
Victor Buck Services

Data Privacy policy

As an expert in digital transformation and data management, Victor Buck Services processes personal data of other entities within the context of service delivery agreed under a contractual agreement.

This data privacy policy defines how Victor Buck Services intends to process Personal Data as part of the services provided.

The scope of this policy covers all personal data processed by Victor Buck Services as a processor.

 

1. Identity and contact details

 

Controller: Victor Buck Services S.A.
Short name: Victor Buck Services
Direction: Edith Magyarics, Arnaud Wulgaert
Telephone number: (+352) 49 98 66 - 1
Email address: info@victorbuckservices.com
Web page (URL): www.victorbuckservices.com

Controller: Victor Buck Services Asia Pte. Ltd.
Short name: Victor Buck Services
Direction: Edith Magyarics, Arnaud Wulgaert, Isabelle Alvarez
Telephone number: (+65) 6593 5391
Email address: info@victorbuckservices.com
Web page (URL): www.victorbuckservices.com

Data protection officer (DPO): Helene TOVAGLIARO
Telephone number: +352 49 98 66 - 246
Email address: privacy@victorbuckservices.com
Internal or external: Internal

 

 

2. Management statement

The General Data Protection Regulation (GDPR) applies from 25 May 2018.

This legislation supersedes existing data privacy laws, giving more rights to data subjects as individuals and imposing more obligations on organizations holding personal data.

In this policy, we intend to define all information regarding how we process personal data in accordance with laws, regulations and contractual agreements including controller’s instructions.

Victor Buck Services is fully committed to the implementation of a strong framework for managing and protecting personal data. Hence, Victor Buck Services has appointed and named a Data Protection Officer for coordinating, supporting and advising on each topic related to personal data management.

Victor Buck Services undertakes to process personal data in accordance with the applicable laws and regulations and, especially, to implement appropriate technical measures aiming at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of processing.

Victor Buck Services ensures that its employees or third-parties authorized to access personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Victor Buck Services agrees to process Personal Data fairly and lawfully in accordance with the lawful documented instructions of its clients. Hence, taking into account the nature of the processing, Victor Buck Services will reasonably assist the controller by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the latter's obligation to respond to requests for exercising data subjects' rights.

Victor Buck Services Management has approved this policy and understands the importance of managing personal data based on a risk approach and to ensure that rights and freedoms of data subjects are protected.

Note: Victor Buck Services reserves the right to modify this Data Privacy Policy at any time and will communicate any change through appropriate channels.

 

3. Purpose of the processing as a processor

3.1 Service provision

Personal data of data subjects will be processed as part of the delivery of Victor Buck Services services.

Clients are responsible for determining and knowing what data, and what types of data, are transferred into Victor Buck Services environments for processing. Victor Buck Services is then responsible for taking reasonable and appropriate organizational and technical measures to protect the data and for processing it according to the documented instructions of clients.

 

The following services are provided by Victor Buck Services and may include personal data processing:

  • Customer communication services
  • Content services

3.2 Categories of personal data

The categories of personal data are not known to Victor Buck Services, as this knowledge is not required for the performance of the service. Hence, Victor Buck Services processes all data with the same level of security, whether or not it actually includes personal data, and according to the client's documented instructions. Where the client does not instruct Victor Buck Services, Victor Buck Services applies its standard processes and measures.

3.3 Categories of recipients

Personal data processed by Victor Buck Services as a processor will only be disclosed to third parties as defined in documented instructions from the client, or when required by law.

3.4 Transfer to third countries

Personal data may be transferred outside of the EEA within the context of a contractual agreement, following documented instructions and approval from the client, in particular to Victor Buck Services' subsidiary in Singapore, Victor Buck Services Asia Pte Ltd. In this case, Victor Buck Services has implemented appropriate safeguards to ensure the security of personal data. These include, but are not limited to:

  • Encryption is applied, as far as possible, to any data transfer.
  • The data minimization principle is applied to ensure that, as far as possible, only the data necessary for the processing are transferred.
  • Access is limited to authorized employees only.
  • Data is deleted after processing.
  • Quality controls are implemented to check the outputs.

3.5 Subcontracting

Within the framework of the performance of a service, data processing may be subcontracted to a third party. In that case, Victor Buck Services will ask the client's permission for this outsourcing beforehand and will then take the necessary measures to monitor and control the third party. When appointing a subcontractor, Victor Buck Services will do so only by way of a written agreement that imposes on the subcontractor the same privacy, security and confidentiality obligations, so that the subcontractor complies with data protection legislation and applicable privacy standards.

 

4. Retention period and data subject rights

Personal data are processed for a duration equivalent to the limitation period. Victor Buck Services processes personal data based on contractual obligations. Retention policies for each data processing shall be defined by the client and communicated to Victor Buck Services, or will be based on Victor Buck Services standard retention policy. These retention policies shall be defined according to business and operational needs for the delivery of the service and shall not replace legal, regulatory, contractual or other business requirements of the client to store and/or archive personal data.

Personal data retained for that purpose (apart from Presentation Services) are stored only for traceability, for queries and retrieval requests from the client, and for investigation needs. They cannot be modified, so that their integrity is preserved for investigation purposes, and are therefore not subject to the right of rectification.

In case where the client does not instruct Victor Buck Services for the retention period to apply, Victor Buck Services has defined a standard retention policy as described in Appendix A. The client shall approve this retention policy.

In any case, any deviation from the Victor Buck Services standard retention policy will involve additional costs for the client.

 

5. Security mechanisms

In order to protect all personal data processed, and to mitigate the risks to the rights and freedoms of data subjects which may result from the processing of their personal data, Victor Buck Services applies security measures (classified as legal, organizational and technical measures) to ensure the integrity, confidentiality and availability of personal data and to uphold the rights of the data subjects.

In addition to complying with the client's documented instructions, if any, Victor Buck Services has defined security measures to protect data received from clients as part of the data processing related to the service.

Victor Buck Services has implemented an Information Security Management System (ISMS) that has been assessed and found to be in accordance with the requirements of ISO/IEC 27001:2013. Victor Buck Services Management is strongly committed to information security management and to putting in place a governance framework aligned with best practices and compliant with applicable laws and regulations. While the current certification scope of the ISMS covers the PSDC Scanning Service, PSDC Archiving Service and Archiving Service together with their support processes, Victor Buck Services intends to extend the scope of certification and has already spread an information security culture and best practices across the organization as a whole.

The subchapters below summarize Victor Buck Services' commitments across the security control domains defined by the ISO/IEC 27002 standard. The controls and initiatives listed are examples rather than an exhaustive inventory; the objective is to give an overview of Victor Buck Services' maturity in information security.

5.1 Information Security Policy

Victor Buck Services has defined a documentation framework for information security based on policies. These policies describe Victor Buck Services requirements and needs regarding protection of assets and information, compliance with applicable laws and regulations as well as contractual obligations.

Victor Buck Services measures include, but are not limited to:

  • The definition of a Victor Buck Services Global Policy.
  • The definition of a specific Information Security Policy for the ISMS.
  • An annual review of main policies.
  • A process for improving, developing and maintaining the documentation framework (policies, procedures, work instructions, etc.).

5.2 Information Security Organization

Victor Buck Services has defined a process for managing information security within the organization to ensure that information security responsibilities, activities and tasks are well managed and allocated.

Victor Buck Services measures include, but are not limited to:

  • A formalized commitment of Victor Buck Services Management towards information security, including the definition of information security objectives and the provision of the resources and budget needed to deliver the information security strategy.
  • Information security responsibilities and the related tasks are defined and allocated to the relevant functions.
  • An Information Security Committee meets regularly to discuss related topics.

5.3 Asset Management

Victor Buck Services has defined a process for classifying and managing all assets (informational and tangible assets) depending on the classification level.

Victor Buck Services measures include, but are not limited to:

  • Information is classified into different levels according to information security criteria; client information is always treated as confidential.
  • Inventory of assets is kept up-to-date.

5.4 Human Resources Security

Human resources processes take information security requirements into account for each activity, such as employee onboarding, change of position, employee departure, terms and conditions of employment, confidentiality agreements, awareness, training and employee evaluation.

Victor Buck Services measures include, but are not limited to:

  • A defined list of tasks for new joiners, ensuring that they are competent and fit for their role(s) (background checks) and that they are informed of and understand their responsibilities.
  • A defined list of tasks for leavers, ensuring that all assets have been returned.
  • Formal employment contracts that include confidentiality requirements and adherence to information security processes.
  • An information security awareness program that keeps employees aware of their role and responsibilities in relation to information security. In addition, specific awareness and training on privacy and data protection are provided to employees.
  • Job descriptions that include information security responsibilities.

5.5 Access Management

Access to information and assets is based on data classification and on roles and responsibilities, following the need-to-know principle.

Victor Buck Services measures include, but are not limited to:

  • Access is assigned through roles that are allocated according to the employee's function and the "need-to-know" principle.
  • Specific access rights are subject to approval.
  • Privileged access rights are restricted, controlled and allocated following the segregation of duties principle, and limited to what is strictly necessary.
  • Access rights reviews are performed at regular intervals.
  • Strong password management practices are in place for protecting and managing passwords.

5.6 Physical and Environmental Security

Building access control, a clear desk policy and adequate protection of business premises, as well as of the information and assets that reside within them, are essential.

Victor Buck Services measures include, but are not limited to:

  • Access to Victor Buck Services premises is controlled through nominative access cards.
  • Access cards grant access to specific areas on the "need-to-access" principle, with proper logging.
  • Victor Buck Services has contracted with a recognized and multi-certified provider for renting private s in two high-end Data Centers.
  • CCTV is in place at each entry to areas containing personal data.
  • Intrusion detection devices are deployed and connected to a specialized security company providing 24x7 monitoring.
  • A dedicated department is in charge of building security.
  • A clear desk policy has been defined and communicated to all employees.
  • Victor Buck Services shreds all sensitive paper itself.

5.7 Operational Security

Operational security is defined at different levels so that the confidentiality, integrity and availability of information are ensured according to business needs.

Victor Buck Services measures include, but are not limited to:

  • Every laptop, workstation and server runs centrally managed, regularly updated anti-virus software.
  • Laptop hard drives are encrypted.
  • A change management process is in place following ITIL best practices.
  • Use of resources is monitored and tuned according to capacity requirements, to ensure the required system performance and to detect unavailability.
  • Backup copies of information, software and systems are made and tested regularly according to a defined backup policy.
  • A log management architecture is in place for recording user activities, exceptions and information security events in a non-alterable form.
  • Technology watch and regular scanning are in place to detect technical vulnerabilities, so that the associated risk can be evaluated and appropriate measures implemented in a timely manner.
  • Manual penetration testing exercises are executed regularly to identify vulnerabilities on web platforms where personal data may be accessible.
  • Quality assurance checks are performed by Victor Buck Services, or jointly by Victor Buck Services and the client concerned, on the first production run before actual distribution.
  • Specific monitoring controls are in place to identify errors and failures, including:
    - checklists and dashboards to ensure the completeness and accuracy of production runs;
    - automated software to detect processing errors such as file alteration, file specification exceptions, application errors, and printing and mailing issues.
  • Documented procedures and the four-eyes principle for specific cases of manual manipulation of files.

5.8 Network Security

Measures are implemented to protect information in networks and their supporting information processing facilities, and to secure information transferred within Victor Buck Services and with any third parties.

Victor Buck Services measures include, but are not limited to:

  • Network security controls are implemented to protect information in systems and applications.
  • Networks are segregated into domains depending on the perimeter and the organizational units (e.g. development, testing and production environments).
  • Information transfer policies are defined and implemented, including the communication channels that must be used depending on the information classification.
  • Remote access.

5.9 Information Systems Acquisition, Development and Maintenance

To spread information security requirements across all information systems and throughout the lifecycle of information system acquisition, development and maintenance, Victor Buck Services processes include the required steps.

Victor Buck Services measures include, but are not limited to:

  • Information security requirements have to be defined and included in each new information system acquisition project.
  • Pre-production and post-production quality assurance checks are performed along the development lifecycle.
  • A Change Management Governance Charter defines the process, steps and requirements for any change to a client environment, which must be approved by the client following a user acceptance testing sub-cycle.
  • A Functional Requirements document is defined for each change that has an impact on a client environment, and client approval is required before implementation.
  • A Release Management Process is defined to ensure that changes are captured and reviewed adequately before being promoted.
  • The development lifecycle process defines how information security requirements have to be identified, designed, implemented and tested.
  • Data used in development and testing environments is provided by the client itself.

5.10 Supplier Relationships Management

To ensure adequate protection of Victor Buck Services assets and to maintain the agreed level of information security in the services provided, information security is integrated into the purchasing process.

Victor Buck Services measures include, but are not limited to:

  • Information security needs and requirements are defined, established and formalized within agreements.
  • A supplier assessment process is in place to regularly monitor and review supplier service delivery and conformity with information security requirements, including specific on-site audits by the Victor Buck Services internal auditor or internal controller.

5.11 Information Security Incident Management

Information security events and weaknesses associated with information systems are controlled in a manner that allows timely corrective actions to be taken.

Victor Buck Services measures include, but are not limited to:

  • A specific procedure is enforced to ensure a quick, effective and orderly response to information security incidents.
  • Employees are informed about their responsibilities to report information security events through appropriate channels.
  • Tools to detect potential information security incidents are in place.
  • Periodic reviews of information security incidents are done to reduce the likelihood or impact of future incidents.
  • Incident reports are formalized to communicate with transparency about an information security incident.

5.12 Business Continuity Management

To minimize the impact on Victor Buck Services business in the event of a disaster, business continuity and disaster recovery processes are defined and implemented.

Victor Buck Services measures include, but are not limited to:

  • Based on a business impact analysis, business continuity and disaster recovery plans are defined, reviewed and tested to ensure that business continuity objectives are achieved.
  • Sensitive IT assets are replicated across both of our datacenters.
  • Other specific resiliency measures, such as call cascade procedures, are in place in accordance with business requirements.

5.13 Compliance

Compliance of Victor Buck Services with applicable laws, regulations, contractual agreements and internal policies is monitored and assessed through different processes.

Victor Buck Services measures include, but are not limited to:

  • The Victor Buck Services ISMS is regularly audited by an independent and accredited certification body.
  • The internal audit function is in charge of assessing Victor Buck Services conformity with defined criteria according to a management-approved audit plan.
  • The legal advisor is in charge of legal watch and of reviewing signed contracts with third parties to ensure the inclusion of data protection provisions.
  • Technical audits are performed depending on the criticality of the information systems.

 

6. Data breach notification

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.

A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorization; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.

When a personal data breach has been identified and confirmed, Victor Buck Services will notify the client without undue delay and assist the client with any related question. It should be noted that, most of the time, a personal data breach will be identified by the client or the data subject rather than by Victor Buck Services. Furthermore, at this step of the process, no analysis is made of who is responsible for the incident.

Further detail on the recording and management of data breaches can be found in the Incident Management procedure.

 

7. Appendix A

CUSTOMER COMMUNICATION SERVICES

Retention period | Input/incoming data | Intermediary data | Output data

TESTING ENVIRONMENT
Test data – Projects (customer must ensure that such test data do not contain Personal Data) | 90 days after completion date of the Project (*)
User Acceptance Testing ("UAT") | 1 year from reception date | 1 year from creation date | 1 year from distribution date

DOCUMENT PRODUCTION ENVIRONMENT
Personal Data used to produce documents | 2 years from reception date | 2 years from creation date | As per Distribution Environment below

DISTRIBUTION ENVIRONMENT
Classical distribution channels (fax, emailing, file transfer) | - | - | 2 years from distribution date
Web/repository presentation channels (web-based applications) | - | - | 10 years from distribution date

(*) Any project put on hold will be considered as such for a maximum period of 90 days, after which the test data will be deleted. Any such project that needs to be relaunched will be subject to new project planning, which may incur additional time, analysis and costs.

CONTENT SERVICES

Retention period | Input/incoming data | Intermediary data | Output data

TESTING ENVIRONMENT
Test data – Projects (customer must ensure that such test data do not contain Personal Data) | 90 days after completion date of the Project (*)
User Acceptance Testing ("UAT") | 1 year from reception date | 1 year from creation date | 1 year from distribution date

PRODUCTION ENVIRONMENT
Scanning & Imaging | Physical documents are sent back to the client | 2 years from creation date | 2 years from distribution date
Archiving, including VGIL service | - | - | As defined in the contractual agreement
PSDC Scanning | Physical documents are sent back to the client | 2 years from creation date | 2 years from distribution date
PSDC Archiving | - | - | As defined in the contractual agreement

(*) Any project put on hold will be considered as such for a maximum period of 90 days, after which the test data will be deleted. Any such project that needs to be relaunched will be subject to new project planning, which may incur additional time, analysis and costs.

DOCUMENT OUTSOURCING SERVICES

Retention period | Input/incoming data | Intermediary data | Output data
Digital Mail Room | Customer instructions
Print Room | | |

Appendix B

Definitions

  • Personal Data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
  • Cookies: A cookie is a text file that a Web browser stores on a user’s machine. 
  • IP address: An IP address is a unique address that identifies a device on the Internet or a local network. It allows a system to be recognized by other systems connected via the Internet protocol.