NOTICE ON TECHNICAL AND ORGANIZATIONAL PROTECTION MEASURES APPLIED TO THE TRANSFER OF PERSONAL DATA TO THE PEOPLE’S REPUBLIC OF CHINA
Given the nature of its business activities, Lingo Turtle processes personal data in the course of its operations as either a controller or a processor. In certain cases, where there is an appropriate legal basis and subject to the implementation of the prescribed safeguards, personal data may be transferred to business partners established in the People’s Republic of China on the basis of agreements concluded with such business partners.
This Notice has been prepared to inform data subjects about the protection measures implemented by Lingo Turtle and its business partners in connection with the transfer and processing of personal data in the People’s Republic of China.
In order to ensure an adequate level of protection for personal data transferred to the People’s Republic of China, the parties implement technical, organizational and personnel-related measures designed to ensure the confidentiality, integrity, availability and resilience of personal data processing systems and services.
1. Protection Measures Implemented by the Data Exporter
Data is transferred over information and communication systems that protect data in transit through the application of modern cryptographic protocols for encrypted communications.
Data transfers between the parties are carried out through secure communication channels. In addition, files containing larger volumes of personal data or data of a more sensitive nature are protected by additional content encryption prior to transfer. Passwords or decryption keys are communicated through separate communication channels.
Access to systems and data is granted exclusively to authorized persons through individual user accounts. Multi-factor authentication is implemented for access to information systems containing personal data.
User access management measures are implemented, including the assignment of access rights in accordance with business needs, periodic reviews of user accounts, and the revocation of access for persons who no longer require it.
Endpoint devices used for the processing and transfer of data are protected by up-to-date antivirus and anti-malware solutions, as well as regular security updates of operating systems and applications.
Physical security measures are implemented to protect business premises and equipment, including access control mechanisms and other appropriate security safeguards.
2. Protection Measures Implemented by the Data Importer
The data importer is required to restrict access to personal data exclusively to persons who require such access for the performance of the agreed services and to implement appropriate technical and organizational measures for the protection of personal data.
The data importer applies access control measures, user authentication mechanisms, user privilege management procedures, safeguards against unauthorized access to information systems, and regular updates of software and hardware components.
The data importer is contractually obliged to process personal data solely in accordance with the documented instructions of the controller, to ensure the confidentiality of persons having access to the data, to report without undue delay any security incidents that may affect the security of the data, and to cooperate with the controller in safeguarding the rights of data subjects.
3. Additional Technical and Organizational Protection Measures
Given the nature of the services provided by the data importer, access to personal data in a readable form is a technical necessity. Consequently, end-to-end encryption measures under which the data exporter would retain exclusive control over the encryption keys cannot be implemented. The associated risks are mitigated through a combination of contractual, organizational and technical measures, including access restrictions, user authentication, access logging, data minimization and the protection of data in transit.
In order to further reduce the risks associated with the international transfer of personal data to the People’s Republic of China, the parties implement the following additional protection measures:
- Multi-Factor Authentication (MFA) is implemented for access to information systems containing personal data;
- Personal data is transferred through secure communication channels using modern cryptographic protocols to protect data in transit;
- Files containing larger volumes of personal data or data of a more sensitive nature are additionally protected through the application of modern encryption methods prior to transfer, while passwords or decryption keys are communicated through separate communication channels;
- Endpoint devices and information systems are protected by appropriate antivirus, anti-malware and other security mechanisms aimed at preventing unauthorized access and data compromise;
- A backup system for business-critical data has been established, including periodic testing of data recovery capabilities;
- Access to personal data is restricted exclusively to persons who require such access for the performance of their duties, in accordance with the principle of least privilege and predefined access levels;
- The number of persons having access to personal data is limited to the minimum necessary for achieving the purpose of processing;
- User accounts, access rights and processing authorizations are reviewed on a regular basis;
- Records of access to information systems and user activities (audit logs) are maintained for the purpose of detecting, analyzing and documenting security incidents and other relevant events;
- Operating systems, applications and other software components are regularly updated with security patches and updates;
- Periodic assessments of the effectiveness of technical, organizational and personnel-related protection measures are conducted;
- The principle of data minimization is applied, ensuring that only personal data necessary for the specific purpose of processing is transferred;
- The data importer is contractually required to promptly notify the data exporter of any request from a public authority seeking access to transferred personal data, unless such notification is prohibited by applicable law;
- The data importer is contractually required, to the extent permitted by applicable law, to challenge requests from public authorities that it considers unlawful, unnecessary or disproportionate to the purpose for which the data is requested;
- The data importer maintains records of all requests from public authorities for access to personal data and, to the extent permitted by applicable law, makes relevant information available to the data exporter;
- Where the data importer is required to comply with a lawful request from a public authority, it shall limit the scope of the disclosed data to the minimum amount necessary to satisfy the specific legal requirement;
- Employees who have access to personal data are subject to confidentiality obligations and receive appropriate training in personal data protection and information security;
- Procedures are implemented for the recording, reporting, investigation and remediation of security incidents, including mutual notification between the parties where an incident may affect the security of transferred personal data.
When assessing the adequacy of the above measures, consideration is given to the nature, scope, context and purposes of the processing, as well as the likelihood and severity of the risks to the rights and freedoms of the data subjects concerned.