IMDS Data Privacy
The data security measures will be subject to technological progress to ensure a
continued adequate level of protection and may be implemented without prior notice,
unless otherwise agreed in any client-specific contract. Copies or duplicates of
personal data are only made for technical purposes and as far as it is required for DXC
to meet its legal and contractual obligations.
Processor regularly furnishes proof of meeting its obligations, including but not
limited to the full implementation of the agreed technical and organizational measures.
Transfer Control
Processor shall implement the below listed measures to ensure that personal data
cannot be read, copied, modified or deleted by unauthorized individuals during the
transfer of data or during the transport of the data media and that it is possible to
check and verify to whom personal data are transferred via networks.
• Firewall systems, proxy servers, NAT network compilation
• Possibility of email encryption and signature
• Data transfer control including encryption of data carriers / media
• Data transfer via secured data transfer protocols
• Encrypted VPN (virtual private network) with two-factor authentication
• Shipping of data tapes and other media exclusively by courier in secured
containers, including documentation
Input Control
Regarding the User Administration, the Processor shall implement the below listed
measures to check and verify whether and by whom personal data have been
entered into or deleted from the data processing systems.
• Documentation of administered activities (setup of USER Accounts, change
management, access and authentication procedures, etc.)
• System log files activated by default with on-demand control
• Archiving of password resets and access requests (request / approval
process)
The Controller is responsible for the Input Control of contact data published
within Material Data Sheets.
Order Control
Processor shall implement the below listed measures to ensure that personal data
are exclusively processed according to agreement and Controller’s instruction.
• Adherence to the obligations as defined in the Terms of Use, this Privacy
Statement of DXC and, where appropriate, EU standard contract provisions
• Control rights of Controller
Availability Control
Processor shall implement the below listed measures to ensure that personal data
are protected from destruction or loss.
• Comprehensive and extensive data backup and recovery
• Disaster recovery and business continuity
• Storage and archiving policies
• Automatic anti-virus and anti-spam scans, including policies
Adequately equipped data centres, including physically separated backup data
centres, if contractually agreed, as well as air conditioning and protection against other
damaging environmental and sabotage impacts, including
• Uninterruptible power supply
• Redundant hardware and network systems, if contractually agreed
• Alarm and security systems (smoke, fire, water)
Separation Rule
Processor shall implement the below listed measures to ensure that personal data
that are envisaged for different purposes can be processed separately.
• Data of different customers will be stored physically and/or logically
separately (multi-customer systems)
• Access request and authentication processes ensure a separated processing
of data of different customers or customer segments
• Separated test and production systems
(8) Subcontracting
“Subcontracting” means third-party processing in terms of this Privacy Statement
covering only services directly relating to the operation of the IMDS platform.
Ancillary services, such as operation and maintenance of the company-wide technical
infrastructure, use of telecommunication services for company-wide communication
and data management as well as services required in connection with the central
customer / supplier management, are not in scope. The obligation of Processor to
ensure compliance with data protection and data security regulations even in these
cases, including Section V of the EU General Data Protection Regulation, remains
unaffected.
Processor carefully selects the subcontractor, taking into particular consideration the
technical and organizational measures taken by the subcontractor.
If data are not exclusively processed by subcontractors within the EU or the EEA,
the provisions of Section (8), (9) and (10) of this Privacy Statement of DXC likewise
apply to the subcontractor. A list of current subcontractors engaged by DXC for the
provision of services shall be made available upon request to the Controller.
Notwithstanding Controller’s rights under applicable data protection laws, the continued use
of the IMDS service by Controller is deemed to constitute an affirmative action and
therefore consent by the Controller to the Terms and Conditions as amended and
communicated from time to time.
(13) Miscellaneous
As far as this Privacy Statement of DXC does not stipulate a deviation, the Terms of
Use shall apply.
If individual parts of this Privacy Statement of DXC are invalid, the invalidity of such
parts shall not affect the validity of the Privacy Statement of DXC as a whole.