Appendix – Specification of the Processing of Personal Data

1 INSTRUCTIONS

1.1 Brief description of the Service and the purposes of the processing
Wolters Kluwer will process the personal data to the extent necessary to provide the Service pursuant to the Agreement and as further specified in the Specification, and as further instructed by the Customer in its use of the Service. 

1.2 Categories of personal data

- Identification numbers such as social security numbers and IP addresses

- Contact information such as names, email addresses, telephone numbers and physical addresses

- Financial information insofar as necessary to perform compliance processes such as closing of books, tax declaration and audit

- Information on social and/or societal status insofar as necessary to perform compliance processes such as closing of books, tax declaration and audit

1.3 Categories of data subjects
Employees of the Customer

1.4 Processing activities
Storage, administration, erasure and error correction of personal data and such other processing activities that are required to process the personal data in accordance with the Customer’s instructions and to ensure that the Customer can use the compliance processes supported by the Service, such as closing of books, tax declaration and audit services. 

1.5 Location of personal data processing
Sweden, Denmark, USA, The Netherlands, Ireland, Spain and Germany. 

1.6 Use for the purposes of improving the Services
1.6.1 Specification of the categories of personal data that may be used for the purposes of improving services that the Customer has ordered:
Email addresses and names of the Customer’s employees.

1.6.2 This personal data shall be obtained from the following processing activities that Wolters Kluwer performs on behalf of the Customer:
- License Management processing
- End-user support processing

1.6.3 And may only be used by Wolters Kluwer for the purposes of improving and/or developing the following kinds of service or categories of service ordered by the Customer: 
- Improve end-user support and issue handling
- Improve software products and related services

 

2 SECURITY MEASURES

2.1 Physical access control
See Wolters Kluwer Global IT Security Policy (GBS), and Wolters Kluwer Information Security Baseline (GDPR Privacy Library #6.1).

2.2 Access control for systems 
See Wolters Kluwer Global IT Security Policy (GBS), and Wolters Kluwer Permission Management Policy and Matrix (GDPR Privacy Library #4.1).

2.3 Access control for personal data
See Wolters Kluwer Global IT Security Policy (GBS), and Wolters Kluwer Permission Management Policy and Matrix (GDPR Privacy Library #4.1).

2.4 Access controls during transfers
Wolters Kluwer enforces encryption in transit whenever (personal) data is transmitted electronically outside of Wolters Kluwer’s secure IT environment. Wolters Kluwer enforces encryption in transit and encryption at rest when practically possible within Wolters Kluwer’s secure IT environment. Backup data is always encrypted.

2.5 Control of personal data entry
Wolters Kluwer maintains an Audit Trail of the processing of personal data in accordance with the General Data Protection Regulation.

2.6 Accessibility checks 
Wolters Kluwer has backup and restore processes in place for all business-critical data, including personal data. These processes are regularly tested and maintained.

2.7 Separation checks
Wolters Kluwer actively maintains a comprehensive register of all personal data processing activities, including the purpose of each processing. This register is used, amongst other things, to ensure that personal data is used only for its explicitly stated purpose.

2.8 Retention rules
2.8.1 During the term of the General Terms and Conditions: As soon as possible and at the latest within one month from when the Customer asked for the personal data to be erased. 

2.8.2 After the General Terms and Conditions has ceased to apply: See Sub-clause 8.2 of the Data Processing Agreement.

2.9 Security policy
See Wolters Kluwer Global IT Security Policy (GBS).

2.10 Certifications, etc. 
See Wolters Kluwer Global IT Security Policy (GBS), which is based on ISO27001.

 

3 PRE-APPROVED SUB-PROCESSORS
Wolters Kluwer is entitled to use the following sub-processors to process personal data under the Data Protection Agreement:

| Name | Location of processing (Country) |
| --- | --- |
| Tele2 Business AB | Sweden |
| Itadel AS | Denmark |
| B4Restore AS | Denmark |
| Penneo APS | Denmark |
| Amazon Web Services | Ireland, Germany |
| Företagsplatsen AB | Sweden |
| Microsoft (Azure) | Ireland, Netherlands |
| Citycloud | Sweden |
| Mixpanel, Inc. | USA, EU-US Privacy Shield Framework |
| Google LLC | USA, EU-US Privacy Shield Framework |
| Sendgrid, Inc. | USA, EU-US Privacy Shield Framework |
| CrowdStrike, Inc. | USA, EU-US Privacy Shield Framework |
| Multisoft AB | Sweden |
| Wolters Kluwer Espana S.A | Spain |

 

The terms and conditions above are dated May 2019