

3. Encryption of Shared Personal Data

a. Encrypt unique identification information (e.g. Social Security Number), passwords, biometric information, credit card numbers, bank account numbers, and any other sensitive information when transmitted through the information communication network or through an auxiliary storage medium.
b. Encrypt unique identification information (e.g. Social Security Number), passwords, biometric information, credit card numbers, bank account numbers, and any other sensitive information when stored in a database. Further, if passwords are stored, they shall be stored using one-way encryption so that they cannot be decrypted.
c. When Shared Personal Data is encrypted, it must be encrypted and stored with a secure encryption algorithm.

Recommendation of cryptographic algorithms

| Classification | USA (NIST) | Europe (ECRYPT) | Korea (KISA) |
|---|---|---|---|
| Symmetric key encryption algorithm | AES-128/192/256, 3TDEA | AES-128/192/256, Blowfish, KASUMI, 3TDEA | SEED, HIGHT, ARIA-128/192/256 |
| Public key cryptography algorithm | RSA-2048 | RSAES-OAEP, RSAES-PKCS1 | RSAES-OAEP |
| One-way hash algorithm | SHA-224/256/384/512 | SHA-224/256/384/512, Whirlpool | SHA-224/256/384/512 |

d. Procedures for the creation, use, storage, distribution, and destruction of secure cryptographic keys shall be established and enforced in order to safely store encrypted Shared Personal Data.
e. When storing unique identification information (e.g. Social Security Number) in a business computer or a mobile device, it must be encrypted using commercial encryption software or a secure encryption algorithm.

4. Logging of system administrator

a. System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.
b. Log information shall be protected against tampering and unauthorized access.

5. Prevention from malicious programs

a. Install and operate a security program such as PC vaccine software that can prevent and treat malicious programs, and keep the security program up to date through automatic updates.
b. If a malware alert has been issued, or if you have received a security update notice from your application or from the manufacturer of the operating system software, you shall apply the corresponding update immediately.

6. Safety measures for management workstation

a. Prevent unauthorized persons from accessing or arbitrarily operating the management workstation.
b. Make sure to only use the management workstation for its original purpose.

7. Physical security measures

a. If there is a separate physical storage place for storing Shared Personal Data, such as a computer room or data storage room, an access control procedure shall be established and operated.
b. Documents containing Shared Personal Data and auxiliary storage media shall be kept in a safe place with a lock.

8. Disaster Recovery Plan

a. Prepare and periodically check the countermeasures such as a crisis response manual for the protection of Shared Personal Data processing system in case of disaster such as fire, flood, and blackout.

9. Destruction of Shared Personal Data

a. Shared Personal Data shall be destroyed irreparably if the retention period expires or the business purpose is reached.
b. If you destroy Shared Personal Data, you shall take appropriate measures such as:
i. (Database) Perform initialization or overwrite to prevent data from being restored;
ii. Complete destruction (incineration, crushing, etc.); and
iii. Delete using dedicated device equipment.

10. Segregation control

a. The use of operational data containing Shared Personal Data or any other confidential data for testing purposes shall be avoided.

11. Information security incident management

a. Information security events shall be reported to Samsung as quickly as possible and in accordance with the Data Terms.
b. All employees shall be aware of the procedure for reporting information security events and the point of contact to which the events shall be reported.

You shall apply an enterprise information security policy according to ISO/IEC 27001 Standard or similar industry recognized practice. Controls not listed here conform to the ISO/IEC 27001 standard.