Commission Decision C(2010)593
Standard Contractual Clauses (processors)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, the data exporter and the data importing organisation: Sansan, Inc., whose principal place of business is located at Aoyama Oval Building 13F 5-52-2 Jingu-Mae, Shibuya-ku Japan 150-0001, Japan (“data importer”), each a “party”; together “the parties”, HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1

Definitions

For the purposes of the Clauses:

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

Clause 6

Liability

Clause 7

Mediation and jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Subprocessing

Clause 12

Obligation after the termination of personal data processing services

APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
Data exporter
The data exporter is (please specify briefly your activities relevant to the transfer):
The data exporter is a company/person wishing to make use of the data importer’s customer relationship management system to organise and manage its client details.
Data importer
The data importer is (please specify briefly activities relevant to the transfer):
The provider of a customer relationship management system.
Data subjects
The personal data transferred concern the following categories of data subjects (please specify):
The data exporter’s clients.
Categories of data
The personal data transferred concern the following categories of data (please specify):
Business card contact information.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
Not applicable.
Processing operations
The personal data transferred will be subject to the following basic processing activities (please specify):
The business card information will be converted into data, and then entered into the customer relationship management system database, for accessing by the data exporter.

APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

This Appendix will: a) outline some of Sansan's policies in place which are designed to keep personal data secure; and b) provide a summary of the controls implemented to achieve this aim.
A) Policies
Sansan's privacy policy
Sets out requirements relating to the way Sansan acquires, uses, stores and shares personal data. Sansan will handle personal information in accordance with this policy to meet customers' expectations and requests regarding the recognition of privacy.
Sansan's Information Risk Management Policy
Sets out requirements for the way Sansan (the data importer) maintains and protects all of the information, including personal data, that it uses or stores, according to its value, sensitivity and the risks to which it is exposed, and in a manner consistent with legal, regulatory and contractual requirements.
Sansan's IT Policy
Sets out the minimum technology requirements. The data importer has established and maintains an information security program, supported by policies, standards and procedures designed to protect the data exporter's information assets according to the sensitivity, criticality and value of such assets, and in accordance with applicable business and legal requirements.
The data importer provides employee education in connection with this information security program.
The data importer employs physical access control measures and admission control measures (personal user log-in when entering the system, password procedures requiring a minimum of 8 characters, automated screen locks after a defined period of inactivity, password-protected screen savers, etc.) to prevent data processing systems from being accessed or used without authorisation.
Sansan's retention Policy
Sansan has the following procedures in the event of expiry of the term or termination:
Sansan destroys any and all personal information in the Entrusted data.
B) Technical and Organisational Security Measures
Organisation
Sansan's policies are designed to ensure that technical and organisational security measures are in place to protect personal data and there are dedicated teams or managers within each business unit responsible for security.
Staff Roles and Responsibilities
Successful job applicants are required to complete pre-employment screening at Sansan. All staff are also required to complete regular training to understand their responsibilities with regard to the security of personal data. The premises where all data exporter data is stored or accessed have security guards or alternative ID-controlled access.
Incident Management
Sansan has in place incident management procedures which specify how and when information loss and suspicious activity are reported. Sansan keeps records of any kind of incident report and any remedial actions taken.
Procedures exist to identify, report, and act upon system security breaches and other incidents.
Procedures exist to ensure that issues of non-compliance with system availability, data confidentiality, processing integrity and related security policies are promptly addressed and that corrective measures are taken on a timely basis.
Data Leakage Controls
Sansan has a number of controls in place to minimise the risk of data loss and leakage, which include destroying all business cards once their details have been uploaded to the platform. Sansan uses HTTPS encryption when data is transferred back to the data exporter. Sensitive data, e.g. passwords and tokens, is encrypted when it is stored on a database server.
Within our own managed Production Network, we do not encrypt data at rest, but protect it in a variety of other ways instead. These include strict access control, zone segmentation whereby databases exist only in the highest zone of trust, robust monitoring and logging, use of firewalls, logical data segregation via globally unique Customer IDs attached to each piece of data, and a dedicated Security team.
Backup Copies and Recovery
Sansan has procedures in place for making back-up copies and for recovering personal data.
Access to Information Systems
Sansan has agreements in place for the exchange of information between Sansan and relevant third parties such as suppliers.
Sansan undertakes regular audit and conformance testing against its third party suppliers.
User Access
Sansan will not review, share, distribute or reference any Customer Data except as provided in the Agreement, or as may be required by law. Sansan may access Customer Data only for the purposes of providing the services, preventing or addressing service or technical problems, at a Customer's request in connection with customer support matters, or as may be required by law.
Physical Access
Sansan shall appoint a person in charge to securely manage the Customer's personal information, including, but not limited to, preventing the leakage, loss or damage of the information provided by the Customer, and shall take required and appropriate information management measures.
Physical security control measures
Physical security control measures are measures for controlling entry to and exit from a building (or room) and for preventing theft of personal data, etc.

1) Controlling entry to and exit from a building (room)
• Carrying out work that handles personal data in a room that is physically protected by entry/exit controls
• Installing information systems, etc. that handle personal data in a room, etc. that is physically protected by entry/exit controls

2) Preventing theft, etc.
• Prohibition of leaving documents, media, portable computers, etc. containing personal data on a desk or in a car, etc.
• Prevention of viewing by others, e.g. by starting a password-protected screen saver when leaving the desk
• Locked storage of media containing personal data
• Separate storage of personal data containing names, addresses, e-mail addresses, etc. from other personal data
• Prohibition of leaving the operation manual of an information system that handles personal data on a desk

3) Physically protecting equipment and devices, etc.
• Physical protection of equipment and devices, etc. that handle personal data from security control threats (for instance, theft, destruction and damage) and from environmental threats (for instance, water leakage, fire and power failure)
Third Party Service Providers
Sansan may consign all or part of the Text Data Conversion work of this Service to third parties; by accepting this contract, the data exporter shall be deemed to have given its prior written consent to this. Where Sansan consigns its obligations under the Clauses, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on Sansan under the Clauses, and Sansan shall be liable for any damage arising out of or in connection with the consignment.

Necessary and appropriate supervision measures

1) Selection of trustees

2) Conclusion of an entrustment contract which sets out the following matters:

3) Clarification of the responsibilities of the entruster and the trustee

4) Matters regarding the security control of personal data
• Matters regarding the prevention of leakage of personal data and the prohibition of fraudulent use of personal data
• Prohibition of processing and use beyond the scope of the entrustment contract
• Prohibition of copying and duplication beyond the scope of the entrustment contract
• Contract period
• Matters regarding the return, erasure and disposal of personal data after expiry of the entrustment contract

5) Matters regarding re-entrustment
• Written report to the entruster when re-entrusting

6) Contents of reports on the trustee's handling of personal data and when to submit them

7) Confirmation that the provisions of the contract are duly observed (for instance, by performing an information security audit, etc.)

8) Measures when the provisions of the contract are not observed
• Matters regarding reporting and communication when a security incident or accident occurs

9) Understanding of the trustee's state of handling of personal data
Storage of Personal Data
Sansan will store the data in Japan or other locations deemed necessary or appropriate.
Disposal of Personal Data
Sansan has the following disposal procedures in the event of expiry of the term or termination:
Sansan destroys any and all personal information in the Entrusted data.