1. Scope Of The Certification
1.1 The scope of each Participant’s certification in the Program, to which the Program Criteria will be binding (hereinafter “Scope of the Certification”), must be clearly defined by the Participant.
1.2 The Scope of the Certification shall be foremost defined in terms of specific information system(s).
- The Program Criteria are, therefore, applicable to the people, processes, hardware, software, and networks that comprise those information systems in the Scope of the Certification.
1.3 Data Controllership. For each information system within the Scope of the Certification, it must be defined whether the Participant is a Data Controller or a Data Processor.
- If a Participant acts in two separate capacities (i.e., Data Controller and Data Processor) within the same information system, the circumstances of each role must be defined.
2. Notice
2.1 Participants must implement, maintain, and publish a Privacy Notice(s) that complies with these Program Criteria.
- The Privacy Notice(s) may be provided in a single document, or a series of compatible, layered Privacy Notices.
- Multiple information systems in the Scope of the Certification may share a single (or a series of layered) Privacy Notice(s), insofar as the Program Criteria are satisfied for every information system contemplated by such Privacy Notice(s).
2.2 Required Privacy Notice Elements for Data Processors. Where the Participant is a Data Processor, that Participant’s Privacy Notice(s) must:
- (a) be furnished to the Data Subject or be conspicuously displayed by the Participant; and
- (b) be presented in a legible format; and
- (c) be materially correct and up to date; and
- (d) state the date that the Privacy Notice came into effect (or was last materially revised, whichever is later); and
- (e) be written in clear language that a reasonable person would comprehend; and
- (f) be made available in the language(s) in which the Participant usually conducts its affairs; and
- (g) include a title containing the word “privacy” (such as “Privacy Policy,” “Privacy Notice,” et cetera); and
- (h) state the full legal name of the Participant; and
- (i) state the information systems to which the Privacy Notice applies; and
- (j) with regard to the information systems mentioned in point (i) of this Section, state the Participant’s role as defined in Section 1.3 above; and
- (k) state any subsidiary entities of the Participant that are included within the Scope of the Certification and to which the Privacy Notice also applies; and
- (l) state the categories of PII that the Participant Processes; and
- (m) state the categories of ways in which the Participant receives or collects PII; and
- (n) state the specific, limited purpose(s) for which the Participant does or intends to Process PII; and
- (o) state the Basis for Processing the PII and, where the Participant Processes PII on the basis of Section 3.1(a)(5), list the specific legitimate interests that are pursued; and
- (p) provide the categories, or the identities, of Third Parties to which the Participant does or intends to disclose PII; and
- (q) disclose, if applicable, that the Participant intends to transfer PII onward to a third country; and
- (r) disclose all applicable Choice, Access, and Privacy of Children rights of the Data Subject as described in Sections 5, 6, and 10 respectively, and how a Data Subject (or the parent or legal guardian of a Data Subject under the age of thirteen) may exercise those rights; and
- (s) disclose the Participant’s policy for deleting PII after such time as the purpose or Basis for Processing of such PII becomes obsolete; and
- (t) where the information system(s) disclosed pursuant to 2.2(i) include an Information Society Service and where the Participant collects PII pertaining to a Data Subject’s Internet activities over time and across Third Party Information Society Services (for example, through the use of HTTP cookies, web beacons, locally shared objects, device recognition technologies, or similar technologies, collectively “Cookies”), disclose how, if at all, the Participant’s Information Society Service responds to web browser tracking preference expressions, such as “Do Not Track”; and
  - Notwithstanding the foregoing, Participant may alternatively include a clear and conspicuous hyperlink to an Internet website containing a description, including the effects, of any program or protocol the Participant follows that offers Data Subjects the option to prevent such data collection.
- (u) state that the Participant has implemented and will maintain reasonable security controls to protect the confidentiality, integrity, and availability of PII it Processes; and
- (v) state that, if the Participant makes PII available to a Third Party, such Third Party will be required to implement and maintain reasonable security controls to protect the confidentiality, integrity, and availability of such PII; and
- (w) disclose that PII Processed by the Participant may be transferred to Third Parties pursuant to lawful requests by public authorities, including national security and/or law enforcement requests, and that Section 2.2(v) may not apply to such transfers; and
- (x) state how to contact the Participant with any inquiries or complaints, including at least a current and valid mailing address, email address, toll-free telephone number or toll-free fax number; and
- (y) state the name or title, and business contact information, of a natural person appointed by the Participant, such as a competent data protection officer, to respond to data protection related inquiries and complaints lodged by Data Subjects; and
- (z) state the maximum number of days it will take the Participant to respond to data protection related inquiries or complaints received from Data Subjects; and
- (aa) disclose the Participant’s procedure for notifying Data Subjects of a change in the respective Privacy Notice; and
- (bb) disclose any particular consumer protection agency that regulates the Participant’s Processing of PII; and
- (cc) disclose that VeraSafe is designated to address privacy complaints lodged against the Participant and, subject to the terms and conditions of the applicable VeraSafe dispute resolution Procedure, will provide appropriate recourse free of charge to Data Subjects.
2.3 Supplemental Privacy Notice Elements for Data Controllers. Where the Participant is a Data Controller, that Participant’s Privacy Notice must comply with the Privacy Notice requirements for Data Processors in Section 2.2 above, and must also:
- where the information system(s) disclosed pursuant to 2.2(i) includes an Information Society Service, disclose, if applicable, that Cookies are used by the Participant and/or Third Parties to collect the Data Subject’s PII via the Participant’s Information Society Service, the particular types of Cookies used, and the purposes for which the PII collected by such Cookies is or will be used; and
- where the Participant receives PII from a source other than the Data Subject, disclose from which source(s) (or categories of sources) the PII was obtained and, if applicable, that the PII was obtained from publicly accessible sources; and
- where the Participant receives PII directly from the Data Subject, be made available to the Data Subject when the Participant first solicits or receives PII from the Data Subject, or as soon as practicable thereafter, and in any case before the Participant discloses such PII to any Third Party; and
- where the Participant receives PII from a source other than the Data Subject, be made available to the Data Subject within a reasonable period (not more than thirty days) after receiving the PII.
2.4 Supplemental Privacy Notice Elements for Participants That Adhere to the Data Privacy Framework. Where the Participant is a U.S. entity and intends to certify its adherence to the Data Privacy Framework, that Participant’s Privacy Notice must also:
- include the Participant’s commitment to adhere to the Data Privacy Framework, as applicable; and
- include the Participant’s commitment to apply the Data Privacy Framework, as applicable, to all PII it receives in reliance on the Data Privacy Framework, as applicable; and
- provide a link to, or the website address for, the Data Privacy Framework, as applicable; and
- disclose, if applicable, that the Participant has agreed to cooperate and comply with the dispute resolution panel established by the European Data Protection Authorities in addition to the VeraSafe Dispute Resolution Procedure; and
- disclose the possibility, under certain conditions, for the Data Subject to invoke binding arbitration as described in the Data Privacy Framework, as applicable; and
- disclose the Participant’s liability in cases of onward transfers to Third Parties.
2.5 Notice Requirements for Changes in Data Processing Procedures. Prior to making any material changes to its Privacy Notice, a Participant must:
- notify VeraSafe of the proposed change(s); and
- receive approval from VeraSafe prior to implementing the proposed change(s).
2.6 Subject to the applicable terms of any commercial agreement between VeraSafe and the Participant, the Participant must display the VeraSafe Privacy Seal on or within its Internet-based Information Society Services that are within the Scope of the Certification.
3. Basis For Processing PII
3.1 Where the Participant is a Data Controller, that Participant may Process PII:
- (a) only on the basis of:
  - (1) the valid Consent of the Data Subject; or
  - (2) the performance of a contract to which the Data Subject is party; or
  - (3) the necessity to comply with a legal obligation to which the Data Controller is subject; or
  - (4) the protection of the Vital Interests of the Data Subject or of another natural person; or
  - (5) the legitimate interests pursued by the Participant or by a third party, except where such interests are outweighed by the interests or fundamental rights and freedoms of the Data Subject which require protection of PII, in particular where the Data Subject is under the age of thirteen; or
  - (6) the need to erase such PII where the Basis for Processing is otherwise obsolete; and
- (b) only for the specific, limited purposes disclosed in the Privacy Notice applicable to the collection of such PII and for other purposes which are compatible with those disclosed purposes, or:
  - (1) for other purposes pursuant to the further Consent of the Data Subject; or
  - (2) for those purposes strictly necessary to protect the Vital Interests of the Data Subject or of another natural person.
3.2 Notwithstanding the obligations of Section 3.1(a), where the Participant is a Data Controller, that Participant may only Process Sensitive PII on the basis of:
- the valid Consent of the Data Subject; or
- the protection of the Vital Interests of the Data Subject or of another natural person; or
- the need to establish, exercise or defend a legal claim(s); or
- the need to provide healthcare treatment, subject to all applicable laws regulating the privacy of PII concerning health; or
- the need of the Participant to carry out its obligations or to exercise specific rights in the field of employment law; or
- the need to erase such Sensitive PII where the Basis for Processing is otherwise obsolete.
3.3 Where the Participant is a Data Controller, that Participant must not condition the provision of goods or services on the Data Subject providing more PII than what is reasonably necessary for the purposes of Processing.
3.4 Where the Participant is a Data Processor, that Participant may not Process PII beyond as specified in the applicable data processing agreement implemented between the Participant and the Data Controller or between the Participant and another Data Processor acting on behalf of the Data Controller.
4. Onward Transfer
4.1 Subject to the limitations of Section 3:
- (a) Where the Participant wishes to transfer or make available PII to an entity to which the Program Criteria do not apply, it may do so only where:
  - (1) the Data Subject has provided Consent to the proposed transfer, after having been informed of the risks of such transfers, such as those arising from the recipient’s inadequate level of data protection; or
  - (2) the transfer is necessary for the performance of a contract between the Data Subject and the Data Controller; or
  - (3) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Data Controller and another natural or legal person; or
  - (4) the transfer is necessary for the establishment, exercise, or defense of important legal claims; or
  - (5) the transfer is necessary in order to protect the Vital Interests of the Data Subject or of another natural person, and where the Data Subject is physically or legally incapable of giving Consent; or
  - (6) the transfer is necessary to comply with lawful requests by public authorities, including national security or law enforcement requests.
- (b) Where none of the circumstances in Section 4.1(a) apply, the transfer shall be permissible if the Third Party recipient is obligated to provide at least the same level of data protection as is required by the Program Criteria (either by way of an enforceable written contract, Binding Corporate Rules as defined by the General Data Protection Regulation of the European Union, applicable law, or participation in a binding self-regulatory scheme).
4.2 Contract for Onward Transfers to Data Controllers. Subject to the limitations of Section 4.1, for a Participant to transfer PII to a Third Party Data Controller, the Participant must first, whenever reasonably possible under the circumstances:
- (a) enter into an enforceable written contract with the Third Party that restricts the Third Party to Processing the PII only for purposes compatible with the limited and specific purpose(s) for which the PII was originally collected, or with the further Consent of the Data Subject; and
- (b) ascertain that the Third Party is obligated to provide at least the same level of data protection as is required by the Program Criteria, either by way of an enforceable written contract, Binding Corporate Rules, applicable law, or participation in a binding self-regulatory scheme; and
- (c) obligate the Third Party to notify the Participant if the Third Party becomes unable to satisfy its obligations referred to in Section 4.2(b) above.
4.3 Contract for Onward Transfers to Data Processors. For a Participant to transfer PII to a Third Party Data Processor for Processing on behalf of the Participant, the Participant must, in addition to the obligations in Section 4.2:
- (a) ascertain that the Third Party employs only staff who have committed themselves to confidentiality or are under a statutory obligation of confidentiality; and
- (b) take reasonable steps to confirm that the Third Party Processes the PII in a manner consistent with its obligations referred to in Sections 4.2(b) and 4.3(a) above; and
- (c) obligate the Third Party to notify the Participant if the Third Party becomes unable to satisfy its obligations referred to in Sections 4.2(b) and 4.3(a) above; and
- (d) take reasonable steps to stop and remediate unauthorized or noncompliant Processing by the Third Party, upon becoming aware of such Processing.
5. Choice
5.1 Right to Object. Where the Participant is a Data Controller, Data Subjects have a right to object to the Participant’s continued Processing of the Data Subject’s PII where the Basis for Processing such PII is:
- (a) the Consent of the Data Subject; or
- (b) the Vital Interests of the Data Subject or of another natural person; or
- (c) the legitimate interests pursued by the Participant or by a third party, except in cases where the Participant can articulate that such Processing is lawful, done for explicitly specified and limited purposes, and is based on real and present legitimate interest(s), and that such interest(s) pursued by the Participant or by a third party outweigh the legitimate interests, rights, and freedoms of the Data Subject.
5.2 Notwithstanding the foregoing, where the Participant is a Data Controller and Processes PII for the purpose of direct marketing, the Data Subject shall have the unalienable right to object to such Processing without paying any fee. Where an objection is made by a Data Subject in accordance with this Section, the Participant may no longer Process the Data Subject’s PII for such direct marketing purposes.
5.3 Where an objection is made by a Data Subject in accordance with Section 5.1 points (a) through (c), the Participant in question may no longer rely on the demurred Basis for Processing, and if no other Basis for Processing exists, the Participant may no longer Process such PII except as strictly necessary to comply with and implement the objection of the Data Subject.
5.4 Where the Participant is a Data Controller and Processes PII on the potentially objectionable bases identified in Section 5.1 points (a) through (c), that Participant must provide Data Subjects one or more easy to use, conspicuous, readily available, and affordable means to object to such Processing of their PII.
5.5 The Data Subject’s right to object, as established by this Section, is subject to reasonable limits, such as to allow the Participant the opportunity to authenticate the identity of the Data Subject, and to allow the Participant a reasonable amount of time to implement the Data Subject’s wishes.
5.6 Where the Participant is a Data Controller, that Participant is responsible for ensuring the implementation of the Data Subject’s wishes so exercised under this Section, including in the information systems of the Data Processors engaged by the Participant, unless doing so is not reasonably possible, would require disproportionate effort, or where such responsibility is formally assigned to a third party that is, along with the Participant, a joint Data Controller for the Data Subject’s PII.
6. Access
6.1 Right of Access to and Correction of PII. Where the Participant is a Data Controller, Data Subjects have a right to:
- obtain from the Participant confirmation of whether or not the Participant is Processing the Data Subject’s PII; and
- have communicated to them any such PII in a format that would be intelligible to a reasonable person, with regard given to, in particular, the age of the Data Subject; and
- be told the source(s) from which the Participant obtained their PII, or any pertinent, available information as to the source of the PII; and
- be told the Third Parties, or categories of Third Parties, to whom the Participant has disclosed or intends to disclose their PII; and
- be told the purposes for which their PII has been or will be Processed, either by the Participant or any Third Party acting as the Participant’s Data Processor; and
- have their PII corrected or amended where it is inaccurate or incomplete.
6.2 Right to Erasure. Where the Participant is a Data Controller, Data Subjects have a right to obtain the erasure of their PII:
- in cases where such PII is incorrect; or
- where the Participant’s Processing of such PII has materially violated the Program Criteria, applicable law(s), or applicable self-regulatory obligations; or
- where the PII is no longer necessary for the purpose(s) of Processing or there is no longer a valid Basis for Processing; or
- where the PII is collected via an Information Society Service and the Data Subject is under the age of thirteen.
6.3 Where the Participant is a Data Controller and the Participant has made a Data Subject’s PII public, the Data Subject has the right to request that the Participant take all reasonable steps, including technical measures, to inform Third Parties which are Processing such PII, of the Data Subject’s request to erase any copy or replication (and hyperlinks thereto) of such PII.
  - Where the Participant has authorized a Third Party publication of PII, the Participant shall remain responsible for that publication.
6.4 Limitations of the Right of Access, Correction, and Erasure.
- (a) Where the Participant is a Data Controller, that Participant must, at no charge to the Data Subject, implement the Data Subject’s wishes so exercised under this Section 6, except:
  - (1) where the burden or expense of implementation would be overwhelmingly disproportionate to the risks to the Data Subject’s privacy in the case in question; or
  - (2) where the Data Subject’s PII cannot reasonably be separated from confidential commercial information; or
  - (3) where the implementation would interfere with the execution or enforcement of the law or with private causes of action, including the prevention, investigation, or detection of criminal offenses or the right to a fair trial; or
  - (4) where the legitimate rights or important interests of others would be violated; or
  - (5) where the implementation would breach a legal or other professional privilege or obligation to which the Participant is subject; or
  - (6) where the Data Subject’s requests are vexatious or manifestly excessive, due in particular to their frequent or repetitive nature; or
  - (7) where the Processing of such PII is strictly necessary for historical, statistical, or scientific research purposes.
- (b) If a Participant determines that a Data Subject’s right of access, correction, or erasure should be limited in any particular instance, the Participant must respond to the Data Subject with an explanation of why the Participant has made such a determination and provide information as to where the Data Subject can lodge further inquiries.
6.5 Where the Participant is a Data Controller, that Participant must provide Data Subjects one or more easy to use, conspicuous, readily available, and affordable means to exercise their rights under this Section.
6.6 Participants must confirm the identity of persons attempting to exercise rights under this Section, and only implement a Data Subject’s wishes so exercised under this Section where the identity of such Data Subject has been adequately confirmed by the Participant.
6.7 Where the Participant is a Data Controller, that Participant is responsible for implementing the Data Subject’s wishes so exercised under this Section, including in the systems of the Data Processors engaged by the Participant, unless doing so is not reasonably possible or would require a level of effort that is overwhelmingly disproportionate to the risks to the Data Subject’s privacy in the case in question.
7. Data Security
7.1 Within the Scope of the Certification, Participants must comply with the requirements of this Section.
7.2 Identify.
- Asset Management. [ID.AM]
  - Maintain an inventory of the hardcopy and electronic records and the electronic devices and storage media that the Participant uses to Process PII.
  - Identify and appoint one or more natural persons who are responsible for the development and implementation of the data security policies and procedures required by the Program Criteria.
- Business Environment. [ID.BE] (Reserved)
- Governance. [ID.GV]
  - Implement and maintain a high-level data security policy.
- Risk Assessment. [ID.RA]
  - If the Participant’s workforce comprises 250 or more full-time equivalent employees, conduct an accurate and thorough assessment of the potential risks to the confidentiality, integrity, and availability of PII it Processes. Such assessment must:
    - identify critical assets; and
    - identify threats and vulnerabilities to those critical assets; and
    - result in a formal, documented analysis of risk; and
    - be conducted based on established frameworks or methodologies such as NIST SP 800-30, ISO 27005, FAIR, or OCTAVE.
- Risk Management Strategy. [ID.RM]
  - Implement data security controls that ensure an appropriate level of confidentiality, integrity, and availability for the PII that the Participant Processes. The Program Criteria set a baseline of required data security controls; however, additional data security controls may be needed to establish an appropriate level of data security under a Participant’s circumstances. In determining what is appropriate under the circumstances, regard should be given to the sensitivity of the PII, the purposes of Processing, the risks to the rights and freedoms of the Data Subject(s) that arise from such Processing, the cost of implementation and maintenance of such additional controls, and the consensus of professional opinion in the field of data security.
7.3 Protect.
- Access Control. [PR.AC]
  - Implement and maintain procedures to control and validate a person’s physical and logical access to the Secured Facility(s), the information system(s), and the PII therein based on role or function, including visitor control.
  - All users of Participant’s information systems must be individually identified and authenticated.
  - Restrict logical access to all Workstations, and administrator and non-consumer functions in other IT Systems, with a strong password known only to authorized users, whenever reasonably practicable.
  - Implement and maintain appropriate entry controls to reasonably prevent unauthorized persons from physically accessing the Secured Facility(s). Such controls may include using locks and keys, badges and badge readers, key fobs, et cetera, as appropriate given the risks to the rights and freedoms of the Data Subjects presented by the Processing.
  - Require visitors to sign in, wear a plainly visible “Guest” ID badge, and be escorted by an authorized individual at all times in the Secured Facility(s).
  - Implement and maintain policies and procedures for terminating access to the Secured Facility(s), the information systems, and the PII therein when an employee or contractor is separated from the Participant or when such access is no longer justifiable.
    - Such policies must require that all of the Participant’s physical authentication methods are either returned by such employees and contractors, or are deactivated.
  - Implement and maintain policies and procedures to authenticate and verify the identity of a user before granting the user’s request to modify any authentication credential, such as resetting a password.
  - Implement and maintain policies and procedures to correctly authenticate and verify the identity of Data Subjects before granting such Data Subjects’ requests to exercise rights with regard to PII Processed by Participant.
    - Participant must not rely on fewer than two unique identifiers in authenticating such Data Subjects.
  - Implement and maintain policies and procedures to limit employees’ and contractors’ access to the Secured Facility(s), the information systems, and the PII therein to those natural persons with an identified, legitimate need for such access, incorporating the principle of least privilege.
    - Regularly audit such privileged access rights (at least twice per year).
- Awareness and Training. [PR.AT]
  - Implement and maintain a data security training program for all employees within the Scope of the Certification.
  - Implement and maintain an ongoing data security awareness program for all employees within the Scope of the Certification.
  - Implement and maintain procedures for creating, changing, and safeguarding IT System passwords.
  - Implement and maintain policies and procedures to mitigate risks that arise from unintentional insider threats.
- Data Security. [PR.DS]
  - Secure the transmission of PII and authentication information over non-private networks with strong cryptography and security protocols (such as recent Transport Layer Security protocols) if the inappropriate use or disclosure of that data could cause financial, physical, or reputational harm to a Data Subject.
  - Secure the transmission of PII and authentication information over wireless networks with strong cryptography and security protocols.
  - Maintain (and implement as needed) procedures for securely disposing of PII when the Basis of Processing becomes obsolete.
  - Implement and maintain policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical and technical attributes surrounding a specific Workstation or class of Workstations. Such policies and procedures must, at minimum:
    - prohibit those software applications or categories of software applications that are likely to introduce a critical vulnerability, from being used or installed on the Workstations; and
    - prohibit operating systems with unauthorized modifications (including rooted or jailbroken operating systems) from being used or installed on Workstations; and
    - require users to re-authenticate to reactivate Workstations that have been idle for more than 15 minutes.
  - Implement and maintain policies to regulate the removal of storage media containing PII from within the Secured Facility(s). Whenever reasonably practicable, such policies must:
    - prohibit the removal of electronic storage media containing PII from within the Secured Facility(s), except for the occasional removal of PII done not on a large scale, or if such PII is encrypted with strong cryptography; and
    - prohibit the removal of PII in hardcopy from within the Secured Facility(s), except if such PII is reasonably physically secured when outside of the Secured Facility(s).
  - Implement and maintain policies and procedures to require that whole-disk encryption, container-level encryption, or file-level encryption be used in portable Workstations and portable mass storage media, as appropriate, to secure PII and authentication information contained on those devices. In all such cases, the encryption must be cryptographically strong.
  - Implement and maintain policies to require that Workstations, storage media containing PII, and authentication information be physically secured when not in use, both inside and outside of the Secured Facility(s).
  - Implement and maintain appropriate technical controls to prevent, detect, and correct data integrity violations in IT Systems.
    - Such controls may include checksums, mirroring, ECC memory, RAID parity, and file integrity monitoring tools.
  - Implement and maintain policies, whenever possible, to prohibit the use of PII for information system testing or development purposes.
- Information Protection Processes and Procedures. [PR.IP]
  - Implement and maintain policies and procedures to ensure that vendor-supplied default passwords and other authentication parameters in IT System(s) are changed, removed, or disabled.
  - Implement and maintain a binding confidentiality agreement with employees who are within the Scope of the Certification.
  - Implement and maintain policies to apply appropriate sanctions against employees who fail to adhere to the Participant’s documented data security policies and procedures.
  - Implement and maintain procedures to create and maintain retrievable exact copies of PII that the Participant stores or otherwise maintains.
  - Implement and maintain appropriate environmental controls to protect the integrity and availability of mission critical information systems and PII that the Participant stores or otherwise maintains.
    - Such controls may include emergency power supplies, emergency lighting, fire protection and suppression equipment, temperature and humidity controls, and measures to prevent water damage.
  - Implement and maintain policies and procedures to ensure the removal of PII from storage media before such media are made available for re-use by the Participant.
  - Implement and maintain policies and procedures to ensure the secure disposal of the media on which PII is or has been stored.
  - Implement and maintain policies and procedures to detect technical security vulnerabilities in the IT Systems.
- Maintenance. [PR.MA]
  - Implement and maintain policies and procedures to patch exploitable and high severity security vulnerabilities that exist in IT Systems expeditiously after the discovery of such vulnerabilities.
    - Such policies and procedures must require that vendor-supplied patches for exploitable and high severity IT System vulnerabilities be tested and applied to the affected IT Systems (or the vulnerability otherwise mitigated) within sixty days of the date on which the vendor released the patch.
  - Implement and maintain policies and procedures to prohibit the use of deprecated software that is no longer updated by the author.
- Protective Technology. [PR.PT]
- Limit repeated logical access attempts to IT System(s) by automatically locking out the user ID after not more than six consecutive failed access attempts.
- Set the lockout duration to a minimum of thirty minutes or until an administrator re-enables the user ID.
- Implement a functional firewall and maintain its configuration to protect the IT Systems from untrusted networks and untrusted traffic.
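The lockout requirements of PR.PT above (lock the user ID after at most six consecutive failed attempts; hold the lock for at least thirty minutes or until an administrator re-enables it) are simple to state but easy to implement loosely. The following is an added illustration, not text or code from the Program Criteria or from VeraSafe, of the minimum behaviour a practitioner would want to verify: the failure counter resets on a successful login, the sixth consecutive failure locks the ID, a correct credential presented while locked is still refused, the lock clears only once thirty minutes have elapsed, and an administrator can end the lock early. The in-memory state store, the injected clock and the timestamps in `demo()` are constructed for the example.

```python
"""Account-lockout policy modelled on the PR.PT criteria (added example, not
part of the Program Criteria). Thresholds are the criteria's minimums; the
clock is injected so the timing rules can be exercised without waiting."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

MAX_CONSECUTIVE_FAILURES = 6               # "not more than six consecutive failed access attempts"
LOCKOUT_DURATION = timedelta(minutes=30)   # "a minimum of thirty minutes"


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked_until: Optional[datetime] = None   # None means the ID is not locked


class LockoutPolicy:
    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._clock = clock
        self._accounts: Dict[str, AccountState] = {}   # constructed in-memory store

    def _state(self, user_id: str) -> AccountState:
        return self._accounts.setdefault(user_id, AccountState())

    def is_locked(self, user_id: str) -> bool:
        st = self._state(user_id)
        if st.locked_until is None:
            return False
        if self._clock() >= st.locked_until:
            # Lock period elapsed: clear the lock and the failure counter.
            st.locked_until = None
            st.consecutive_failures = 0
            return False
        return True

    def attempt(self, user_id: str, credential_ok: bool) -> str:
        """Record one access attempt. Returns 'ok', 'denied' or 'locked'.

        A correct credential presented while locked is still refused, so the
        lock state cannot be used as an oracle for guessing the password."""
        if self.is_locked(user_id):
            return "locked"
        st = self._state(user_id)
        if credential_ok:
            st.consecutive_failures = 0      # success resets the consecutive-failure count
            return "ok"
        st.consecutive_failures += 1
        if st.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            st.locked_until = self._clock() + LOCKOUT_DURATION
            return "locked"
        return "denied"

    def admin_reenable(self, user_id: str) -> None:
        """An administrator may re-enable the ID before the thirty minutes elapse."""
        st = self._state(user_id)
        st.locked_until = None
        st.consecutive_failures = 0


def demo() -> dict:
    """Walk the policy through its edge cases with a controllable clock."""
    now = [datetime(2024, 1, 1, tzinfo=timezone.utc)]   # constructed timestamp
    policy = LockoutPolicy(clock=lambda: now[0])
    out = {}
    for _ in range(5):                                   # five failures, then a success
        policy.attempt("alice", False)
    out["success_resets"] = policy.attempt("alice", True)
    results = [policy.attempt("alice", False) for _ in range(6)]
    out["sixth_attempt"] = results[-1]                   # sixth consecutive failure locks
    out["correct_pw_while_locked"] = policy.attempt("alice", True)
    now[0] += timedelta(minutes=29)
    out["after_29_min"] = policy.is_locked("alice")
    now[0] += timedelta(minutes=1)
    out["after_30_min"] = policy.is_locked("alice")
    out["login_after_expiry"] = policy.attempt("alice", True)
    for _ in range(6):                                   # lock a second ID, then admin clears it
        policy.attempt("bob", False)
    policy.admin_reenable("bob")
    out["admin_reenable"] = policy.attempt("bob", True)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

When auditing a real system against this criterion, check the same five points: that the counter is per user ID and counts consecutive failures only, that a success actually resets it, that the lock is enforced regardless of the credential presented, that the lock is time-based with a floor of thirty minutes, and that the administrative unlock path also clears the counter.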
7.4 Detect.
- Anomalies and Events. [DE.AE]
- Establish a baseline of network operations and expected data flows.
- Analyze suspected Security Incidents to understand attack targets and methods.
- Security Continuous Monitoring. [DE.CM]
- Implement and maintain policies and procedures to monitor the Secured Facility(s) and the IT Systems to detect Security Incidents and associated activity.
- Implement and maintain hardware, software, and/or procedural mechanisms to record and monitor technical activity in the IT Systems.
- Implement and maintain mechanisms to monitor physical activity in the Secured Facility(s), including the physical activity of contractors and visitors.
- Deploy antivirus software on all IT Systems that are commonly affected by malicious software. Such antivirus software must:
- be regularly, frequently updated; and
- automatically scan the IT System(s) where it is deployed; and
- not be disabled on the IT System(s) where it is deployed.
- Detection Processes. [DE.DP] (Reserved)
7.5 Respond.
- Response Planning. [RS.RP]
- Implement and maintain policies and procedures to respond to suspected or known Security Incidents.
- Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that physically damages the Secured Facility(s) or the information system(s).
- Maintain (and implement as needed) procedures to ensure the continuation of those procedures that are necessary to protect the security of PII, while operating during an emergency.
- Maintain (and implement as needed) procedures for accessing PII during an emergency.
- Data Breach Notification. [RS.CO]
- Where the Participant is a Data Controller, for any Data Breach in the Scope of the Certification, including in the information systems of the Participant’s Data Processors and subprocessors, that Participant must transmit the information described in Section 7.5(b)(2) (a “Notice of Data Breach”) to competent law enforcement agency(ies) and affected Data Subjects without delay and promptly after becoming aware of each such Data Breach, or do otherwise as required by law.
- Participant must promptly transmit its Notice of Data Breach to the competent law enforcement agency(ies), no later than seventy-two hours after becoming aware of such Data Breach.
- Unless a longer timeframe is officially requested by a competent law enforcement agency, the Participant must transmit its Notice of Data Breach to the Data Subjects no later than ten days after becoming aware of such Data Breach.
- Participant must provide its Notice of Data Breach to affected Data Subjects by way of its usual means of communicating with the Data Subjects, along with other means, if necessary.
- If performing the obligation of 7.5(b)(1)II would require a disproportionate effort (for example, costing the Participant more than the lesser of ten percent of global turnover or $250,000 USD) the Participant may satisfy the obligation of 7.5(b)(1)II by making a public notification or similar measure whereby the Data Subjects are notified in an equally effective manner.
- Unless otherwise required by applicable law, Participant’s Notice of Data Breach must:
- be titled “Notice of Data Breach”; and
- disclose that a Data Breach occurred; and
- disclose the categories of PII that were disclosed in the Data Breach; and
- disclose, if available, the approximate number of records that were exposed in the Data Breach; and
- disclose, if available, the approximate number of Data Subjects affected by the Data Breach; and
- disclose when the Data Breach occurred; and
- disclose what steps Data Subjects can take to protect themselves; and
- disclose likely consequences of the Data Breach; and
- disclose the actions the Participant is taking regarding the Data Breach including the steps the Participant is taking to reduce the risk of a repeated or sustained Data Breach; and
- disclose the name and contact information of a representative of the Participant who can provide additional information regarding the Data Breach; and
- be written in the language(s) in which the Participant usually conducts its affairs; and
- be provided in written form (which may be electronic), using clear language that a reasonable person would comprehend.
- Where the Participant is a Data Processor, that Participant must transmit its Notice of Data Breach to the Data Controller(s) within seventy-two hours of becoming aware of each such Data Breach.
- Upon becoming aware of a Data Breach, the Participant must act immediately and without undue delay to patch any unmitigated exploitable IT security vulnerabilities and to reduce the risk of a repeated or sustained Data Breach.
- Participants must notify VeraSafe of the occurrence of a Data Breach no later than ten days from the date of discovery of the Data Breach unless a longer timeframe is officially requested by a competent law enforcement agency.
- Analysis. [RS.AN]
- Implement and maintain policies and procedures to document Security Incidents and their outcomes.
- Mitigation. [RS.MI]
- Implement and maintain policies and procedures to mitigate, to the extent practicable, harmful effects of Security Incidents that are known to the Participant.
- Improvements. [RS.IM]
- Update policies and procedures based on lessons learned.
7.6 Recover.
- Recovery Planning. [RC.RP]
- Maintain (and implement when needed) procedures to restore any unintentionally lost PII.
- Improvements. [RC.IM] (Reserved)
- Communications. [RC.CO] (Reserved)
8. Data Quality
8.1 Where the Participant is a Data Controller, that Participant must take all reasonable steps to ensure that, with regard to the risks to the rights and freedoms of the Data Subject(s), PII it Processes is sufficiently reliable, accurate, complete, and current, and that PII that is inaccurate is erased or rectified without unreasonable delay.
9. Privacy By Default
9.1 Where the Participant is a Data Controller, that Participant must ensure that, by default, the PII it Processes is not made accessible, without the Data Subject’s intervention, to an indefinite number of natural or legal persons.
10. Privacy Of Children
10.1 Where the Participant is a Data Controller, that Participant must, where the Participant’s Scope of the Certification includes Information Society Services:
- ensure that the Information Society Service is not directed at or intended for use by Data Subjects under the age of thirteen (“U13”); or
- provide notice to parents or legal guardians of U13 (“Parent(s)”) and obtain verifiable parental consent, such as in the form of a consent agreement signed by the Parent and returned to the Participant before Processing the PII of U13; and
- give Parent(s) the opportunity to terminate such consent agreement at any time; and
- give Parent(s) the choice of consenting to the Participant’s internal Processing of their U13’s PII, while prohibiting the Participant from disclosing that PII to a Third Party Data Controller (unless such disclosure is strictly necessary for the purpose(s) of Processing, in which case this must be made clear to Parents); and
- enable Parent(s) to exercise the rights described in Sections 5 and 6 on behalf of their U13.
10.2 Where the Participant is a Data Controller, and the Participant becomes aware that it Processes the PII of a U13 without complying with Section 10.1(b)-(e), that Participant must securely dispose of such PII.
11. Commercial Email Communication
11.1 Where the Participant is a Data Controller, and Processes PII for the purpose of sending Commercial Email Messages:
- such Commercial Email Messages must include the Participant’s valid postal address which can be a current street address, a post office box registered with the U.S. Postal Service, a private mailbox registered with a commercial mail receiving agency established under U.S. Postal Service regulations or, for Participants whose principal office(s) are located outside of the U.S., a valid and current post office box registered with the local governmental authority responsible for postal matters; and
- such Commercial Email Messages must include a clear and conspicuous, functioning and free unsubscribe mechanism. Such an unsubscribe mechanism must not require a Data Subject to give the Participant any PII beyond an email address, or make a Data Subject take any step other than sending a reply email or visiting a single page on a website as a condition for honoring an unsubscribe request. Participants must implement the Data Subject’s unsubscribe request within ten business days of receipt of such a request.
- An unsubscribe mechanism is not required for Relationship Messages and a Participant may continue to send Relationship Messages after a Data Subject unsubscribes from Commercial Email Messages provided that the Data Subject continues a business or employment relationship with the Participant.
11.2 If a Data Subject has unsubscribed from the Participant’s Commercial Email Messages, the Participant must not transfer that Data Subject’s email address to any Third Parties for their direct marketing use.
12. Recourse And Enforcement
12.1 Compliance Verification.
- Participants must retain the records related to their compliance with the Program Criteria for at least six years from the date on which a record was created, or was last in effect, whichever is later.
- Participants must regularly review their compliance with the applicable Privacy Notice(s) and these Program Criteria, and take remedial action, as appropriate, to ensure their ongoing compliance therewith.
- Each Participant shall be subject to, and cooperate with, the Verification Process at least annually to verify its ongoing compliance with these Program Criteria.
- The Verification Process can be re-initiated by VeraSafe at any time at VeraSafe’s discretion.
12.2 Recourse.
- Where the Participant is a Data Controller, that Participant must respond to data protection related inquiries or complaints it receives from Data Subjects within thirty days of receipt by the Participant.
- Participants must cooperate with VeraSafe’s efforts to investigate complaints pertaining to such Participant that are determined to be valid and within the scope of these Program Criteria.
- Participants must cooperate and comply with the Procedure applicable to any such complaints.
12.3 Accountability.
- In the event VeraSafe reasonably believes that a Participant has violated these Program Criteria or the applicable Master License and Services Agreement between VeraSafe and the Participant in a material way, such Participant’s good standing in the Program may be suspended (“Program Suspension”) by VeraSafe.
- In such circumstance, VeraSafe shall provide the suspended Participant with a description of the violation(s) and any remedial actions that VeraSafe will require the Participant to take during the Program Suspension period (“Program Suspension Obligations”).
- Participant’s participation in the Program shall be considered to be suspended immediately upon receiving notice to such effect from VeraSafe.
- Program Suspension Obligations.
- Program Suspension Obligations may include, but are not limited to:
- implementation of additional data protection controls beyond those specified in the Program Criteria; and
- cooperation with additional compliance monitoring by VeraSafe; and
- payment to VeraSafe as compensation for VeraSafe’s additional compliance monitoring activities.
- Participants must comply with all Program Suspension Obligations within forty-five days of receiving the suspension notice, unless a longer duration is mutually agreed upon between VeraSafe and the Participant.
- During the Program Suspension period, Participant’s suspended status may be indicated via its VeraSafe instant verification page hosted by VeraSafe, and VeraSafe may revoke the Participant’s license to display the VeraSafe Privacy Seal(s).
- Exiting Program Suspension.
- Program Suspension shall last until such time as the Participant has corrected the material violation(s) to VeraSafe’s satisfaction.
- If the Participant has not rectified the material violation(s) by the end of the Program Suspension period, VeraSafe will, in its discretion, either:
- extend the Program Suspension period; or
- determine that Participant has failed to comply with the Program Suspension Obligations and apply one or more Enforcement Actions (as defined in the Section 12.3(d)) against the Participant.
- Enforcement Actions.
- Subject to the provisions of Section 12.3, VeraSafe may:
- terminate the Participant’s participation in the Program(s) (“Termination”); and
- Participants that are Terminated will no longer be entitled to use, reproduce, or display any of the VeraSafe Privacy Seals and must immediately stop all use of any VeraSafe Privacy Seal; and
- Participant’s participation in the Program shall be considered to be Terminated immediately upon receiving notice to such effect from VeraSafe; and
- notify the relevant regulatory enforcement authority in the Participant’s jurisdiction in cases where the Terminated Participant’s material violations are, in VeraSafe’s judgment, repeated or intentionally negligent; and
- make publicly available a notice of the Terminated Participant’s material violation(s) in cases where such material violation(s), in VeraSafe’s judgment, constitute an ongoing risk to the rights and freedoms of Data Subjects (“Enforcement Actions”).
13. Requirement For Neutrality
13.1 A Participant must not have a direct or indirect business affiliation with VeraSafe, or with any employee of VeraSafe, that would prejudice the ability of VeraSafe to render a fair decision with respect to the certification of the Participant. Such affiliations include but are not limited to the Participant and VeraSafe being under common control such that the Participant can exert undue influence in VeraSafe.