The first section (Services Personal Information Data Processing Terms) describes the privacy and security practices that Qommodity Corporation and its affiliates (“Qommodity”) employ when handling Services Personal Information (as defined below) for the provision of Technical Support, Consulting, Cloud or other services (the “Services”) provided to Qommodity customers (“You” or “Your”) during the term of Your order for Services.
Services Personal Information is personal information that is provided by You, resides on Qommodity, customer or third-party systems and environments, and is processed by Qommodity on Your behalf in order to perform the Services. Services Personal Information may include, depending on the Services: information concerning family, lifestyle and social circumstances; employment details; financial details; online identifiers such as mobile device IDs and IP addresses, and first party online behavior and interest data. Services Personal Information may relate to Your representatives and end users, such as Your employees, job applicants, contractors, collaborators, partners, suppliers, customers and clients.
The second section (System Operations Data Processing Terms) describes the privacy and security practices that apply to personal information that may be incidentally contained in Systems Operation Data that is generated by the interaction of (end-)users of our Services (“Users”) with the Qommodity systems and networks used to monitor, safeguard and deliver Services to our customer base.
Systems Operations Data may include log files, event files, and other trace and diagnostic files, as well as statistical and aggregated information that relates to the use and operation of our Services, and the systems and networks these Services run on.
The third section (Communications and Notifications to Customers and Users) applies to both Services Personal Information and personal information contained in Systems Operations Data, describes how Qommodity handles legally required disclosure requests, and informs You and Users how to communicate with Qommodity’s Global Data Protection Officer or file a complaint.
2. FIRST SECTION: SERVICES PERSONAL INFORMATION DATA PROCESSING TERMS
Qommodity treats all Services Personal Information in accordance with the terms of Sections I and III of this Policy and Your order for Services.
Performance of the Services
Qommodity may process Services Personal Information for the processing activities necessary to perform the Services, including for testing and applying new product or system versions, patches, updates and upgrades, and resolving bugs and other issues You have reported to Qommodity.
You are the controller of the Services Personal Information processed by Qommodity to perform the Services. Qommodity will process your Services Personal Information as specified in Your Services order and Your documented additional written instructions to the extent necessary for Qommodity to (i) comply with its processor obligations under applicable data protection law or (ii) assist You to comply with Your controller obligations under applicable data protection law relevant to Your use of the Services. Qommodity will promptly inform You if, in our reasonable opinion, Your instruction infringes applicable data protection law. Additional fees may apply.
Rights of individuals
You control access to Your Services Personal Information by Your end users, and Your end users should direct any requests related to their Services Personal Information to You. To the extent such access is not available to You, Qommodity will provide reasonable assistance with requests from individuals to access, delete or erase, restrict, rectify, receive and transmit, block access to or object to processing of Services Personal Information on Qommodity systems.
Security and confidentiality
Qommodity has implemented and will maintain technical and organizational measures designed to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Services Personal Information. These measures, which are generally aligned with the ISO/IEC 27001:2013 standard, govern all areas of security applicable to the Services, including physical access, system access, data access, transmission, input, security oversight, and enforcement.
Qommodity employees are required to maintain the confidentiality of personal information. Employees’ obligations include written confidentiality agreements, regular training on information protection, and compliance with company policies concerning protection of confidential information.
Incident Management and data breach notification.
Qommodity promptly evaluates and responds to incidents that create suspicion of or indicate unauthorized access to or handling of Services Personal Information.
If Qommodity becomes aware and determines that an incident involving Services Personal Information qualifies as a breach of security leading to the misappropriation or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Services Personal Information transmitted, stored or otherwise processed on Qommodity systems that compromises the security, confidentiality or integrity of such Services Personal Information, Qommodity will report such breach to You without undue delay.
As information regarding the breach is collected or otherwise reasonably becomes available to Qommodity and to the extent permitted by law, Qommodity will provide You with additional relevant information concerning the breach reasonably known or available to Qommodity.
To the extent Qommodity engages third party subprocessors to have access to Services Personal Information in order to assist in the provision of Services, such subprocessors shall be subject to the same level of data protection and security as Qommodity under the terms of Your order for Services. Qommodity is responsible for its subprocessors’ compliance with the terms of Your order for Services.
Cross-border data transfers
Qommodity is a global corporation with operations in over 80 countries and Services Personal Information may be processed globally as necessary in accordance with this policy. If Services Personal Information is transferred to an Qommodity recipient in a country that does not provide an adequate level of protection for personal information, Qommodity will take adequate measures designed to protect the Services Personal Information, such as ensuring that such transfers are subject to the terms of the EU Model Clauses or other adequate transfer mechanism as required under relevant data protection.
In the event the services agreement between You and Qommodity references the Qommodity Data Processing Agreement for Qommodity Services (“DPA”), further details on the relevant data transfer mechanism that applies to Your order for Qommodity services are available in the DPA. In particular, for Services Personal Information transferred from the European Economic Area (“EEA”), Switzerland, or the United Kingdom (“UK”), such transfers are subject to Qommodity’s Binding Corporate Rules for Processors (BCR-P) or the terms of the EU Model Clauses.
Deletion or return of Services Personal Information
Except as otherwise specified in an order for services or required by law, upon termination of services or at your request, Qommodity will delete your production customer data located on Qommodity computers in a manner designed to ensure that they cannot reasonably be accessed or read, unless there is a legal obligation imposed on Qommodity preventing it from deleting all or part of the data. You may consult with your Qommodity services contact for additional information on data deletion prior to service completion.
3. SECOND SECTION: SYSTEMS OPERATIONS DATA PROCESSING TERMS
Responsibility and purposes for processing personal information
Qommodity and its affiliated entities are responsible for processing personal information that may be incidentally contained in Systems Operations Data in accordance with Sections II and III of this Policy.
We may collect or generate Systems Operations Data for the following purposes:
a) to help keep our Services secure, including for security monitoring and identity management;
b) to investigate and prevent potential fraud or illegal activities involving our systems and networks, including to prevent cyber-attacks and to detect bots;
c) to administer our back-up disaster recovery plans and policies;
e) for research and development purposes, including to analyze, develop, improve and optimize our Services;
f) to comply with applicable laws and regulations and to operate our business, including to comply with legally mandated reporting, disclosure or other legal process requests, for mergers and acquisitions, finance and accounting, archiving and insurance purposes, legal and business consulting and in the context of dispute resolution.
For personal information contained in Systems Operations Data collected in the EU, our legal basis for processing such information is our legitimate interest in performing, maintaining and securing our products and services and operating our business in an efficient and appropriate manner. Personal information may also be processed based on our legal obligations or legitimate interest to comply with such legal obligations.
Sharing personal information
Personal information contained in Systems Operations Data may be shared throughout Qommodity’s global organization.
We may also share such personal information with the following third parties:
third-party service providers (for example IT service providers, lawyers and auditors) in order for those service providers to perform business functions on behalf of Qommodity;
relevant third parties in the event of a reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings);
as required by law, such as to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to government requests, including public and government authorities outside your country of residence, for national security and/or law enforcement purposes.
Cross-border data transfers
If personal information contained in Systems Operations Data is transferred to an Qommodity recipient in a country that does not provide an adequate level of protection for personal information, Qommodity will take measures designed to adequately protect information about Users, such as ensuring that such transfers are subject to the terms of the EU Model Clauses.
Qommodity has implemented appropriate technical, physical and organisational measures in accordance with the Qommodity Corporate Security Practices designed to protect personal information against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorised disclosure or access as well as all other forms of unlawful processing (including, but not limited to, unnecessary collection) or further processing.
To the extent provided under applicable laws, Users may request to access, correct, update or delete personal information contained in Systems Operations Data in certain cases, or otherwise exercise their choices with regard to their personal information by using the contact form.
4. THIRD SECTION: COMMUNICATIONS AND NOTIFICATIONS TO CUSTOMERS AND USERS
Qommodity may be required to provide access to Services Personal Information and to personal information contained in Systems Operations Data as required by law, such as to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary to protect our rights, protect Your or a User’s safety or the safety of others, investigate fraud, or respond to government requests, including public and government authorities outside Your or a User’s country of residence, for national security and/or law enforcement purposes.
Qommodity will promptly inform You of requests to provide access to Services Personal Information, unless otherwise required by law.
Global Data Protection Officer
Written inquiries to the Global Data Protection Officer may be addressed to:
Qommodity Resource Holdings BV
Global Data Protection Officer
Kaya Richard J. Beaujon z/n
P.O. Box 837, Willemstad, Curaçao
Dispute resolution or filing a complaint
If You or a User have any complaints regarding our compliance with our privacy and security practices, please contact us first. We will investigate and attempt to resolve any complaints and disputes regarding our privacy practices.
Under certain conditions, Users may invoke binding arbitration when other dispute resolution procedures have been exhausted. Users also have the right to file a complaint with a competent data protection authority if they are a resident of a European Union member state.