Ref. Ares(2016)6212092 - 31/10/2016
Joss Wright—Ed. (Oxford Internet Institute, Ethics Advisor)
Aggelos Kiayias (University of Edinburgh)
Thomas Zacharias (University of Edinburgh)
George Danezis (University College London)
Ethics Report
Deliverable D1.4
31st October 2016
PANORAMIX Project, # 653497, Horizon 2020
http://www.panoramix-project.eu
Revision History
Revision
0.5
1.0
1.5
1.7
Date
2016-07-31
2016-08-31
2016-10-03
2016-10-10
Author(s)
JW (OII)
JW (OII)
TZ (UEDIN)
GD (UCL)
1.5
2016-10-17
TZ (UEDIN)
1.8
2.0
2016-10-20
2016-10-31
JW (OII)
AK (UEDIN)
Description
Initial draft
Final version and submission to the EC
Requirements tables for each partner
Detailed procedures for UCL ethics review process.
Integrated input from partners regarding implementation.
Minor edits
Revised final version and submission to the EC
Executive Summary
Following the grant agreement the ethics report has a three-fold objective.
1. It details all procedures that will be implemented for data collection, storage, protection,
retention and destruction and confirmation of personal information by PANORAMIX
partners.
2. It provides copies of ethical approvals by the competent Ethics Committee and copies
of approvals for the collection of personal data by the competent University Data Protection Officer or National Data Protection authority and any relevant authorisations, if
applicable.
3. It contains templates of the informed consent form to be used.
The document is structured in three chapters, reflecting the above objectives.
Contents
Executive Summary
5
1 Introduction
1.1 Purpose of document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2 Project Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
9
9
9
2 Procedures
2.1 Legal Framework . . . . . . . . . . . . . . . . . . . . . .
2.2 Personal Data . . . . . . . . . . . . . . . . . . . . . . . .
2.3 Data Management . . . . . . . . . . . . . . . . . . . . .
2.3.1 Data Collection . . . . . . . . . . . . . . . . . . .
2.3.2 Data Storage . . . . . . . . . . . . . . . . . . . .
2.3.3 Data Protection . . . . . . . . . . . . . . . . . .
2.3.4 Data Retention . . . . . . . . . . . . . . . . . . .
2.3.5 Data Destruction . . . . . . . . . . . . . . . . . .
2.3.6 Data Confirmation . . . . . . . . . . . . . . . . .
2.4 Implementation - Academic Partners . . . . . . . . . . .
2.5 Implementation - Industry Partners . . . . . . . . . . .
2.5.1 Private Electronic Voting Protocols (GRNET) .
2.5.2 Privacy-Aware Cloud Data Handling (SAP) . . .
2.5.3 Private-Preserving Messaging (Greenhost, Mobile
2.6 Notes on Data Procedures . . . . . . . . . . . . . . . . .
2.6.1 Loss of Personal Data . . . . . . . . . . . . . . .
2.6.2 Data Retention . . . . . . . . . . . . . . . . . . .
2.7 Summary . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
. . . . . .
Vikings)
. . . . . .
. . . . . .
. . . . . .
. . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
11
11
11
11
11
11
12
12
12
12
12
15
16
17
17
19
19
19
20
3 Approvals
21
3.1 Academic partners (UCL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
3.2 Industry partners (GRNET, SAP, Greenhost, Mobile Vikings) . . . . . . . . . . . 23
4 Informed Consent
25
4.1 Academic partners (UCL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
4.2 Industry partners (GRNET, SAP, Greenhost, Mobile Vikings) . . . . . . . . . . . 26
4.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
5 Conclusions
29
A Data Usage Agreements
A.1 GRNET Terms and Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . .
A.2 SAP Terms and Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
A.3 Greenhost Terms and Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . .
31
32
36
47
A.4 Mobile Vikings Terms and Conditions . . . . . . . . . . . . . . . . . . . . . . . . 54
D1.4 - ETHICS REPORT
1. Introduction
1.1
Purpose of document
This document sets out ethical considerations raised by the PANORAMIX project, and identifies
areas in which attention should be focused. Whilst a number of ethical issues in PANORAMIX
relate to data protection requirements, this document is not focused on legal compliance with
European data protection regulations. This document does not set out a proscriptive guide to
research ethics or attempt to enforce an idea of correct ethical behaviour. Instead this document
identifies ethical questions raised by the project, with the intention that these questions will be
considered by project researchers, rather than to define the answers to those questions.
1.2
Project Goals
PANORAMIX aims to develop a privacy-preserving communications infrastructure based on
mix networks that can be exploited by European businesses. The core goal of the project is to
develop a practical and scalable underlying mix-net infrastructure that will support a range of
possible future applications; in the project itself this infrastructure is to be applied to three specific use-cases. The example applications in the project comprise: mix-nets for electronic voting,
privacy-preserving cloud service provision with support for anonymised aggregate surveys and
statistical analysis, and privacy-preserving messaging. Each of these example applications is
supported by a partner with an existing customer base that provides the initial test-bed for the
technology.
In each of these cases the goals of PANORAMIX are to add or improve a privacy layer
over services that are already offered by the commercial partners. Due to this, data protection
requirements will, in each case, fall under the existing relationship that those partners have
with their users unless significant alterations are made to the service or if extra user data are
gathered, stored, or processed. There are some key clarifications to this, which will be discussed
below, however it is worth noting that for each partner, procedures for storage and processing of
personal data are already in place, and the projects use cases are not anticipated to gather any
extra data or require further procedures. Existing policies for handling of data are appended
to this document.
– 9 of 57 –
D1.4 - ETHICS REPORT
– 10 of 57 –
D1.4 - ETHICS REPORT
2. Procedures
2.1
Legal Framework
The European Data Protection Directive [Directive 95/46/EC] sets out a key element of the
ethical considerations for a project such as PANORAMIX, in which the major concerns are
the storing, handling, and processing of data concerning European citizens. It is worth noting
that Directive 95/46/EC is due to be replaced by the recently-adopted General Data Protection Regulation (GDPR) [Regulation (EU) 2016/679] in mid-2018. The modifications in data
management regulation that are put in place by the GDPR are reflected in this report so that
it is ensured the outcome of the project will be compliant with the new regulation.
2.2
Personal Data
Personal data are defined as: any information relating to an identified or identifiable natural
person (“data subject”); an identifiable person is one who can be identified, directly or indirectly,
in particular by reference to an identification number or to one or more factors specific to his
physical, physiological, mental, economic, cultural or social identity;” (Directive 95/46/EC
Article 2(a)) Within the context of PANORAMIX, this refers to identifiers such as names,
email addresses, and user accounts; messages, stored documents, and other data linked directly
to individual users of the services involved in the case studies. Personal data may also be
encountered by academic partners in the course of research on live internet trace. This second
case will be discussed in greater detail below.
2.3
Data Management
We provide the background principles for all the data management procedures of concern with
respect to the PANORAMIX project, namely, data collection, storage, protection, retention,
destruction and confirmation.
2.3.1
Data Collection
Data should be collected for specified, explicit and legitimate purposes. The data collection
process should allow the data subjects to give their consent. The purpose of data collection
should be explicitly determined at the time of the collection. In case of statistical purposes, the
result of processing is aggregate data and not personal.
2.3.2
Data Storage
The storage period should be reasonable with respect to the processing purposes. The data
should not be stored more than necessary and solely for the purposes for which they were
collected. In case of any detected data loss, the data subject should be informed without delay.
– 11 of 57 –
D1.4 - ETHICS REPORT
2.3.3
Data Protection
The key principles that apply to personal data protection are detailed here
• data processing should be authorised and executed fairly and lawfully. In case of any detected alteration or unauthorised disclosure, the data subject should be informed without
delay.
• special categories of processing: it is forbidden to process personal data revealing racial or
ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership,
and the processing of data concerning health or sex life. This provision comes with certain
qualifications concerning, for example, cases where processing is necessary to protect the
vital interests of the data subject or for the purposes of preventive medicine and medical
diagnosis.
• the data subject should have the right to object, on legitimate grounds, to the processing
of data relating to him/her. He/she should also have the right to object, on request and
free of charge, to the processing of personal data that the controller anticipates being
processed for the purposes of direct marketing. He/she should finally be informed before
personal data are disclosed to third parties for the purposes of direct marketing, and be
expressly offered the right to object to such disclosures.
2.3.4
Data Retention
The data controller should facilitate the data subject to access, rectify their data and practice
his/her ’right to be forgotten’ [GDPR, Article 17]. In addition, the controller should not hinder
any attempt of the data subject to transfer the collected data to another controller [GDPR,
Article 20].
2.3.5
Data Destruction
The data controller should evaluate the risks of accidental or unlawful data destruction. In case
of any detected destruction the data subject should be informed without delay.
2.3.6
Data Confirmation
Data processing should be performed transparently with respect to the natural persons concerned. The data controller must provide the data subject from whom data are collected with
certain information relating to himself/herself (the identity of the controller, the purposes of
the processing, recipients of the data, etc.). The data subject should be able to receive confirmation of their data processing. Easy-to-understand information on processing details should
be available to the data subject.
2.4
Implementation - Academic Partners
The academic partners in the project, with the exception of UCL, do not collect personal
data for experiments, research or any other purpose within the PANORAMIX consortium.
For this reason, this report does not provide any information about the data management
implementation procedures carried out by partners UEDIN, UoA, UoT, KUL.
Partner UCL, as part of WP3, designs and evaluates new designs for mix network, especially
for messaging (to support WP7), as well as novel techniques for privacy preserving statistics
and data collection (to support WP6). As part of these activities, UCL may request some data
from other user-facing partners, that is derived from users, and thus personal data, to evaluate
designs under realistic and ecologically valid usage loads.
– 12 of 57 –
D1.4 - ETHICS REPORT
We note that the purpose of some data collection will be the development of privacy-friendly
statistics collection and aggregation. Thus, the processing of personal data themselves will be
the first to benefit, in terms of privacy, from the PANORAMIX advances. Such procedures were
already researched as part of WP3 for the purpose of collecting distributions of data items, such
as the aggregate statistics discussed in
Luca Melis, George Danezis, Emiliano De Cristofaro: Efficient Private Statistics
with Succinct Sketches. 23rd Annual Network and Distributed System Security
Symposium, NDSS 2016, San Diego, California, USA, February 21-24, 2016.
Two key categories of user derived data are foreseen to be of use to the activities of the UCL
partner:
1. Aggregate statistics: Those relate to the dynamics of the traffic in messaging systems,
such as those managed by Mobile Vikings. Those statistics, include the distribution of
message sizes, the distribution of the length of conversations, the distribution of latencies
of message delivery and responses, and distributions of media or attachment sizes. The
purpose of this collection is to evidence and evaluate mix networks and anonymisation
procedures as part of the PANORAMIX project and its outputs.
2. Granular anonymised traffic records: For the purpose of testing the performance of
designed mix systems, as well as anonymisation procedures, granular anonymised traffic
records may be requested from user-facing partners to act as (i) test and evaluation inputs
to the private statistics procedures, and (ii) loads for the evaluation of mix systems. The
granular records will be anonymised by removing identifiers and replacing them with
tokens unlinkable to the accounts concerned. However, unlike the aggregate statistics
above for which we can guarantee with high assurance a good degree of unlinkability to
raw data records, those granular records may be used alongside side information to deanonymise them. Since we treat anonymised granular records as personal information, the
full UCL Ethics approval process will have to be invoked for UCL to process such data.
More information about this process is provided in Section 3.1.
The implementation procedures for academic partner UCL for the two key categories are presented in the following tables:
– 13 of 57 –
D1.4 - ETHICS REPORT
Procedure
Collection
Storage
Protection
Retention
Destruction
Confirmation
Academic Partner UCL - Aggregate statistics:
The aggregate statistics are based on raw existing business records
collected by user-facing partners (such as Mobile Vikings). Those
raw records are aggregated at the point of collection to produce distributions, and provided as such to UCL. The aggregation will be
appropriate to ensure no information any single individual is linkable
back to that individual thus rendering them anonymised statistics at
the point UCL collects them.
Given the low-sensitivity in terms of the Data Protection Act of
anonymised aggregate statistics the datasets will be stored on researchers’ main computers, and protected in-line with other business
confidential data.
Anonymisation is applied at the point of collection as the key protection mechanism. Concepts and mechanisms implementing differential
privacy properties will be used to ensure no individual information
leaks from the dataset.
The data has to be retained until the publication of all scientific
articles output from the project, possibly up to 12 months after the
end of the PANORAMIX project, to ensure any requested revisions to
the works can be carried out. Subject to a discussion related to the
quality of protection and the strength of differential privacy, some
of the aggregated anonymised data may be made available to the
scientific community for the purposes of scientific reproducibility.
In case aggregates are not needed after the above retention period,
and those that are deemed either still sensitive or not needed for
further scientific inquiry, the data will be deleted using the safe delete
option offered by commodity operating systems.
Since the data are anonymised and aggregated users cannot be individually notified of the deletion, but the partners will be notified of
the deletion and consulted before any sharing (even for aggregated
and anonymised data, that may still be business sensitive).
– 14 of 57 –
D1.4 - ETHICS REPORT
Academic Partner UCL - Granular anonymised traffic
records:
Procedure
Collection
Storage
Protection
Retention
Destruction
Confirmation
2.5
The collected data concerns business and traffic records that are already being collected from user-facing partners for the purpose of
managing and improving their services. The purpose of this collection is compatible with the aims of PANORAMIX WP3 and WP6 /
WP7 for which we propose to collect the data. This will have to be
confimed by the legal department of partners, once the exact nature
of data needed is clear (Year 2 and Year 3), and the UCL Ethics
committee.
The data will be stored on an encrypted external hard disk that is
maintained in locked facilities at UCL. Access to the hard disk (physical) and cryptographic keys (logical) will be controlled by the UCL
PI and only given to staff directly working on WP3 and WP7.
The granular traffic records will be protected, at the point of collection, by replacing all identifiers with tokens to ensure that incidental
re-identification is not easy. However, we note that such a protection protects against UCL researchers that do not have access to
side-information, but may not protect anonymity sufficiently against
others that have access to enough side information to de-anonymise
the records. For this reason we will impose a security policy that
forbids the sharing of the granular data.
The granular data will be retained until all publications relating to
PANORAMIX have gone through peer review, to ensure repeatability
of experiments and results, and changes requested by the scientific
community can be implemented. We foresee that this will be no
longer than 12 months after the conclusion of the project.
Once the retention period has passed the logical hard disk key will
be deleted making the data unusable. The hard disk will be deleted
using the secure deletion facility of commodity operating systems.
Since the granular records are anonymised, it is not possible to notify
end-users users of the deletion of specific records. However, UCL will
notify the partners from which the data was collected that the data
was deleted. Under no circumstances UCL will share the data with
other parties.
Implementation - Industry Partners
The industry partners of the consortium that handle personal data are connected with the three
use-cases, which are associated with an industry partner, as shown in the table below.1
Case Study
Private Electronic Voting Protocols
Privacy-Aware Cloud Data Handling
Privacy-Preserving Messaging
Consortium
Partner
GRNET
SAP
Mobile Vikings,
Greenhost
In each case, the partner has a pre-established relation with its customers and is engaged with
PANORAMIX with the only objective to improve the privacy protection of the existing services
that are provided to its customers. This will not result to any fundamentally new provision for
1
The industry partner Mobile Vikings has been removed from the consortium on September 27th, 2016,
however, the ethics report was performed based on information collected in Year-1 of the project.
– 15 of 57 –
D1.4 - ETHICS REPORT
their users, and as such the underlying data protection agreements are not affected by the new
service. Thus, in the below sections we report on the existing data management procedures that
are used stressing that these procedures were not put in place for the purpose of PANORAMIX.
2.5.1
Private Electronic Voting Protocols (GRNET)
GRNET operates the Zeus electronic voting platform, which has been in use for over two years.
This platform already provides privacy-preserving electronic voting through a specific mix-net
implementation. The goals of PANORAMIX are to scale and improve the privacy protections
of this platform.
The Zeus platform administers the generation and distribution of voters’ credentials, vote
collection, and posting of the tallying authorities’ public data and all other information required
for monitoring the election. The implementation procedures are presented in the following table:
Procedure
Collection
Storage
Protection
Retention
Destruction
Confirmation
Private Electronic Voting Protocols (GRNET)
The electoral committee is responsible for entering the voter registration data (that is, the electoral register). This contains name,
surname, father/mothers name, e-mail, phone number. It may also
contain an eduGain principal ID. The electoral committee asks the
users consent to vote electronically, informing them that their registration data will be stored in an electronic electoral register. The
web server hosting Zeus (Apache) keeps a log of accesses and IP addresses. The information on which voters have voted is available to
the electoral committee through the Zeus interface, and is consistent
with the standard practice in paper ballots, where voter names are
stricken off the electoral roll. The web server logs can provide only
the access patterns and cannot violate anonymity as everything is
encrypted with the election keys. The access patterns may reveal the
location of the user when voting.
The voter registration data are stored in unencrypted form only to
be used for future elections.
The data are protected according to the procedures set by GRNET’s
Networks Operations Centre; this does not offer any extra protection
to voting data, but the voting data that is stored consists only of web
server logs, as explained above, and anonymised (through mixnets)
ballots and proofs. This information is also downloadable by the
electoral committee and could be be published without any inherent
privacy risk.
The users of the system (voters and electoral committee) can access
their data (ballots, voter voting data) and download them. GRNET
does not have a formal retention or erasure policy yet as such is
still subject to regulation for e-voting in Greece; in fact, the to date
experience shows that electoral committees request that GRNET will
retain voting data, even though no such commitment has been made.
As voting data accumulates with the increasing number of elections,
a formal GRNET retention policy will be adopted and will be in
compliance with e-voting regulation (when legislated).
The data are protected by unlawful destruction in the same way that
all data in GRNET services are. As explained above, voting data are
not treated separately.
The user is informed of every election procedure that his/her data
are processed. This is supported via the user’s personal mail and
verification of the public election transcript.
– 16 of 57 –
D1.4 - ETHICS REPORT
2.5.2
Privacy-Aware Cloud Data Handling (SAP)
SAP currently offers an encrypted database solution called SEEED. PANORAMIX research
will improve the ability of SAP to extract key performance indicators (KPIs) from this existing
encrypted service. The key performance indicators will be gathered at an aggregate statistical
level, with strict privacy guarantees.
Data (survey answers) are collected and provided as input to standard big data type of
aggregate analysis. In surveys, customers are often asked to provide sensitive data (e.g. health,
religion, business secrets, etc.) which need to be strongly protected. This is currently carried
out according to SAPs existing Global Data Protection and Privacy Policy, reproduced in Appendix A.2 of this document. The procedures’ implementation under the agreement’s conditions
are summarised in the following table.
Procedure
Collection
Storage
Protection
Retention
Destruction
Confirmation
2.5.3
Privacy-Aware Cloud Data Handling (SAP)
Data are collected only after the customer’s consent and only for
fulfilling the specified processing purposes.
Personal data are stored only for as long as is absolutely necessary for
the purposes specified or other legal requirements. Thereafter, personal data are deleted or anonymised. Inaccurate data are corrected
or deleted as soon as possible.
There is continuous monitoring that data processing is in line with
applicable law. Every employee and every third party acting on behalf
of SAP are instructed that they are not permitted to process personal
data without authorisation. If personal data is to be exchanged within
the SAP Group or with other companies, it must first be checked
whether contractual agreements on data protection and privacy and
data security are required.
Continuous legal monitoring is applied to ensure compliance with any
data retention requirements that arise in a case-by-case basis.
Continuous legal monitoring is applied to ensure compliance with any
data destruction requirements that arise in a case-by-case basis.
Following the terms of agreement, a person affected may, at any time,
request information about the data stored on them, its origin, purpose
for storing, and recipients to whom the data is passed on.
Private-Preserving Messaging (Greenhost, Mobile Vikings)
Greenhost
Currently, for the purposes of PANORAMIX data collection has only been performed on
anonymized metadata, with no personally identifying information. The data collection was
email metadata over a four hour time period that was provided to UCL in order to help parameterise and design the PANORAMIX mix network. See Deliverable 7.1 for instructions on how
the data was collected in aggregate and anonymised. In PANORAMIX, Greenhost will continue
work with the PrivEx-based approach of UCL keeps data provably anonymized and not maintain entire databases, but only “succinct sketches” of databases2 that cannot be de-anonymized
but maintain the crucial information needed for PANORAMIX such as average delivery time
and average number of messages per epoch.
We will inform users via a PANORAMIX-specific special agreement if individual outbound
or inbound email is logged. In this case, the customer will be bound by Article 6 “Experimental
2
Luca Melis, George Danezis, Emiliano De Cristofaro: Efficient Private Statistics, with Succinct Sketches.
NDSS 2016.
– 17 of 57 –
D1.4 - ETHICS REPORT
Software” of the terms of agreement. More information about Greenhost procedures are shown
in the table below.
Procedure
Collection
Storage
Protection
Retention
Destruction
Confirmation
Private-Preserving Messaging (Greenhost)
Data collection is never performed on an individual, but Greenhost
does use statistics on data in order to both identify what services are
working and how they are performing. This is captured in article 5.4
of Greenhost’s customer agreement, which is explicitly agreed with
by every customer of Greenhost.
Data collected for measuring the performance of PANORAMIX is
kept for 30 days. The data is then sent to UCL for analysis, but
locally the data are then deleted. An archival copy may be captured
by regular back-ups of the Greenhost system, but archives are only
kept in general for 6 months. Thus, there is no long-term storage of
even anonymised data for PANORAMIX analysis by Greenhost.
Article 10 states that data will not be gathered without consent and
Greenhost is governed by Dutch law which includes the Dutch data
protection act. In detail, in Article 10.2 “Greenhost will not take cognizance of data stored by the customer...unless with the Customer’s
consent, access has been necessary for performance of the contract or
Greenhost is required to do so under a statutory provision or authorized order by the authorities. In that case Greenhost will endeavour
cognizance of the data to minimize, to the extent with its power and,
if possible, inform the customer of this application in an up to date
manner.”
Greenhost follows the current Data Protection Regulation, and will
continue to follow the GDPR. This gives customers the ability to
demand deletion or modification of their data. Greenhost will comply
with all Dutch data retention laws. However, currently although it
has been debated in the Dutch parliament, there is currently not a
Dutch Data Retention directive and so data retention is covered, as
noted earlier, by Article 5 of the customer agreement and so data is
only retained to optimise services. In general, Greenhost does not
retain individual traffic or even IP addresses of its customers.
The data destruction policy is covered in Article 10 of the agreement.
Note that this right continues after the customer has left Greenhost,
as Article 10 states that “The obligation of this article will remain
after the termination of the Agreement for any reason, and so much
for so long as the providing party can reasonably claim to the confidentiality of the information. Although this is not explicit, “Unlawful
destruction” would be a violation of the Contract by Greenhost, as
the service contract requires the data be available to the customer by
the definition of the Service.
Greenhost logs data automatically when needed in terms of performance, but only in aggregate without individual logs (See Deliverable
7.1 for details). Therefore, Greenhost does not ask the individual customer to confirm if the data is original or correct. However, if a sample
of data is collected for performance, any deviations would be detected
from other samples and could lead to an investigation. Also, in terms
of PANORAMIX, the aggregate anonymized data are also being analyzed by UCL, who should detect anomalies and help confirm our
analysis of how email traffic can work with a PANORAMIX-enabled
mix net.
– 18 of 57 –
D1.4 - ETHICS REPORT
Mobile Vikings
Mobile Vikings offer mobile phone services to users, with the option to sign up to an active
Viking Lab that allows participation in developing mobile technologies and services. This existing user base, who make an explicit choice to engage in individual experimental services, will
be the target of the developed PANORAMIX messaging application.
The customers of Mobile Vikings are granting the management of their personal data under the Privacy Conditions Agreement reproduced in Appendix A.4 of this document. The
procedures implementation under the agreement’s conditions are summarised in the following
table.
Procedure
Collection
Storage
Protection
Retention
Destruction
Confirmation
2.6
Private-Preserving Messaging (Mobile Vikings)
Mobile Vikings keep record registration data that contain: first name,
last name, address, email address, date of birth, phone number. Information is requested from the customers when they send emails
to verify registration data. In case of customer contacting, Mobile
Vikings may link the contact to the customer’s registration file, if
necessary.
The registration data and the data regarding the customer’s transaction with Mobile Vikings are included in a permanent record.
Among a list of legitimate use purposes, customers consent that their
data are processed for handling their orders and bills, conducting
market research, Mobile Vikings management, resolution of legal disputes, etc. On simple request, the customers can oppose the use of
their private information for purposes of direct marketing.
On simple request, the customers can access, correct, rectify and/or
change their data.
The company is compliant with all regulations of Belgian law according to data destruction.
The customers are able to verify the validity of their personal record
on simple request.
Notes on Data Procedures
In this section, we provide comments on data processing issues directly related to the project
goals that could be given longer-term consideration.
2.6.1
Loss of Personal Data
Traditional messaging and storage services operate on the basis of trust in the provider to
maintain adequate protection for data whilst retaining the ability to access that data if required.
Encrypted storage and messaging removes both the requirement for trust in the operator, as
well as the ability of the operator to retrieve data on behalf of a user whose credentials have
been lost. Fundamentally, little can be done here beyond informing users of the inability of the
operator to retrieve private data. With increasing usage and awareness of encrypted storage,
such as full disk encryption for platforms such as Microsoft Window, Apple Mac OS, Android,
and iPhone iOS, users are increasingly aware of the inability of providers to retrieve correctly
encrypted data on demand.
2.6.2
Data Retention
Following the April 2014 decision of the Court of Justice of the European Union in a case brought
by Digital Rights Ireland (C-293/12), the EU Data Retention Directive (Directive 2006/24/EC)
– 19 of 57 –
D1.4 - ETHICS REPORT
was ruled unconstitutional on the grounds that bulk collection of personal data failed to be necessary and proportionate for the purposes of law enforcement. In light of this decision, prior
existing requirements for communication providers to store data regarding customer telecommunications are no longer in force at the European level, although the specific status of national
laws that transposed the Data Retention Directive is in some cases contested. As such, any
interaction that data retention requirements might have previously had with respect to the
services offered by PANORAMIX are no longer relevant.
2.7
Summary
This completes the description of data management procedures as implemented by the PANORAMIX
consortium partners. The academic partners, with the exception of UCL, do not engage in data
collection within the consortium and thus no information is provided regarding their procedures.
For the remaining partners, only UCL has specific procedures put in place for the purposes of the
PANORAMIX project. The industry partners, GRNET, SAP, Greenhost, and Mobile Vikings,
engage in the consortium under their pre-existing relationships in terms of data management
with their user base.
It is important to stress that the PANORAMIX system does not change the nature of
existing data management procedures (collection, storage, protection, retention, destruction
and confirmation) for these partners and neither poses a hindrance in terms of the ability to
comply with current and future regulations in data management. In fact, the employment of the
PANORAMIX system will be an argument assisting in compliance arguments, since it enables
data management procedures related to collection, storage and protection to enjoy an improved
anonymity profile in comparison to a non-PANORAMIX enhanced deployment.
– 20 of 57 –
D1.4 - ETHICS REPORT
3. Approvals
3.1
Academic partners (UCL)
The only academic partner engaging in data collection for research is UCL. All research proposals involving living human participants and the collection and/or study of data derived from
living human participants undertaken by UCL staff or students on the UCL premises and/or by
UCL staff or students elsewhere requires ethical approval to ensure that the research conforms
with general ethical principles and standards.
As documented on the UCL website relating to research Ethics, ethical approval at UCL
follows a 10 step process, dependant on the nature of the research undertaken. However, blanket
pre-approval is not possible (say for all potential activities in PANORAMIX), and individual
approvals will be necessary depending on the specifics of the data and research conducted. For
this reason, there is no copies of approval that can be supplied at this stage. Nevertheless, these
will be sought and acquired in year-2 and year-3 of the project as needed and following the
procedure outlined below.
- Step 1: Researchers are advised to submit approvals being mindful of the deadlines and
timelines necessary for the Ethics committee to consider the application. The committee meets
about once a month.
- Step 2: Researchers register within the Ethics database [5], with personal details, if not
already registered. If this is a first application to the Committee, a personal account will be
established. Otherwise, the proposal will be added to the researcher’s account which can be
viewed when they enter the site http://ethics.grad.ucl.ac.uk/new_user.php
A unique Project ID for the proposal will be issued. The finance department will require
this Project ID in order to process grant applications based on this research. Once a Project ID
has been issued, the application form and guidelines will be available for download. A sample
copy of the documentation can be viewed below.
- Step 3: (not required for PANORAMIX research) Formal Sponsorship Review for Clinical
Trials Conducted in Developing Countries.
- Step 4: (not required for PANORAMIX research) Disclosure and Barring Service (DBS)
Checks. A criminal record check will be required by law if the research includes working in
’Regulated’ activity with vulnerable groups as defined by the Safeguarding Vulnerable Groups
Act 2006 or in a position of trust as defined by the Rehabilitation of Offenders Act Exception
Order 1975. Please note that UCL, in accordance with DBS guidelines, does not accept portability of DBS checks which UCL staff or students may have from previous organisations as proof
of satisfactory clearance.
- Step 5: (required for PANORAMIX) Data Protection. The subject can register for Data
Protection on the website by downloading ‘Form 2: Research Registration Form’ [6]. The form
should be completed on-line and e-mailed to: [email protected]. The Legal Services
should be able to process your application within 5 days upon which time you will be issued
with a Data Protection Registration Number1 . Please quote your data protection registration
1
See https://www.ucl.ac.uk/finance/legal/dp-foi-overview
– 21 of 57 –
D1.4 - ETHICS REPORT
number in section A2 of the application form as evidence that the project has been registered
with the UCL Data Protection Officer.
- Step 6: Risk Assessment. In order to determine whether there are any risks associated
with your research i.e., risks to yourself as the researcher and to those you are researching, it is
important to carry out a risk assessment. It is a legal requirement that all research is assessed
for risk. Submitters can refer to UCL Safety Services guidance on how to carry out a risk
assessment. The guidance includes how to record the assessment which must be authorised by
your Supervisor and retained for the submitters’ records.
- Step 7: (not required for PANORAMIX): Insurance. The insurance for all UCL studies is
provided by a commercial insurer. For the majority of studies the cover is automatic. However,
for a minority of clinical research studies the insurer requires prior notification of the project
before cover can be provided. Travel Insurance arrangements for students conducting research
overseas — for studies conducted overseas an application form will need to be completed so
that an insurance cover note can be issued.
- Step 8: Completion of the application form and appendices that are applicable to the
study ensuring that both the Principal Researcher and the Head of Department have signed
the form. The Head of Department should also indicate on the form whether the application is
being submitted for (a) Chair’s action or (b) Full Committee Review based on the criteria of
minimal risk.
→ Application Form: http://ethics.grad.ucl.ac.uk/forms/appform_sample.pdf
→ Application Guidelines: http://ethics.grad.ucl.ac.uk/forms/guidelines.pdf
→ Model Participant Information Sheet and Guidance: http://ethics.grad.ucl.ac.uk/
forms/model-participant-information-sheet-and-guidance.pdf
Recruitment Documents for Participants. All studies that involve the recruitment of participants will use recruitment documents such as information sheets and consent forms. For example forms as well as guidance on formulating your participant information sheet (see Advice on
Formulating Participant Information Sheets http://ethics.grad.ucl.ac.uk/advice.php).
- Step 9: When the application is complete, submitters are strongly encouraged to mail
physical copies of their application and supporting documentation, either via the internal UCL
mail or externally to the following new address, rather than in person, as access will be an issue
at 1-19 Torrington Place. If the application is for full committee review 13 double-sided copies
will be required and for Chair’s review, 2 copies.
INTERNAL Mailing Address
EXTERNAL Mailing Address
Helen Dougal
Research Ethics Co-ordinator
Academic Services
1-19 Torrington Place (9th Floor)
UCL
Helen Dougal
Research Ethics Co-ordinator
Academic Services
UCL
Gower Street
London
WC1E 6BT
An electronic copy should be also submitted to [email protected]
- Step 10: Following Approval. The Principal Researcher must report any proposed
changes, any adverse events and if required report progress on an annual basis (see Key Responsibilities of the Principal Researcher following Approval http://ethics.grad.ucl.ac.uk/
responsibilities.php).
– 22 of 57 –
D1.4 - ETHICS REPORT
3.2
Industry partners (GRNET, SAP, Greenhost, Mobile Vikings)
As it will explained already in Section 2.7 (see also Section 4.2), for all of PANORAMIX
users engaged in the main case studies run by the Consortium industry partners, personal
data are processed in a fully consistent manner with respect to related partner’s Terms and
Conditions that the users have already consented. Therefore, further approval documents for
data processing by industry partners are not applicable.
– 23 of 57 –
D1.4 - ETHICS REPORT
– 24 of 57 –
D1.4 - ETHICS REPORT
4. Informed Consent
Informed consent is a key principle of ethical research, ensuring that research participants are
adequately informed of the risks of taking part in experimental studies, that their participation
is voluntary, and that the information about them gathered remains under their control. The
two key principles of informed consent, taken here from the ESRC Framework for Research
Ethics (http://www.ethicsguidebook.ac.uk/consent-72), can be defined as:
- Principle 1: Research subjects must be informed fully about the purpose, methods and
intended possible uses of the research, what their participation in the research entails and
what risks, if any, are involved.
- Principle 2: Research participants must participate in a voluntary way, free from any
coercion.
We analyse how PANORAMIX project data processing activities comply with the two key
principles separately for the involved academic and industry partners.
4.1
Academic partners (UCL)
As mentioned in Section 2.5, the academic partners in the project, with the exception of UCL,
do not collect personal data for experiments, research or any other purpose.
Regarding partner UCL, all experiments that may result in data capturing due to measurement of internet traces, will be performed only after the approval of UCL’s Ethical Committee
(see Section 3.1), whose standards not only respect informed consent (hence Principles 1 and 2)
but also the participants’ right to confidentiality and the balancing of their involvement against
the potential benefit of the conducted research to the overall community.
The UCL partner does not collect data directly from users, but only indirectly though the
user-facing partners of the project. We foresee such collection is lawful under the existing Privacy
Statements of the partners (such as Mobile Vikings) allowing the collection of information for
the purposes of monitoring and improving their services.
All the data collected is anonymised, at the point UCL receives it – in a very strong sense
when it comes to aggregate data, and in a sufficient manner with respect to data protection
when it comes to granular records – thus making the legality of the collection a matter for the
user-facing partner and placing UCL in a role of Personal Data Processor rather than Personal
Data Controller. Thus UCL will have to abide by the privacy statement of the partners.
In extremis, in case specific and identifiable data needs to be collected, UCL will advise the
user-facing partners about the form user notice and consent needs to take. UCL has clear guidelines on how to formulate such consent forms as documented in http://ethics.grad.ucl.ac.
uk/forms/model-participant-information-sheet-and-guidance.pdf and http://ethics.
grad.ucl.ac.uk/advice.php
In all cases, and in the spirit of the UCL Ethics approval which requires strong data minimization and purpose limitation, such consent forms can only be drafted once the exact nature of
– 25 of 57 –
D1.4 - ETHICS REPORT
the collection and processing purpose is known in Year 2 and Year 3. However, all institutional
procedures and processes are in place once this is necessary.
4.2
Industry partners (GRNET, SAP, Greenhost, Mobile Vikings)
All subjects that engage as customers in the standard activities of the partners GRNET, SAP,
Greenhost and Mobile Vikings consent to their data processing according to the terms and
conditions agreement of each partner, provided in Appendices A.1, A.2, A.3 and A.4 respectively.
As presented in Subsections 2.5.1 2.5.2 and 2.5.3 all three agreements are consistent with EU
data protection and privacy regulations, therefore preserve Principles 1 and 2. PANORAMIX
project activities related to industry partners comply with the said principles by being fully
consistent with the terms and conditions of each partner’s agreements. In particular,
• GRNET’s existing data protection and usage agreement, “Terms and Conditions”, are
specified with respect to the existing electronic platform. Applying PANORAMIX mixnet into the Zeus e-voting system and combined with the privacy protections already
in place that anonymise personal data with respect to the use of the service, GRNETs
existing data protection and usage agreements do not need alteration for the purposes of
PANORAMIX.
• In surveys, SAP customers are often asked to provide sensitive data (e.g. health, religion,
business secrets, etc.) which need to be strongly protected. Beyond existing customer
data covered by SAPs existing Global Data Protection and Privacy Policy, no personal
information processing will be carried out for the purposes of PANORAMIX.
• The customers of Greenhost are providing data based on the existing “Usage Terms and
Conditions.” The type of data collection for PANORAMIX purposes is consented as
part of “Article 6. Experimental Software” in the agreement and are used solely for the
optimisation of the operation of the messaging system.
• The customers of Mobile Vikings are granting the management of their personal data
under the Privacy Conditions Agreement. The user base for the PANORAMIX PrivatePreserving Messaging use case consists only of already existing customers of Mobile
Vikings. Consequently, the customers’ relationship with Mobile Vikings as a data controller, in combination with their explicit consent to make use of the service, do not require
alteration to existing agreements.
4.3
Summary
As far as academic partners are concerned, only partner UCL’s foreseen engagement may result
in data processing and this will be done under the restrictions of UCL Ethical Committee’s
approval, see Sections 3.2, and 4.1.
Apart from the UCL partner’s upcoming activities, the research in PANORAMIX, and
certainly in the main case studies developed by industry partners, does not involve the gathering
of personal data in the form envisioned by traditional informed consent scenarios in research. In
these case studies, direct user experimentation is limited to the extension and improvement of
privacy protections in systems with which users are already familiar, and for which users have
made an active decision to take part.
Ethics Advisor Statement. Users in PANORAMIX are not directly studied,
subjected to treatment, asked to complete tasks, surveyed, or analysed individually.
As such, as ethics advisor I am of the opinion that seeking additional informed
– 26 of 57 –
D1.4 - ETHICS REPORT
consent for participation in the main case study research is unnecessary unless the
specific details of the research are later determined to place users at extra risk with
respect to the exposure of their personal data.
– 27 of 57 –
D1.4 - ETHICS REPORT
– 28 of 57 –
D1.4 - ETHICS REPORT
5. Conclusions
The PANORAMIX project is chiefly concerned with adding enhanced privacy considerations
to existing services. In each of the use cases electronic voting, cloud platforms, and mobile
messaging the experimental privacy enhancements do not entail a new service or experiment
in which new forms of personally-identifying information are gathered, but instead make use
of existing services. As such, the existing data protection agreements and procedures for those
services do not require amendment.
Academic work at partner UCL may utilise data collected by partner Greenhost to improve
the efficiency and fine tune the messaging application. Researchers at UCL will engage with
their institutional research ethics committees, and will practice data minimisation and anonymisation techniques to remove or delete immediately all data beyond that required to test their
techniques. The procedures to be followed have been thoroughly documented in this report.
Ethics Advisor Statement. As ethics advisor to the project, I am satisfied
that the research in the project has been designed with full consideration for ethical concerns, and that the appropriate measures are in place for compliance with
data protection and informed consent of users to participate in the research. The
PANORAMIX project is unusual, in some senses, in that the goals of the project
intrinsically aim to improve many of the traditionally-considered ethical concerns
related to data privacy and security. Further, the research of the project relies on
modifications to existing services that improve, rather than compromise, the protections of users. Despite this, the nature of the project does raise some broader
ethical considerations beyond the basic compliance with data protection. These considerations, relating to the provision of strongly-anonymous services, with the accompanying potential for untraceable abuse and criminal activity, have been raised
and actively discussed at project meetings. While such questions do not admit to
easy answers, as ethical advisor I am satisfied that consideration of these questions
have been fundamentally incorporated into the research of the project and in fact an
upcoming deliverable (D1.5, “System Abuse / Misuse and Mitigation Strategies”)
will address them.
– 29 of 57 –
D1.4 - ETHICS REPORT
– 30 of 57 –
D1.4 - ETHICS REPORT
A. Data Usage Agreements
This section reproduces the applicable data usage agreements, terms of service, or privacy
policies in place for the commercial project partners.
– 31 of 57 –
D1.4 - ETHICS REPORT
A.1
GRNET Terms and Conditions
– 32 of 57 –
GRNETTe
r
msa
ndCondi
t
i
ons(
Le
g
a
lRe
por
t
)
#Ge
ne
r
a
l
GRNETS
.
A.ha
sp
r
i
v
a
c
ypo
l
i
c
ydo
c
ume
nt
sf
o
rpa
r
t
i
c
ul
a
rs
e
r
v
i
c
e
si
t
o
,e
r
s
.Thede
t
a
i
l
sa
nds
pe
c
i
fic
so
ft
hepr
i
v
a
c
ypo
l
i
c
yo
fe
a
c
hs
e
r
v
i
c
e
a
r
ede
fine
da
c
c
o
r
di
ng
l
y
,i
nc
l
o
s
ec
o
o
pe
r
a
t
i
o
nwi
t
ht
heHe
l
l
e
ni
cDa
t
a
Pr
o
t
e
c
t
i
o
nAut
ho
r
i
t
y(
HDPA)
,
de
pe
ndi
ngo
nt
hena
t
ur
ea
ndt
he
r
e
q
ui
r
e
me
nt
so
fe
a
c
hs
e
r
v
i
c
e
.
Ane
x
a
mpl
eo
fs
uc
haPr
i
v
a
c
yP
o
l
i
c
ydo
c
ume
nt
,
t
ha
ta
ppl
i
e
st
oGRNET
S
.
A.
I
a
a
SS
e
r
v
i
c
e~o
k
e
a
no
s(
ht
t
p:
/
/
o
k
e
a
no
s
.
g
r
ne
t
.
g
r
)
,a
ndi
spa
r
to
f
i
t
sTe
r
msOfUs
ei
sa
sf
o
l
l
o
ws
:
"
I
no
r
de
rf
o
rGRNETS
At
opr
o
v
i
dei
t
ss
e
r
v
i
c
e
swi
t
ho
uta
nyi
mpe
di
me
nt
s
,
GRNETS
.
A.c
a
nc
o
l
l
e
c
tg
e
ne
r
a
l
s
t
a
t
i
s
t
i
c
a
l
da
t
ar
e
g
a
r
di
ngt
heflo
wa
nd
o
pt
i
mi
z
a
t
i
o
n/d
e
v
e
l
o
pme
nto
ft
hene
t
wo
r
ka
ndc
o
mput
e
rr
e
s
o
ur
c
e
so
ft
he
i
nf
r
a
s
t
r
uc
t
ur
e
.
GRNETS
.
A.
do
e
sno
tha
v
edi
r
e
c
ta
c
c
e
s
s
,
ha
snoi
nt
e
r
e
s
ti
n
a
ndwi
l
l
no
tc
o
l
l
e
c
ta
nys
pe
c
i
ficda
t
awi
t
hr
e
g
a
r
dt
os
pe
c
i
fics
e
r
v
i
c
e
s
whi
c
ha
r
eho
s
t
e
di
nv
i
r
t
ua
l
ma
c
hi
ne
so
rb
yt
hefina
l
u
s
e
r
so
ft
heho
s
t
e
d
s
e
r
v
i
c
e
s
.Thei
nf
o
r
ma
t
i
o
nwhi
c
hwi
l
l
e
v
e
nt
ua
l
l
yb
ec
o
l
l
e
c
t
e
dt
hr
o
ug
ht
he
s
e
r
v
i
c
e
sb
yGRNETS
.
A.
wi
l
l
b
eus
e
da
c
c
o
r
di
ngt
ot
hei
ns
t
i
t
ut
i
o
na
l
f
r
a
me
wo
r
ki
nf
o
r
c
ei
nGr
e
e
c
ea
ndi
nt
heEur
o
pe
a
nUni
o
n.
Thi
sda
t
ac
a
nb
eus
e
di
no
r
de
rt
omo
ni
t
o
rt
hef
unc
t
i
o
no
ft
hes
e
r
v
i
c
e
s
,
t
oi
mp
r
o
v
et
heq
ua
l
i
t
yo
fi
t
sf
unc
t
i
o
n,o
rf
o
rr
e
s
e
a
r
c
hpur
po
s
e
s
,a
nd
c
a
nb
epub
l
i
s
he
do
rdi
s
t
r
i
but
e
dt
ot
hi
r
dpa
r
t
i
e
sa
f
t
e
rapr
i
o
r
a
ppr
o
pr
i
a
t
ee
l
a
b
o
r
a
t
i
o
ns
ot
ha
tpe
r
s
o
na
l
da
t
ao
ft
hema
na
g
e
r
sa
nd/o
r
o
ft
hefina
l
us
e
r
sa
r
eno
tdi
s
c
l
o
s
e
d
.GRNETS
.
A.
c
a
ndi
s
c
l
o
s
ei
nf
o
r
ma
t
i
o
n
r
e
g
a
r
di
ngt
heus
eo
fv
i
r
t
ua
l
ma
c
hi
ne
swhe
ni
ti
sde
ma
nde
db
yt
hel
a
wa
nd
t
hec
o
mp
e
t
e
nts
e
r
v
i
c
e
s
.
"
#D eZe
use
v
ot
i
ngs
y
s
t
e
m
I
nt
hePANORAMI
Xpr
o
j
e
c
tGRNETwi
l
l
wo
r
ko
ni
t
sZe
use
v
o
t
i
ngs
y
s
t
e
m
(
ht
t
p:
/
/
z
e
us
.
g
r
ne
t
.
g
r
)
.TheZe
uss
y
s
t
e
mi
sus
e
db
ybo
t
he
l
e
c
t
i
o
n
c
o
mmi
t
t
e
e
s
,
whoa
dmi
ni
s
t
e
re
l
e
c
t
i
o
ns
,a
ndv
o
t
e
r
s
,
whoc
a
s
tt
he
i
r
v
o
t
e
s
.
Theus
e
r
sa
r
ec
ur
r
e
nt
l
yno
ta
s
k
e
dt
oa
c
c
e
p
tapr
i
v
a
c
ypo
l
i
c
y
.
Fr
o
m aus
e
r
e
x
p
e
r
i
e
nc
epo
i
nto
fv
i
e
wt
hi
si
sac
o
mpl
i
c
a
t
e
di
s
s
ue
,
a
s
v
o
t
e
r
si
nt
e
r
a
c
twi
t
has
y
s
t
e
mo
nl
yi
nt
hec
o
nt
e
x
to
fa
ne
l
e
c
t
i
o
n.
As
k
i
ngv
o
t
e
r
st
oa
c
c
e
ptado
c
ume
nti
no
r
de
rt
ov
o
t
ee
nt
a
i
l
st
he
po
s
s
i
b
i
l
i
t
yo
fv
o
t
e
r
sno
tv
o
t
i
ngb
yno
ta
c
c
e
pt
i
ng
.
Att
hes
a
met
i
me
,
no
ti
nf
o
r
mi
ngv
o
t
e
r
sa
ta
l
l
a
bo
utt
e
r
mso
fus
ei
sf
a
rf
r
o
mi
de
a
l
;
GRNETS
.
A.wi
l
l
wo
r
ko
nt
ha
ti
nt
hec
o
ur
s
eo
ft
hep
r
o
j
e
c
t
.
##Ze
usI
nf
or
ma
t
i
onCol
l
e
c
t
i
ng
Vo
t
e
r
sa
r
el
i
s
t
e
dwi
t
ht
he
i
rc
o
nt
a
c
tde
t
a
i
l
ss
ot
ha
tZe
usc
a
ns
e
ndt
he
m
a
ni
nv
i
t
a
t
i
o
nt
oc
a
s
tt
he
i
rb
a
l
l
o
t
.The
s
ede
t
a
i
l
s
,e
ma
i
l
a
nd/
o
rpho
ne
numb
e
r
sa
r
ep
r
o
v
i
de
db
ye
l
e
c
t
i
o
na
ut
ho
r
i
t
i
e
sa
ndZe
uss
t
o
r
e
st
he
m
i
nde
fine
t
e
l
ya
spa
r
to
ft
hee
l
e
c
t
i
o
na
ut
ho
r
i
t
i
e
sa
c
c
o
untwi
t
ht
he
s
y
s
t
e
m,
b
utdo
e
sno
tus
ei
ti
na
nyo
t
he
rwa
y
.
Ze
usl
o
g
se
v
e
r
ya
c
t
i
o
no
fa
ut
he
nt
i
c
a
t
e
dv
o
t
e
r
s
,
t
r
us
t
e
e
s
,a
nde
l
e
c
t
i
o
n
a
dmi
ni
s
t
r
a
t
o
r
sf
o
ra
udi
tpur
po
s
e
s
.Thi
si
nf
o
r
ma
t
i
o
ni
sus
e
dwhe
n
e
l
e
c
t
i
o
na
ut
ho
r
i
t
i
e
so
r
de
ra
udi
t
so
ri
nv
e
s
t
i
g
a
t
i
o
nsa
sar
e
s
po
ns
et
o
i
nc
i
de
nt
so
rc
l
a
i
msa
ndc
ha
l
l
e
ng
e
sf
r
o
mv
o
t
e
r
sa
ndc
a
ndi
da
t
e
s
.
Byt
hede
s
i
g
no
ft
hec
r
y
pt
o
g
r
a
phi
cpr
o
c
e
s
sa
ndt
hee
l
e
c
t
i
o
npr
o
t
o
c
o
l
,
Ze
us
a
c
t
sa
sa
na
ut
o
ma
t
i
ct
r
us
t
e
ef
o
ra
l
l
e
l
e
c
t
i
o
nst
huspr
e
v
e
nt
i
nga
ny
ma
ni
pul
a
t
i
o
nf
r
o
me
l
e
c
t
i
o
na
ut
ho
r
i
t
i
e
s
.
##Cooki
e
s
Ze
usus
e
sc
o
o
k
i
e
so
nl
yf
o
re
s
t
a
bl
i
s
hi
ngat
e
mpo
r
a
r
ys
e
s
s
i
o
nwi
t
ht
he
us
e
ra
nddo
e
sno
ta
s
kt
os
t
o
r
ec
o
o
k
i
e
sf
o
rl
o
ngt
e
r
m.
D1.4 - ETHICS REPORT
A.2
SAP Terms and Conditions
– 36 of 57 –
SAP Global Data Protection and Privacy Policy
Version 2.0
December 2015
Public
This attached Policy is provided to you as an information only. It shall have no binding effect on SAP or SAP’s course of business
and SAP reserves the right to change the Policy at any time without giving notice.
SAP Global Data Protection and Privacy Policy Version 2.0 PUBLIC
I
Contents
1.
INTRODUCTION .......................................................................................................................3
2.
DEFINITIONS............................................................................................................................1
3.
BASIC PRINCIPLES OF PROTECTING PERSONAL DATA .....................................................3
4.
RESPONSIBILITIES FOR DATA PROTECTION AND PRIVACY ..............................................3
A.
MANAGEMENT ........................................................................................................................3
B.
GLOBAL HUMAN RESOURCES ..............................................................................................3
C.
EMPLOYEES ............................................................................................................................4
5.
DETAILS ...................................................................................................................................4
A.
NOTIFICATION, ACCURACY OF DATA, AND INSPECTION ...................................................4
B.
DURATION OF STORAGE, DATA DELETION .........................................................................4
C.
ADDITIONAL RULES FOR SPECIAL TYPES OF PERSONAL DATA ......................................4
D.
TRANSFER OF PERSONAL DATA/COMMISSIONED DATA PROCESSING ...........................5
6.
TRANSFER OF CUSTOMER DATA..........................................................................................6
7.
DATA PROTECTION AND PRIVACY SUPERVISORY AUTHORITIES .....................................6
8.
DATA PROTECTION AND PRIVACY AND DATA SECURITY ..................................................6
9.
DATA PROTECTION AND PRIVACY ORGANIZATION ............................................................6
A.
POSITION OF THE DATA PROTECTION OFFICER AND GLOBAL ORGANIZATION .............6
B.
ORGANIZATION AT LOCAL, REGIONAL, AND LINE-OF-BUSINESS LEVEL .........................7
10.
DATA PROTECTION AND PRIVACY STANDARDS .................................................................7
11.
RAISING AWARENESS ............................................................................................................7
ANNEX 1
TASKS OF THE GLOBAL SAP DATA PROTECTION AND PRIVACY ORGANIZATION
ANNEX 2
TASKS OF THE LOCAL, REGIONAL, AND LINE-OF-BUSINESS-SPECIFIC DATA
PROTECTION AND PRIVACY ORGANIZATION
This attached Policy is provided to you as an information only. It shall have no binding effect on SAP or SAP’s course of business
and SAP reserves the right to change the Policy at any time without giving notice.
SAP Global Data Protection and Privacy Policy Version 2.0 PUBLIC
II
This page is intentionally empty in the PUBLIC version of the Policy.
Additionally the annexes with internal content are not provided.
This attached Policy is provided to you as an information only. It shall have no binding effect on SAP or SAP’s course of business
and SAP reserves the right to change the Policy at any time without giving notice.
SAP Global Data Protection and Privacy Policy Version 2.0 PUBLIC
1
1. Introduction
SAP is bound by data protection and privacy laws. SAP respects and protects the rights of individuals, in particular
the right to data protection and privacy during the processing and use of information as well as the right to privacy.
The protection of information comprises the personal data of employees, applicants, customers, suppliers, partners,
and all other persons within SAP's area of responsibility. To adhere to this obligation, SAP has adopted an SAP
Global Data Protection and Privacy Policy (“Policy”), and reviews it regularly.
The Policy outlines a group-wide minimum standard for handling personal data in compliance with data protection
and privacy laws. It defines requirements for all operational processes that affect personal data, as well as clear
responsibilities and organizational structures. As soon as a process at SAP involves collecting, processing, or using
personal data, the provisions of this Policy are to be adhered to. Management of the individual SAP group companies
and the relevant process owners are responsible for ensuring that all processes during which personal data is
collected, processed, or used, are designed such that the provisions of this Policy are fulfilled. It is the duty of all SAP
employees to comply with the provisions of this Policy when handling personal data in their daily work for SAP.
SAP is a global company with headquarters in Germany, a member state of the European Union (EU). Therefore,
the basic principles established through this Policy are based on the requirements of European data protection and
privacy legislation. If, on a case-by-case basis, applicable local law outlines stricter data protection and privacy
requirements than this Policy, personal data must be handled in compliance with those stricter laws. Additional
standards and/or guidelines within the SAP Group that are issued as a result of this Policy must also take the
applicable law into account in this respect. Questions on applicable law can be directed to the Data Protection and
Privacy Office (“DPPO”) (mail:[email protected]) and/or the appointed Data Protection and Privacy Coordinators
(“DPPC”).
Data protection and privacy rights of employees must be guaranteed in accordance with the law of the country in
which the employment contract with the respective SAP Group company was concluded, notwithstanding the local
law of the country in which the employee data is actually processed or used. The legal responsibility for collecting,
processing, and/or using the personal data of SAP employees always lies with the respective employer. It is the
employer's duty to inform other SAP Group companies (for example, if the manager is an employee of a different
SAP company), if within the scope of processing and using personal data for their employees, different provisions
apply for the protection of personal data from those defined in this Policy.
This Policy shall not restrict SAP's right to use employee personal data to the fullest extent legally possible in order
to preserve its position during any legal action or official proceedings. However, the applicable data protection and
privacy law must be observed by SAP generally.
2. Definitions
Anonymized data
Anonymous data
Anonymized data is data in a form that makes the direct or indirect identification of an
individual person impossible, even with the aid of other data or information. Anonymous
data does not have any reference to a person when it is collected. Anonymous and
anonymized data is no longer subject to the internal or external data protection and
privacy regulations.
Commissioned data
processor
A natural or legal person, authority, institution, or any other office that processes
personal data on behalf of the data controller, for example, an external company or an
SAP company that is not the data controller itself.
Special categories of
personal data
Contain data on the racial or ethnic origin, political views, religious or philosophical
beliefs, union membership, felonies, penal convictions, health, or sexual preferences of
persons, as well as data that can be misused for identity theft, for example, social
security numbers, credit card and bank account numbers, as well as passport or driver's
license numbers.
Person affected
An identified or identifiable natural person whose personal data is affected by a data
processing action. A person is deemed identifiable if he or she can be identified directly
This attached Policy is provided to you as an information only. It shall have no binding effect on SAP or SAP’s course of business
and SAP reserves the right to change the Policy at any time without giving notice.
SAP Global Data Protection and Privacy Policy Version 2.0 PUBLIC
2
or indirectly, in particular by reference to an identity number or to one or more factors
specific to that person's physical, physiological, psychological, economic, cultural, or
social identity.
Data processing actions
(collecting, processing,
and/or using)
Third-party
Collecting means procuring data on the person affected. Processing describes any
operation performed with or without the aid of an automatic procedure, or any set of
operations connected with personal data, for example, collecting, saving, modifying,
storing, changing, transferring, locking, or deleting personal data. Using means any
usage of personal data except for processing.
A natural or legal person, authority, institution, or any other office, except for the
following:
·
·
·
·
The person affected
The office responsible
The commissioned data processor
The persons who, under the direct responsibility of the data controller or the
commissioned data processor, are authorized to process the data
For the purposes of this Policy as well as applicable data protection and privacy laws,
different companies within the SAP Group are classified as third-parties in relation to
each other.
Consent
This may be explicit or implicit. Explicit consent generally requires an action by the
person affected, through which they allow the processing of data, for example, the
declaration of consent with the sending of e-mails, or entering of personal data (opt-in).
Explicit consent granted without duress is deemed to be the legal basis for the
processing of personal data, provided no other legal provision is in force. Implicit
consent (for example, via opt-out) allows processing provided the person affected does
not object.
Deletion
Either the physical destruction of data or the anonymization of data in such a way that
makes it impossible to relate the data to a natural person.
Personal data
All information on an identified or identifiable natural person (person affected). A person
is deemed identifiable if he or she can be directly or indirectly identified, in particular by
reference to an identity number or to one or more factors specific to that person's
physical, physiological, psychological, economic, cultural, or social identity.
For example, persons can be identified directly on the basis of names, telephone
numbers, e-mail addresses, postal addresses, user IDs, tax numbers, or social security
numbers, or indirectly on the basis of a combination of any information. Personal data
that is subject to this Policy includes data on employees, applicants, former employees,
customers, interested parties, suppliers, partners, users of SAP websites and services,
and any other persons. The data may be contained in an SAP system, or in systems of
third parties, who operate these on behalf of SAP. Customer systems that SAP or third
parties on behalf of SAP operate are also relevant, as are systems operated by
customers themselves if SAP employees can access the personal data stored in these
systems while providing services, support, or consulting services.
SAP
SAP SE and its global offices and subsidiaries (and 'affiliates’ as defined by the German
Stock Corporation Act (AktG), article 15 ff).
Data controller
(controller)
A natural or legal person, authority, institution, or any other office that, either alone or
in collaboration with others, makes decisions on the purposes and means of processing
personal data (general legal definition). In the case of SAP, an SAP company is always
the controller for the personal data of its employees, customers, suppliers, partners, or
other persons. SAP employees, internal units, or organizations cannot be controllers.
The controller is represented by the management legally responsible, for example, by
the members of the SAP SE Executive Board, or the directors of other SAP companies.
This attached Policy is provided to you as an information only. It shall have no binding effect on SAP or SAP’s course of business
and SAP reserves the right to change the Policy at any time without giving notice.
SAP Global Data Protection and Privacy Policy Version 2.0 PUBLIC
3
3. Basic Principles of Protecting Personal Data
During every process that includes collecting, processing, or using personal data, personal data may be processed
or used only in accordance with this Policy and to the extent permitted by law.
Processing is only allowed in the following cases:
·
If a person affected freely gave their consent, for example, when registering on a website
·
If required to fulfill contracts with the person affected, for example, for an employment contract or a service
contract
·
If legally required or permitted, for example, due to tax or social security laws.
Personal data may be collected and processed for lawful purposes only. The respective purpose must be defined
before the time at which the data is collected. Processing for a purpose other than the one defined before the data
was collected is permitted in exceptional circumstances only if the person affected consents to the processing or if
stipulated by law.
Personal data is to be collected directly from the person affected. Otherwise, the person affected must be at least
informed of which types of personal data will be collected, processed, and/or used, and for which specific purposes.
Data may only ever be collected to the extent absolutely necessary for fulfilling the purpose specified before it is
processed or used; any other processing is not permitted.
Personal data must be accurate at all times and corrected where necessary.
Personal data may be retained only for as long as is absolutely necessary for the purposes specified or other legal
requirements. Thereafter, personal data must be deleted or anonymized (for more information, see section 5b).
4.
Responsibilities for Data Protection and Privacy
a.
Management
The legal responsibility for collecting, processing, and using personal data within SAP lies with the executives of the
SAP company that collects, processes, or uses the personal data for their business purposes.
Within SAP, responsibility can be delegated along the organizational structure of SAP by means of documented
instructions from management, guidelines, and business processes that involve the explicit transfer of responsibility
to managers at different levels as well as employees.
Management is responsible for structuring all processes during which personal data is collected, processed, or used
in such a way that the requirements of this Policy are fulfilled.
The following tasks are the responsibility of management in every SAP company:
b.
·
Continuous monitoring of the applicable law
·
Ensuring that processes during which personal data is collected, processed, and/or used are in line with
applicable law, and that local and global process owners are informed of necessary changes
·
Ensuring that all approvals required by the supervisory authorities for collecting, processing, using, and
transferring personal data have been granted, and that the necessary notifications have been sent to the
supervisory authorities
Global Human Resources
Before commencing an activity during which access to personal data cannot be excluded, every employee and every
third party acting on behalf of SAP are to be instructed that they are not permitted to collect, process, or use personal
data without authorization (data protection) and that this data must be handled confidentially (confidentiality).
Employees are to be made aware of the consequences of violating data protection and confidentiality. This Policy
This attached Policy is provided to you as an information only. It shall have no binding effect on SAP or SAP’s course of business
and SAP reserves the right to change the Policy at any time without giving notice.
SAP Global Data Protection and Privacy Policy Version 2.0 PUBLIC
4
and other internal company guidelines that govern the handling of personal data are to be brought to employees'
attention. The instruction must be documented in writing or in another form. Furthermore, every employee can access
additional information on the Data Protection and Privacy Office portal page.
SAP Global Human Resources is responsible for providing the instruction.
c.
Employees
It is the duty of all SAP employees to treat personal data to which they have access in the course of fulfilling their
contractual duties with SAP as confidential.
SAP employees may collect, process, and/or use personal data only to the extent required to fulfill their duties, and
in accordance with approved processes. If collecting, processing, or using personal data is not recognizably
prohibited for the employee, he or she can refer to the legality of the management's instructions. In case of doubt,
employees may contact the DPPO for clarification (mail: [email protected]).
5.
Details
a.
Notification, Accuracy of Data, and Inspection
A person affected must be informed in a suitable manner that their personal data is being collected, processed,
and/or used. Usually, they are to be informed before the time at which data is collected.
The person affected must be informed of the SAP company collecting the data, the purpose for collecting, processing,
or using the data, as well as other recipients to whom their data will be transferred. The information must be provided
in a way that is easy to understand.
Stored personal data must be accurate. Inaccurate data must be corrected or deleted as soon as practicably possible.
All processes for collecting, processing, and/or using personal data must contain an option for correcting, updating,
and, where required by applicable law, deleting or blocking.
A person affected may, at any time, request information about the data stored on them, its origin, purpose for storing,
and recipients to whom the data is passed on. Queries or complaints submitted by a person affected must be
processed by the SAP company responsible without undue delay or according to those timeframes imposed by local
law, whichever is the earlier. Objections from a person affected with regard to the processing of personal data must
be investigated and, if necessary, remedial action must be taken.
b.
Duration of Storage, Data Deletion
For every process in which personal data is collected, processed, or used, a schedule must be defined for the regular
deletion of personal data after the specified purpose has been fulfilled or if the legal basis no longer applies.
Instead of deleting the personal data, it may also be irreversibly anonymized, meaning retained in such a way that
makes it no longer possible to identify individual persons. If, for technical or legal reasons (for example, if the retention
of data is legally required for tax purposes), it is not possible to either delete or anonymize personal data, this personal
data must be blocked for any further processing and/or use, as well as for further access.
c.
Additional Rules for Special Types of Personal Data
Special types of personal data are details on racial and ethnic origin, political views, religious or philosophical
beliefs, union membership, health, or sexual preferences. Special types of personal data are equal to such personal
data that requires special sensitivity for the persons affected (sensitive data). For example, this is the case for data
on criminal activities, as well as on those individuals who in their respective country fall below the age legally deemed
as adult i.e. minors.
In the instances in which SAP, or third parties acting on behalf of SAP, collect special types of personal data,
management must ensure that the persons affected have been informed in advance and have given their consent
for this. Provided that applicable law does not determine otherwise, special types of personal data may be collected,
This attached Policy is provided to you as an information only. It shall have no binding effect on SAP or SAP’s course of business
and SAP reserves the right to change the Policy at any time without giving notice.
SAP Global Data Protection and Privacy Policy Version 2.0 PUBLIC
5
stored, processed, and transferred only with the explicit consent of the persons affected. Increased precautions (for
example, physical safety features, encryption, and access restrictions) that are appropriate for the special sensitivity
are to be taken for collecting, storing, processing, and transferring this data.
The following additional rules apply for these special categories of data:
· The collection, processing, and/or use of this data must be transparent for the persons affected at all times.
· Consent given by persons affected must refer explicitly to these special categories of data.
· Processes that involve collecting or using special types of personal data may be configured only with a
prior check performed by the DPPO, or in consultation with the local DPPC.
d.
Transfer of personal data/Commissioned Data Processing
If personal data is to be exchanged within the SAP Group or with other companies, it must first be checked whether
contractual agreements on data protection and privacy and data security are required. Such a check is always
required if an SAP Group company is to process data on behalf of another SAP Group company, or if an external
service provider is to process data on behalf of an SAP company (“transfer for processing purposes”). A check is
also necessary if an SAP Group company transfers data to another SAP Group company or an external company
(for example, a service provider, partner, or customer), and the receiving company wishes to use the data for its own
business purposes (“transfer for own purposes”). The legally compliant transfer of personal data within the SAP
Group is ensured based on internal company commissioned data processing agreements (intra-group data transfer
agreements or an ‘IGA’).
If personal data under SAP’s legal responsibility is transferred to an SAP company located in the European Union or
in Switzerland, Liechtenstein, Iceland, or Norway, or in a country not mentioned, it must also be ensured in advance
that a suitable level of protection in accordance with Articles 25 and 26 of the EU Data Protection Directive (95/46/EC)
is guaranteed.
If personal data is transferred, the following rules apply:
Transfer for commissioned processing:
The SAP company that commissions or instructs another SAP company or an external company to collect, process,
or store personal data is responsible for compliance with the requirements of data protection and privacy regulations.
This responsibility does not cease with the transfer to the other SAP or external company.
Every SAP company must ensure that external companies who are to collect, process, or store personal data on
their behalf, are reviewed in advance and then regularly to ensure that they comply with the requirements of data
protection and privacy regulations, and that the necessary contracts with these companies have been concluded.
The review can be delegated to central units within the SAP Group. A regular review also takes place within the
companies of the SAP Group.
Transfer for recipient's own purposes:
The transfer of personal data to another company within the SAP Group or an external company for their own
purposes is allowed only if this is permitted or required by law, or if the persons affected have given their prior consent.
The transferring SAP company must ensure that the legal requirements are checked before the data is transferred.
Transfer to state agencies (authorities and courts):
SAP will transfer personal data to governmental agencies only on the basis of applicable law and after the DPPO
and Global Legal have performed a prior check, and taking into account other required areas within the SAP Group.
This attached Policy is provided to you as an information only. It shall have no binding effect on SAP or SAP’s course of business
and SAP reserves the right to change the Policy at any time without giving notice.
SAP Global Data Protection and Privacy Policy Version 2.0 PUBLIC
6
In the event of a request for information from a governmental authority or a court of competent jurisdiction, SAP will
inform the person affected of this without undue delay.
6. Transfer of Customer Data
SAP processes customer personal data. This means not only the personal data of a customer’s employees/business
partners etc. but also the personal data belonging to SAP’s customer’s own customers. The transfer and use of such
customer data must be performed in full compliance with applicable law and those additional obligations agreed in
the contract between us. Personal data of customers may never be passed on to third parties without an appropriate
legal or contractual basis.
In this respect, SAP works with its customers to support them in complying with the applicable data protection and
privacy legislation; however, this does not include providing our customers with any legal advice or giving them any
guarantee that their legal compliance with data protection and privacy laws are guaranteed.
7. Data Protection and Privacy Supervisory Authorities
If so required by law, contract and/or the obligations set down in this Policy, SAP companies must always cooperate
with any data protection and privacy supervisory authority irrespective of whether such authoritative entity is based
within the EEA or outside the EEA.
If a data protection and privacy supervisory authority requests information or otherwise exercises their right of
investigation, the DPPO must be informed without delay (mail: [email protected]). The DPPO shall then act as
primary coordinator to formulate an appropriate response to the query in consultation with the other responsible
departments (for example, Global Legal, Legal Compliance & Integrity, IT Security, Global GRC), and acts as a direct
contact person with the respective data protection and privacy supervisory authorities.
8.
Data Protection and Privacy and Data Security
Certain data protection and privacy laws require special security measures to be implemented when collecting,
processing, and/or using personal data. SAP shall define such measures in compliance with the legal requirements
in the SAP Security Policy and the related Security Standards and Guidelines. The DPPO shall assist in defining and
updating these standards and guidelines.
9.
Data Protection and Privacy Organization
a.
Position of the Data Protection Officer and Global Organization
The DPPO is an appointed organizational unit within SAP SE. It reports directly to the responsible board member
and is managed by the SAP SE Data Protection Officer.
The DPPO determines the SAP Group's data protection and privacy strategy in accordance with the strategic
objectives of the SAP Group and ensures that the SAP Group companies adhere to the applicable provisions of the
data protection and privacy regulations. The DPPO is to be supported in performing its tasks. In particular, the DPPO
is to be provided with the resources required to perform its tasks and is to be provided with any requested information
fully and without undue delay.
The Data Protection Officer is free to exercise his/her tasks as they see fit. The DPPO employees are only bound by
the instructions of the Data Protection Officer. The Data Protection Officer and the DPPO employees must not be
discriminated against for performing their tasks.
The DPPO maintains a network of data protection and privacy coordinators, who, in accordance with section 9b of
this Policy, are to be appointed by the respective SAP companies and central organizations. The tasks of the global
organization are defined in Annex 1. The DPPCs are to be supported by their respective SAP companies in
performing their tasks and must not be discriminated against for performing their tasks.
This attached Policy is provided to you as an information only. It shall have no binding effect on SAP or SAP’s course of business
and SAP reserves the right to change the Policy at any time without giving notice.
SAP Global Data Protection and Privacy Policy Version 2.0 PUBLIC
b.
7
Organization at Local, Regional, and Line-of-Business Level
This obligation is broken down into 2 key subsections, as follows:
(1) It is the duty of every SAP company to appoint a DPPC for their business unit, and to inform the DPPO the name
of the the personnel appointed. More than one SAP company can also appoint the same DPPC jointly.
All DPPCs must have a direct functional reporting line to the head of the relevant SAP unit to which they have been
appointed. They must ensure compliance with relevant data protection and privacy laws and the provisions of this
Policy. They shall regularly align their activities with the DPPO, but are otherwise free to exercise their expertise in
the area of data protection and privacy as they see fit, and must not be discriminated against for performing their
tasks.
The appointment as DPPC can only be revoked in agreement with the SAP SE Data Protection Officer. If a DPPC's
appointment comes to an end or is otherwise terminated, the respective SAP company must appoint a new DPPC in
good time and inform the DPPO.
The respective business units to which the DPPCs are appointed shall provide the DPPCs with reasonable time to
work required by the DPPC to administer its DPPC duties and suitable resources shall be allocated to the DPPC in
order for them to perform its tasks. To ensure that the DPPC retains and benefits from learning resources to ensure
the necessary expertise to fulfil their duties, they shall be permitted to participate in further education and professional
development funded by SAP upon mutual agreement with their managers.
A DPPC shall undertake those tasks outlined at Annex 2. In the event of any query regarding the nature and scope
of such tasks, the DPPC (or manager responsible for the DPPC) may contact the DPPO for further clarification.
(2) Organizations and/or business units of an SAP company who do not in their daily tasks administer personal data
are also, at the request of the DPPO, obliged to appoint a DPPC responsible for the respective organization.
Accordingly, the provisions of section 9b (1) apply to the DPPCs.
10.
Data Protection and Privacy Standards
The requirements under this Policy can be specified and enhanced through data protection and privacy standards.
Such data protection and privacy standards may only come into effect after the DPPO has reviewed and approved
their compatibility with this Policy.
11.
Raising Awareness
The DPPO and DPPCs shall take measures to raise awareness at regular intervals. All employees and third parties
acting on behalf of SAP are regularly informed about both their duties and their rights within the scope of this Policy
and applicable laws.
This attached Policy is provided to you as an information only. It shall have no binding effect on SAP or SAP’s course of business
and SAP reserves the right to change the Policy at any time without giving notice.
D1.4 - ETHICS REPORT
A.3
Greenhost Terms and Conditions
– 47 of 57 –
Gr
e
e
nhos
tUs
a
g
eTe
r
msa
ndCondi
t
i
ons
Te
r
msa
ndCondi
t
i
ons
The
s
eg
e
ne
r
a
l
t
e
r
msa
ndc
o
ndi
t
i
o
nsa
ppl
yt
oa
l
l
o
,e
r
sa
nda
g
r
e
e
me
nt
sb
e
t
we
e
nGr
e
e
nho
s
tB.
V.Ams
t
e
r
da
m,
Cha
mb
e
ro
fCo
mme
r
c
e62
576
59
3(
“
Gr
e
e
nho
s
t
”
)a
ndi
t
sc
o
unt
e
rpa
r
t
i
e
s(
“
Cus
t
o
me
r
”
)
.
Te
r
mso
rc
o
ndi
t
i
o
nss
e
t
b
yc
us
t
o
me
rt
ha
tde
v
i
a
t
ef
r
o
mo
rdono
ta
ppe
a
ri
nt
he
s
eg
e
ne
r
a
l
t
e
r
msa
ndc
o
ndi
t
i
o
nsa
r
eo
nl
yb
i
ndi
ngf
o
r
Gr
e
e
nho
s
ti
fi
tha
sb
e
e
na
g
r
e
e
dupo
ne
x
pl
i
c
i
t
l
yi
nwr
i
t
i
ng
.
Ar
t
i
c
l
e1.
O8e
ra
nda
c
c
e
pt
a
nc
e
1.
1
.Cus
t
o
me
rc
a
nma
k
eas
e
l
e
c
t
i
o
nv
i
at
heGr
e
e
nho
s
ts
i
t
ef
r
o
mt
hev
a
r
i
o
uspa
c
k
a
g
e
so
fs
e
r
v
i
c
e
s
,
s
uc
ha
swe
b
ho
s
t
i
ng
,me
di
a
t
i
o
nf
o
rr
e
g
i
s
t
r
a
t
i
o
no
fdo
ma
i
nna
me
s
,pr
o
v
i
s
i
o
no
fS
S
Lc
e
r
t
i
fic
a
t
e
s
,i
ns
t
a
l
l
a
t
i
o
no
fs
o
f
t
wa
r
ef
o
r
v
i
r
t
ua
l
s
e
r
v
e
r
s(
t
he“
S
e
r
v
i
c
e
s
”
)t
ha
tGr
e
e
nho
s
ti
swi
l
l
i
ngt
ode
l
i
v
e
r
.Ex
c
l
us
i
v
e
l
yo
nt
hewe
b
s
i
t
ede
s
c
r
i
be
dpa
c
k
a
g
e
de
s
c
r
i
pt
i
o
no
ft
heS
e
r
v
i
c
e
si
sb
i
ndi
ng
.
1.
2
.I
fCus
t
o
me
rma
k
e
sas
e
l
e
c
t
i
o
no
fde
s
i
r
e
ds
e
r
v
i
c
e
sv
i
aa
no
t
he
rc
ha
nne
l
(
s
uc
ha
st
e
l
e
pho
ne
,
l
e
t
t
e
ro
ri
npe
r
s
o
n),
Gr
e
e
nho
s
twi
l
l
ma
k
eaq
uo
t
a
t
i
o
no
ft
hes
e
r
v
i
c
e
sr
e
q
ui
r
e
d,
t
hepr
i
c
e
sa
ndho
wt
he
s
es
e
r
v
i
c
e
sa
r
ede
l
i
v
e
r
e
d.
1.
3
.Thes
ub
mi
t
t
e
ds
e
l
e
c
t
i
o
nf
r
o
m pa
r
a
g
r
a
ph1o
rt
hea
c
c
e
pt
a
nc
eo
ft
heq
uo
t
a
t
i
o
nf
r
o
m pa
r
a
g
r
a
ph2l
e
a
dst
oa
n
a
g
r
e
e
me
ntb
e
t
we
e
nGr
e
e
nho
s
ta
ndCl
i
e
nta
tt
het
i
meo
fi
t
sr
e
c
e
i
ptb
yGr
e
e
nho
s
t
.Gr
e
e
nho
s
twi
l
l
Cu
s
t
o
me
ra
c
o
nfir
ma
t
i
o
ne
ma
i
l
r
e
c
e
i
v
e
d.
Cus
t
o
me
rc
a
nunt
i
l
t
het
i
meo
fr
e
c
e
i
pto
ft
hi
se
ma
i
l
c
a
nc
e
l
t
hea
g
r
e
e
me
nt
.
1.
4
.I
fCus
t
o
me
ri
sana
t
ur
a
l
pe
r
s
o
nno
ta
c
t
i
ngi
nt
hee
x
e
r
c
i
s
eo
fpr
o
f
e
s
s
i
o
no
rbus
i
ne
s
s
,
Cus
t
o
me
rma
y
,wi
t
hi
n
s
e
v
e
nda
y
sa
f
t
e
rc
o
mpl
e
t
i
o
no
ft
hea
g
r
e
e
me
ntt
e
r
mi
na
t
et
hi
sb
yno
t
i
f
y
i
ngGr
e
e
nho
s
t
.Thi
sr
i
g
htl
a
ps
e
sa
ss
o
o
na
sa
Cus
t
o
me
rS
e
r
v
i
c
et
i
meo
rGr
e
e
nho
s
tpe
r
mi
s
s
i
o
nt
odowo
r
ko
nb
e
ha
l
fo
faS
e
r
v
i
c
e
.Thel
a
wdo
e
sno
te
x
i
s
ti
n
me
di
a
t
i
ngr
e
g
i
s
t
r
a
t
i
o
no
fdo
ma
i
nna
me
s
,
a
si
ta
l
wa
y
si
spe
r
f
o
r
me
di
mme
di
a
t
e
l
ya
f
t
e
ra
ppl
i
c
a
t
i
o
na
ndwi
t
ht
he
c
o
ns
e
nto
fCus
t
o
me
r
.
1.
5
.Al
l
c
ha
ng
e
si
nt
hei
mpl
e
me
nt
a
t
i
o
no
faS
e
r
v
i
c
ea
tCus
t
o
me
r
’
sr
e
q
ue
s
ta
r
ec
o
ns
i
de
r
e
da
ddi
t
i
o
na
l
wo
r
kwhe
ni
t
a
dde
dc
o
s
tc
o
ns
i
de
r
e
da
ddi
t
i
o
na
l
wo
r
ka
nda
sar
e
s
ul
tl
e
s
swo
r
kwhe
nt
he
r
ei
sl
e
s
sc
o
s
t
.
Thes
a
mea
ppl
i
e
swhe
na
c
ha
ng
ei
nc
i
r
c
ums
t
a
nc
e
s
,
adi
,e
r
e
nti
mpl
e
me
nt
a
t
i
o
ni
sr
e
q
ui
r
e
d
.Gr
e
e
nho
s
tma
ya
dj
us
tt
hepr
i
c
e
sa
c
c
o
r
di
ng
l
y
uni
l
a
t
e
r
a
l
l
y
,b
uto
nl
ya
f
t
e
rc
o
ns
ul
t
a
t
i
o
nwi
t
hCu
s
t
o
me
r
.
Ar
t
i
c
l
e2.
I
mpl
e
me
nt
a
t
i
onoft
heS
e
r
v
i
c
e
s
2.
1
.Af
t
e
rt
hec
o
nc
l
us
i
o
no
ft
hea
g
r
e
e
me
nta
ss
o
o
na
spo
s
s
i
bl
eGr
e
e
nho
s
twi
l
l
p
r
o
v
i
det
heS
e
r
v
i
c
e
si
na
c
c
o
r
da
nc
e
wi
t
ht
hea
g
r
e
e
me
nt
,
t
a
k
i
ngi
nt
oa
c
c
o
untr
e
a
s
o
na
bl
ef
ur
t
he
rwi
s
he
so
fCus
t
o
me
r
.
Gr
e
e
nho
s
tg
ua
r
a
nt
e
e
st
ha
tt
he
S
e
r
v
i
c
e
st
ot
heb
e
s
tc
a
nbepe
r
f
o
r
me
dus
i
ngduec
a
r
ea
ndwo
r
k
ma
ns
hi
p
.Thef
o
l
l
o
wi
nga
ppl
i
e
st
ode
l
i
v
e
r
yt
i
me
s
a
r
ei
ndi
c
a
t
i
v
eunl
e
s
so
t
he
r
wi
s
ei
ndi
c
a
t
e
d.
2.
3
.I
fa
ndi
ns
o
f
a
ra
st
hep
r
o
pe
ri
mpl
e
me
nt
a
t
i
o
no
ft
heS
e
r
v
i
c
e
sr
e
q
ui
r
e
s
,Gr
e
e
nho
s
tha
st
her
i
g
htt
oc
o
mmi
s
s
i
o
n
c
e
r
t
a
i
na
c
t
i
v
i
t
i
e
sb
yt
hi
r
dpa
r
t
i
e
s
.
The
s
et
hi
r
dpa
r
t
i
e
so
pe
r
a
t
eunde
rt
her
e
s
po
ns
i
bi
l
i
t
ya
nds
upe
r
v
i
s
i
o
no
f
Gr
e
e
nho
s
t
.
2.
4
.Cus
t
o
me
rwi
l
l
a
l
r
e
a
dydoa
l
l
t
ha
ti
sr
e
a
s
o
na
bl
yne
c
e
s
s
a
r
ya
ndd
e
s
i
r
a
bl
et
oa
l
l
o
wat
i
me
l
ya
ndpr
o
pe
re
x
e
c
ut
i
o
n
o
ft
hea
g
r
e
e
me
nt
.
I
npa
r
t
i
c
ul
a
rc
o
nt
r
i
b
ut
e
sCus
t
o
me
re
ns
ur
et
ha
ta
l
l
bus
i
ne
s
sa
ndda
t
awhi
c
hGr
e
e
nho
s
ti
ndi
c
a
t
e
s
a
r
ene
c
e
s
s
a
r
yo
rwhi
c
ht
heCl
i
e
ntr
e
a
s
o
na
b
l
yunde
r
s
t
a
ndt
obene
c
e
s
s
a
r
yt
opr
o
v
i
det
heS
e
r
v
i
c
e
swi
l
l
b
epr
o
v
i
de
d
t
oGr
e
e
nho
s
t
.
2.
5
.Gr
e
e
nho
s
tha
st
her
i
g
htt
op
r
o
v
i
det
heS
e
r
v
i
c
e
st
os
us
pe
ndo
rr
e
s
t
r
i
c
ts
uppl
yi
fi
tt
u
r
nso
utt
ha
tt
heCus
t
o
me
r
i
nr
e
s
pe
c
to
ft
hec
o
nt
r
a
c
ta
no
bl
i
g
a
t
i
o
nt
oGr
e
e
nho
s
tno
tc
o
mea
f
t
e
ro
ra
c
t
si
nv
i
o
l
a
t
i
o
no
ft
he
s
et
e
r
mso
rt
hel
a
w.
2.
6
.Cus
t
o
me
rs
ha
l
l
a
te
nt
e
r
i
ngi
nt
ot
hea
g
r
e
e
me
ntawo
r
k
i
nge
ma
i
l
a
ddr
e
s
st
og
i
v
eup
.Gr
e
e
nho
s
tma
ys
e
nda
l
l
c
o
mmuni
c
a
t
i
o
nsc
o
nc
e
r
ni
ngt
hea
g
r
e
e
me
ntt
ot
hi
se
ma
i
l
a
ddr
e
s
s
.Thi
se
ma
i
l
a
ddr
e
s
ss
ho
ul
dwo
r
kt
hr
o
ug
ho
utt
he
c
o
nt
r
a
c
t
.I
ft
hec
ha
ng
ee
ma
i
l
a
ddr
e
s
s
,
Cus
t
o
me
rmu
s
tno
t
i
f
yt
hec
ha
ng
ef
r
o
mt
hi
se
ma
i
l
a
ddr
e
s
s
.Re
q
ue
s
t
sf
o
r
i
nf
o
r
ma
t
i
o
no
ra
c
c
e
s
st
oc
us
t
o
me
rda
t
as
ho
ul
da
l
s
ob
edo
nef
r
o
mt
hi
se
ma
i
l
a
ddr
e
s
s
.
2.
7
.Gr
e
e
nho
s
tf
o
c
us
e
so
ne
ne
r
g
ys
a
v
i
ng
,“
g
r
e
e
n
”ho
s
t
i
nga
ndo
t
he
rs
e
r
v
i
c
e
s
.Asus
e
dGr
e
e
nho
s
to
nl
yr
e
ne
wa
b
l
e
e
ne
r
g
ys
o
ur
c
e
s
.Gr
e
e
nho
s
ts
t
r
i
v
et
oi
mpr
o
v
ei
nt
hi
sa
r
e
awi
t
hi
t
ss
e
r
v
i
c
e
.
TheI
S
O 26
000s
t
a
nda
r
df
o
rs
o
c
i
a
l
r
e
s
po
ns
i
bi
l
i
t
yo
fo
r
g
a
ni
z
a
t
i
o
nsi
sl
e
a
di
ngi
nt
hi
s
.
Ar
t
i
c
l
e3.
S
uppor
tbyGr
e
e
nhos
t
3.
1
.Gr
e
e
nho
s
twi
l
l
r
e
ma
i
na
v
a
i
l
a
b
l
ef
o
rar
e
a
s
o
na
bl
el
e
v
e
l
o
fr
e
mo
t
es
uppo
r
tb
ypho
neo
re
ma
i
l
.Thet
i
me
so
f
a
v
a
i
l
a
bi
l
i
t
ya
nda
nyr
e
s
po
ns
et
i
me
swi
l
l
bepub
l
i
s
he
do
rwi
l
l
bec
o
mmuni
c
a
t
e
dma
nne
rt
obea
g
r
e
e
do
nt
he
we
b
s
i
t
eo
fGr
e
e
nho
s
t
.
3.
2
.Gr
e
e
nho
s
twi
l
l
t
hene
c
e
s
s
a
r
ys
o
f
t
wa
r
e(
l
i
k
eVPSe
nv
i
r
o
nme
nt
s
,
Apa
c
he
,
My
S
QL,
e
t
c
.
)i
ns
t
a
l
l
a
nd/o
r
c
o
nfig
ur
eo
ns
y
s
t
e
msma
na
g
e
db
yGr
e
e
nho
s
t
.
3.
3
.Addi
t
i
o
na
l
s
o
f
t
wa
r
emus
tbei
ns
t
a
l
l
e
db
yt
heCu
s
t
o
me
rhi
ms
e
l
f
.Cus
t
o
me
rwi
l
l
e
ns
ur
et
ha
tt
hi
ss
o
f
t
wa
r
eupt
o
da
t
e
,
pa
r
t
i
c
ul
a
r
l
ywi
t
hr
e
g
a
r
dt
os
e
c
ur
i
t
y
.Onr
e
q
ue
s
tGr
e
e
nho
s
tc
a
nb
eo
fhe
l
p
,whi
c
hGr
e
e
nho
s
te
nt
i
t
l
e
dt
o
c
ha
r
g
ei
t
sus
ua
l
ho
ur
l
yr
a
t
e
.
I
fGr
e
e
nho
s
tfindst
ha
tCus
t
o
me
rdo
e
sno
tpr
o
pe
r
l
yupda
t
et
hes
e
c
ur
i
t
ys
o
f
t
wa
r
e
Gr
e
e
nho
s
tc
a
ni
nt
e
r
v
e
nei
na
c
c
o
r
da
nc
ewi
t
hAr
t
i
c
l
e5.
3.
4
.I
fne
c
e
s
s
a
r
yf
o
rt
heus
eo
fs
o
f
t
wa
r
el
i
c
e
ns
e
sf
r
o
mt
hi
r
dpa
r
t
i
e
s
,Cu
s
t
o
me
rwi
l
l
de
c
r
e
a
s
et
he
s
el
i
c
e
ns
e
sa
nd
e
ns
ur
et
ha
ti
t
spr
o
v
i
s
i
o
nsa
r
es
t
r
i
c
t
l
yc
o
mpl
i
e
dwi
t
h.Onr
e
q
ue
s
tGr
e
e
nho
s
tma
yde
c
r
e
a
s
ec
e
r
t
a
i
nl
i
c
e
ns
e
sa
nd
t
r
a
ns
f
e
rt
ot
heCus
t
o
me
r
,a
g
a
i
ns
tmut
ua
l
l
ya
g
r
e
e
df
e
e
.
Cus
t
o
me
ri
nde
mni
fie
sGr
e
e
nho
s
tc
l
a
i
msb
yt
hi
r
dpa
r
t
i
e
s
r
e
l
a
t
i
ngt
oi
ns
t
a
l
l
a
t
i
o
na
ndl
i
c
e
ns
i
ngo
fs
o
f
t
wa
r
e
,
e
x
c
e
pti
ns
o
f
a
ra
st
hec
l
a
i
msa
r
et
her
e
s
ul
to
fi
nf
o
r
ma
t
i
o
no
r
l
i
c
e
ns
e
sa
r
ede
l
i
v
e
r
e
db
yGr
e
e
nho
s
t
.
3.
5
.
Whe
nCus
t
o
me
rb
e
l
i
e
v
e
st
ha
ts
o
f
t
wa
r
edo
e
sno
two
r
ko
rno
ta
de
q
ua
t
e(
e
g
.
Al
o
wpe
r
f
o
r
ma
nc
e
)Gr
e
e
nho
s
ti
s
r
e
a
dyt
oe
x
a
mi
net
hi
sf
ur
t
he
ra
ndpr
o
po
s
eapl
a
nf
o
ri
mp
r
o
v
e
me
nt
.
Toc
o
nduc
to
ft
hes
t
udya
ndt
hei
mpr
o
v
e
me
nt
c
ha
r
g
e
sa
r
ea
ppl
i
c
a
bl
e
,unl
e
s
si
ta
ppe
a
r
st
ha
tt
hec
a
us
eo
ff
a
i
l
ur
eo
rno
two
r
k
i
ngpr
o
pe
r
l
yduet
oGr
e
e
nho
s
ti
t
s
e
l
f
.
Ar
t
i
c
l
e4.
Av
a
i
l
a
bi
l
i
t
yofs
y
s
t
e
ms
4.
1
.I
faS
e
r
v
i
c
e(
pa
r
t
l
y
)s
uppl
i
e
dt
hr
o
ug
hs
y
s
t
e
msa
nd/o
rne
t
wo
r
k
sma
na
g
e
db
yGr
e
e
nho
s
t
,s
uc
ha
swe
bho
s
t
i
ng
,
e
ma
i
l
t
r
a
ns
mi
s
s
i
o
n/r
e
c
e
pt
i
o
no
ra
c
c
e
s
st
oo
nl
i
nes
o
f
t
wa
r
eo
rma
na
g
e
me
ntt
o
o
l
s
,
Gr
e
e
nho
s
twi
l
l
e
nde
a
v
o
ri
nt
hi
s
S
e
r
v
i
c
et
ouni
nt
e
r
r
upt
e
da
v
a
i
l
a
bi
l
i
t
yo
ft
he
s
es
y
s
t
e
msa
ndt
oc
r
e
a
t
ene
t
wo
r
k
sa
ndt
or
e
a
l
i
z
ea
c
c
e
s
st
oda
t
as
t
o
r
e
db
y
Gr
e
e
nho
s
t
.
4.
2
.Gr
e
e
nho
s
tdo
e
sno
tg
ua
r
a
nt
e
et
hec
o
nt
i
nuo
usa
v
a
i
l
a
bi
l
i
t
y
,
unl
e
s
so
t
he
r
wi
s
ea
g
r
e
e
db
yme
a
nso
fas
o
c
a
l
l
e
d
S
e
r
v
i
c
eLe
v
e
l
Ag
r
e
e
me
nt
.
4.
3
.Gr
e
e
nho
s
twi
l
l
e
nde
a
v
o
rt
ok
e
e
pt
hes
y
s
t
e
msi
tus
e
sa
nds
o
f
t
wa
r
eupt
oda
t
e
.
Gr
e
e
nho
s
the
r
ei
sho
we
v
e
r
de
pe
nde
nto
ni
t
ss
uppl
i
e
r(
s
)
.
Gr
e
e
nho
s
ti
se
nt
i
t
l
e
dt
oi
ns
t
a
l
l
a
nupda
t
eo
rpo
s
t
po
nepa
t
c
hunt
i
l
t
he
yc
a
nt
e
s
ti
t
ha
sbe
e
na
de
q
ua
t
e
l
ya
nde
v
a
l
ua
t
e
.
4.
4
.I
fa
c
c
e
s
st
oa
na
dmi
ni
s
t
r
a
t
i
v
ea
c
c
o
unta
nd/o
rama
na
g
e
me
nta
g
r
e
e
ds
ot
oc
o
meCu
s
t
o
me
rma
ybea
g
r
e
e
d
a
s
pe
c
t
so
fma
na
g
i
ngt
heS
e
r
v
i
c
e
,
Gr
e
e
nho
s
twi
l
l
pr
o
v
i
det
heCus
t
o
me
rwi
t
ha
na
dmi
ni
s
t
r
a
t
i
v
eus
e
r
na
mea
nd
pa
s
s
wo
r
d.
Ev
e
r
ya
c
t
i
o
nt
ha
to
c
c
ur
sv
i
at
hea
dmi
ni
s
t
r
a
t
i
v
ea
c
c
o
unto
ra
na
c
c
o
unto
fa
ni
ndi
v
i
dua
l
us
e
ro
ft
he
Cus
t
o
me
ri
sc
o
ns
i
de
r
e
dt
ob
eunde
rt
her
e
s
po
ns
i
b
i
l
i
t
ya
ndr
i
s
ko
ft
heCus
t
o
me
r
.
I
nc
a
s
e
so
fs
us
pe
c
t
e
da
bus
eo
fa
n
a
c
c
o
untCus
t
o
me
rmus
tr
e
po
r
tt
hi
sa
ss
o
o
na
spo
s
s
i
b
l
es
ot
ha
tGr
e
e
nho
s
tc
a
nt
a
k
et
he
s
eme
a
s
ur
e
s
.
4.
5
.Gr
e
e
nho
s
twi
l
l
ma
k
er
e
g
ul
a
rba
c
k
upso
fCus
t
o
me
r
’
ss
y
s
t
e
mso
fGr
e
e
nho
s
ts
t
o
r
e
dda
t
af
o
rc
o
nt
i
nui
t
y
pur
po
s
e
s
.The
s
eba
c
k
upsa
r
eno
tma
d
ea
v
a
i
l
a
b
l
et
oCus
t
o
me
ro
nl
yb
yGr
e
e
nho
s
tus
e
df
o
rda
t
ar
e
c
o
v
e
r
yt
o
c
o
nt
i
nui
t
ypr
o
b
l
e
ms
.
Thepr
o
v
i
s
i
o
no
ft
heb
a
c
k
upso
ri
ndi
v
i
dua
l
fil
e
sf
r
o
mi
ti
spo
s
s
i
bl
eo
nl
yi
ns
p
e
c
i
a
l
c
a
s
e
sa
nd
upo
npa
y
me
nto
ft
het
he
nc
ur
r
e
nts
t
a
nda
r
dr
a
t
e
.
4.
6
.I
ft
heb
a
c
k
ups
e
r
v
i
c
ea
sa
g
r
e
e
dGr
e
e
nho
s
twi
l
l
p
r
o
v
i
d
et
hec
r
e
a
t
e
db
a
c
k
upt
oCus
t
o
me
rf
o
runme
di
a
t
e
d
a
c
c
e
s
s
.
4.
7
.Cus
t
o
me
r
’
so
bl
i
g
a
t
i
o
nt
ome
e
tt
hea
g
r
e
e
dl
i
mi
t
sf
o
rda
t
at
r
a
ns
f
e
r
,s
t
o
r
a
g
ea
nd/o
rpr
o
c
e
s
s
i
ngc
a
pa
c
i
t
y
.
Ex
c
e
e
di
ngi
sGr
e
e
nho
s
ta
ut
ho
r
i
z
e
df
ur
t
he
ru
s
et
or
e
s
t
r
i
c
to
rbl
o
c
kt
heS
e
r
v
i
c
e
,
o
rt
ob
r
i
nga
na
ddi
t
i
o
na
l
a
mo
unt
i
na
c
c
o
r
da
nc
ewi
t
ht
het
he
na
ppl
i
c
a
bl
ea
mo
unt
sf
o
ra
ddi
t
i
o
na
l
pr
o
c
e
s
s
o
rc
a
pa
c
i
t
y
,da
t
at
r
a
ns
f
e
ro
rs
t
o
r
a
g
e
.
Gr
e
e
nho
s
twi
l
l
wa
r
nt
hec
us
t
o
me
ri
nt
i
meb
e
f
o
r
eb
r
i
ng
i
nga
ddi
t
i
o
na
l
us
e
dc
a
pi
c
i
t
e
i
tc
ha
r
g
e
d.
Ar
t
i
c
l
e5.
Rul
e
sofc
onduc
tonc
ont
e
nt
5.
1
.Cus
t
o
me
rma
yno
ts
t
o
r
eo
rdi
s
t
r
i
but
ei
nf
o
r
ma
t
i
o
ni
nv
i
o
l
a
t
i
o
no
ft
hel
a
wo
rt
het
e
r
msa
ndc
o
ndi
t
i
o
ns
.
5.
2
.I
npa
r
t
i
c
ul
a
r
,
Cus
t
o
me
rma
yno
ts
t
o
r
eo
rdi
s
t
r
i
but
ei
nf
o
r
ma
t
i
o
nt
ha
t
o
,e
ns
ei
nv
o
l
v
e
sf
o
r
mso
fpo
r
no
g
r
a
phyo
rl
i
be
l
o
us
,de
f
a
ma
t
o
r
y
,r
a
c
i
s
t
,
di
s
c
r
i
mi
na
t
o
r
y
,ha
t
e
f
ul
,
i
nf
r
i
ng
e
st
her
i
g
ht
so
ft
hi
r
dpa
r
t
i
e
s
,i
na
nyc
a
s
e
,butno
tl
i
mi
t
e
dt
oc
o
py
r
i
g
ht
s
,t
r
a
de
ma
r
kr
i
g
ht
sa
ndpo
r
t
r
a
i
t
r
i
g
ht
s
,
c
o
nt
a
i
nsuns
o
l
i
c
i
t
e
dc
o
mme
r
c
i
a
l
,
c
ha
r
i
t
a
bl
eo
rp
hi
l
a
nt
hr
o
pi
cc
o
mmuni
c
a
t
i
o
n.
5.
3
.I
ti
sp
r
o
hi
bi
t
e
dt
os
t
o
r
eo
rt
r
a
ns
mi
tda
t
ao
rpr
o
c
e
s
s
e
so
rs
o
f
t
wa
r
e
,
whe
t
he
rt
hr
o
ug
ht
hes
y
s
t
e
mso
fGr
e
e
nho
s
t
bo
o
twhi
c
hCus
t
o
me
rk
no
wso
rc
a
nr
e
a
s
o
na
bl
ys
u
s
pe
c
tt
ha
tt
hi
sGr
e
e
nho
s
t
,o
t
he
rus
e
r
so
ft
heS
e
r
v
i
c
e
so
rI
nt
e
r
ne
t
us
e
r
so
rda
ma
g
ec
a
ni
nfli
c
t
.
5.
4
.Gr
e
e
nho
s
tc
a
nl
o
g
sa
ndma
i
nt
a
i
nr
e
c
o
r
dso
ft
heus
eo
ft
heS
e
r
v
i
c
e
si
no
r
de
rt
ome
a
s
ur
et
hep
e
r
f
o
r
ma
nc
eo
fi
t
s
s
y
s
t
e
msa
ndt
oi
de
nt
i
f
yv
i
o
l
a
t
i
o
nso
ft
hi
sa
r
t
i
c
l
e
.
Gr
e
e
nho
s
twi
l
l
ho
we
v
e
rno
tk
e
e
pl
o
g
so
ni
ndi
v
i
dua
l
o
ut
bo
und
e
ma
i
l
t
r
a
Ecwi
t
ho
uts
pe
c
i
a
l
pe
r
mi
s
s
i
o
nf
r
o
mt
heCu
s
t
o
me
r
.
5.
5
.I
fi
nt
heo
pi
ni
o
no
fGr
e
e
nho
s
tha
sb
e
e
nav
i
o
l
a
t
i
o
no
ft
hi
sa
r
t
i
c
l
e
,Gr
e
e
nho
s
ti
se
nt
i
t
l
e
dt
ot
a
k
ea
l
l
me
a
s
ur
e
si
t
de
e
msr
e
a
s
o
na
b
l
yne
c
e
s
s
a
r
yt
ot
e
r
mi
na
t
eo
rr
e
duc
et
hei
mpa
c
t
.
The
s
eme
a
s
ur
e
sa
r
ee
l
a
bo
r
a
t
e
di
nt
he“
no
t
i
c
ea
nd
t
a
k
e
do
wn
”po
l
i
c
ya
ss
t
a
t
e
do
nt
heGr
e
e
nho
s
twe
bs
i
t
e
.
Thi
swi
l
l
i
nc
l
udet
hel
o
c
kma
yo
rdi
s
a
b
l
i
nga
c
c
e
s
st
o
i
nf
o
r
ma
t
i
o
no
rdi
s
a
bl
i
ngs
o
f
t
wa
r
e
.Gr
e
e
nho
s
twi
l
l
no
t
i
f
yCus
t
o
me
ro
fa
nya
c
t
i
o
nunde
rt
hi
sAr
t
i
c
l
e
.I
fGr
e
e
nho
s
t
c
o
s
t
smu
s
tma
k
et
oe
ndav
i
o
l
a
t
i
o
no
rt
omi
ni
mi
z
et
hei
mpa
c
t
,i
twi
l
l
ber
e
c
o
v
e
r
e
df
r
o
mt
heCl
i
e
nt
.
5.
6
.
Whe
ns
uEc
i
e
nt
l
ypl
a
us
i
b
l
et
ha
tt
he
r
ei
sawr
o
ng
f
ul
a
c
ta
g
a
i
ns
tat
hi
r
dpa
r
t
ya
ndt
ha
tt
hi
r
dpa
r
t
yha
sar
e
a
l
i
nt
e
r
e
s
ti
nt
hei
s
s
u
eo
fp
e
r
s
o
na
l
da
t
ao
fCus
t
o
me
ro
ra
nyus
e
ro
faS
e
r
v
i
c
e
,Gr
e
e
nho
s
ti
sa
l
s
oe
nt
i
t
l
e
dt
ot
hi
sda
t
a
t
oma
k
et
he
s
et
hi
r
da
v
a
i
l
a
bl
e
.
Gr
e
e
nho
s
ti
nt
hi
ss
i
t
ua
t
i
o
nwi
l
l
c
r
e
a
t
eaba
l
a
nc
eo
fi
nt
e
r
e
s
t
sa
ndi
ff
e
a
s
i
b
l
eCus
t
o
me
r
pr
i
o
rno
t
i
c
eo
fi
t
si
nt
e
nt
i
o
n.S
t
a
t
et
hepr
o
c
e
dur
et
ob
ewo
r
k
e
do
uti
nt
heNo
t
i
c
e
Ta
k
e
do
wnP
o
l
i
c
yGr
e
e
nho
s
ta
nd
t
r
a
ns
pa
r
e
ntf
o
re
a
c
hc
us
t
o
me
r
.
Ar
t
i
c
l
e6.
Ex
pe
r
i
me
nt
a
lS
of
t
wa
r
e
6.
1
.Gr
e
e
nho
s
tma
yma
k
ea
v
a
i
l
a
bl
ec
e
r
t
a
i
ns
o
f
t
wa
r
ea
sa
ne
x
p
e
r
i
me
nta
sas
e
r
v
i
c
e
.
TheCus
t
o
me
ri
sf
r
e
ehe
r
eo
r
no
tt
ou
s
e
.
6.
2
.I
fCus
t
o
me
rc
ho
o
s
e
st
ous
et
hi
ss
o
f
t
wa
r
e
,
Cus
t
o
me
runde
r
s
t
a
ndsa
nda
g
r
e
e
st
ha
t
,t
ha
tt
hes
o
f
t
wa
r
ei
s
e
x
pe
r
i
me
nt
a
l
a
ndwi
t
ho
uta
nywa
r
r
a
nt
yo
rc
l
a
i
mt
of
unc
t
i
o
npr
o
pe
r
l
yo
rb
ea
v
a
i
l
a
b
l
ei
so
,e
r
e
d.
6.
3
.Gr
e
e
nho
s
tma
ya
ta
nyt
i
mea
ndwi
t
ho
utf
ur
t
he
rmo
di
fic
a
t
i
o
nt
oe
x
t
e
ndt
hee
x
pe
r
i
me
nt
a
l
s
o
f
t
wa
r
e
,
mo
di
f
yo
r
di
s
c
o
nt
i
nuet
hes
up
pl
yt
he
r
e
o
f
.F
o
rt
hi
s
,
nol
i
a
b
i
l
i
t
yi
sa
c
c
e
pt
e
dr
e
g
a
r
dl
e
s
so
fho
wl
o
ngt
hes
o
f
t
wa
r
ei
sa
v
a
i
l
a
b
l
e
a
ndi
fCus
t
o
me
rha
sa
nno
unc
e
dt
ha
thewi
l
l
c
o
nt
i
nuet
ous
et
hee
x
pe
r
i
me
nt
a
l
s
o
f
t
wa
r
e
.
6.
4
.Onr
e
q
ue
s
t
,e
x
pe
r
i
me
nt
a
l
s
o
f
t
wa
r
ei
nc
l
ude
da
spa
r
to
faS
e
r
v
i
c
e
.I
nt
ha
tc
a
s
enol
o
ng
e
ra
ppl
i
e
st
hepr
o
v
i
s
i
o
ns
o
ft
hi
sAr
t
i
c
l
e
.
Gr
e
e
nho
s
twi
l
l
i
nt
ha
tc
a
s
ebe
f
o
r
eaq
uo
t
ef
o
rt
hec
o
s
to
ft
hi
si
s
s
ue
,whi
c
hCus
t
o
me
rmus
ta
ppr
o
v
e
t
ot
hee
x
p
e
r
i
me
nt
a
l
s
o
f
t
wa
r
epa
r
to
faS
e
r
v
i
c
e
.
Ar
t
i
c
l
e7.
Doma
i
nna
me
s
,
I
Pa
ddr
e
s
s
e
sa
ndSSLc
e
r
t
i
fic
a
t
e
s
7.
1
.Appl
i
c
a
t
i
o
n,a
l
l
o
c
a
t
i
o
na
ndpo
s
s
i
bl
eus
eo
fado
ma
i
nna
me
,
I
Pa
ddr
e
s
sa
nd/o
rS
S
Lc
e
r
t
i
fic
a
t
ede
p
e
ndo
na
nd
a
r
es
ubj
e
c
tt
ot
her
ul
e
sa
ndpr
o
c
e
dur
e
so
ft
her
e
g
i
s
t
e
r
i
nga
ut
ho
r
i
t
i
e
s
,s
uc
ha
st
heFo
unda
t
i
o
nf
o
rI
nt
e
r
ne
tDo
ma
i
n
Re
g
i
s
t
r
a
t
i
o
ni
nt
heNe
t
he
r
l
a
ndso
rt
hei
s
s
ui
ngc
e
r
t
i
fic
a
t
i
o
na
ut
ho
r
i
t
y
.Ther
e
l
e
v
a
nta
ut
ho
r
i
t
yd
e
c
i
de
so
nt
he
a
l
l
o
c
a
t
i
o
n.
Gr
e
e
nho
s
tpe
r
f
o
r
mst
hea
p
pl
i
c
a
t
i
o
no
nl
ya
ni
nt
e
r
me
di
a
r
yr
o
l
ea
nddo
e
sno
tg
ua
r
a
nt
e
et
ha
tar
e
q
ue
s
t
wi
l
l
beho
no
r
e
d.
7.
2
.Gr
e
e
nho
s
ti
se
nt
i
t
l
e
dt
oc
ha
r
g
ef
o
rt
heme
di
a
t
i
o
ns
e
r
v
i
c
ea
ndt
hes
e
r
v
i
c
eo
ft
hec
o
mmi
s
s
i
o
ni
ngo
ft
hedo
ma
i
n
na
me
,I
Pa
ddr
e
s
sa
ndS
S
Lc
e
r
t
i
fic
a
t
ea
dmi
ni
s
t
r
a
t
i
o
n.
The
s
ea
r
eno
t
i
fie
di
na
dv
a
nc
e
.
7.
3
.Onl
yt
hec
o
nfir
ma
t
i
o
no
fGr
e
e
nho
s
t
,s
t
a
t
i
ngt
ha
tado
ma
i
nna
me
,I
Pa
ddr
e
s
sa
nd/o
rS
S
Lc
e
r
t
i
fic
a
t
eha
s
be
e
ni
s
s
ue
d,o
ri
t
sc
o
mmi
s
s
i
o
ni
ngo
nb
e
ha
l
fo
faS
e
r
v
i
c
e
,i
spr
o
o
fo
fg
r
a
nt
.Abi
l
l
o
fGr
e
e
nho
s
ta
ppl
i
c
a
t
i
o
no
r
me
di
a
t
i
o
ni
sno
tac
o
nfir
ma
t
i
o
no
fr
e
g
i
s
t
r
a
t
i
o
n.
7.
4
.Gr
e
e
nho
s
twi
l
l
e
ns
ur
et
ha
tdo
ma
i
nna
me
sa
s
s
i
g
ne
db
yCus
t
o
me
rt
hr
o
ug
hGr
e
e
nho
s
t
,
I
Pa
ddr
e
s
s
e
sa
nd/o
r
S
S
Lc
e
r
t
i
fic
a
t
e
sf
o
rs
e
r
v
i
c
e
sus
a
bl
ea
nda
v
a
i
l
a
bl
ei
na
c
c
o
r
da
nc
ewi
t
hAr
t
i
c
l
e4
.Cus
t
o
me
ri
nd
e
mni
fie
sa
ndho
l
ds
Gr
e
e
nho
s
tha
r
ml
e
s
sf
o
ra
l
l
da
ma
g
e
sr
e
l
a
t
e
dt
o(
t
heus
eo
f
)do
ma
i
nna
me
,
I
Pa
ddr
e
s
sa
nd/o
rS
S
Lc
e
r
t
i
fic
a
t
eb
yo
r
o
nb
e
ha
l
fo
fCus
t
o
me
r
.
7.
5
.Gr
e
e
nho
s
ti
sno
tl
i
a
bl
ef
o
rt
hel
o
s
s
e
sc
a
us
e
db
yCu
s
t
o
me
ro
fhi
sr
i
g
ht(
s
)o
nado
ma
i
n,I
Pa
ddr
e
s
sa
nd/o
r
S
S
Lc
e
r
t
i
fic
a
t
e
,
o
rt
hef
a
c
tt
ha
tado
ma
i
nna
meo
rI
Pa
ddr
e
s
si
sa
c
q
ui
r
e
db
yat
hi
r
dpa
r
t
ya
nd/o
ro
bt
a
i
ne
d,
s
ub
j
e
c
ti
nc
a
s
eo
fi
nt
e
nto
rde
l
i
be
r
a
t
er
e
c
k
l
e
s
s
ne
s
so
fGr
e
e
nho
s
t
.
7.
6
.Unl
e
s
so
t
he
r
wi
s
ea
g
r
e
e
d,
o
nl
yde
pl
o
y
e
da
nI
Pa
ddr
e
s
sf
o
rt
hedur
a
t
i
o
no
ft
hea
g
r
e
e
me
nto
nb
e
ha
l
fo
f
Cus
t
o
me
r
.I
Pa
ddr
e
s
s
e
sc
a
nb
es
ha
r
e
dwi
t
ho
t
he
rc
l
i
e
nt
so
fGr
e
e
nho
s
t
,unl
e
s
st
hena
t
ur
eo
ft
hes
e
r
v
i
c
edo
e
sno
t
a
l
l
o
wo
rd
e
s
i
r
a
b
l
e
.Cus
t
o
me
rma
yno
tc
l
a
i
ma
nI
Pa
ddr
e
s
so
rt
a
k
eunl
e
s
se
x
pr
e
s
s
l
ya
g
r
e
e
di
nwr
i
t
i
ng
.
Fur
t
he
r
mo
r
e
Gr
e
e
nho
s
te
nt
i
t
l
e
dt
oc
ha
ng
eI
Pa
ddr
e
s
s
e
sa
sne
c
e
s
s
a
r
yf
o
rag
o
o
ds
u
ppl
yo
ft
heS
e
r
v
i
c
e(
s
)
.
Ar
t
i
c
l
e8.
I
nt
e
l
l
e
c
t
ua
lpr
ope
r
t
yr
i
g
ht
s
8.
1
.Al
l
i
nt
e
l
l
e
c
t
ua
l
pr
o
pe
r
t
yr
i
g
ht
sa
ta
l
l
i
nt
hec
o
nt
e
x
to
fas
e
r
v
i
c
ema
dea
v
a
i
l
a
bl
et
owo
r
k(
s
uc
ha
ss
o
f
t
wa
r
e
,
s
c
r
i
pt
s
,t
e
x
t
so
ri
ma
g
e
s
)a
r
ehe
l
de
x
c
l
us
i
v
e
l
yb
yGr
e
e
nho
s
to
ri
t
ss
u
ppl
i
e
r
s
.
Cus
t
o
me
ra
c
q
ui
r
e
so
nl
yt
heus
e
rr
i
g
ht
s
a
ndr
e
s
po
ns
i
b
i
l
i
t
i
e
sa
r
i
s
i
ngf
r
o
mt
hes
c
o
peo
ft
hea
g
r
e
e
me
nto
rg
r
a
nt
e
di
nwr
i
t
i
nga
ndt
heCus
t
o
me
rwi
l
l
wo
r
k
no
tr
e
pr
o
duc
eo
rpubl
i
s
h.
8.
2
.I
fa
nyi
nt
e
l
l
e
c
t
ua
l
pr
o
pe
r
t
yr
i
g
hti
st
r
a
ns
f
e
r
r
e
dt
oawo
r
ko
fGr
e
e
nho
s
tt
oCus
t
o
me
r
,Gr
e
e
nho
s
tr
e
t
a
i
nsa
n
unl
i
mi
t
e
da
ndpe
r
pe
t
ua
l
l
i
c
e
ns
et
ous
et
hewo
r
ka
ndi
t
sc
o
mpo
ne
nt
si
ni
t
sb
us
i
ne
s
so
pe
r
a
t
i
o
nsa
ndde
l
i
v
e
rt
o
o
t
he
r
s
.Thi
sdo
e
sno
ta
,e
c
tt
hedut
yo
fGr
e
e
nho
s
tt
oc
o
nfide
nt
i
a
l
c
us
t
o
me
ri
nf
o
r
ma
t
i
o
nc
o
nfide
nt
i
a
l
.
8.
3
.Al
l
r
i
g
ht
so
fus
eo
fwo
r
k
sma
dea
v
a
i
l
a
bl
ee
x
pi
r
eupo
nt
e
r
mi
na
t
i
o
no
rr
e
s
c
i
s
s
i
o
no
ft
hec
o
nt
r
a
c
t
.
Ar
t
i
c
l
e9.
Pr
i
c
e
sa
ndpa
y
me
nt
9.
1
.Cus
t
o
me
rs
ha
l
l
pa
ya
nnua
l
l
yi
na
dv
a
nc
et
hea
mo
unto
fGr
e
e
nho
s
t
.
Va
r
i
a
bl
ea
mo
unt
smus
tb
eme
tmo
nt
hl
y
i
na
r
r
e
a
r
sGr
e
e
nho
s
t
.Gr
e
e
nho
s
twi
l
l
s
e
ndabi
l
l
f
o
rt
hea
mo
unto
we
db
yt
heCus
t
o
me
rt
oCus
t
o
me
r
.
Gr
e
e
nho
s
t
s
e
ndse
l
e
c
t
r
o
ni
ci
nv
o
i
c
e
sunl
e
s
so
t
he
r
wi
s
ea
g
r
e
e
d
.
9.
2
.I
fCus
t
o
me
rb
e
l
i
e
v
e
st
ha
t(
pa
r
to
f
)a
ni
nv
o
i
c
ei
si
nc
o
r
r
e
c
t
,hemu
s
tr
e
po
r
tt
hi
swi
t
hi
nt
hepa
y
me
ntt
oHo
s
t
Gr
e
e
n.
Thepa
y
me
nto
ft
hedi
s
put
e
d(
butno
to
t
he
r
wi
s
e
)s
ha
l
l
b
es
u
s
pe
nd
e
dunt
i
l
Gr
e
e
nho
s
ti
nv
e
s
t
i
g
a
t
e
dt
he
r
e
po
r
t
.I
fGr
e
e
nho
s
ta
f
t
e
rs
t
udyc
o
nc
l
ude
st
ha
tt
hec
o
mpl
a
i
ntwa
sunj
u
s
t
i
fie
d,
Cus
t
o
me
rs
ha
l
l
wi
t
hi
ns
e
v
e
nda
y
s
t
opa
yt
hedi
s
put
e
dy
e
t
.
9.
3
.Thei
nv
o
i
c
eo
fGr
e
e
nho
s
ti
s1
4da
y
sa
f
t
e
rt
hei
nv
o
i
c
eda
t
e
.
I
nal
a
t
epa
y
me
nt
,Cu
s
t
o
me
r
,
i
na
ddi
t
i
o
nt
ot
he
a
mo
untduea
ndt
hei
nt
e
r
e
s
tduet
he
r
e
o
n,
he
l
dt
oaf
ul
l
c
o
mpe
ns
a
t
i
o
no
fb
o
t
hj
udi
c
i
a
l
a
nde
x
t
r
a
j
udi
c
i
a
l
c
o
l
l
e
c
t
i
o
n
c
o
s
t
s
,i
nc
l
udi
ngc
o
s
t
sf
o
rl
a
wy
e
r
s
,
ba
i
l
i
,sa
ndde
b
tc
o
l
l
e
c
t
i
o
na
g
e
nc
i
e
s
.
5.
5
.9
.
4
.
Gr
e
e
nho
s
ti
se
nt
i
t
l
e
dt
oa
dj
us
tt
her
a
t
e
sc
ha
r
g
e
do
nc
epe
rc
a
l
e
nda
ry
e
a
r
.
Gr
e
e
nho
s
twi
l
l
Cl
i
e
nto
ft
hi
sa
t
l
e
a
s
t2(
t
wo
)mo
nt
hsi
nf
o
r
mi
na
dv
a
nc
e
.
Cus
t
o
me
rwi
t
hapr
i
c
et
her
i
g
htt
ot
e
r
mi
na
t
et
hec
o
nt
r
a
c
ta
tt
het
i
mei
t
e
nt
e
r
si
nt
of
o
r
c
e
.
Ar
t
i
c
l
e10.
Confide
nt
i
a
l
i
t
y
10
.
1
.P
a
r
t
i
e
swi
l
l
i
nf
o
r
ma
t
i
o
nt
he
yb
e
f
o
r
e
,dur
i
ngo
ra
f
t
e
rt
hee
x
e
c
ut
i
o
no
ft
hea
g
r
e
e
me
ntpr
o
v
i
det
oe
a
c
ho
t
he
ra
s
c
o
nfide
nt
i
a
l
i
ft
hi
si
nf
o
r
ma
t
i
o
ni
sma
r
k
e
da
sc
o
nfide
nt
i
a
l
o
ri
ft
her
e
c
e
i
v
i
ngpa
r
t
yk
no
wso
rs
ho
ul
dr
e
a
s
o
na
b
l
y
s
us
pe
c
tt
ha
tt
hei
nf
o
r
ma
t
i
o
nwa
si
nt
e
nde
da
sc
o
nfide
nt
i
a
l
.Pa
r
t
i
e
sa
l
s
oi
mpo
s
et
hi
so
bl
i
g
a
t
i
o
no
nt
he
i
re
mpl
o
y
e
e
s
a
ndt
hi
r
dpa
r
t
i
e
se
ng
a
g
e
db
yt
he
mt
oi
mpl
e
me
ntt
hea
g
r
e
e
me
nt
.
10
.
2
.Gr
e
e
nho
s
twi
l
l
no
tt
a
k
ec
o
g
ni
z
a
nc
eo
fda
t
ar
e
c
o
r
de
db
yCus
t
o
me
ra
nd/o
rdi
s
t
r
i
but
e
dt
hr
o
ug
ht
hes
y
s
t
e
ms
ma
na
g
e
db
yGr
e
e
nho
s
t
,unl
e
s
st
heCu
s
t
o
me
r
’
sc
o
ns
e
nt
,a
c
c
e
s
sha
sbe
e
nne
c
e
s
s
a
r
yf
o
rt
hep
r
o
pe
rpe
r
f
o
r
ma
nc
eo
f
t
hec
o
nt
r
a
c
to
rGr
e
e
nho
s
ti
sr
e
q
ui
r
e
dt
odos
ounde
ras
t
a
t
ut
o
r
ypr
o
v
i
s
i
o
no
ra
ut
ho
r
i
z
e
do
r
de
rb
yt
hea
ut
ho
r
i
t
i
e
s
.
I
nt
ha
tc
a
s
eGr
e
e
nho
s
twi
l
l
e
nde
a
v
o
rc
o
g
ni
z
a
nc
eo
ft
heda
t
at
omi
ni
mi
z
e
,
t
ot
hee
x
t
e
ntwi
t
hi
ni
t
spo
we
ra
nd,
i
f
po
s
s
i
b
l
e
,i
nf
o
r
mt
hec
us
t
o
me
ro
ft
hi
sa
ppl
i
c
a
t
i
o
nupt
oda
t
e
.
10
.
3
.Gr
e
e
nho
s
tr
e
s
e
r
v
e
st
her
i
g
hta
ta
l
l
t
i
me
si
nc
r
e
a
s
e
db
yt
hei
mpl
e
me
nt
a
t
i
o
no
ft
hea
g
r
e
e
me
ntt
ous
e
k
no
wl
e
dg
ef
o
ro
t
he
rc
l
i
e
nt
s
,p
r
o
v
i
de
dt
ha
tnoi
nf
o
r
ma
t
i
o
no
ft
heCu
s
t
o
me
ri
nbr
e
a
c
ho
fo
bl
i
g
a
t
i
o
nso
f
c
o
nfide
nt
i
a
l
i
t
yi
sma
dea
v
a
i
l
a
bl
et
ot
hi
r
dpa
r
t
i
e
s
.
10
.
4
.Theo
b
l
i
g
a
t
i
o
nso
ft
hi
sa
r
t
i
c
l
ewhi
c
hr
e
ma
i
na
f
t
e
rt
het
e
r
mi
na
t
i
o
no
ft
heAg
r
e
e
me
ntf
o
ra
nyr
e
a
s
o
n,
a
nds
o
muc
hf
o
rs
ol
o
nga
st
hepr
o
v
i
di
ngpa
r
t
yc
a
nr
e
a
s
o
na
bl
yc
l
a
i
mt
ot
hec
o
nfide
nt
i
a
l
i
t
yo
ft
hei
nf
o
r
ma
t
i
o
n.
Ar
t
i
c
l
e11.
Li
a
bi
l
i
t
y
11
.
1
.Gr
e
e
nho
s
ti
so
nl
yl
i
a
b
l
et
oCus
t
o
me
ri
nt
hee
v
e
nto
fac
ul
pa
bl
eb
r
e
a
c
ho
ft
hea
g
r
e
e
me
nta
ndo
nl
yf
o
r
c
o
mpe
ns
a
t
o
r
yda
ma
g
e
s
,
i
ec
o
mpe
ns
a
t
i
o
nf
o
rt
hev
a
l
ueo
ft
heo
mi
t
t
e
dpe
r
f
o
r
ma
nc
e
.
11
.
2
.Anyl
i
a
bi
l
i
t
yo
fGr
e
e
nho
s
ti
se
x
c
l
ude
df
o
ra
nyo
t
he
rf
o
r
mo
fda
ma
g
e
,i
nc
l
udi
nga
mo
ngo
t
he
rt
hi
ng
s
,
a
ddi
t
i
o
na
l
c
o
mpe
ns
a
t
i
o
ni
na
nyf
o
r
m wha
t
s
o
e
v
e
r
,c
o
mpe
ns
a
t
i
o
nf
o
ri
ndi
r
e
c
to
rc
o
ns
e
q
ue
nt
i
a
l
da
ma
g
e
s
,
l
o
s
so
f
r
e
v
e
nue
so
rpr
o
fit
s
,da
ma
g
e
sf
o
rl
o
s
so
fda
t
aa
ndda
ma
g
ef
o
re
x
c
e
e
di
ngt
e
r
msduet
oc
ha
ng
e
dc
i
r
c
ums
t
a
nc
e
s
.
11
.
3
.Thema
x
i
mum a
mo
untt
ha
tc
a
nb
epa
i
di
nc
a
s
eo
fl
i
a
b
i
l
i
t
yunde
rpa
r
a
g
r
a
ph1whi
c
hi
sbi
l
l
e
df
o
rt
hes
i
x
mo
nt
hspr
e
c
e
di
ngt
hemo
nt
hi
nwhi
c
ht
heda
ma
g
eo
c
c
ur
r
e
d.
Thi
sma
x
i
mum a
mo
untwi
l
l
l
a
ps
ei
fa
ndi
ns
o
f
a
ra
s
t
heda
ma
g
ei
sc
a
us
e
db
yi
nt
e
nto
rg
r
o
s
sne
g
l
i
g
e
nc
eo
fGr
e
e
nho
s
t
.
11
.
4
.Thel
i
a
bi
l
i
t
yo
fGr
e
e
nho
s
tduet
oc
ul
pa
bl
eb
r
e
a
c
ho
fc
o
nt
r
a
c
ta
r
i
s
e
so
nl
yi
fCus
t
o
me
rGr
e
e
nho
s
t
i
mme
di
a
t
e
l
ya
ndp
r
o
pe
r
l
yb
ei
nde
f
a
ul
t
,
s
t
a
t
i
ngar
e
a
s
o
na
b
l
ep
e
r
i
o
dt
or
e
me
dyt
hede
fic
i
e
nc
y
,
a
ndGr
e
e
nho
s
ta
f
t
e
r
t
ha
tpe
r
i
o
da
t
t
r
i
but
a
bl
et
of
ul
fil
l
i
t
so
bl
i
g
a
t
i
o
nsde
fic
i
tc
o
nt
i
nue
st
os
ho
o
t
.
Theno
t
i
c
emus
tc
o
nt
a
i
nade
t
a
i
l
e
d
de
s
c
r
i
pt
i
o
no
ft
hef
a
i
l
ur
e
,
s
oGr
e
e
nho
s
ti
sa
bl
et
or
e
s
po
nda
de
q
ua
t
e
l
y
.
11
.
5
.I
nc
a
s
eo
ff
o
r
c
ema
j
e
ur
e
,i
ee
v
e
r
ye
v
e
ntwhi
c
hf
ul
fil
l
me
nto
ft
hea
g
r
e
e
me
ntc
a
nno
tr
e
a
s
o
na
bl
yb
ede
ma
nd
e
d
o
fGr
e
e
nho
s
t
,
t
hei
mpl
e
me
nt
a
t
i
o
no
ft
hea
g
r
e
e
me
ntwi
l
l
bes
us
pe
nde
do
rt
e
r
mi
na
t
et
hea
g
r
e
e
me
nti
ft
hef
o
r
c
e
ma
j
e
ur
es
i
t
ua
t
i
o
nha
sl
a
s
t
e
dl
o
ng
e
rt
ha
ns
i
x
t
yda
y
s
,
a
l
l
wi
t
ho
uta
nyl
i
a
bi
l
i
t
yf
o
rda
ma
g
e
s
.
Ar
t
i
c
l
e12.
Te
r
ma
ndTe
r
mi
na
t
i
on
12
.
1
.Thi
sa
g
r
e
e
me
nti
sv
a
l
i
df
o
rami
ni
mum p
e
r
i
o
do
fo
ney
e
a
r
,unl
e
s
so
t
he
r
wi
s
ea
g
r
e
e
di
nwr
i
t
i
ng
.
The
a
g
r
e
e
me
ntc
a
no
nl
yb
et
e
r
mi
na
t
e
dpr
e
ma
t
ur
e
l
ya
spr
o
v
i
de
di
nt
he
s
eTe
r
msa
ndCo
ndi
t
i
o
ns
,o
rb
ymut
ua
l
c
o
ns
e
nt
.
12
.
2
.Thea
g
r
e
e
me
nti
si
nt
hea
b
s
e
nc
eo
fawr
i
t
t
e
nno
t
i
c
ei
ng
o
o
dt
i
mef
o
rat
hi
r
t
yda
yno
t
i
c
epe
r
i
o
di
s
a
ut
o
ma
t
i
c
a
l
l
yr
e
ne
we
df
o
rape
r
i
o
do
fo
ney
e
a
r
.
12
.
3
.I
fCu
s
t
o
me
ri
sac
o
ns
ume
r
,i
nde
r
o
g
a
t
i
o
no
ft
hepr
e
v
i
o
uspa
r
a
g
r
a
ph,t
hec
o
nt
r
a
c
ta
f
t
e
rt
hemi
ni
mum t
e
r
m
i
nt
oac
o
nt
r
a
c
to
fi
nde
fini
t
edur
a
t
i
o
n.
Cus
t
o
me
rc
a
na
l
wa
y
sc
a
nc
e
l
t
hec
o
nt
r
a
c
twi
t
hano
t
i
c
epe
r
i
o
do
fo
ne
mo
nt
h.No
t
i
c
et
he
r
e
o
fc
a
nt
hr
o
ug
ht
hes
a
mec
ha
nne
l
t
hr
o
ug
hwhi
c
hCus
t
o
me
rha
sno
t
i
fie
dt
hea
c
c
e
p
t
a
nc
e
,
a
s
we
l
l
a
si
nwr
i
t
i
ngo
rv
i
at
hec
o
nt
r
o
l
pa
ne
l
o
ra
dmi
ni
s
t
r
a
t
i
v
ea
c
c
o
unt(
i
fa
ny
)
.
12
.
4
.Upo
nc
a
nc
e
l
l
a
t
i
o
nr
e
f
e
r
r
e
dt
oi
nt
hepr
e
v
i
o
uspa
r
a
g
r
a
phGr
e
e
nho
s
twi
l
l
r
e
f
unda
nypa
i
dbutb
e
c
o
meundul
y
b
yt
e
r
mi
na
t
i
o
na
mo
unt
sf
o
r
wa
r
d.
Ar
t
i
c
l
e13.
Ame
ndme
nt
st
oAg
r
e
e
me
nt
13
.
1
.Af
t
e
ra
c
c
e
pt
a
nc
e
,t
hec
o
nt
r
a
c
tma
yo
nl
yb
ea
me
nde
db
ymut
ua
l
c
o
ns
e
nt
.
13
.
2
.Gr
e
e
nho
s
ti
so
nc
epe
rc
a
l
e
nda
re
nt
i
t
l
e
dt
he
s
et
e
r
mst
ouni
l
a
t
e
r
a
l
l
ymo
di
f
yo
re
x
pa
nd.
The
ymus
tdos
oa
t
l
e
a
s
tt
hi
r
t
yda
y
sbe
f
o
r
et
hemo
di
fic
a
t
i
o
nso
re
x
t
e
ns
i
o
nse
,e
c
twi
l
l
b
et
og
i
v
eno
t
i
c
et
ot
heCus
t
o
me
r
.
13
.
3
.I
ft
heCus
t
o
me
rwi
t
hi
nt
hi
spe
r
i
o
do
bj
e
c
t
o
rGr
e
e
nho
s
twi
l
l
c
o
ns
i
de
rwhe
t
he
rt
heo
bj
e
c
t
i
o
na
bl
ec
ha
ng
e
so
r
e
x
pa
ns
i
o
nswi
s
ht
owi
t
hdr
a
wo
rno
t
.
I
twi
l
l
ma
k
ei
t
sde
c
i
s
i
o
nno
t
i
c
et
oCus
t
o
me
r
.I
fGr
e
e
nho
s
to
bj
e
c
t
i
o
na
b
l
e
mo
di
fic
a
t
i
o
nso
re
x
t
e
ns
i
o
nsno
tt
or
e
v
o
k
e
,
t
heCus
t
o
me
rha
st
her
i
g
htt
ot
e
r
mi
na
t
et
hea
g
r
e
e
me
nta
so
ft
heda
t
e
t
ha
tt
hi
si
mpa
c
twi
l
l
be
.
13
.
4
.Gr
e
e
nho
s
tma
yma
k
ec
ha
ng
e
sa
ta
nyt
i
mei
nt
he
s
ec
o
ndi
t
i
o
nsi
ft
he
ya
r
ene
c
e
s
s
a
r
ybe
c
a
us
eo
fr
e
v
i
s
e
d
l
e
g
i
s
l
a
t
i
o
n.Ag
a
i
ns
ts
uc
hc
ha
ng
e
s
,
Cus
t
o
me
rma
yno
to
bj
e
c
t
.
Ar
t
i
c
l
e14.
Fi
na
lPr
o
v
i
s
i
ons
14
.
1
.Thi
sa
g
r
e
e
me
nti
sg
o
v
e
r
ne
db
yDut
c
hl
a
w.I
ns
o
f
a
ra
st
hema
nda
t
o
r
yl
a
wdo
e
sno
to
t
he
r
wi
s
e
,
a
l
l
di
s
put
e
st
ha
t
ma
ya
r
i
s
ea
sar
e
s
ul
to
ft
hi
sa
g
r
e
e
me
ntwi
l
l
b
es
ub
mi
t
t
e
dt
ot
hec
o
mpe
t
e
ntDut
c
hc
o
ur
tf
o
rt
hedi
s
t
r
i
c
ti
nwhi
c
h
Gr
e
e
nho
s
ti
sl
o
c
a
t
e
d
.
14
.
2
.I
fa
nypr
o
v
i
s
i
o
ni
sf
o
undt
obev
o
i
dunde
rt
hi
sc
o
nt
r
a
c
t
,
t
hi
swi
l
l
no
ta
,e
c
tt
hev
a
l
i
di
t
yo
ft
hee
nt
i
r
e
a
g
r
e
e
me
nt
.Thepa
r
t
i
e
ss
ha
l
l
i
nt
ha
tc
a
s
e
,r
e
pl
a
c
e(
a
)ne
wpr
o
v
i
s
i
o
n(
s
)
,whi
c
ha
sf
a
ra
sl
e
g
a
l
l
ypo
s
s
i
bl
et
ot
hei
nt
e
nt
o
ft
heo
r
i
g
i
na
l
a
g
r
e
e
me
nta
ndt
he
s
et
e
r
msa
ndc
o
ndi
t
i
o
nswi
l
l
ber
e
fle
c
t
e
d.
14
.
3
.“
I
nwr
i
t
i
ng
”i
nt
he
s
ec
o
ndi
t
i
o
nsa
l
s
oe
ma
i
l
a
ndf
a
xc
o
mmuni
c
a
t
i
o
n,
pr
o
v
i
de
dt
hei
de
nt
i
t
yo
ft
hes
e
nde
ra
nd
t
hei
nt
e
g
r
i
t
yo
ft
hec
o
nt
e
nt
ss
uEc
i
e
nt
l
ye
s
t
a
bl
i
s
he
d.
Thepa
r
t
i
e
swi
l
l
e
nd
e
a
v
o
rt
oc
o
nfir
mr
e
c
e
i
pta
ndc
o
nt
e
nto
f
c
o
mmuni
c
a
t
i
o
nb
ye
ma
i
l
.
14
.
4
.Re
c
e
i
v
e
db
yGr
e
e
nho
s
to
rs
a
v
e
dv
e
r
s
i
o
no
fa
nyc
o
mmuni
c
a
t
i
o
ns
ha
l
l
b
ed
e
e
me
da
ut
he
nt
i
c
,s
ub
j
e
c
tt
opr
o
o
f
t
ot
hec
o
nt
r
a
r
yb
yt
heCl
i
e
nt
.
14
.
5
.Ea
c
hpa
r
t
yi
so
nl
ye
nt
i
t
l
e
dt
oa
s
s
i
g
ni
t
sr
i
g
ht
sa
ndo
b
l
i
g
a
t
i
o
nsund
e
rt
hec
o
nt
r
a
c
tt
oat
hi
r
dpa
r
t
ywi
t
ho
ut
t
hewr
i
t
t
e
nc
o
ns
e
nto
ft
heo
t
he
rpa
r
t
y
.Ho
we
v
e
r
:Gr
e
e
nho
s
ta
l
wa
y
sbee
nt
i
t
l
e
dt
oa
s
s
i
g
ni
t
sr
i
g
ht
sa
ndo
bl
i
g
a
t
i
o
ns
unde
rt
hec
o
nt
r
a
c
tt
oapa
r
e
nt
,s
ub
s
i
di
a
r
yo
ra
El
i
a
t
e
dc
o
mpa
ny
.
D1.4 - ETHICS REPORT
A.4
Mobile Vikings Terms and Conditions
– 54 of 57 –
Privacy conditions
The explanation of the information we collect from you.
Definities
In these Privacy Conditions following terms are used.
"VikingCo NV" indicates VikingCo NV;
"Services" indicate the services offered for sale on this Website;
"Information" indicates the information concerning the visitors to this Website, as
described in article 4;
"VikingCo NV" / "us" indicates the VikingCo NV, Kempische Steenweg 309/1, B3500 Hasselt; email address: [email protected] ; V.A.T.: BE 0886.946.917;
"Products" indicate the services and products mentionned on this Website;
"Website" indicates the website of Mobile Vikings on the URL www.vikingco.com or
any other URL that leads to the same content.
Introduction
VikingCo NV strives to offer the highest possible standard of service to its customers. To be
able to guarantee this quality, VikingCo NV needs to collect certain information about you. In
this respect, VikingCo NV commits itself to protect your privacy and to follow the guidelines
from the Law issued on December 8, 1992 (“Wet van 8 december 1992 tot bescherming van
de persoonlijke levensfeer ten opzichte van de verwerking van persoonsgegevens”).
Your Permission
1. By using this WebSite you agree with these Privacy Conditions and the way
information can be collected and used by VikingCo NV, as with the possible transfer
of this information, as described below.
2. We are allowed to change these conditions in the future. In that case we will announce
the changed conditions on the Website.
Information Collecting
1. When you register, we need to collect certain information to complete the registration.
This infomation will be part of a permanent file regarding your transactions with
VikingCo NV. This file contains primarily following data: first name, last name,
address, email address, date of birth, phonenumber.
2. It is possible that – when sending us an email – we will request certain information
from you in order to be able to respond quickly and correctly to your questions, or to
verify the data of your permanent file. This information may be included in our
permanent file concerning you.
3. When contacting us, by any means, it is possible that we, if necessary, include certain
remarks with respect to this contact in your permanent file. This allows us to offer a
better service to our customer.
Cookies
1. The Website uses cookies to improve your experience when browsing the website. No
sensitive personal data is stored in these cookies, and the Website will remain fully
functional when disabling cookies in your browser.
2. From time to time VikingCo NV will use marketing agencies to insure our publicity
on the Internet. These companies use cookies to measure the effectiveness of the
publicity. For this purpose these companies may use information regarding your visit
to this or other websites. Unless otherwise stated, no names, addresses, email
addresses or phone numbers or used. No connection is made between internet usage or
cookies and identifiable persons.
3. You can disable cookies during your visit to the website. More information regarding
cookies can be found at www.allaboutcookies.org.
Usage and transfer of information
1. You agree that we and carefully selected others can contact you from time to time
using email, telephone, SMS or MMS regarding products or services that we believe
could be of interest to you.
2. You agree that VikingCo NV may send you emails and newsletters from time to time
with following contents: information about VikingCo NV products and services. At
any time, you have the right to ask VikingCo NV to stop sending these emails and
newsletters.
3. You agree that VikingCo NV uses this information for the following purposes:
1. Handling your orders and requests, managing bills and invoices, processing
invoices of service providers, managing questions, requests or complaints,
legal procedures or any other administrative or commercial activity;
2. Conducting market research to inform you about our products and services,
new features or improvements of products or services, special offers, discounts
and prices that VikingCo NV deems relevant;
3. Giving information according to legal, administrative or regulatory rules
applying to VikingCo NV or relating to legal disputes, fraude, criminal acts or
the prosecution of (alleged) forgers or relating to credit requests coming from
the User.
4. Performing activities relating to the management of VikingCo NV, like staff
training, quality control, network management, testing and maintaining
computers and other systems and relating the transfer of a part of VikingCo
NV.
Right to access
1. On request and without any additional costs, you have the right to oppose the use of
your private information for purposes of direct marketing. You can inform us of this
by sending a letter to the following address:
VikingCo NV, Kempische Steenweg 309/1, B-3500 Hasselt, Belgium or by sending
an e-mail to [email protected]
2. On simple request you have the right to access your personal information for free, and
the right to correct it. Please contact us on the (email) address mentioned above if you
wish to verify, change or alter your data.