DATA PROCESSING POLICY (The "Policy")
This document sets forth the Policy of Mars, Inc. and its subsidiaries, including Mars benefits trustees (“Mars”), on the acceptable Processing of Personal Data. In particular, it details the data privacy and security requirements applicable to all suppliers to the extent that they collect, maintain and Process Personal Data. We refer to the parties covered by this Policy as “Suppliers.”
In this Policy, the following terms shall have the meanings set out below:
(a)“Data Subject” means a living individual who is the subject of any of the Personal Data;
(b)“Data Privacy Legislation” means all laws and regulations, in any country, region, district, state, municipality, or jurisdiction of the world, which protect the security of information or privacy rights of individuals, in so far as those laws and regulations apply to the Processing of Personal Data subject to this Policy and any Agreement(s) to which this Policy applies;
(c)“Data Security Breach” means (1) any unauthorized access to or acquisition of data that compromises the security, confidentiality or integrity of Personal Data, or (2) any unauthorized disclosure of, access to or use of any Personal Data, or (3) any unauthorized intrusion into systems containing Personal Data resulting in unauthorized access or access in excess of authorization. This definition shall apply without regard to whether the Data Security Breach takes place in Mars’ [or the specific Mars entity controlling the systems] systems or your own;
(d)“EEA” means the European Economic Area;
(e)“GDPR” means the European General Data Protection Regulation 2016/679;
(f)“Personal Data” shall mean any information which relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable living individual or household which is Processed by you in the course of providing services on our behalf under this Agreement;
(g)“Process/Processing” shall mean any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
(h)“SCCs” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council according to the Commission implementing decision of 4 June 2021;
(i)“we”, “us”, “our” means [the entity disclosing the data];
(j)“you” means [the entity receiving the data];
(k)“writing,” “written,” where referring to written authorizations, shall include both written and electronic communications;
(l)“Policy” means this Policy and any Agreement(s) to which it applies.
3. DATA PRIVACY
3.1 You shall:
(a) Comply, at your own cost, with Data Privacy Legislation, and if not already required by such Data Privacy Legislation, use all commercially reasonable endeavors to assist Mars in its own compliance with Data Privacy Legislation. This includes, without limitation, the preparation of necessary notifications, registrations and documentation which Mars may be required to make or enter into in order to comply with Data Privacy Legislation in connection with this Agreement.
(b) Not do, or cause or permit to be done, anything in relation to the information provided to or Processed by you on our behalf which may result in a breach by Mars of any applicable laws, regulations, regulatory requirements, or the Data Privacy Legislation.
(c) Only Process the Personal Data in accordance with our documented instructions unless otherwise required by Data Privacy Legislation to which you are subject. In such a case, the Supplier shall inform us of that legal requirement before carrying out the required Processing, unless that law prohibits such information on important public interest grounds.
(d) Not benefit commercially from the Personal Data apart from Processing according to our instructions, and not use the Personal Data received from us to provide services to another person or entity;
(e) At our request, provide an updated list of the types of data you hold on our behalf;
(f) Put in place measures to ensure:
(i) that any employees who have access to Personal Data have received appropriate training on their responsibilities and do not Process the Personal Data except on instructions from us unless required to do so by Data Privacy Legislation to which you are subject; and
(ii) that any employees, contractors or other agents who have access to Personal Data are reliable and have committed themselves to confidentiality and that such confidentiality commitments continue to apply beyond the termination of the employment.
(g) Adopt, at your own cost, all reasonable recommendations which we may make concerning measures, programs and procedures to be adopted to ensure ongoing compliance with the data privacy provisions of this Policy, including any company policies which we may have regarding information security that may be applicable to the services you provide pursuant to this Policy, which we notify to you.
(h) Where the Processing of Personal Data by you (1) relates to Data Subjects located in the European Union, EEA, United Kingdom or Switzerland or is otherwise subject to the GDPR and (2) takes place in a country outside the EEA, you are required to execute the SCCs with Mars, it being understood that (1) we shall be the "data exporter" and you shall be the "data importer" (as defined in the SCCs); (2) the general provisions of the SCCs and the relevant provisions relating to Module Two (Controller to Processor personal data transfers) shall be selected as applicable to the parties; (3) in Clause 9 of the SCCs, option 2 (general written authorisation) shall be considered chosen by and applicable to the parties and thirty (30) calendar days shall be the specified time period for changes to the list of subprocessors; (4) in Clause 11 of the SCCs, the optional provision shall not be considered chosen by and applicable to the parties; (5) in Clause 17 of the SCCs, option 2 shall be considered chosen by and applicable to the parties and the governing law shall be the law of the Netherlands; and (6) in Clause 18 of the SCCs, the choice of forum and jurisdiction shall be the courts of the Netherlands. The SCCs will not be required if you are located in a country outside the EEA for which the European Commission has decided by means of an adequacy decision that such country, or a territory or specific sector within that country (in case the transfer is made to such territory or specific sector), ensures an adequate level of data protection (as described in Art. 45 GDPR).
(i) Not transfer or remove Personal Data across international or jurisdictional boundaries, to the extent such transfers are subject to restrictions under applicable Data Privacy Legislation, unless:
(i) We, and where legally required the Data Subject, have consented to such transfer in writing and such transfer complies and continues to comply with the requirements for international data transfers under applicable Data Privacy Legislation or;
(ii) Such transfer is required by applicable Data Privacy Legislation to which you are subject. In such a case, you shall inform us of that legal requirement before carrying out the required Processing, unless that law prohibits such information on important public interest grounds;
(j) Not subcontract any of your duties under this Policy unless:
(i) The subprocessor is listed in an agreed exhibit, which contains the list of subprocessors approved by us;
(ii) The subprocessor is subject to a written agreement (to the extent required in relation to European Personal Data or under other applicable Data Privacy Legislation) which imposes on the subprocessor at least the same obligations that are imposed on you under this Policy, to the extent applicable to the nature of the services provided by such subprocessor, including obligations to allow inspection and audit of their Processing activities;
(iii) You have carefully chosen the subprocessor under particular consideration of the appropriateness of the technical and organizational security measures taken by the subprocessor. The corresponding test documents shall be made available to us upon reasonable request;
(iv) If you wish to replace a subprocessor or appoint an additional subprocessor, you shall inform us thereof with at least thirty (30) calendar days' prior written or electronic notice. We are entitled to object to the engagement of such new subprocessor within thirty (30) calendar days after receipt of this notice. If we object to the assignment, we shall work together in good faith to agree on a reasonable solution regarding the engagement of the new subprocessor; and
(v) Any consent which we give pursuant to this clause or this Agreement generally for subcontracting will not relieve you of any liability for the performance of your obligations under this Policy. You are liable to us for the subprocessor's compliance with the data protection obligations that you have contractually imposed upon the subprocessor in accordance with this Policy.
(k) Notify us no later than seven (7) calendar days after you receive a request from a Data Subject to have access to Personal Data or exercise any other applicable Data Subject rights, or if you receive any other complaint or request relating to our obligations under the Data Privacy Legislation and assist us insofar as reasonably possible in responding to any such complaint or request, including, without limitation:
(i) Where authorised by us in writing, by allowing Data Subjects to know whether their Personal Data is sold or disclosed and to whom, have access to their Personal Data or to have that Personal Data corrected, deleted, or blocked within the relevant time frames set out by applicable Data Privacy Legislation, and not be discriminated against for exercising these rights;
(ii) By providing us with any information Mars requests relating to the Processing of Personal Data under this Policy; and
(iii) By providing us with any Personal Data you hold in relation to a Data Subject, if required, in a commonly-used, structured, electronic, and machine-readable format.
(l) If we are required by the Data Privacy Legislation to carry out a Privacy Impact Assessment in relation to the services you provide pursuant to this Policy, you will, at your own cost, provide us with such support and information as we may reasonably require in carrying out such assessment;
(m) If we must provide information about our data or your Processing to a governmental or administrative authority or a third party, you shall upon first request assist Mars in providing such information, in particular by making all information and documents relating to the Processing of Personal Data provided by us under this Policy immediately available. This includes, but is not limited to, the technical and organizational measures taken by you, the technical procedures, the places where the Personal Data was Processed and the persons involved in the Processing;
(n) Make available to us all information necessary to demonstrate compliance with this Policy and allow for and contribute to audits, including inspections conducted by us or another auditor mandated by us, including those of any of your agents or subprocessors to whom you have been permitted by us to disclose the Personal Data, with such audits to occur no more frequently than once per calendar year (except where based upon a reasonable belief that you have failed to comply with the terms of this Policy or applicable Data Privacy Legislation) and subject to reasonable security controls and comply with all reasonable requests or directions by us to enable us to verify and/or procure that you are in full compliance with your obligations under this Policy;
(o) Immediately, and in any case within forty-eight (48) hours, inform us in writing if in your opinion one of our instructions or assertions of rights under this Policy infringes applicable Data Privacy Legislation;
(p) If so requested by us at any time, you shall provide us with a copy of the Personal Data or (at our option) destroy it and provide us with a suitable certification of return or destruction; and
(q) Within a reasonable period of time after termination of your provision of services relating to Personal Data, delete or return all the Personal Data to us, delete any existing copies of the Personal Data and provide a suitable certification of return or destruction, save where applicable law requires that you retain copies of such data. You may only retain copies where you are required to do so by applicable law and only for so long as required to do so.
4.1 You must:
(a) At a minimum, implement and maintain appropriate technical and organisational measures to ensure the security and protection of Personal Data, taking into account the nature and sensitivity of the information to be protected, the risk presented by Processing, the state of the art, and the costs of implementation, in compliance with applicable Data Privacy Legislation. Such measures shall include appropriate physical, electronic and procedural safeguards to:
(i) Ensure the security and confidentiality of Personal Data;
(ii) Protect against any threats or hazards to the security or integrity of Personal Data;
(iii) Prevent unauthorised access to or use of Personal Data;
(iv) Protect Personal Data in transit against mass surveillance by appropriate safeguards such as encryption where possible; and
(v) Protect content and/or metadata from unauthorized remote or direct access to the internet backbone, switches, hubs, cables and the like.
(b) Without limiting any other obligations in connection with services provided under this Policy, and as a minimum standard, you shall implement the technical and organizational measures specified in Exhibit A prior to beginning to Process information we provided to you and ensure that Processing of information we provided to you is carried out in accordance with those measures. You shall have the right to implement alternative adequate technical and organizational measures after our prior express agreement in writing, as long as they do not fall below the security level of the technical and organizational measures specified in Exhibit A. You must obtain our approval for any material alterations beforehand in writing. Such agreements must be kept for the duration of any Agreement(s) that include this Policy.
(c) Upon our reasonable request, you shall prove to us your compliance with the technical and organizational measures determined in Exhibit A. Such proof can be furnished at our request by submitting a current certificate or report from an independent authority (such as an auditor) or an appropriate certification. Our rights of control and auditing according to Section 3.1(m) and Section 3.1(n) shall remain unaffected. You shall promptly, and in any case within forty-eight (48) hours, notify us of any reason why you cannot or are not likely to be able to comply with the security provisions in this paragraph, in which case we shall, at our sole discretion, be entitled to suspend or terminate the provision of any services provided by you.
(d) You must immediately, and in any case no later than twenty-four (24) hours, notify us at the following email address: [email protected] if you know, discover or reasonably believe that there has been a Data Security Breach;
(e) In the event of a Data Security Breach, and at your own cost, (1) investigate, correct, mitigate, remediate and otherwise handle the Data Security Breach, including without limitation, by identifying Personal Data affected by the Data Security Breach and taking sufficient steps to prevent the continuation and recurrence of the Data Security Breach; and (2) provide information and assistance reasonably needed to enable us to evaluate the Data Security Breach and, as applicable, to provide timely notices disclosing a Data Security Breach and to comply with any obligations (including but not limited to those imposed by applicable Data Privacy Legislation) to provide information on the Data Security Breach to relevant regulators, affected individuals and as otherwise required by applicable law; and
(f) Indemnify, defend, and hold harmless us against all costs, claims, losses, damages, liabilities and expenses (including but not limited to legal costs and fees) that we may incur as a result of such Data Security Breach caused by your acts or omissions or those of any of your authorized subcontractors, including but not limited to the expenses incurred in investigating the Data Security Breach, notifying affected individuals, and providing these individuals with the support necessary under the circumstances and imposed by applicable Data Privacy Legislation, such as credit monitoring. Notwithstanding the foregoing, we shall retain the right to control the defense of any claim or litigation arising from any Data Security Breach.
5. FINAL PROVISIONS
(a) You shall be liable in accordance with the statutory provisions for damages applicable to us resulting from your culpable breach of this Policy or obligations under applicable Data Privacy Legislation affecting you. In this regard any limitation of liability otherwise agreed between the parties shall not apply. As far as third parties assert claims against us which are caused by your culpable breach of this Policy or an obligation under applicable Data Privacy Legislation, you shall upon first request indemnify and hold us harmless against these claims.
(b) You shall have the burden of proof that any damages and fines are not based on a circumstance for which you are responsible, as far as the respective cause lies in the Processing of Personal Data provided by us within your sphere of responsibility.
(c) In case of conflicts between this Policy and other Agreement(s), Purchase Orders, Statements of Work or other Arrangements between the parties, the provisions of this Policy shall prevail.
(d) We reserve the right at our sole discretion to determine the appropriate action to be taken in the event that you violate this Policy. Such action may include our termination of any existing Agreement that is subject to this Policy.
(e) We reserve the right to change this Policy at any time and for any reason.
Vendor Security Assessment
- Suppliers must have a security policy demonstrating that they are committed to implementing an effective information security framework.
- Suppliers must validate that the security policy is fully implemented within their organizations.
- Suppliers’ security policy and management must be compliant with ISO/IEC standards 27001:2013 (or equivalent standards). Suppliers’ security must be certified by an accredited certification body.
- Suppliers must have a person or department responsible for security management.
- Suppliers must have sufficient resources and facilities made available to ensure security of information.
- Suppliers must have an effective system of recruiting and vetting personnel and training personnel in relation to security responsibilities and disclosure of information.
- Suppliers’ staff and contractors must be bound to maintain the confidentiality of all appropriate data including Personal Data pursuant to executed confidentiality obligations, and for Mars data, must be bound by confidentiality provisions at least as protective as those confidentiality obligations executed by Suppliers who are recipients of Mars data.
- Suppliers must have confidentiality policies in place to support implementation and enforcement of these obligations.
- Suppliers must have security awareness training required for personnel. Suppliers must conduct such training at least annually.
- Suppliers must have an adequate procedure for authenticating the identification of intended recipients of information prior to disclosure.
- Suppliers must have an adequate procedure for authorizing and securing temporary removal of Personal Data to temporary storage.
Physical Security Measures
- Suppliers must have security controls implemented to prevent unauthorized access to their physical sites (badge IDs, biometrics, physical escort or equivalent). Suppliers must adequately control (e.g., card readers, video surveillance) access to the building or room where the information is stored and/or Processed.
- Suppliers must keep a list of personnel with access to facilities storing data. Suppliers must include third parties (e.g. maintenance firms) in such list.
- If applicable, Suppliers must take appropriate measures to ensure passers-by cannot read information off screens or documents.
- If access is given to anyone outside the organization (e.g., to provide IT support), Suppliers must put appropriate security procedures in place to manage and oversee such access.
- Suppliers must lock away paper-based information at night, and maintain a list of personnel with access to such paper media.
- Suppliers must securely dispose of media and/or printed material when no longer required (e.g., through secure cross-cut shredding).
Computer Security Measures
- Suppliers must adequately secure (e.g., through measures taken to make them resistant to attack) the site(s) to which Mars data will be sent and where it will be stored.
- Suppliers must have authentication and logical access controls, including passwords, to control different levels of access to information depending upon requirements.
- Suppliers must require unique IDs for all personnel.
- Suppliers must have strong password requirements based on industry standards and appropriate to the data involved.
- Suppliers must physically or virtually separate Mars data from other clients’ data. If Mars data is commingled with other clients’ data, Suppliers must notify Mars.
- Suppliers must restrict access to data to a need-to-know basis.
- Suppliers must encrypt all laptops and removable storage media that store Personal Data.
- Suppliers must have appropriate security technologies in place to detect potential breaches or malware infections.
- If personnel are permitted to work remotely, Suppliers must have security features in place to secure remote connectivity.
- Suppliers must have a program for identifying vulnerabilities and a program for applying patches in a timely manner.
- Suppliers must have pertinent logs secured and retained for at least 60 days for forensic analysis.
- Suppliers must have adequate procedures for secure destruction of systems and media used for data storage before being reused for other purposes.
- Suppliers must have adequate measures that ensure Personal Data in transit is protected by appropriate technical safeguards such as encryption, where appropriate.
- Suppliers must have adequate measures to provide secure access to network devices (e.g., firewalls, routers, switches) for authorized personnel only.
Secure System Development Lifecycle
- Suppliers must have a secure coding program that ensures at a minimum that the OWASP Top 10 (the 2013 edition, listed below) are addressed:
- A1 Injection
- A2 Broken Authentication and Session Management (was formerly A3)
- A3 Cross-Site Scripting (XSS) (was formerly A2)
- A4 Insecure Direct Object References
- A5 Security Misconfiguration (was formerly A6)
- A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection)
- A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access)
- A8 Cross-Site Request Forgery (CSRF) (was formerly A5)
- A9 Using Components with Known Vulnerabilities (new, but was part of former A6 – Security Misconfiguration)
- A10 Unvalidated Redirects and Forwards
- Suppliers must also ensure that the OWASP Mobile Top 10 (2016 edition) are addressed:
- M1 – Improper Platform Usage
- M2 – Insecure Data Storage
- M3 – Insecure Communication
- M4 – Insecure Authentication
- M5 – Insufficient Cryptography
- M6 – Insecure Authorization
- M7 – Client Code Quality
- M8 – Code Tampering
- M9 – Reverse Engineering
- M10 – Extraneous Functionality
- Suppliers must have a change management process in place that requires all changes to be approved and tested prior to any change in production. The change management process must include roll back procedures.
- Suppliers must have adequate segregation of duties to prevent developers from making unauthorized changes to production.
- Suppliers must have an isolated development environment.
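The A1 Injection item above, as a worked example added to this page (it is not Mars code and not part of the policy text): the injection-vulnerable login query beside the parameterized form, both run against an in-memory SQLite table seeded with constructed rows. The plaintext password column exists only to keep the demonstration short; a real system stores password hashes (otherwise it is an A6 Sensitive Data Exposure finding in its own right).

```python
"""OWASP A1 Injection: vulnerable login query beside the parameterized form.
Added example, not policy or supplier code; uses constructed rows in SQLite."""
import sqlite3
from typing import Dict

# Constructed sample rows. Plaintext passwords are kept only to make the
# demonstration short; a real system stores a password hash (see A6).
SAMPLE_USERS = [
    ("alice", "s3cret-alice", "alice@example.test"),
    ("bob", "s3cret-bob", "bob@example.test"),
]


def build_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Injection-vulnerable: untrusted input is spliced into the SQL text,
    so quotes and comment markers in the input change the query's logic."""
    sql = (
        f"SELECT 1 FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: bound parameters reach the engine as data, never as SQL,
    so the same payloads are plain strings that match no row."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def demo() -> Dict[str, bool]:
    """Run legitimate and malicious inputs through both implementations."""
    conn = build_db()
    comment_out_password = "alice' --"  # closes the quote, comments out the rest
    always_true = "' OR '1'='1"         # turns the password check into a tautology
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "s3cret-alice"),
        "vuln_comment_bypass": login_vulnerable(conn, comment_out_password, "wrong"),
        "vuln_tautology_bypass": login_vulnerable(conn, "nobody", always_true),
        "hard_legit": login_hardened(conn, "alice", "s3cret-alice"),
        "hard_comment_bypass": login_hardened(conn, comment_out_password, "wrong"),
        "hard_tautology_bypass": login_hardened(conn, "nobody", always_true),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} login accepted: {ok}")
```

Both payloads succeed against the string-formatted query and fail against the parameterized one; the fix is the placeholder, not input filtering, because the database driver guarantees that a bound value can never be parsed as SQL.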
Dealing with Security Breaches
- Suppliers must have effective anti-malware and intrusion detection and prevention measures in place to prevent the compromising of the integrity of data or systems.
- Suppliers must have an appropriate policy in place requiring all staff and system users to recognize and report breaches of security to the nominated security officer.
- Suppliers must have adequate procedures in place to manage and mitigate the risk arising from such breaches.
- Suppliers must have an adequate incident response procedure in place to ensure security incidents are investigated and resolved including lessons learned.
Business Continuity and Disaster Recovery
- Suppliers must have adequate business continuity and disaster recovery plans in place to provide effective protection against likely risks, for example, loss, damage, or corruption of information arising from:
- Human error,
- Computer virus,
- Network failure,
- Flood, and
- Other disasters.
- Suppliers must have their business continuity and disaster recovery plans regularly tested.
- Suppliers must have adequate protection against possible loss of information due to failure of power supply (e.g. provision of uninterrupted power supply).
- Suppliers must have effective data backup and systems recovery operations that are independently tested.
Audit and Compliance Arrangements
- Suppliers must maintain tamper-proof audit trails for all security-relevant actions affecting data.
- Suppliers must have regular random audit/assurance checks carried out to confirm security procedures are operating as expected.
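One way to meet the audit trail requirement above, as an added example that is not Mars' or any supplier's code: a hash-chained log in which each entry commits to the previous entry's hash, so that editing or deleting a record breaks every later link. The events, actor and object names are constructed for the example. A hash chain is tamper-evident rather than tamper-proof: it detects alteration but does not prevent it, and deleting the most recent entries is only detected when the latest hash is anchored somewhere the log writer cannot modify (for example shipped to a separate log store); the example shows both the unanchored and the anchored case.

```python
"""Hash-chained audit trail: added example, not policy or supplier code."""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # stands in for the hash of the empty chain


def entry_hash(prev_hash: str, event: Dict) -> str:
    """SHA-256 over the previous hash plus a canonical JSON encoding of the event."""
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append(chain: List[Dict], event: Dict) -> str:
    """Append an event; return the new head hash (the value to anchor externally)."""
    prev = chain[-1]["hash"] if chain else GENESIS
    rec = {"event": event, "prev": prev, "hash": entry_hash(prev, event)}
    chain.append(rec)
    return rec["hash"]


def verify(chain: List[Dict], anchored_head: Optional[str] = None) -> Tuple[bool, int]:
    """Walk the chain; return (ok, index of first bad entry), -1 when intact.

    If anchored_head is given, the chain must also end at that hash, which is
    what catches deletion of the most recent entries."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != entry_hash(prev, rec["event"]):
            return False, i
        prev = rec["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, len(chain)
    return True, -1


# Constructed sample events (hypothetical actor and object names).
SAMPLE_EVENTS = [
    {"ts": "2021-06-01T09:00:00Z", "actor": "ops1", "action": "login", "result": "ok"},
    {"ts": "2021-06-01T09:05:12Z", "actor": "ops1", "action": "export", "object": "users.csv"},
    {"ts": "2021-06-01T09:06:40Z", "actor": "ops1", "action": "delete", "object": "users.csv"},
]


def demo() -> Dict[str, Tuple[bool, int]]:
    """Build the chain, then run two tampering scenarios against it."""
    chain: List[Dict] = []
    head = GENESIS
    for ev in SAMPLE_EVENTS:
        head = append(chain, ev)

    # Scenario 1: rewrite the export record to hide what was taken.
    edited = json.loads(json.dumps(chain))  # deep copy of plain JSON data
    edited[1]["event"]["object"] = "nothing.txt"

    # Scenario 2: drop the most recent record entirely.
    truncated = chain[:-1]

    return {
        "intact": verify(chain, head),
        "edited": verify(edited),
        "truncated_unanchored": verify(truncated),  # prefix is self-consistent
        "truncated_anchored": verify(truncated, head),
    }


if __name__ == "__main__":
    for name, (ok, bad_index) in demo().items():
        print(f"{name:22s} ok={ok} first_bad_entry={bad_index}")
```

The edited record is caught at index 1 because its stored hash no longer matches its content, and every later entry would fail too. The truncated log passes when checked on its own, which is why the head hash must be anchored out of band; with the anchor, the check fails at the position where the missing entry should have been.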
Mars may require the Supplier to re-attest to its security posture annually, or if the Supplier experiences a security event, or if its security posture is detected to have changed under the continuous monitoring program.
UPDATED JUNE 2021