DELL EMC PARTNER PROGRAM TERMS AND CONDITIONS (Europe, Middle East & Africa version)
By participating in the Dell Technologies Partner Program (“Program”), the company or entity submitting the channel partner application (“you”, “your” or “Channel Partner” ), being a party to these terms and conditions (“Terms”) with Dell Technologies, agrees to be bound by these Terms as from your acceptance of these Terms (“Effective Date”). Unless otherwise specified by Dell Technologies, these Terms shall govern subprograms, including marketing and incentive programs that are offered to you as a participant in the Program. For the purposes of this Program, “Dell Technologies” means, as applicable, the Dell Affiliate with which you have executed the Dell Ordering Agreement (as described in Section 2.3 below) or if no such Dell Ordering Agreement exists, then Dell Affiliate means Dell Products, with a place of business at Raheen Industrial Estate, Limerick, Co. Limerick, Republic of Ireland, (herein referred to as “Dell”) and/or the EMC Affiliate with which you have executed the EMC Ordering Agreement (as described in Section 2.3 below) or if no such EMC Ordering Agreement exists, then EMC Affiliate means EMC Information Systems International, with a place of business at IDA Industrial Estate, Ovens, County Cork, Republic of Ireland (herein referred to as “EMC”) (collectively, referred to herein as “Dell Technologies”). “Affiliate” means any legal entity controlling, controlled by, or under common control with either Dell or EMC and “Dell Technologies Affiliate” shall be construed accordingly.
1. ELIGIBILITY. Throughout your participation in the Program, you must (a) maintain good credit standing with Dell Technologies and/or all Dell Technologies Affiliates as applicable; (b) maintain a current Program registration profile, including yearly updates and (c) provide prompt, written notification to Dell Technologies of any changes that may affect your participation in the Program. Additional requirements regarding your Channel Partner status may be found here and may be updated upon reasonable notice to Channel Partners at Dell Technologies’ sole discretion.
2. GOVERNING DOCUMENTS.
2.1 Program Terms. These Terms shall apply to your participation in the Program and supersede any previous program terms or agreements in place between you and Dell or Technologies.
2.2 Purchases. Products and services made available to you for resale by Dell Technologies shall be purchased through only a Dell Technologies authorized distributor (“Distributor”), unless you are expressly authorized by Dell Technologies, subject to the applicable Dell Technologies Ordering Agreement, to purchase products and services directly from Dell Technologies. If you purchase products or services from a Distributor then the final terms of pricing, invoicing, payment, order, shipment, cancelation, and returns will be as agreed between you and the Distributor, and the terms that correspond to those topics in the Dell Technologies Ordering Agreement do not apply as between you and Dell Technologies. For the purposes of these Terms and the Dell Technologies Ordering Agreement, Dell Technologies’ client solution group products offered to you by Dell Technologies shall be referred to as “Dell Products,” and Dell Technologies’ infrastructure solution group products offered to you by Dell Technologies shall be referred to as “Dell EMC Products.”
2.3 Ordering Agreements. If Channel Partner purchases products or services directly from Dell, Channel Partner will order from the applicable Dell entity until further notice, and such purchases are subject to and governed by either the then-current applicable Dell entity Reseller Terms of Sale, or any existing agreement that you have with Dell, or a Dell Technologies Affiliate, that authorizes you to purchase products or services directly (collectively the “Dell Ordering Agreement”). If Channel Partner purchases products or services directly from EMC, Channel Partner will order from the applicable EMC entity until further notice, and such purchases are subject to and governed by the existing purchasing agreement with EMC or a Dell Technologies Affiliate that authorizes you to purchase products or services directly (“EMC Ordering Agreement”). Channel Partners with no Dell Ordering Agreement or EMC Ordering Agreement (“Dell Technologies Ordering Agreement”) may purchase products and services from a Distributor only.
2.4 Precedence. To the extent there are any conflicting provisions regarding Program, Information, Confidential Information (as defined in Section 7), Personal Data (as defined in Section 8) incentives, rebates, pricing (each provided as a result of the Program) or interpretation of these Terms, these Terms shall prevail and control, followed by the Dell Ordering Agreement or EMC Ordering Agreement.
3. PARTNER PORTAL ACCESS.
3.1 Scope and Grant of License. Dell Technologies may provide to you, or you may receive, (i) information through Program websites, currently identified as the “Partner Portal” which contain information, materials, and tools pertaining to products and services; (ii) other information related to the Program not obtained through the Partner Portal; and (iii) Customer Data (as defined below) (collectively the “Information”). Dell Technologies grants Channel Partner a limited, non-exclusive, nontransferable, non-sublicenseable right and license, during the period in which these Terms are in effect, to access the Partner Portal and to use the Information solely in accordance with the provisions of this Section 3 (Partner Portal Access), Section 7 (Confidential Information) and Section 8 (Personal Data). All Information shall remain the property of Dell Technologies.
3.2 Restriction on Usage. Channel Partner shall use the Information only for the purposes of (i) marketing and delivery of products or services obtained by Channel Partner from Dell Technologies or a Distributor; (ii) development of Channel Partner services utilizing products or services; and/or (iii) assisting Dell Technologies to sell and/or license products or services. Channel Partner shall promptly notify Dell Technologies of the termination or reassignment of any Channel Partner personnel who have been granted access hereunder. If Channel Partner obtains “Customer Data”, meaning contacts and other information related to Dell Technologies’ customers, including prospective customers and leads for Channel Partner to market and sell products or services to, Channel Partner agrees; (i) that all Customer Data is considered Dell Technologies’ Confidential Information (as defined in Section 7 below) and that you shall keep all Customer Data confidential, and shall not disclose Customer Data to any third party without Dell Technologies’ prior written consent; (ii) that you will only access, retain and use Customer Data solely for the purpose of marketing and selling products or services; (iii) that you will not sell, rent, transfer, distribute, or otherwise disclose or make available any Customer Data to any third party (including subcontractors, agents, outsourcers, or auditors), without prior written permission from Dell Technologies, unless and to the extent required by law; and (iv) that you will comply with Section 8 and the Data Processing Schedule in respect of any Customer Data that is Personal Data (as defined in Section 8).
4. PARTNER TRAINING OBLIGATIONS.
Channel Partner shall use good faith and reasonable efforts to conform to any training obligations required by Dell Technologies for its Channel Partner status, currently located at the Partner Portal, within ninety (90) days after the training becomes available from Dell Technologies, or such earlier date as specified by Dell Technologies. The charges associated with this training, if any, shall be payable by the Channel Partner.
5. PARTNER COMMUNICATIONS.
In connection with your participation in the Program, Dell Technologies may contact you and/or any of your personnel (by email, SMS, mail, telephone or other means) regarding news or information related to any element of the Program, including sub-programs and Program related marketing activities and incentives aimed at end user customers ("Channel Partner Communications"). It is a condition of your participation in the Program and your access and use of the Portal that you and your personnel receive such Channel Partner Communications. End user customers who receive communications related to Program related marketing activities and incentives must be able to unsubscribe at any time. Separately, Dell Technologies may contact you or any of your personnel (by email, mail, SMS, telephone or other means) regarding Dell Technologies offers and promotions (“Marketing Communications”). Recipients of Marketing Communications from Dell Technologies may unsubscribe at any time.
6. AVAILABILITY. Access to the Partner Portal may be unavailable without notice at certain times, and Dell Technologies will not be liable for any damages that may result from such lack of availability
7.1 This provision covers confidential information disclosed only in connection with the Program. In connection with these Terms, you may have access to or be exposed to Dell Technologies Information that is not generally known to the public, whether such information is in written, oral, electronic, web site-based, or other forms (collectively, "Confidential Information"). You will keep all Dell Technologies Confidential Information strictly confidential for a period of three (3) years after the termination of these Terms, using at least the same degree of care as you use to protect your own confidential information, but no less than reasonable care. You will share Confidential Information only with your employees who have a need to know and who are subject to legally binding obligations to keep such information confidential. These confidentiality obligations do not apply to any Confidential Information that (a) you can demonstrate was in your possession before your receipt from Dell Technologies; (b) is or becomes publicly available through no fault by you; or (c) you rightfully received from a third party without a duty of confidentiality. If you are required by a government body or court of law to disclose any Dell Technologies Confidential Information, you agree to give Dell Technologies reasonable advance notice so that Dell Technologies may contest the disclosure or seek a protective order. Channel Partner acknowledges that damages for improper disclosure of Confidential Information may be irreparable and that Dell Technologies shall be entitled to equitable relief, including injunction and preliminary injunction, in addition to all other remedies available at law or in equity.
7.2 Notwithstanding any separate confidentiality agreement you may have with Dell Technologies, and subject to the parties’ compliance with Section 8, you agree that information regarding your business with Dell Technologies and information you provide to Dell Technologies in connection with the Program, including end user information, may be accessed and used by Dell Technologies and Dell Technologies Affiliates and their employees and contractors for sales and marketing purposes and for any purpose related to the Program or the relationship between you and Dell Technologies, and may be disclosed to relevant Dell Technologies Distributors, resellers, governing body or end-users for the purposes of fulfilling Dell Technologies’ obligations to you and your end-user. To the extent necessary in provision of products and services and subject to the parties’ compliance with Section 8, you agree that Dell Technologies may communicate directly with Channel Partner’s end users.
8. Personal data.
8.1 “Personal Data” shall have the meaning in the General Data Protection Regulation (EU) 2016/679.
8.2 Dell may provide you with Personal Data (e.g. Customer Data) for you to Process (as defined in the Data Processing Schedule attached hereto) either as a Controller OR as our Processor or Subprocessor (as such terms are defined in the Data Protection Schedule). You may provide Dell Technologies with Personal Data (e.g. lead registration or lead generation information) for Dell Technologies to Process as a Controller OR as your Processor or Subprocessor.
8.3 To the extent that, in the performance of your obligations under these Terms, you Process Personal Data received from Dell Technologies either as a Controller or a Processor or Subprocessor, you hereby agree to comply with the Data Processing Schedule. To the extent that you provide Dell Technologies with Personal Data and Dell Technologies Processes such data either as a Controller or as a Processor or Subprocessor, Dell Technologies shall also comply with the Data Processing Schedule.
8.4 Dell Technologies may use account-related data, technical and related information about use and performance of the products or services derived from the provision of the products or services under these Terms (which may include Personal Data) to assess, enhance and/or improve Dell Products, Dell EMC products, services, solutions, technologies, communications and relationship with you. Dell is an independent Controller of this data. More information about Dell’s data privacy practices can be found here.
9. ADMINISTRATION and AUDIT. During the term of these Terms and a period of five (5) years thereafter you will maintain legible, accurate and complete books and records concerning these Terms and your activities hereunder. At the end of this retention period, you will appropriately dispose of all records. Upon Dell Technologies ' request, you will cooperate with and assist Dell Technologies with any audit, review, or investigation ("Audit") that relates to (i) these Terms or your compliance with Laws and Regulations (as defined below); (ii) your marketing, sale, distribution, licensing, or delivery of products and services, whether sourced from Dell Technologies or a third-party; (iii) any rebates, incentives, concessions, or other amounts paid or payable by Dell Technologies; (iv) compliance with logo use standards, or (v) any amounts due to Dell Technologies. In connection with an Audit, you will deliver all records, information, and documents reasonably requested by Dell Technologies. Dell Technologies has the right to conduct onsite Audits, and you will grant Dell Technologies and its employees and representatives reasonable access to information, records, personnel, and customers (including customer agreements to verify your compliance with these Terms) and provide entry and access to your premises or other locations (during normal business hours) where such information and records are located. Failure to cooperate with an Audit or provide the information or records requested by Dell Technologies is a material breach of these Terms. Dell Technologies will pay the costs of an Audit except where a discrepancy of five (5) percent or more is discovered in the information disclosed by you, in which case you agree to be responsible for all reasonable costs. Dell Technologies may deny any claim that it believes, in its sole discretion, does not conform to these Terms, the Program, or subprogram terms. Dell Technologies may, without prior notice, immediately suspend or terminate an order or your participation in the Program if you provide to Dell Technologies or end-users any inaccurate, incomplete, or fraudulent claims or information or if you engage in activities that may cause damage, embarrassment or adverse publicity to Dell Technologies, or any of its officers, directors or employees. Dell Technologies’ records and systems shall be authoritative and conclusive for purposes of determining your eligibility and Program benefits and for performing any computation under the Program. Dell Technologies reserves the right to interpret the rules of the Program in its sole discretion.
10. BUSINESS CONDUCT AND ANTI-CORRUPTION LAWS.
You represent and warrant that you understand and agree to comply with your obligations under the Dell Technologies Partner Code of Conduct available here. At all times, you are required to comply with all applicable laws and regulations, including anti-bribery, export, trade, data protection and privacy, antitrust and competition laws and regulations (“Laws and Regulations”). You will not take or allow any third party to take any action or engage in any practice that would violate Laws and Regulations. Any violation of this Section 9 by you or by persons working for you or on your behalf will constitute the basis for the immediate termination of your business relationship(s) with Dell Technologies, including all related contracts.
11. INCENTIVE, REBATE, MDF AND OTHER PORTAL TERMS. You will comply with all terms posted to the Partner Portal regarding any subprograms, tools or products, including, but not limited to:
a. Dell Technologies Partner Program Incentive Terms and Conditions - EMEA that are posted here;
b. Dell Technologies Deal Registration Terms and Guidelines – EMEA that are posted here.
12. LOGO AND TRADEMARK.
12.1 Dell Technologies Logo, Trademark and Domain Usage. You agree that trademarks, service marks, trade or company names, product and service identifications, internet domains/internet addresses, logos, artwork and other symbols and devices associated with Dell Technologies, Dell Technologies Affiliates, and products and services (the “Dell Technologies Marks”) are and shall remain Dell Technologies’ property. You acknowledge that any provided images and artwork of products or services are subject to Dell Technologies copyright and you will not alter these images or use them outside of the context in which they were provided to you. You agree that you will not use the Dell Technologies Marks in search engine advertising, either as a keyword or in advertisements appearing on search engines or in email addresses, without Dell Technologies’ prior written permission. Additionally, you may not register or use any domain name or business name containing or confusingly similar to any Dell Technologies Marks.
12.2 Program Logo. All Dell Technologies Program Logos will be governed by the Dell Technologies Channel Partner Logo and Trademark Use Document found here.
To the fullest extent permitted by law, you shall indemnify, defend, and hold harmless Dell Technologies, Dell Technologies Affiliates, and their respective successors and assigns from any claim, demand, cause of action, debt, or liability (including reasonable attorney or legal fees, expenses, and court costs) arising from your violation of Laws and Regulations.
14. LIMITATION OF LIABILITY. In no event will Dell Technologies be liable for any loss of business, income, or profits, or for lost or corrupted data or software. Dell Technologies will have no liability for any consequential, special, punitive, reliance, exemplary, incidental, or indirect loss or damages. Dell Technologies’ aggregate liability for all claims in connection with these Terms shall be limited to $500 (five hundred U.S. dollars) or the equivalent amount in the currency of the country in which your company headquarters is located. The afore mentioned limitations shall not apply to limit liability for fraud and any other liability that cannot be excluded by law.
15. TERM AND TERMINATION.
15.1 Term and Termination. These Terms shall commence upon the Effective Date and continue until terminated in the manner set forth below. You may withdraw from the Program at any time by notifying Dell Technologies in writing. Dell Technologies may suspend or terminate your participation in the Program, in whole or in part, without prior written notice: (i) for any breach of these Terms or any other agreement related to your participation in the Program, (ii) for any attempt to impair the integrity of the Program as determined by Dell Technologies or (iii) for any violation of Laws and Regulations as set out in Section 9. In addition, Dell Technologies, in its sole discretion, may terminate these Terms or the Program, in whole or in part, for all participants, or for you alone, with or without cause, upon ten (10) days’ notice.
15.2 Effect of Termination. Upon termination of these Terms or the Program, the license and rights granted hereunder shall terminate completely and Channel Partner shall cease to use Information and shall promptly return to Dell Technologies all tangible copies of the Information in its possession at Channel Partner’s own cost. Nothing in this Section shall limit Dell Technologies’rights to pursue other legal remedies, including immediate court or judicial relief. All provisions that by their nature are intended to survive the termination shall survive.
15.3 Termination of Partner Portal Access. Dell Technologies has the right to terminate or discontinue access to the Information or Partner Portal, at its convenience, by sending written notice thereof which will be effective upon receipt.
16.1 Assignment. You may not assign these Terms, or any benefits due to you under the Program, nor delegate any obligations hereunder, to any third party without the express written consent of Dell Technologies.
16.2 Independent Contractors. You and Dell Technologies are independent contractors and shall have no authority to bind the other. Neither these Terms nor your participation in the Program shall be deemed to create a partnership, agency, joint venture, franchise, or other similar arrangement, and the employees, agents, or representatives of one party shall not be deemed to be employees, agents, or representatives of the other party.
16.3 Force Majeure. Except for payment obligations where applicable, neither party will be liable for failure to perform its obligations during any period if performance is delayed or rendered impracticable or impossible due to reasonably unforeseeable circumstances beyond that party’s reasonable control.
16.4 Governing Law. You agree that these Terms, any dispute arising from, out of, or relating to the Program or these Terms hereunder will be governed exclusively by the laws of England, except where local mandatory laws cannot be derogated from by way of contract.
16.5 Modifications. Dell Technologies reserves the right to modify the Program, including, without limitation, the eligibility requirements, Program benefits (including any discounts and pricing), and these Terms, at any time without prior notice via the Partner Portal. Your continued participation in the Program will constitute your binding acceptance of the changes and your consideration supporting any such modification. Any future updates are deemed to be incorporated to this Terms by reference to this Section.
16.6 Severability. If any provision herein is void or unenforceable, you and Dell Technologies agree to delete such provision and agree that the remainder of these Terms will continue to be in effect.
16.7 Publicity. You shall not directly or indirectly issue or release any written publicity, marketing collateral or other public announcement, relating in any way to these Terms, without the prior written approval of Dell Technologies.
16.8 Entire Agreement. The entire relationship between you and Dell Technologies is defined in these Terms and the further Dell Technologies Program related terms referenced herein. Both parties expressly disclaim any reliance on any oral statements, representations, or courses of conduct or any representations or statements not expressly set forth in these Terms.
16.9 Territory scope. If you are situated outside the European Economic Area (“EEA) and purchase products and/or services from a Distributor located outside the EEA, you are allowed to sell such products and services in the territory only in which the Distributor, from whom you purchased such products and/or services, is authorized by Dell Technologies to sell into. For the avoidance of doubt, this section 16.9 shall NOT apply within the EEA.
Data Processing Schedule
In this Schedule, the terms “Data Subject”, Controller”, “Processor”, and “Processing” (and its derivatives) shall have the meanings set out in the relevant “Data Protection Laws”, meaning those data protection and/or privacy related laws, statutes, directives, or regulations (and any amendments or successors thereto) to which the parties to these Terms are subject and which apply to the parties’ respective data protection and/or privacy obligations under these Terms (including but not limited to Regulation (EU) 2016/679 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data (General Data Protection Regulation or “GDPR”)). “Subprocessor” means a third party engaged by either party, acting as a Processor, (including without limitation an affiliate and/or subcontractor) in connection with the Processing of the Personal Data in relation to the provision of the Services.
A. The parties agree to comply with their respective obligations under any relevant Data Protection Laws that apply to the relationship contemplated under these Terms and to Process any Personal Data only in compliance with applicable Data Protection Laws.
B. The parties agree that the security measures described in Annex 1 (Information Security Measures) provide an appropriate level of security for the protection of Personal Data to meet the requirements of this Schedule.
C. Controller to Controller: Where one party acting as a Controller (“Disclosing Controller”) discloses Personal Data to the other party to also Process as a Controller (“Receiving Controller”) the following obligations will apply :-
(i) Unless the parties otherwise agree in writing, Receiving Controller will Process the Personal Data solely for the purpose of performing its obligations under these Terms and in accordance with applicable Data Protection Laws;
(ii) Disclosing Controller will have obtained all rights and authorizations necessary to disclose the Personal Data to Receiving Controller pursuant to these Terms, including but not limited to giving the appropriate notices and, where necessary, obtaining consents from the Data Subject (in accordance with Data Protection Laws) to the disclosure of their Personal Data to Receiving Controller in connection with the Program;
(iii) If Disclosing Controller discloses Personal Data for the purpose of Receiving Controller sending marketing communications, Disclosing Controller agrees to obtain the relevant Data Subjects' prior consent to such disclosure and use by Receiving Controller;
(iv) Receiving Controller will deal promptly with all reasonable inquiries from Disclosing Controller or a Data Subject relating to the Personal Data, including requests for access or correction of Personal Data and information about Receiving Controller’s practices, procedures and/or complaints process; and
(v) Receiving Controller will ensure that it has appropriate technical and organisational measures in place to reasonably ensure that the security, confidentiality, integrity, availability and resilience of Processing systems and services involved in the Processing of any Personal Data are commensurate with the risk in respect of such Personal Data and to guard against any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data transmitted, stored or otherwise Processed in accordance with these Terms (a “Personal Data Breach”).
D. Controller to Processor: where one party acting as a Controller discloses Personal data to the other party to Process as a Processor or Subprocessor on its behalf, the party acting as a Processor or Subprocessor shall :-
(i) Process the Personal Data only in accordance with the Controller’s instructions, unless required to do so by applicable law. The subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data, the categories of Data Subjects and the obligations and rights of the Controller shall be set out in the relevant Dell Ordering Agreement, EMC Ordering Agreement, service description, statement of work or other contractual terms agreed between the parties;
(ii) Process the Personal Data provided by the Controller only to the extent necessary to perform its obligations under these Terms;
(iii) not disclose the Personal Data to any third party (other than an Affiliate or authorized Subprocessor) except as necessary and only for the purposes of:
(a) complying with the Controller’s instructions;
(b) complying with this Data Protection Schedule; or
(c) complying with the law or a binding order of a governmental body. Unless it would violate the law or a binding order of a government body, Processor will give the Controller notice of any legal requirement or order referenced in this provision;
(iv) ensure that it has in place procedures requiring that any personnel or third party authorized by them (including any affiliate or authorized Subprocessor) that has access to the Personal Data received from the Controller is under a duty of confidence and will respect and maintain the confidentiality and security of the Personal Data; and
(v) ensure that it has appropriate technical and organisational measures in place to reasonably ensure that the security, confidentiality, integrity, availability and resilience of Processing systems and services involved in the Processing of any Personal Data are commensurate with the risk in respect of such Personal Data and to guard against any Personal Data Breach;
(vi) upon becoming aware of a Personal Data Breach, notify the Controller without undue delay (and in any event within 72 hours) and provide written details of the Personal Data Breach to the extent such information is known or available to the Processor at the time, including the type of data affected, how the breach occurred, the identity of affected person(s), the likely consequences of the Personal Data Breach and the measures taken or proposed to be taken to address it, providing further information as soon as such information becomes known or available;
(vii) upon reasonable prior written request, provide the Controller with such information as may be reasonably necessary under applicable law to demonstrate Processor’s compliance with this Data Protection Schedule;
(viii) upon reasonable prior notice, provide reasonably requested cooperation and assistance to the Controller regarding the Processing of the relevant Personal Data to enable Controller to carry out data protection impact assessments and/or prior consultations with data protection authorities as may be required;
(ix) not engage a Subprocessor to Process the Controller’s Personal Data without (i) Controller’s prior written consent; and (ii) a written agreement requiring the Subprocessor to Process the Personal Data only on instructions from the Processor (itself acting on instructions from the Controller) and imposing equivalent data protection obligations upon such Subprocessor as those imposed on Processor under this Data Protection Schedule. Processor shall remain liable for all acts and omissions of the Subprocessor. Processor shall make available to Controller a list of such Subprocessors it currently engages to support the provision of its obligations upon written request. Controller hereby consents to Processor appointing its affiliates and subcontractors to Process Controller’s Personal Data for the purposes of this Data Protection Schedule. Processor will notify Controller in advance of any changes to approved Subprocessors. Processor shall not unreasonably object to any intended changes of Subprocessor;
(x) promptly notify Controller of, and cooperate with the Controller to address, any requests from individuals or applicable data protection authorities relating to the Processing of Personal Data under these Terms, including requests from individuals seeking to exercise their rights under any applicable Data Protection Laws. Processor shall not respond to such communications directly without Controller’ prior authorization, unless legally compelled to do so;
(xi) at the expiry or termination of these Terms or Channel Partner’s Program participation, or otherwise at Controller’s option (as may be requested in writing), delete or return all Personal Data to Controller as soon as reasonably practicable, except where the Processor is required to retain copies under applicable law, in which case Processor will limit and protect that Personal Data from any further Processing except to the extent required by applicable law;
(xii) in respect of Personal Data identified as having originated in the European Economic Area (“EEA”), not transfer such Personal Data to any third party located outside of the EEA unless (i) the fulfilment of the obligations of the Processor under these Terms requires the transfer of Personal Data outside the EEA; and (ii) Processor has entered into the Standard Contractual Clauses (meaning the standard contractual (Controller to Processor) clauses approved by the EU Commission for transfers of personal data to countries outside the EEA that have not been deemed by the European Commission as providing an adequate level of data protection) with the Controller (where requested by Controller) and the third party located outside the EEA. The parties may agree to apply appropriate safeguards other than the Standard Contractual Clauses where these are available to address transfers of Personal Data to countries outside the EEA; and
(xiii) notify Controller as soon as reasonably practicable if Processor is of the opinion that a Controller instruction infringes applicable Data Protection Laws and Processor shall not be required to comply with such infringing instruction.
Annex 1 to Data Processing Schedule Information Security Measures (Technical and Organizational Measures)
This information security overview applies to the parties’ corporate controls for safeguarding personal data which is processed and transferred amongst the parties’ group companies.
The parties have implemented corporate information security practices and standards that are designed to safeguard the corporate environment and to address: (1) information security; (2) system and asset management; (3) development; and (4) governance. These practices and standards undergo a formal review on an annual basis.
It is the responsibility of the individuals across the organization to comply with these practices and standards. To facilitate the corporate adherence to these practices and standards, the function of information security provides:
1. Strategy and compliance with policies/standards and regulations, awareness and education, risk assessments and management, contract security requirements management, application and infrastructure consulting, assurance testing and drives the security direction of the company.
2. Security testing, design and implementation of security solutions to enable security controls adoption across the environment.
3. Security operations of implemented security solutions, the environment and assets, and manage incident response.
4. Forensic investigations with security operations, legal, data protection and human resources for investigations including eDiscovery and eForensics.
Asset Classification and Control
The parties’ practice is to track and manage physical and logical assets. Examples of the assets that might be tracked include:
- Information Assets, such as identified databases, disaster recovery plans, business continuity plans, data classification, archived information.
- Software Assets, such as identified applications and system software.
- Physical Assets, such as identified servers, desktops/laptops, backup/archival tapes, printers and communications equipment.
The assets are classified based on business criticality to determine confidentiality requirements. Industry guidance for handling personal data provides the framework for technical, organizational and physical safeguards. These may include controls such as access management, encryption, logging and monitoring, and data destruction.
As part of the employment process, employees undergo a screening process applicable per regional law. Dell Technologies annual compliance training includes a requirement for employees to complete an online course and pass an assessment covering information security and data privacy. The security awareness program may also provide materials specific to certain job functions. The partners commit to a similar compliance standard.
Physical and Environmental Security
The parties use a number of technological and operational approaches in their physical security programs in regards to risk mitigation. The security teams work closely with each company site to determine appropriate measures are in place and continually monitor any changes to the physical infrastructure, business, and known threats. It also monitors best practice measures used by others in the industry and carefully selects approaches that meet both uniqueness’s in business practice and expectations of the parties. The parties balance their approach towards security by considering elements of control that include architecture, operations, and systems.
Communications and Operations Management
The IT organization manages changes to the corporate infrastructure, systems and applications through a centralized change management program, which may include testing, business impact analysis and management approval, where appropriate.
Incident response procedures exist for security and data protection incidents, which may include incident analysis, containment, response, remediation, reporting and the return to normal operations.
To protect against malicious use of assets and malicious software, additional controls may be implemented, based on risk. Such controls may include, but are not limited to, information security practices and standards; restricted access; designated development and test environments; virus detection on servers, desktops and notebooks; virus email attachment scanning; system compliance scans; intrusion prevention monitoring and response; logging and alerting on key events; information handling procedures based on data type, e-commerce application and network security; and system and application vulnerability scanning.
Access to corporate systems is restricted, based on procedures to ensure appropriate approvals. To reduce the risk of misuse, intentional or otherwise, access is provided based on segregation of duties and least privileges.
Remote access and wireless computing capabilities are restricted and require that both user and system safeguards are in place.
Specific event logs from key devices and systems are centrally collected and reported on an exceptions basis to enable incident response and forensic investigations.
System Development and Maintenance
Publicly released third party vulnerabilities are reviewed for applicability in each party’s environment. Based on risk to the parties’ business and customers, there are pre-determined timeframes for remediation. In addition, vulnerability scanning and assessments are performed on new and key applications and the infrastructure based on risk. Code reviews and scanners are used in the development environment prior to production to proactively detect coding vulnerabilities based on risk. These processes enable proactive identification of vulnerabilities as well as compliance.
The information security, legal, privacy and compliance departments work to identify regional laws and regulations applicable to the parties. These requirements cover areas such as intellectual property of the parties and our customers, software licenses, protection of employee and customer personal information, data protection and data handling procedures, trans-border data transmission, financial and operational procedures, regulatory export controls around technology, and forensic requirements.
Mechanisms such as information security programs, executive privacy councils, internal and external audits/assessments, internal and external legal counsel consultation, internal controls assessments, internal penetration testing and vulnerability assessments, contract management, security awareness, security consulting, policy exception reviews and risk management combine to drive compliance with these requirements.