Data Protection Policy

- Solutions
  - Strong Identities
    1. Identity Verification
      Enable high assurance identities that empower citizens.
    2. ID Issuance
      Issue safe, secure digital and physical IDs in high volumes or instantly.
    3. User Identity
      Elevate trust by protecting identities with a broad range of authenticators.
    4. Machine Identity
      Issue and manage strong machine identities to enable secure IoT and digital transformation.
    5. Digital Signature
      Use secure, verifiable signatures and seals for digital documents.
  - Secure Payments
    1. Financial Issuance
      Issue digital and physical financial identities and credentials instantly or at scale.
    2. Digital Card Solution
      Issue digital payment credentials directly to cardholders from your bank's mobile app.
  - Trusted Infrastructure
    1. Post-Quantum Cryptography
      Find, assess, and prepare your cryptographic assets for a post-quantum world.
    2. Database Security
      Secure databases with encryption, key management, and strong policy and access control.
    3. Multi-cloud Security
      Keys, data, and workload protection and compliance across hybrid and multi-cloud environments.
- Industry
- Compliance
  - 1. PSD2
    2. HIPAA
    3. GDPR
    4. Swift
  - 1. CMMC
    2. eIDAS
    3. NITES
- Featured Products
  - As a Service Products
    1. Identity Verification as a Service
      Citizen verification for immigration, border management, or eGov service delivery.
    2. Identity as a Service (IDaaS)
      Cloud-based Identity and Access Management solution.
    3. Digital Signing as a Service
      Cloud-based digital signing solutions.
    4. Instant ID as a Service
      Issue physical and mobile IDs with one secure platform.
  - 1. Digital Card Solution
      Instantly provision digital payment credentials directly to cardholder’s mobile wallet.
    2. PKI as a Service
      A highly secure PKI that’s quick to deploy, scales on-demand, and runs where you do business.
    3. nShield as a Service
      Subscription-based access to dedicated nShield HSMs for cloud-based cryptographic services.
    4. Seamless Travel as a Service
      Remote identity verification, digital travel credentials, and touchless border processes.
  - 1. Instant Financial Issuance
      In-branch and self-service kiosk issuance of debit and credit cards.
    2. Central Financial Issuance
      High volume financial card issuance with delivery and insertion options.
    3. Instant ID Issuance
      Secure issuance of employee badges, student IDs, membership cards and more.
    4. Central ID Issuance
      Passports, national IDs and driver licenses.
    5. nShield HSMs
      Securely generate encryption and signing keys, create digital signatures, encrypting data and more.
  - 1. Cloud Security, Encryption and Key Management
      Powerful encryption, policy, and access control for virtual and public, private, and hybrid cloud environments.
    2. Digital Certificates
      TLS/SSL, digital signing, and qualified certificates plus services and tools for certificate lifecycle management.
    3. Identity and Access Management (IAM)
      One Identity portfolio for all your users — workforce, consumers, and citizens.
    4. Machine Identity Management
      Centralized visibility, control, and management of machine identities.
    5. Post-Quantum
      Learn what steps to take to migrate to quantum-resistant cryptography.
- Enterprise ID & Issuance
  - Instant ID as a Service
    Issue physical and mobile IDs with one secure platform.
    Learn More
  - Instant Issuance
    1. Sigma Direct-to-Card System
    2. Artista Retransfer System
    3. System Software
      Personalization, encoding and activation.
    4. Supplies
    5. Services
- Financial ID & Issuance
  - Digital Card Solution
    Instantly provision digital payment credentials directly to cardholder’s mobile wallet.
    Learn More
  - Digital Banking
    1. Digital Account Opening
    2. Digital Card Solution
  - Instant Issuance
    1. Sigma Direct-to-Card System
    2. Artista Retransfer System
    3. System Software
      Personalization, encoding and activation.
    4. Supplies
    5. Services
  - Central Issuance
    1. Card Issuance Systems
    2. Inline Card Delivery Systems
    3. Inline Envelope Insertion Systems
    4. Standalone Card Affixing/Envelope Insertion Systems
    5. Standalone Envelope Insertion Systems
    6. System Software
      Personalization, encoding, delivery and analytics.
    7. Supplies
    8. Services
- Government ID & Issuance
  - Digital Citizen
    1. eGovernment service delivery
    2. Identity Verification as a Service
    3. Seamless Travel as a Service
    4. ePassport as a Service
  - Central Issuance
    1. Passports, national IDs and driver licenses.
    2. Passport Issuance Systems
    3. National ID and Driver License Systems
    4. Inline Delivery & Insertion
    5. Standalone Delivery & Insertion
    6. System Software
      ID Personalization, encoding and delivery.
    7. Supplies
    8. Services
  - Instant Issuance
    1. Other citizen IDs and licenses.
    2. Sigma Direct-to-Card System
    3. Artista Retransfer System
    4. System Software
      Personalization, encoding, delivery and analytics.
    5. Supplies
    6. Services
  - Identity Verification as a Service
    Our IDVaaS solution allows remote verification of an individual’s claimed identity for immigration, border management, or digital services delivery.
    Learn More
- Cloud Security Posture Management
  - 1. CloudControl Enterprise for AWS
      Secure and ensure compliance for AWS configurations across multiple accounts, regions and availability zones.
    2. CloudControl Enterprise for Containers
      Security compliance and environmental hardening solution for contains and Kubernetes using VMware Tanzu and RedHat OpenShift platforms.
    3. CloudControl Enterprise for Swift
      Meet the compliance requirements for Swift’s Customer Security Program while protecting virtual infrastructure and data.
    4. CloudControl Enterprise for vSphere and NSX
      Comprehensive compliance, multi-factor authentication, secondary approval, RBAC for VMware vSphere NSX-T and VCF.
    5. CloudControl Foundation for vSphere
      Comprehensive compliance for VMware vSphere, NSX-T and SDDC and associated workload and management domains
  - CloudControl 30-Day Free Trial
    Entrust CloudControl offers comprehensive security and automated compliance across virtualization, public cloud, and container platforms while increasing visibility and decreasing risks that can lead to unintended downtime or security exposure.
    Start Free Trial
- Key Management and Encryption
  - 1. KeyControl for KMIP and Secrets
      Manage all your secrets and encryption keys, including how often you rotate and share them, securely at scale.
    2. KeyControl BYOK
      Create and manage encryption keys on premises and in the cloud. Manage your key lifecycle while keeping control of your cryptographic keys.
    3. KeyControl for Database Encryption
      Integrates with your database for secure lifecycle management of your TDE encryption keys.
    4. KeyControl for Backup and Recovery
      Integrates with your backup and recovery solution for secure lifecycle management of your encryption keys.
  - 1. DataControl for Azure
      Data encryption, multi-cloud key management, and workload security for Azure.
    2. DataControl for AWS
      Data encryption, multi-cloud key management, and workload security for AWS.
    3. DataControl for IBM Cloud
      Data encryption, multi-cloud key management, and workload security for IBM Cloud.
  - KeyControl 30-Day Free Trial
    VMware vSphere and vSAN encryption require an external key manager, and KeyControl is VMware Ready certified and recommended. KeyControl enables enterprises to easily manage all their encryption keys at scale, including how often keys are rotated, and how they are shared securely.
    Start Free Trial
- Hardware Security Modules (HSM)
  - nShield as a Service
    1. Subscription-based access to dedicated nShield Cloud HSMs.
  - nShield HSMs
    1. nShield Connect
      Networked appliances that deliver cryptographic key services to distributed applications.
    2. nShield Solo
      PCI-Express card-based HSMs.
    3. nShield Edge
      Personal, USB-connected desktop HSMs.
  - Management and Monitoring
    1. nShield Monitor
    2. nShield Remote Administration
  - CodeSafe
    1. SDK for securing sensitive code within a FIPS 140-2 Level 3 certified nShield HSM.
    2. Post-Quantum SDK
  - Software Option Packs
  - Compliance and Certification
    1. FIPS 140-2/140-3
    2. Common Criteria
    3. eIDAS
    4. NIST 800-53
    5. GDPR
    6. PSD2
    7. HIPAA
    8. PCI-DSS
    9. NITES
  - Why you need an HSM
    1. Learn about all the details related to what hardware security modules offer you in security and cost savings...
    2. Learn More
  - Use Cases
- TLS/SSL Certificates
  - BUY NOW
    1. Buy Certificates
    2. Renew Certificates
  - TLS/SSL Certificates
  - Qualified Certificates
  - Sales and Services
- Identity and Access Management (IAM)
  - Products
    1. Identity as a Service
      Cloud-Based IAM
    2. Identity Enterprise
      On-prem IAM
    3. Identity Essentials
      On-prem MFA solution for Windows users
    4. APIs and SDKs
  - Integrations
  - Testimonials
  - Workforce
  - Consumer and Citizen
  - Get Entrust Identity as a Service Free for 60 Days
    Explore the Identity as a Service platform that gives you access to best-in-class MFA, SSO, adaptive risk-based authentication, and a multitude of advanced features that not only keep users secure, but also contribute to an optimal experience.
    Start Free Trial
- Electronic and Digital Signing
  - EU Qualified Trust Services
    In addition to our long-standing Adobe Approved Trust List (AATL) membership, we are a European Qualified Trust Service Provider for the issuance of eIDAS qualified certificates for qualified signatures and advanced seals, for PSD2 certificates and for QWACs
    Learn More
  - Digital Signing as a Service
  - Digital Signing Certificates
  - Digital Signing Infrastructure
- Public Trust Certificates
  - Verified Mark Certificates (VMCs) for BIMI
    Show your official logo on email communications. Download our white paper to learn all you need to know about VMCs and the BIMI standard.
    Learn More
  - Buy and Renew TLS/SSL Certificates
    1. Buy Certificates
    2. Renew Certificates
  - Signing Certificates
  - Qualified Certificates
    1. PSD2 Qualified Electronic Seal Certificates
  - Sales and Services
- Public Key Infrastructure (PKI)
  - PKI as a Service
    1. Use Cases
    2. Post-Quantum PKIaaS
  - PKI Products
  - Managed Services
  - Certificate Lifecycle Management
  - Cryptographic Center of Excellence
    1. PKI Health Check
    2. Cryptographic Health Check
  - Try Post-Quantum PKI as a Service Now
    Get PQ Ready. PKIaaS PQ provides customers with composite and pure quantum Certificate Authority hierarchies.
    Try Now
- Internet of Things (IoT) Security
  - Credentialing and Provisioning
  - Machine Identity Management
  - Global PKI IoT Trends Study
    Find out how organizations are using PKI and if they’re prepared for the possibilities of a more secure, connected world.
    Learn More
- Machine Identity Management
  - Lifecycle Management
  - Credentialing and Provisioning
  - The State of Machine Identity Management
    A recent survey by IDG uncovered the complexities around machine identities and the capabilities that IT leaders are seeking from a management solution.
    Get the White Paper
- Post-Quantum
  - Issuance and Provisioning
    1. PKI as a Service PQ
    2. PQ Standards and Research
  - Cryptographic Center of Excellence
    1. Crypto Health Check
    2. PKI Health Check
  - Are you ready for the threat of post-quantum computing?
    Know where your path to post-quantum readiness begins by taking our assessment.
    Begin Assessment
- Partners
  - Become an Entrust Partner
    Our partner programs can help you differentiate your business from the competition, increase revenues, and drive customer loyalty. Consider joining one or more of our Entrust partner programs and strategically position your company and brand in front of as many potential customers as possible.
    Learn More
  - Partner Directory
    Search for partners based on location, offerings, channel or technology alliance partners.
    Search for a Partner
  - Programs
  - Partner Logins
- Support & Services
  - Contact Support
  - TrustedCare
    Product downloads, technical support, marketing development funds.
    Learn More
  - Digital Security Knowledge Base
    Guides, white papers, installation help, FAQs and certificate services tools.
    Learn More
  - Issuance Systems Knowledge Base
    Technotes, product bulletins, user guides, product registration, error codes and more.
    Learn More
  - PKI Professional Services
  - Cryptographic Center of Excellence
    Construct best practices and define strategies that work across your unique IT environment.
    Learn More
  - Custom Cryptographic Solutions
    1. Code Signing
    2. HSM Application Integration
  - Product Deployment Services
  - Packaged Services
  - Training
- Resources
  - Issuance Systems Knowledge Base
    Technotes, product bulletins, user guides, product registration, error codes and more.
    Learn More
  - Digital Security Knowledge Base
    Guides, white papers, installation help, FAQs and certificate services tools.
    Learn More
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- About Entrust
  - Securing a World in Motion Since 1969
    We’ve established secure connections across the planet and even into outer space. We’ve enabled reliable debit and credit card purchases with our card printing and issuance technologies. Protected international travel with our border control solutions. Created secure experiences on the internet with our SSL technologies. And safeguarded networks and devices with our suite of authentication products.
    Explore Our History
  - 1. Leadership
    2. Blog
    3. Careers
    4. Events
    5. Webinars
    6. Podcasts
    7. News Articles
    8. Press Releases
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Shop
  - Entrust Certificate Services Portal
    Existing Entrust Certificate Services customers can login to issue and manage certificates or buy additional services.
    Learn More
  - Entrust Certificate Services Retail
    Shop for new single certificate purchases.
    Learn More
  - Entrust Certificate Services Partner Portal
    Existing partners can provision new customers and manage inventory.
    Learn More
  - Instant Financial Card Issuance Supplies
    1. Registered Customer Login
    2. Request Access
- Search Entrust
  - Search:

Introduction

As a business and an employer, it is necessary for Entrust Corporation and its subsidiaries and affiliates (collectively, “Entrust” or the “Company”) to collect, store and process personal data about our employees, contingent workers, customers, suppliers and other third parties with whom we engage to provide products or services on our behalf.

With the introduction of the European General Data Protection Regulation (“GDPR”) on May 25, 2018 and other applicable laws governing data protection, we are subject to enhanced requirements regarding how we collect, use, and store personal data.

Purpose

The purpose of this policy is to help all of us comply with our legal obligations and enable individuals about whom we hold personal data to have confidence in us. This policy applies to all Entrust employees, contingent workers and third parties processing data on behalf of Entrust. Unless specified, this policy applies in all countries in which Entrust operates and/or conducts business.

Policy Requirements

1. DEFINITIONS

“Data Controller” or “Personally Identifiable Information Controller (PII Controller)” means the entity that determines the purpose and means of Processing Personal Data.

“Data Processor” or “Personally Identifiable Information Processor (PII Processor)” means the entity that Processes Personal Data on behalf of the Controller.

“Data Protection Laws” means all applicable data protection and data privacy laws and regulations, including but not limited to the EU General Data Protection Regulation (GDPR), UK General Data Protection Regulation (UK GDPR), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and the California Consumer Privacy Act (CCPA).

“Data Subject” or “Personally Identifiable Information Principal (PII Principal)” means the identified or identifiable person or household to whom Personal Data relates.

“Data User” is a term used to describe any employee, consultant, independent contractor, intern, temporary worker or third party acting on Entrust’s behalf (including data processors) whose work involves processing personal data for Entrust.

“Personal Data” shall have the meaning ascribed to “personally identifiable information,” “personal information,” “personal data” or equivalent terms as such terms are defined under Data Protection Laws.

“Personal Data Incident” shall have the meaning assigned by Data Protection Laws to the terms “security incident,” “security breach” or “personal data breach” and shall include any situation in which Vendor becomes aware that Personal Data has been or is likely to have been accessed, disclosed, altered, lost, destroyed or used by unauthorized persons, in an unauthorized manner.

“Processing” means any operation or set of operations that is performed on Personal Data, whether or not by automatic means, such as collection, recording, organization structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring or disclosing personal data to third parties.

“Special Category Data” or “Special Category Personal Information” is a subset of personal data and refers to information about an individual’s race or ethnic origin, sex life or sexual orientation, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (eye color, hair color, height, weight), medical history, or criminal convictions and offenses or related security measures.

2. OUR RESPONSIBILITY

Depending on the circumstances, Entrust may act as a data controller or a data processor. As a data controller, Entrust is responsible for establishing practices and policies in line with Data Protection Laws. It is equally important that Entrust be able to demonstrate compliance with these laws. The Company does this by:

Implementing policies that enable the Company to comply with data protection laws such as this policy, policies around document retention and data security, and Entrust’s privacy statements;
Communicating and training employees, contingent workers and third parties acting on behalf of Entrust about data protection requirements;
Investigating instances of non-compliance with Entrust data protection policies and taking appropriate remedial and/or disciplinary action;
Investigating, remediating and, in some instances, providing notification of a Personal Data Incident;
Conducting data processing impact assessments where required for new types of processing activities;
Undertaking periodic internal audits of Entrust’s data protection policies and procedures; and
Considering data protection at the outset of new product design.

3. PROCESSING PERSONAL DATA

Any personal data that the Company processes or that is processed on Entrust’s behalf must:

Be processed fairly, lawfully and in a transparent manner;
Be processed only for specified, explicit and legitimate purposes;
Be relevant and limited to what is necessary for the legitimate purpose(s) for which the data is processed;
Be accurate and kept up to date ensuring, where reasonably possible, that inaccurate personal data is erased or rectified without delay;
Not be kept any longer than is necessary to fulfill the purpose(s) for which the data was collected; and
Be processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage.

4. SENSITIVE AND SPECIAL CATEGORY DATA PROCESSING

Entrust processes sensitive information on behalf of colleagues across various business systems and limited special category data in Workday. Appropriate controls are in place and outlined in the Special Category Data, Benefits and Payroll DPIAs and the Access Control Standard for Sensitive and Special Category Data available on the Entrust Compliance site.

5. LEGAL GROUNDS FOR PROCESSING PERSONAL DATA

The Company may only process personal data if permitted to do so under Data Protection Laws. The following are the grounds Entrust relies upon to process personal data:

Where processing is necessary:

For the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
For compliance with a legal obligation to which Entrust is subject; and/or
To pursue Entrust’s legitimate interests, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

In addition to these grounds, Entrust may also process personal data where the data subject has given consent to the processing for one or more specified purposes, provided that the consent is freely given, specific, informed and an unambiguous indication of the data subject’s wishes. Where Entrust uses consent as the grounds for processing, a data subject has the right to withdraw consent at any time and for any reason.

Entrust may, on occasion, also need to process special categories of personal data for customers, employees or contingent workers (e.g., where required by safe employment practices). When Entrust processes or uses a third party to process on its behalf special categories of personal data, Entrust will ensure, where applicable, that the following conditions are satisfied:

Data subject has given explicit consent to the processing of the special category of personal data for one or more specified purposes;
Processing is necessary for carrying out obligations under employment law, social security or social protection law, or a collective bargaining agreement;
Processing is necessary for the purposes of preventive or occupational medicine, or for the assessment of the working capacity of an employee;
Processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent;
Processing relates to personal data which has been made public by the data subject; and/or
Processing is necessary for establishing or defending legal claims.

6. DATA RECORDS MANAGEMENT

Entrust maintains a central record of the types of personal data the Company collects and why that data is collected. Entrust will only process personal data for the specific purpose(s) set forth in the central record or for any other purpose(s) specifically permitted Data Protection Laws. Entrust will notify data subjects of those purposes when data is first collected or, where not possible, as soon as possible thereafter.

Entrust will only process personal data to the extent required for the purposes provided to the data subject. This means that Entrust may not ask for, or record in its systems, more personal data than is needed. The Company has appropriate technical and organizational measures in place to ensure that personal data that is no longer needed is erased or destroyed.

The Company also employs reasonable measures to ensure that any personal data held is accurate and kept up to date. Entrust aims to check the accuracy of any personal data at the point of collection and at regular intervals afterwards. The Company will take all reasonable steps to erase, destroy or amend inaccurate or out-of-date data without undue delay and, in any event, within one month of a data subject’s request (or for up to three months where there are specific reasons why one month is not possible).

7. ERASURE OR DESTRUCTION OF PERSONAL DATA

Paper records that contain personal data must be shredded and disposed of securely when there is no longer a need to retain them. Paper records containing personal data may not be disposed of in any other manner.

When deleting electronic personal data, all possible steps should be taken to put the data in question beyond use. Where it is impossible to delete personal data altogether, reasonable steps must be taken to ensure the data is deleted to the fullest extent possible.

IT is responsible for destroying or erasing electronic equipment that contains personal data (e.g. laptops, desktops, company-owned mobile devices, and work data on BYOD devices).

8. INFORMATION SECURITY

When the Company processes personal data, it takes reasonable measures to ensure data remains secure and is protected against unauthorized or unlawful processing, accidental loss, destruction or damage. Entrust does this by:

Encrypting personal data where possible and appropriate;
Ensuring the ongoing confidentiality, integrity, availability and resilience of systems and services used to process personal data;
Ensuring the restoration of access to personal data in a timely manner in the event of a physical or technical incident; and
Facilitating testing, assessment and evaluation of the effectiveness of technical and organizational measures for ensuring data security.

In assessing the appropriate level of security, Entrust considers the risks associated with the processing, in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the personal data that is processed.

Where Entrust engages third parties to process personal data on its behalf, such parties do so based on written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organizational measures to ensure data security. Personal data may not be shared with anyone outside of Entrust or authorized third parties.

Desks and cupboards are kept locked if they hold personal data or confidential information of any kind. Data users ensure that individual monitors/screens do not show personal data or confidential information to passers-by and that they log off from or lock their computers/tablets when left unattended.

9. REPORTING A PERSONAL DATA INCIDENT

A Personal Data Incident can happen in many ways, including:

Loss of a mobile device or hard copy file which contains personal data (e.g., accidentally leaving a device behind on public transportation);
Theft of a mobile device or hard copy file which contains personal data (e.g., stolen from a vehicle or home);
Human error (e.g., an employee accidentally sending an email containing personal data to an unintended recipient, or accidentally altering or deleting personal data);
Cyber-attack (e.g., opening an attachment to an email from an unknown third party that contains ransomware or other malware);
Allowing unauthorized use/access (e.g., permitting an unauthorized third party to access secure areas of Entrust offices or systems);
Unforeseen circumstances such as a fire or flood; or
Where information is obtained from Entrust by a third party through deception.

Signs that a Personal Data Incident may have occurred include the following:

Unusual log-in and/or excessive system activity, in particular with respect to active user accounts;
Unusual remote access activity;
The presence of spoof wireless (Wi-Fi) networks visible or accessible from Entrust’s working environment;
Equipment failure; and
Hardware or software key-loggers connected to or installed on Entrust systems.

Colleagues who become aware of or have any reason to suspect that a Personal Data Incident has occurred or is about to occur must immediately contact the Entrust Security Operation Center by email at [email protected] and the Compliance Director at [email protected].

10. PERSONAL DATA INCIDENT RESPONSE PLAN

In the event of an actual or imminent Personal Data Incident, Entrust takes quick action to minimize the impact of the incident and report the incident if required by law. In most cases, the response will involve:

Investigating the incident to determine the nature, cause and extent of the damage or harm that may result;
Implementing necessary steps to stop the incident from continuing or recurring, and limiting the harm to affected data subjects;
Assessing whether there is an obligation to notify other parties (e.g., national data protection authorities, affected data subjects) and making those notifications. If there is an obligation to notify data protection authorities, reporting must usually occur within 72 hours of the Company, including any of its employees, becoming aware of the incident; and
Recording information about the Personal Data Incident and the steps taken in response, including documentation that explains the decision to notify or not notify.

11. INTERNATIONAL DATA TRANSFERS AND TRANSFERS TO THIRD PARTIES

Under the GDPR, Entrust may transfer personal data to countries outside the European Economic Area (“EEA”) where there is an adequate level of protection in that country or where Entrust has put appropriate measures in place to ensure data protection.

Companies within the Entrust group (i.e., all corporate entities and subsidiaries) must enter into the Intra-Group Data Transfer Agreement in order to ensure appropriate safeguards for the transfer of personal data outside the EEA, but within the Entrust group.

Companies outside of the Entrust group who process personal data for or on behalf of Entrust, for which Entrust acts as a data controller or data processor, must enter into a data processing agreement with Entrust to ensure appropriate safeguards for the transfer of personal data outside the EEA. That agreement contains language to ensure the third party has appropriate technical and organizational measures in place to comply with the GDPR and to ensure the protection of data subject rights.

Instances where Entrust transfers personal data to a country outside the EEA may include:

The data subject has given their explicit consent to the proposed transfer after Entrust has informed them of any possible risks associated with such transfer (e.g., the absence in that country of equivalent safeguards);
The transfer is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract;
The transfer is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or
The transfer is necessary for the establishment or defense of a legal claim.

For each transfer of data outside the EEA, Entrust will rely upon the Standard Contractual Clauses as defined by the European Commission (2001/497/EC, 2004/915/EC and 2010/87/EU).¹ Note that a data transfer agreement is also required if transferring personal data outside of Canada.

12. NOTIFYING DATA SUBJECTS

Entrust is required to provide information to data subjects about the processing of their personal data. This information is contained in the Company’s Web Privacy Statement which is publicly available at www.entrust.com, the Job Applicant Privacy Statement which is publicly available at https://www.entrust.com/legal-compliance/data-privacy/job-applicant-privacy-statement, and the Employee Privacy Statement which is available on the Entrust intranet. Such statements provide information about:

The types of personal data Entrust processes;
The purpose and legal basis for processing personal data;
Whether personal data will be disclosed to any third parties in the course of processing;
Whether personal data will be transferred outside of the EEA and Canada and, if so, what safeguards will be put in place;
How long the personal data will be processed or, if not possible to determine, the criteria the Company will use to determine the processing period;
How the data subject can obtain a copy of their personal data held by Entrust;
Data subject’s rights, including how to make a complaint;
If the personal data must be processed in order to comply with a law or a contract, the possible consequences of the data subject failing to provide the data or objecting to processing; and
The existence and details of any automated decision-making processes, where applicable.

If Entrust receives personal data about a data subject from a third party, the Company will also provide the data subject with information on:

The type of personal data received from the third party; and
The source of the data and whether it came from a publicly accessible source (e.g., a website accessible to the public).

13. PRIVACY BY DESIGN AND DATA PROTECTION IMPACT ASSESSMENTS

Data Protection Laws require Entrust to consider data protection during the development stages of a new product offering. In order to satisfy this obligation, Entrust must take steps to ensure data protection is part of the design process and personal data collection is minimized to the extent possible.

In some circumstances (namely, when processing would result in high risk to an individual’s rights and freedoms), Entrust may be required to undertake a formal data protection impact assessment (DPIA) in relation to the processing of personal data. Such an assessment involves documenting the purposes for which the activity is carried out, how Entrust will comply with data protection laws and how the Company will mitigate potential risks to individuals’ privacy. If you believe a data protection impact assessment may be needed, contact the Compliance Director at [email protected].

14. DATA SUBJECT RIGHTS

If Entrust processes personal data, under Data Protection Laws the data subject may have the right to:

Request information about the personal data held with respect to them;
Have any inaccurate personal data about them corrected and incomplete personal data completed, subject to Entrust determining that the data is, in fact, inaccurate or incomplete;
Object to Entrust processing their personal data where the Company is doing so in pursuit of its own legitimate interests. Entrust can continue processing the personal data notwithstanding an objection if the Company’s legitimate interests outweigh those of the data subject, or if Entrust needs to do so for the establishment or defense of a legal claim;
Ask Entrust to destroy personal data held with respect to the data subject. The Company can refuse this request if the personal data is still necessary for the purposes for which it is being processed and there is a legitimate basis for Entrust to continue processing;
Ask Entrust to restrict the processing of their personal data to storage. This can only be requested if the accuracy of personal data has been contested and remains unverified; Entrust no longer requires the personal data, but the data subject needs it to establish or defend a legal claim; the data subject has objected to the processing of personal data; and Entrust is deciding whether its legitimate interests override the data subject’s interests or if the processing is unlawful.

If a data subject exercises these rights and Entrust has disclosed the personal data in question to a third party, the Company will do its best to ensure that the third party also complies with the wishes of the data subject.

15. DATA SUBJECT ACCESS RIGHTS

Data subjects who wish to request information about the personal data Entrust holds about them may do so by submitting a Data Subject Access Request (DSAR). If colleagues receive a request directly (whether verbally or in writing), immediately forward details of the request to [email protected].

16. TRAINING

Entrust provides its employees and contingent workers with access to training about data protection responsibilities. This training occurs at onboarding and at regular intervals thereafter.

17. DATA PROTECTION OFFICER

If you have questions about Entrust’s Privacy Information Management System, please contact:
Entrust Corporation
Attention: Jenny Carmichael, Compliance Director
1187 Park Place
Shakopee, MN 55379
[email protected]

Entrust Deutschland GmbH’s assigned Data Protection Officer is Mr Niels Kill of Althammer & Kill GmbH & Co. KG ([email protected]).

¹ As of December 27, 2022, these transfers will be effected using the new standard contractual clauses as outlined in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

Compliance

All employees and contingent workers are expected to comply with this policy. Additionally, all business units must ensure they have appropriate local standards and procedures in place to comply with this policy and applicable data privacy legislation in their jurisdiction. Breaches of this policy will be taken seriously and may result in disciplinary action, up to and including termination. This policy may be updated or amended at any time.

Exceptions

There are no exceptions to this policy.

Ownership and Review

This policy is owned by the Chief Legal and Compliance Officer. This policy shall be reviewed on an annual basis. Changes to this document shall be in accordance with the Information Security Management System (ISMS) Document and Records Control Standard.

CONTACT INFORMATION

Questions about this policy or complaints about the handling of personal data should be directed to the Compliance Director at [email protected].

Download

Personal Data Protection Policy (English)

Personal Data Protection Policy (Chinese)

Personal Data Protection Policy (French)

Personal Data Protection Policy (German)

Personal Data Protection Policy (Japanese)

Personal Data Protection Policy (Portuguese)

Personal Data Protection Policy (Spanish)