TBS INTERNET - SSL certificates broker

These clauses form the Data Processing Agreement (DPA) between TBS INTERNET Ltd and the Customer holding the Customer Area.

v1.04, 2020-12-01

As part of the «General Data Protection Regulation», it is important to note that:
  • The Customer generally acts as a Data Controller (but may be in the position of Data Processor if he acts as a reseller).
  • TBS INTERNET Ltd acts as a Data Processor for the supply and management of digital certificates.
  • TBS INTERNET Ltd acts as a Data Controller for the supply of TBS X509 certificates.
  • TBS INTERNET Ltd is led to transfer personal data to the Certification Authorities acting as either Data Controller or Data Processor.
  • In accordance with the data protection laws and in particular Article 28.3.a of the European Regulation, the Data Processor only acts according to the instructions given by the Data Controller.

I. Processing Instructions


The data processing operations performed by the Data Processor on behalf of the Data Controller are defined below:

Aim of data processing:
The supply, issuance and management of digital certificates

Nature of operations carried out on Personal Data:

Addition, deletion, modification of Personal Data necessary for contract management and validation of digital certificate applications.
Transmission of Personal Data to Certification Authorities as the recipient of the Customer's Personal Data.

What are the processing purposes?

To «Execute and deliver the digital certificate management contract» the purposes are broken down into:
  • Valid requests
  • Technical Support
  • Product Validity duration
  • Legal requirements
  • Statistics
  • System Security
  • Marketing

Processing duration

TBS INTERNET Ltd will proceed to the Processing of Personal Data for the duration of the Contract, unless otherwise agreed by the parties, in writing.

At the end of the contract, the Personal Data will be:
  • For data used to validate certificate requests: the Personal Data retention time is a function of the retention policy of the relevant digital certificate class (documented in the "Certification terms" that you accept with each certificate request).
  • For other data related to contract management: anonymized one year after the end of the business relationship or one year after the expiry of the certificate if this date is later.

For your information, when the GDPR came into force, the standard CA/Browser Forum Baseline Requirements 1 (CA/B BR1) required a retention of data for 7 years after the expiry of the certificate.

Categories of data subjects

The Client may submit Personal Data relating to the following categories of Data Subjects:
  • Employees or contacts of the Client's suppliers
  • Employees, agents, advisors or independent workers of the Client (who are natural persons)
  • Employees or contacts of Customer's customers (in case of resale)

In case of resale, the Client ensures that he has obtained from his own client the agreement for the processing of Personal Data entrusted to TBS INTERNET Ltd and the Certification Authorities.

Data Subject's Rights

Data Subjects may exercise rights of access, rectification and erasure here:
https://www.tbs-certificats.com/RGPD

Categories of Personal Data

Transferred Personal Data include the following categories of data:
Personal details: last name, first name, phone number, email address, IP address, and if required for electronic certificate validation: a copy of ID.

Special category of Personal Data (when appropriate)

No sensitive data

Data Recipients
  • Within TBS INTERNET Ltd: all departments
  • Certification Authorities
  • Certification Authorities' Controllers and Vetting Supervisors

Data Protection Officer (DPO)

Given the processed data, TBS INTERNET Ltd has no obligation to have a DPO. Any specific GDPR issue can be sent to privacy@tbs-internet.co.uk

Security of Personal Data

TBS INTERNET Ltd and its Subprocessors take the necessary technical measures to ensure the protection of personal data, in line with the risks. This includes encryption techniques, access limitation, audit trails, as well as backup.

II. List of Subprocessors

Export within the European Union, or outside it to a country found by the European Commission to provide adequate protection of personal data:

  • SIGNIFLOW Ltd, digital signature platform

III. List of exportations to Suppliers

Export to a Data Controller, recipient of processed data, to the European Union or to another country recognized by the EU as providing an adequate level of protection:

  • Certigna, certification authority

Export to a Data Controller, recipient of processed data, to the European Union or to another country recognized by the EU as providing an adequate level of protection, or to another country where the Data Controller has a presence and that he considers to provide an adequate level of protection:

  • Sectigo Ltd, certification authority, Comodo and PositiveSSL brands
  • Digicert Ireland Ltd, certification authority, Symantec, Thawte, Geotrust, RapidSSL, Digicert brands
  • GMO GlobalSign Ltd, certification authority, GlobalSign brand

Export to a Processor, a supplier who stores the data in the European Union:

  • SIGNIFLOW Ltd, electronic signature solution
    • To learn more about how the authority protects, processes and manages personal data, see the privacy policy.