Data Privacy Policy

As an expert in digital transformation and data management, Victor Buck Services (“VBS”) processes Personal Data of other entities in the context of service delivery governed by a contractual agreement.

This data privacy policy (“Data Privacy Policy”) defines how VBS intends to process Personal Data as part of the services provided.

The scope of this Data Privacy Policy covers all Personal Data processed by VBS as a Data Processor.

1. IDENTITY AND CONTACT DETAILS

Controller: Victor Buck Services S.A.
Short name: Victor Buck Services
Direction: Stéphanie Noël, Arnaud Wulgaert
Telephone number: (+352) 49 98 66 – 1
Email address: info@victorbuckservices.com
Web page (url): www.victorbuckservices.com
Data protection officer (DPO): Jean-Pierre Wilvers
Telephone number: +352 49 98 66 – 609
Email address: privacy@victorbuckservices.com
Internal or external: Internal

Controller: Victor Buck Services Asia Pte. Ltd.
Short name: Victor Buck Services
Direction: Stéphanie Noël, Arnaud Wulgaert, Isabelle Alvarez
Telephone number: (+65) 6593 5391
Email address: info@victorbuckservices.com
Web page (url): www.victorbuckservices.com
Data protection officer (DPO): Isabelle Alvarez
Telephone number: +65 6593 5391
Email address: Privacy_Asia@victorbuckservices.com
Internal or external: Internal

2. MANAGEMENT STATEMENT

The General Data Protection Regulation (“GDPR”) entered into force on the 25th May 2018 repealing the former applicable European Directive 95/46/CE. The law of the 1st August 2018 completes the GDPR in the Grand-Duchy of Luxembourg.

The GDPR has reinforced data subjects’ rights and increased responsibility and accountability obligations of organizations.

Capitalized Terms included in this policy shall have the meaning assigned to them in paragraph 7.

In this policy, we intend to define all information regarding how we process Personal Data in accordance with laws, regulations and contractual agreements including Controller’s instructions. 

VBS is fully committed to the implementation of a strong framework for managing and protecting Personal Data. Hence, VBS has appointed a Data Protection Officer for coordinating, supporting and advising on each topic related to Personal Data management.

VBS undertakes to process Personal Data in accordance with the applicable laws and regulations and, especially, to implement appropriate technical measures aiming at protecting Personal Data against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of processing.

VBS ensures that its employees or third parties authorized to access Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Awareness-raising and training sessions are regularly provided to employees.

VBS agrees to process Personal Data lawfully in accordance with the lawful documented instructions of its clients, the latter acting as Controller. Hence, taking into account the nature of the process, VBS will reasonably assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the latter’s obligation to respond to requests for exercising data subjects’ rights.

VBS Management has approved this policy and understands the importance of managing Personal Data based on a risk-based approach and of ensuring that the rights and freedoms of data subjects are protected.

Note: VBS reserves the right to modify this Data Privacy Policy at any time; the updated version will be available on VBS’ website or on demand.

3. PURPOSE OF THE PROCESSING AS A PROCESSOR

3.1 SERVICE PROVISION

Personal Data of data subjects will be processed as part of the performance of VBS services pursuant to the execution of a contract or any other type of agreement. 

Clients are responsible for determining and knowing what data and what types of data are transferred into VBS’ environments for processing. VBS is then responsible for taking reasonable and appropriate organizational and technical measures to protect data and for processing data according to the documented instructions of clients.

The following services are provided by VBS and may include Personal Data processing:

(hereinafter “Services”) 

To the extent that Personal Data are processed in the performance of Services, the processing shall be governed by a contract, usually in the form of a Data Protection Agreement, that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data and categories of data subjects and the obligations and rights of the Controller and the Processor.
 

3.2 CATEGORIES OF PERSONAL DATA/DATA SUBJECT

For the performance of Services, VBS collects data from its clients that may include Personal Data of data subjects.

When providing Personal Data to VBS, clients must ensure that Personal Data have been collected from data subjects in full compliance with the applicable Data protection legislation. 

In all circumstances, VBS will process all data, regardless of whether the data actually include Personal Data, with the same high level of security in accordance with the client’s documented instructions. Where the client does not instruct VBS, VBS will implement its standard processes and measures.

3.3 CATEGORIES OF RECIPIENTS

Personal Data processed by VBS as a Processor will only be disclosed to third parties as defined in documented instructions from the client, or when required by law. VBS reserves the right to suspend or cease any processing of Personal Data if VBS becomes aware that such processing may not be compliant with Data protection legislation.

3.4 TRANSFER TO THIRD COUNTRIES

Personal Data may be transferred outside of the EEA within the context of a contractual agreement following documented instructions and approval of the client, in particular to VBS’ subsidiary in Singapore, Victor Buck Services Asia Pte Ltd. In this case, VBS has implemented appropriate safeguards to ensure security of Personal Data. These include, but are not limited to:

3.5 SUBCONTRACTING

Within the framework of the performance of a service, data processing may be subcontracted to a third party (“Subcontractor”). In that case, VBS will first ask the client’s permission for this outsourcing and will then take the necessary measures to monitor and control the processing as performed by the Subcontractor. When appointing a Subcontractor, VBS will do so only by way of a written agreement that imposes the same privacy, confidentiality and security obligations in compliance with data protection legislation and applicable privacy standards.

4. RETENTION PERIOD AND DATA SUBJECT RIGHTS

VBS processes Personal Data for the execution of its Services based on contractual obligations. Retention instructions for each data processing shall be defined by the client and communicated to VBS; otherwise, retention periods will be based on VBS’ standard retention policy.

These retention policies shall be defined according to business and operational needs for the delivery of the service and shall not replace legal, regulatory, contractual or other business requirements of the client to store and/or archive Personal Data.

Personal Data retained for that purpose are stored only for traceability, query/retrieval requests from the client and investigation needs, and cannot be modified, so as to ensure their integrity for investigation purposes. As such, these Personal Data are not subject to the right of rectification.

In any case, deviation from the VBS standard retention policy would involve additional costs for the client.

5. SECURITY MECHANISMS

In order to protect all Personal Data processed and mitigate the risks to the rights and freedoms of the data subjects, VBS will apply security measures (classified as legal, organizational and technical measures) to ensure integrity, confidentiality and availability of Personal Data and to respect the rights of the data subjects.

In addition to complying with client’s documented instructions, if any, VBS has defined security measures to protect data received from clients as part of the data processing related to the service.

VBS has implemented an Information Security Management System that is certified against the ISO/IEC 27001:2013 standard. VBS Management is strongly committed to information security management and to putting in place a governance framework aligned with best practices and in compliance with applicable laws and regulations. The scope of the initial certification, covering PSDC Scanning Service, PSDC Archiving Service and Archiving Service as well as their support processes, has been extended to other Services including Customer Communication Services, Content Services and all support Services of the foregoing.

Subchapters below summarize VBS commitments towards all security control domains defined by the ISO/IEC 27002 standard. The security controls and initiatives are not limited to the examples mentioned in this document, but the objective is to give an overview of VBS maturity in terms of information security. 
 

5.1 INFORMATION SECURITY POLICY

VBS has defined a documentation framework for information security based on policies. These policies describe VBS requirements and needs regarding protection of assets and information, compliance with applicable laws and regulations as well as contractual obligations.

VBS measures include, but are not limited to:

5.2 INFORMATION SECURITY ORGANIZATION

VBS has defined a process for managing information security within the organization to ensure that information security responsibilities, activities and tasks are well managed and allocated.

VBS measures include, but are not limited to the following:

5.3 RISK ASSESSMENTS

VBS has defined a process for performing regular risk assessments on its assets to determine their risk level. Outputs of those risk assessments are reviewed by the information security committee. Risks are addressed with treatment plans. Residual risks are accepted by the corresponding authority.

5.4 ASSET MANAGEMENT

VBS has defined a process for classifying and managing all assets (informational and tangible assets) depending on the classification level. 

VBS measures include, but are not limited to the following:

5.5 HUMAN RESOURCES SECURITY

Human resources processes take into account information security requirements for each activity, such as employee onboarding, change of position, employee departure, terms and conditions of employment, confidentiality agreements, awareness, training and employee evaluation.

VBS measures include, but are not limited to the following:

5.6 ACCESS MANAGEMENT

Access to information and assets is based on data classification and on roles and responsibilities, on a need-to-know basis.

VBS measures include, but are not limited to the following:

5.7 PHYSICAL AND ENVIRONMENTAL SECURITY

Building access control, clear desk policy and ensuring adequate protection of business premises as well as the information and assets that reside within them are essential. 

VBS measures include, but are not limited to the following:

5.8 OPERATIONAL SECURITY

Operational security is defined at different levels to ensure that confidentiality, integrity and availability of information are ensured depending on business needs.

VBS measures include, but are not limited to the following:

5.9 NETWORK SECURITY

VBS protects information in networks and in their supporting information processing facilities, and secures information transferred within VBS and with any third parties.

VBS measures include, but are not limited to the following:

5.10 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE

To apply information security requirements across all information systems and throughout the entire lifecycle of information system acquisition, development and maintenance, VBS processes include the required steps.

VBS measures include, but are not limited to the following:

5.11 SUPPLIER RELATIONSHIPS MANAGEMENT

To ensure adequate protection of VBS assets and to maintain an agreed level of information security as part of the Services provided, information security is integrated into the purchasing process.

VBS measures include, but are not limited to the following:

5.12 INFORMATION SECURITY INCIDENT MANAGEMENT

Information security events and weaknesses associated with information systems are controlled in a manner allowing timely corrective actions to be taken.

VBS measures include, but are not limited to the following:

5.13 BUSINESS CONTINUITY MANAGEMENT

To minimize the impact on VBS business in the event of a disaster, a business continuity process and a disaster recovery process are defined and implemented.

VBS measures include, but are not limited to the following:

5.14 COMPLIANCE

Compliance of VBS with applicable laws, regulations, contractual agreements and the internal policies is monitored and assessed through different processes.

VBS measures include, but are not limited to:

6. DATA BREACH NOTIFICATION

A Personal Data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data (“Personal Data Breach”). This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing Personal Data.

A Personal Data Breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of Personal Data. In short, there will be a Personal Data Breach whenever any Personal Data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorization; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.

When a Personal Data Breach has been identified and proven in the execution of Services, VBS will notify the client without undue delay and assist the client with any related question. Conversely, VBS expects the Controller, when detecting any Personal Data Breach or security incident potentially impacting Services and/or data subjects’ rights, to notify VBS without undue delay. It shall be noted that, most of the time, a Personal Data Breach will be identified by the client or data subject and not by VBS. Furthermore, at this step of the process, there is no analysis of who is responsible for the incident.

All information related to the recording and management of data breaches is detailed in an Incident Management procedure.

7. DEFINITION