This document sets forth the Policy of Mars, Inc. and its subsidiaries, including Mars benefits trustees ("Mars"), on the acceptable Processing of Personal Data. In particular, it details the data privacy and security requirements that apply to all suppliers to the extent that they collect, maintain and Process Personal Data. We refer to the parties covered by this Policy as "Suppliers."
2.1 In this Policy, the following terms shall have the meanings set out below:
(a) “Data Subject” means a living individual who is the subject of any of the Personal Data;
(b) “Data Privacy Legislation” means all laws and regulations, in any country, region, district, state, municipality, or jurisdiction of the world, which protect the security of information or the privacy rights of individuals, insofar as those laws and regulations apply to the Processing of Personal Data subject to this Policy and any Agreement(s) to which this Policy applies;
(c) “Data Security Breach” means (1) any unauthorized access to or acquisition of data that compromises the security, confidentiality or integrity of Personal Data, or (2) any unauthorized disclosure of, access to or use of any Personal Data, or (3) any unauthorized intrusion into systems containing Personal Data resulting in unauthorized access or access in excess of authorization. This definition shall apply without regard to whether the Data Security Breach takes place in Mars’ [or the specific Mars entity controlling the systems] systems or your own;
(d) “Personal Data” shall mean any information which relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable living individual or household which is Processed by you in the course of providing services on our behalf under this Agreement;
(e) “Processing” shall mean any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
(f) “we”, “us”, “our” means [the entity disclosing the data];
(g) “you” means [the entity receiving the data];
(h) “writing,” “written,” where referring to written authorizations, shall include both written and electronic communications;
(i) “Policy” means this Policy and any Agreement(s) to which it applies.
3.1 You shall:
(a) Comply, at your own cost, with Data Privacy Legislation, and if not already required by such legislation, use all commercially reasonable endeavors to assist Mars in its own compliance with Data Privacy Legislation. This includes, without limitation, the preparation of necessary notifications, registrations and documentation which Mars may be required to make or enter into in order to comply with Data Privacy Legislation in connection with this Agreement;
(b) Not do, or cause or permit to be done, anything in relation to the information provided to or processed by you on our behalf which may result in a breach by Mars of any applicable laws, regulations, regulatory requirements, or the Data Privacy Legislation.
(c) Only process the Personal Data in accordance with our documented instructions unless otherwise required by Data Privacy Legislation to which you are subject. In such a case, the Supplier shall inform us of that legal requirement before carrying out the required Processing, unless that law prohibits such information on important public interest grounds.
(d) Not benefit commercially from the Personal Data apart from Processing according to our instructions, and not use the Personal Data received from us to provide services to another person or entity;
(e) At our request, provide an updated list of the types of data you hold on our behalf;
(f) Put in place measures to ensure:
(i) that any employees who have access to Personal Data have received appropriate training on their responsibilities and do not Process the Personal Data except on instructions from us unless required to do so by Data Privacy Legislation to which you are subject; and
(ii) that any employees, contractors or other agents who have access to Personal Data are reliable and have committed themselves to confidentiality and that such confidentiality commitments continue to apply beyond the termination of the employment.
(g) Adopt, at your own cost, all reasonable recommendations which we may make concerning measures, programs and procedures to be adopted to ensure ongoing compliance with the data privacy provisions of this Policy, including any company policies which we may have regarding information security that may be applicable to the services you provide pursuant to this Agreement, which we notify to you.
(h) Not disclose the Personal Data to any other person, entity or body (including any subcontractor) without our express agreement in writing.
(i) Where Personal Data from the EU, European Economic Area, Switzerland, or the United Kingdom is transferred from a Mars US Entity, you warrant that as recipients of such Personal Data you are subject to the Privacy Shield and will:
(i) Only process the Personal Data in accordance with our documented instructions and the consent provided by the individuals whose Personal Data you are Processing;
(ii) Provide the same level of protection as the Privacy Shield Principles over the Personal Data that we transfer to you;
(iii) Notify us if you make a determination that you can no longer meet this obligation within forty-eight (48) hours of making such a determination;
(iv) Cease Processing or take reasonable and appropriate steps to remediate any inability to meet this obligation; and
(v) Assist us in responding to individuals whose Personal Data we transfer to you when they exercise their rights under the Privacy Shield.
(j) Not transfer Personal Data across international or jurisdictional boundaries, to the extent such transfers are subject to restrictions under applicable Data Privacy Legislation, unless:
(i) We have consented to such transfer in writing and such transfer complies and continues to comply with the requirements for international data transfers under applicable Data Privacy Legislation; or
(ii) Such transfer is required by applicable Data Privacy Legislation to which you are subject. In such a case, you shall inform us of that legal requirement before carrying out the required Processing, unless that law prohibits such information on important public interest grounds;
(k) Not subcontract any of your duties under this Policy unless:
(i) You have obtained our prior express agreement in writing;
(ii) The subprocessor is subject to a written agreement to the extent that the agreement relates to European Personal Data or other applicable Data Privacy Legislation, and which imposes on the subprocessor at least the same obligations that are imposed on you under this Policy to the extent applicable to the nature of the services provided by such subprocessor, including obligations to allow inspection and audit of their Processing activities;
(iii) You have carefully chosen the subprocessor under particular consideration of the appropriateness of the technical and organizational security measures taken by the subprocessor. The corresponding test documents shall be made available to us upon reasonable request; and
(iv) You may appoint additional or different subprocessors only with our prior written approval;
(v) Any consent which we give pursuant to this clause or this Agreement generally for subcontracting will not relieve you of any liability for the performance of your obligations under this Policy. You are liable to us for the subprocessor's compliance with the data protection obligations that you have contractually imposed upon the subprocessor in accordance with this Policy.
(l) Notify us no later than seven (7) calendar days after you receive a request from a Data Subject to have access to Personal Data or exercise any other applicable Data Subject rights, or if you receive any other complaint or request relating to our obligations under the Data Privacy Legislation and assist us insofar as reasonably possible in responding to any such complaint or request, including, without limitation:
(i) Where authorized by us in writing, by allowing Data Subjects to know whether their Personal Data is sold or disclosed and to whom, to have access to their Personal Data or to have that Personal Data corrected, deleted, or blocked within the relevant time frames set out by applicable Data Privacy Legislation, and not to be discriminated against for exercising these rights;
(ii) By providing us with any information Mars requests relating to the Processing of Personal Data under this Policy; and
(iii) By providing us with any Personal Data you hold in relation to a Data Subject, if required, in a commonly-used, structured, electronic, and machine-readable format.
(m) If we are required by the Data Privacy Legislation to carry out a Privacy Impact Assessment in relation to the services you provide pursuant to this Policy, you will, at your own cost, provide us with such support and information as we may reasonably require in carrying out such assessment;
(n) If we must provide information about our data or your Processing to a governmental or administrative authority or a third party, you shall upon first request assist Mars in providing such information, in particular by making all information and documents relating to the Processing of Personal Data provided by us in the matter of this Policy immediately available. This includes, but is not limited to, the technical and organizational measures taken by you, the technical procedures, the places where the Personal Data was Processed and the persons involved in the Processing;
(o) Make available to us all information necessary to demonstrate compliance with this Policy, and allow for and contribute to audits, including inspections, conducted by us or another auditor mandated by us, including audits of any of your agents or subcontractors to whom you have been permitted by us to disclose the Personal Data. Such audits shall occur no more frequently than once per calendar year (except where based upon a reasonable belief that you have failed to comply with the terms of this Policy or applicable Data Privacy Legislation) and shall be subject to reasonable security controls. You shall comply with all reasonable requests or directions by us to enable us to verify and/or procure that you are in full compliance with your obligations under this Policy;
(p) Immediately, and in any case within forty-eight (48) hours, inform us in writing if in your opinion one of our instructions or assertions of rights under this Policy infringes applicable Data Privacy Legislation;
(q) If so requested by us at any time, you shall provide us with a copy of the Personal Data or (at our option) destroy it and provide us with a suitable certification of return or destruction; and
(r) Within a reasonable period of time after termination of your provision of services relating to Personal Data, delete or return all the Personal Data to us and delete any existing copies of the Personal Data and provide a suitable certification of return or destruction, save where applicable law requires that the Supplier retain copies of such data. You may only retain copies where you are required to do so by applicable law and only for so long as required to do so.
4.1 You must:
(a) At a minimum, implement and maintain appropriate technical and organizational measures to ensure the security and protection of Personal Data, taking into account the nature and sensitivity of the information to be protected, the risk presented by Processing, the state of the art, and the costs of implementation, in compliance with applicable Data Privacy Legislation. Such measures shall include appropriate physical, electronic and procedural safeguards to:
(i) Ensure the security and confidentiality of Personal Data;
(ii) Protect against any threats or hazards to the security or integrity of Personal Data; and
(iii) Prevent unauthorized access to or use of Personal Data.
(b) Without limiting any other obligations in connection with services provided under this Policy, and as a minimum standard, you shall implement the technical and organizational measures specified in Exhibit A prior to beginning to Process information we provide to you, and ensure that Processing of information we provide to you is carried out in accordance with those measures. You shall have the right to implement alternative adequate technical and organizational measures after our prior express agreement in writing, as long as they do not fall below the security level of the technical and organizational measures specified in Exhibit A. You must obtain our approval in writing beforehand for any material alterations. Such agreements must be kept for the duration of any Agreement(s) that include this Policy.
(c) Upon our reasonable request, you shall prove to us your compliance with the technical and organizational measures set out in Exhibit A. Such proof can be furnished at our request by submitting a current certificate or report from an independent authority (such as an auditor) or an appropriate certification. Our rights of control and auditing according to Section 3.1(o) shall remain unaffected. You shall promptly, and in any case no later than forty-eight (48) hours, notify us of any reason why you cannot or are not likely to be able to comply with the security provisions in this paragraph, in which case we shall, at our sole discretion, be entitled to suspend or terminate the provision of any services provided by you.
(d) You must immediately, and in any case no later than twenty-four (24) hours, notify us at the following email addresses: [email protected] and [email protected] if you know, discover or reasonably believe that there has been a Data Security Breach;
(e) In the event of a Data Security Breach, and at your own cost, (1) investigate, correct, mitigate, remediate and otherwise handle the Data Security Breach, including without limitation, by identifying Personal Data affected by the Data Security Breach and taking sufficient steps to prevent the continuation and recurrence of the Data Security Breach; and (2) provide information and assistance reasonably needed to enable us to evaluate the Data Security Breach and, as applicable, to provide timely notices disclosing a Data Security Breach and to comply with any obligations (including but not limited to those imposed by applicable Data Privacy Legislation) to provide information on the Data Security Breach to relevant regulators, affected individuals and as otherwise required by applicable law; and
(f) Indemnify, defend, and hold harmless us against all costs, claims, losses, damages, liabilities and expenses (including but not limited to legal costs and fees) that we may incur as a result of any Data Security Breach caused by your acts or omissions or those of any of your authorized subcontractors, including but not limited to the expenses incurred in investigating the Data Security Breach, notifying affected individuals, and providing those individuals with the support necessary under the circumstances and imposed by applicable Data Privacy Legislation, such as credit monitoring. Notwithstanding the foregoing, we shall retain the right to control the defense of any claim or litigation arising from any Data Security Breach.
(a) You shall be liable in accordance with the statutory provisions for damages applicable to us resulting from your culpable breach of this Policy or obligations under applicable Data Privacy Legislation affecting you. In this regard any limitation of liability otherwise agreed between the Parties shall not apply. As far as third parties assert claims against us which are caused by your culpable breach of this Policy or an obligation under applicable Data Privacy Legislation, you shall upon first request indemnify and hold us harmless against these claims.
(b) You shall have the burden of proof that any damages and fines are not based on a circumstance for which you are responsible, as far as the respective cause lies in the processing of Personal Data provided by us within your sphere of responsibility.
(c) In case of conflicts between this Policy and other Agreement(s), Purchase Orders, Statements of Work or other Arrangements between the Parties, the provisions of this Policy shall prevail.
(d) We reserve the right at our sole discretion to determine the appropriate action to be taken in the event that you violate this Policy. Such action may include our termination of any existing Agreement that is subject to this Policy.
(e) We reserve the right to change this Policy at any time and for any reason.
EXHIBIT A TO MARS DATA PROCESSING POLICY: INFORMATION SECURITY
General Information Security Infrastructure and Training
- Suppliers must have a security policy demonstrating that they are committed to implementing an effective information security framework.
- Suppliers must validate that the security policy is fully implemented within their organizations.
- Suppliers’ security policy and management must be compliant with ISO/IEC standards 27001:2005 (or an equivalent standard). Suppliers’ security must be certified by an accredited certification body.
- Suppliers must have a person or department responsible for security management.
- Suppliers must have sufficient resources and facilities made available to ensure security of information.
- Suppliers must have an effective system of recruiting and vetting personnel and training personnel in relation to security responsibilities and disclosure of information.
- Suppliers’ staff and contractors must be bound to maintain the confidentiality of all appropriate data, including Personal Data, pursuant to executed confidentiality obligations and, for Mars data, must be bound by confidentiality provisions at least as protective as the confidentiality obligations executed by Suppliers who are recipients of Mars data.
- Suppliers must have confidentiality policies in place to support implementation and enforcement of these obligations.
- Suppliers must have data privacy training required for personnel who have access to Personal Data. Suppliers must conduct such training at least annually.
- Suppliers must have an adequate procedure for authenticating the identification of intended recipients of information prior to disclosure.
- Suppliers must have an adequate procedure for authorizing and securing removal of Personal Data to temporary storage.
Physical Security Measures
- Suppliers must require all persons to wear ID badges when on site.
- Suppliers must adequately secure (e.g., by taking measures to make them resistant to attack) the site(s) where Mars data will be sent to and stored.
- Suppliers must adequately control (e.g. card readers, video surveillance) access to the building or room where the information is stored and/or processed.
- Suppliers must keep a list of personnel with access to facilities storing data. Suppliers must include third parties (e.g. maintenance firms) in such list.
- If applicable, Suppliers must take appropriate measures to ensure passers-by cannot read information off screens or documents.
- If access is given to anyone outside the organization (e.g., to provide IT support), Suppliers must put appropriate security procedures in place to manage and oversee such access.
- Suppliers must lock away paper-based information at night, and maintain a list of personnel with access to such paper media.
- Suppliers must securely dispose of media and/or printed material when no longer required (e.g., through secure cross-cut shredding).
Computer Security Measures
- Suppliers must have authentication and logical access controls, including passwords, to control different levels of access to information depending upon requirements.
- Suppliers must require unique IDs for all personnel.
- Suppliers must have strong password requirements based on industry standards and appropriate to the data involved.
- Suppliers must physically or virtually separate Mars data from other clients’ data. If Mars data is commingled with other clients’ data, Suppliers must notify Mars.
- Suppliers must restrict access to data to a need-to-know basis.
- Suppliers must encrypt all laptops and hard drives, as well as removable media storage that store Personal Data.
- Suppliers must have appropriate security technologies in place to detect potential breaches or malware infections.
- If personnel are permitted to work remotely, Suppliers must have security features in place to secure remote connectivity.
- Suppliers must have a program for identifying vulnerabilities and a program for applying patches in a timely manner.
- Suppliers must have pertinent logs secured and retained for at least 60 days for forensic analysis.
- Suppliers must have adequate procedures for secure destruction of systems and media used for data storage before being reused for other purposes.
Secure System Development Lifecycle
- Suppliers must have a secure coding program that ensures, at a minimum, that the OWASP Top 10 are addressed:
  - A1 Injection
  - A2 Broken Authentication and Session Management (was formerly A3)
  - A3 Cross-Site Scripting (XSS) (was formerly A2)
  - A4 Insecure Direct Object References
  - A5 Security Misconfiguration (was formerly A6)
  - A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection)
  - A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access)
  - A8 Cross-Site Request Forgery (CSRF) (was formerly A5)
  - A9 Using Known Vulnerable Components (new, but was part of former A6 Security Misconfiguration)
  - A10 Unvalidated Redirects and Forwards
- Suppliers must also ensure that the OWASP Mobile Top 10 are addressed:
  - M1 Improper Platform Usage
  - M2 Insecure Data Storage
  - M3 Insecure Communication
  - M4 Insecure Authentication
  - M5 Insufficient Cryptography
  - M6 Insecure Authorization
  - M7 Client Code Quality
  - M8 Code Tampering
  - M9 Reverse Engineering
  - M10 Extraneous Functionality
- Suppliers must have a change management process in place that requires all changes to be approved and tested prior to any change in production. The change management process must include roll back procedures.
- Suppliers must have adequate segregation of duties to prevent developers from making unauthorized changes to production.
- Suppliers must have an isolated development environment.
Dealing with Security Breaches
- Suppliers must have effective antivirus and anti-hacking measures in place to prevent the compromising of the integrity of data or systems.
- Suppliers must have an adequate procedure for authenticating the identification of intended recipients of information prior to disclosure.
- Suppliers must have an appropriate policy in place requiring all staff and system users to recognize and report breaches of security to the nominated security officer.
- Suppliers must have adequate procedures in place to manage and mitigate the risk arising from such breaches.
- Suppliers must have an adequate incident response procedure in place to ensure security incidents are investigated and resolved including lessons learned.
Business Continuity and Disaster Recovery
- Suppliers must have adequate business continuity and disaster recovery plans in place to provide effective protection against likely risks, for example, loss, damage, or corruption of information arising from:
  - Human error,
  - Computer virus,
  - Network failure,
  - Flood, and
  - Other disasters.
- Suppliers must have their business continuity and disaster recovery plans regularly tested.
- Suppliers must have adequate protection against possible loss of information due to failure of power supply (e.g. provision of uninterrupted power supply).
- Suppliers must have effective data backup and systems recovery operations that are independently tested.
Audit and Compliance Arrangements
- Suppliers must have tamper-proof audit trails maintained for all incident security actions affecting data.
- Suppliers must have regular random audit/assurance checks carried out to confirm security procedures are operating as expected.
Mars may require Supplier to re-attest to this Exhibit annually. In certain circumstances, Mars Information Security may require Supplier to participate in a Security Assessment through a security assessment tool. Mars may also monitor the security posture of Supplier’s internet presence via a nonintrusive security monitoring tool. If Mars notes any significant drops in Supplier’s security posture, Supplier commits to work with Mars on remediation.
Updated: February 2020