ENGLISH – VERSION 2
CHINESE – VERSION 19
Preamble
When our customers make use of the symmedia Hub, they trust us with various types of personal and commercial data and other sensitive information. We understand that this is a big responsibility and work hard to protect the integrity of all data entrusted to us. This Data Privacy Notice shall help our customers understand what types of data we process in connection with their use of the symmedia Hub, why we process it, and what rights they have in connection with the processing of their data.
Table of Contents
Scope of Data Processing
Storage Location for Participant Data
Access to Participant Data
Processing of Machine Data
Processing of Personal Data
Overview and Responsibilities
Personal Data Processing as Data Controller
Personal Data Processing as Data Processor
Overview
Processing Activities as Data Controller
Onboarding of Administrator
Provision of Access to Participant Tenant
Processing Activities as Data Processor
Onboarding of Users
Use of Platform Services
Connected and Unconnected Services
Service Case Management (Unconnected Service)
Machine Documentation (Unconnected Service)
Conferencing (Unconnected Service)
Remote Access (Connected Service)
Edge Device and Applications
Edge Device Activation
Maintenance of Edge Devices
Application Module Handling
Processing of Machine Data by Application Modules
Responsibilities for Third-Party Applications
Security Architecture
Important Security Notice
Definitions
For the purposes of this Data Privacy Notice, all capitalized terms that are used herein shall have the meanings set forth below, unless context dictates otherwise:
“Account” means an identity created for a named individual that provides access to the Participant Tenant.
“Administrator” means the designated named individual who has the permission to administrate the Participant Tenant on behalf of the Participant.
“Administrator Account” means the Account generated by us that enables the Administrator to access and administrate the Participant Tenant.
“Agreement” means the SaaS Agreement for the symmedia Hub which describes the services that are provided on the Platform.
“Applications” means the software applications that are made available on the Platform by us and other Application Providers.
“Application Backend” means the service and data storage layer that includes the application programming interfaces (API) of the respective Application.
“Application Connection” means the connection between the Application Module and the corresponding Application Backend that is established when the Application is installed on the Edge Device.
“Application Module” means the Application specific software which is provided via the Platform and runs in the Edge Environment as an encapsulated software container.
“Application Provider” means any service provider who distributes and provides access to Applications over the Platform and is responsible for running the Application Backend of the respective Application.
“Application Subscription Terms” means the contractual terms regarding the use of a particular Application as defined by the Application Provider.
"Cloud Service Provider" means Microsoft Ireland Operations, Ltd., having its registered office at One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18, P521 Ireland, which is engaged to store the Participant Data securely and make it accessible to the Participant.
“Connected Services” shall have the meaning set forth in Section III.4.1.
“Data Controller” means the natural or legal person which determines the purposes and means of the processing of Personal Data.
“Data Processor” means a natural or legal person which processes Personal Data on behalf of the Data Controller.
“Edge Connection” means the connection between the Edge Device and the Platform Backend established when the Machine Asset is connected to the Internet. Technically, the Edge Connection consists of multiple connections that enable the Edge Device to communicate with the services of the Platform Backend.
“Edge Device” means a piece of hardware attached to the Machine Assets that contains the Edge Runtime Environment and that provides the connectivity to the Platform, the Application Backends and the internal network to which the Machine Asset is connected.
“Edge Runtime Environment” means the runtime environment that enables the Edge Device to receive and run Application Modules and communicate the results to the Platform and/or the Application Backend.
“GDPR” means the General Data Protection Regulation (EU) 2016/679.
“Hosting Servers” means the servers operated by the Cloud Service Provider on which the Participant Data is stored.
“Identity Management System” means the identity and access management system used by the Platform to authenticate users and authorize access according to a user's role and permissions.
“Machine Assets” means the machine tools and appliances that can be registered and assigned to a Manufacturer and an Operator on the Platform.
“Machine Components” means the internal components of a Machine Asset that have communication capabilities and can act as data sources or sinks for data that is transmitted to and from an Application Module via the Machine Connection.
“Machine Connection” means a connection between a Machine Component and an Application Module that is installed for the same Machine Asset.
“Machine Data” means any Participant Data that is stored on the individual Machine Components and accessible via established Machine Connections.
“Manufacturer” means a manufacturer of Machine Assets that uses the Platform to provide services to Operators.
“Operator” means an operator of Machine Assets that uses the Platform to make use of the Platform Services and the services provided by the Manufacturers.
“Participant” means any legal entity that has entered into the Agreement in order to make use of the Platform.
"Participant Data" means the Personal Data and Machine Data of the Participant that is uploaded to or stored on the Platform by the Participant, transmitted to the Platform Backend or an Application Backend at the instigation of the Participant, or generated by the Platform as a result of the use of the Services by the Participant.
“Participant Tenant” means the Tenant of the Participant that is created when the Participant is onboarded to the Platform.
"Personal Data" means any information relating to an identified or identifiable natural person.
“Platform” means the cloud-based service portal named symmedia Hub that facilitates the interaction between Manufacturers and Operators.
“Platform Backend” means the services and data storage layer of the Platform that is hosted on the Hosting Servers.
“Platform Portal” means the front-end presentation layer of the Platform that offers access to the Participant Tenant and acts as the single access point through which specific Application Frontends are accessed by the Participants.
“Platform Services” means the services that we provide on the Platform, including the Connected Services and the Unconnected Services.
“Service Provider” means a third-party service provider that uses the Platform to provide services to Operators.
"Tenant" means the dedicated part of the Platform provided for a particular Participant that contains all accounts, assets and data of the Participant and cannot be accessed by any other Participant.
“Unconnected Services” shall have the meaning set forth in Section III.4.1.
“User” means a named individual who has the right to access the Participant Tenant.
“User Account” means any Account created by the Administrator that enables a named User to access the Participant Tenant.
General Information on Processing of Participant Data
Scope of Data Processing
We only process Participant Data to the extent necessary to provide a functional Platform and to enable our Participants and their authorized Users to make use of our services. Our responsibilities with regard to the individual data processing activities depend primarily on whether the Participant Data qualifies as Personal Data or Machine Data.
Storage Location for Participant Data
The Platform is made available via a web application that can be accessed via the Internet and is hosted on the Hosting Servers operated by the Cloud Service Provider. The Hosting Servers are located in a datacenter in the European Union. We do not store any Participant Data on our own premises. This means that all Participant Data shared with us as described herein will be transmitted directly from the Participant to the Hosting Servers.
The Cloud Service Provider engages various sub-processors which are located around the world. A complete list of all sub-processors that are retained by the Cloud Service Provider is available under: https://www.microsoft.com/en-us/trust-center/privacy/data-access. To the extent that these sub-processors are permitted by the Cloud Service Provider to access and process Participant Data, this permission is limited to the delivery of services which the Cloud Service Provider has retained the sub-processors to provide.
Access to Participant Data
The Platform is designed as a software-as-a-service (SaaS) solution that uses resources of the Cloud Service Provider. Since the Platform is built on a multi-tenant architecture, we create and offer a dedicated Tenant for each Participant. The individual Participant Tenants are logically separated from one another. The Participant Data and other resources of the Participants are fully segregated at all times. For this reason, the Participants can only see and access the data and resources stored within their own Participant Tenant.
Processing of Machine Data
While the processing of Machine Data is not subject to the general provisions and principles set forth in the GDPR and other privacy laws, we are aware that Machine Data is of great strategic and economic importance for our Participants. We are therefore committed to full transparency in this regard and strive to illustrate all processing activities and correlated data flows in a clear and comprehensible manner.
As described in Section III.3.3 below, Machine Data can only be accessed and processed by the Application Modules that are made available by the Application Providers and installed on the Machine Assets by the Participant. To install an Application Module, the Participant must accept the corresponding Application Subscription Agreement which sets out the Machine Data processing activities of the Application Module in detail. Machine Data is therefore only collected and processed with the Participant’s consent.
Processing of Personal Data
Overview and Responsibilities
Some of the Participant Data that we process as described herein qualifies as Personal Data. When we process Personal Data in connection with the provision of the Platform, we strive to ensure compliance with the GDPR. Our responsibilities toward the Participant and the individual data subjects primarily depend on whether we process the Personal Data on our own initiative (as the Data Controller) or on behalf of the Participant (as the Data Processor).
Personal Data Processing as Data Controller
With regard to Personal Data that is collected and processed by us as described in Section III.2. below, we qualify as the Data Controller. This means that we are fully responsible for determining the purposes and means of processing this Personal Data and do not act on behalf of the Participant or any third party. Enquiries regarding the processing of this Personal Data can be sent to the following address:
Symmedia GmbH, Turnerstraße 27, 33602 Bielefeld, Germany
Our data protection officer (DPO) can be directly contacted at: dpo@symmedia.de
Whenever we process Personal Data as the Data Controller, the Participant and the data subjects to whom the Personal Data relates can assert the following rights against us as further defined in Chapters 3 and 8 GDPR:
Right of access by the data subject in accordance with Art. 15 GDPR
Right to rectification in accordance with Art. 16 GDPR
Right to erasure in accordance with Art. 17 GDPR
Right to restriction of processing in accordance with Art. 18 GDPR
Right to data portability according to Art. 20 GDPR
Right to withdraw previously given consent according to Art. 13 GDPR
Right to object in accordance with Art. 21 GDPR
Right to lodge a complaint in accordance with Art. 77 GDPR
Personal Data Processing as Data Processor
With regard to Personal Data that is collected and processed by us as described in Section III.3. below, we qualify as a Data Processor who processes Personal Data on behalf of the Participant. This means that the Participant is fully responsible for determining the purposes and means of processing and must ensure that the processing of Personal Data, including its collection and transfer to us, is based on a lawful basis. To comply with this obligation, the Participant must provide all necessary notices to and obtain all necessary consents from all data subjects (including its employees) to whom such Personal Data relates.
If the processing of this Personal Data falls within the scope of the GDPR, the Participant may be required to conclude a data processing agreement with us. Our Data Processing Agreement can be concluded in electronic or physical form.
Individual Data Processing Activities
Overview
In this Section, we will provide our Participants with detailed information about how we process their Participant Data. To deliver a complete picture, we will illustrate for each processing activity what types of Participant Data we process, for what purpose the Participant Data is processed, for how long the Participant Data will be stored on the Hosting Servers, to whom the Participant Data will be transferred, and, if the Participant Data qualifies as Personal Data, on what legal basis the Participant Data is processed.
Processing Activities as Data Controller
Onboarding of Administrator
The Participant onboarding process includes the creation of the Participant Tenant and the creation of an initial Administrator Account with administrator rights for the Participant Tenant. A successful Participant onboarding process ends in the state that the Participant Tenant is created and the initial Administrator has received an email to activate the Administrator Account (see Onboarding of Users).
The Participant onboarding process can either be initiated by us, by the Participant, or by a Service Provider. In all these cases, we collect and process the following information related to the Administrator (“Administrator Data”):
Name and address of the Participant
Email address of the Administrator
Bank data for the purpose of automated billing (if applicable)
We collect and process the Administrator Data to identify the Administrator as the unique owner of the Administrator Account and ensure correct and secure billing. By collecting and processing the Administrator Data, we can prevent possible inconsistencies in the Participant onboarding process and ensure that the invitation to access the Participant Tenant will only be sent to the email address of the individual who is designated as the Administrator by the Participant.
The Administrator Data will be stored on the Hosting Servers in encrypted form until the Agreement is terminated. In case of a termination of the Agreement, we reserve our right to retain the Administrator Data for an additional ten (10) years before it is deleted from the Hosting Servers and redacted from the Agreement. This additional storage of the Administrator Data is required to ensure that we can meet our obligations under potentially applicable data retention laws.
Since the processing of the Administrator Data as described is necessary to perform our contractual obligations under the Agreement, the processing is based on art. 6(1)(b) GDPR. We will not disclose to or share the Administrator Data with any third party other than the Cloud Service Provider without the Participant’s specific, informed and unambiguous consent within the meaning of art. 6(1)(a) GDPR, unless a disclosure is necessary to comply with a legal obligation to which we are subject as set forth in art. 6(1)(c) GDPR.
Provision of Access to Participant Tenant
As described in the Agreement, we make use of the enterprise identity service Azure Active Directory to provide access to the Platform. The Users are therefore able to log in to the Participant Tenant using the existing credentials which are provided by the Identity Management System of the Participant. From a technical perspective, we invite the existing profile of the User to our Platform directory. This means that we are not required to generate or hold any usernames or passwords for the Administrator and individual Users.
When a User accesses the Participant Tenant for the first time, the User will be asked for his or her consent to share the following information with us, which is already stored in the Identity Management System of the Participant (“Identity Management Information”):
Name of the User
Email address of User
Photo of the User (if applicable)
We process the Identity Management Information in order to authenticate the User during the login process, associate specific access permissions with the User’s identity, and sign the User in to the respective account. The Identity Management Information is further used to enable 'single sign-on' for the User, which allows the User to use his or her existing credentials provided by the Identity Management System.
The Identity Management Information will be stored on the Hosting Server until the respective account is deleted or until the User withdraws his or her consent as described below. Once the User withdraws his or her consent or the respective account is deleted, we reserve our right to retain the Identity Management Information for an additional ten (10) years before it is deleted from the Hosting Server. This additional storage of the Identity Management Information is required to ensure that we can meet our obligations under potentially applicable data retention laws.
Since we only process the Identity Management Information based on the explicit consent of the User, the processing is based on art. 6(1)(a) GDPR. The User can withdraw his or her consent at any time. We will not disclose to or share the Identity Management Information with any third party other than the Cloud Service Provider without the specific, informed, and unambiguous consent of the User within the meaning of art. 6(1)(a) GDPR, unless a disclosure is necessary to comply with a legal obligation to which we are subject as set forth in art. 6(1)(c) GDPR.
Processing Activities as Data Processor
Onboarding of Users
Once the Administrator Account is activated, the Administrator will be able to invite additional Users to the Participant Tenant and administrate their access rights and permissions. The Administrator can create any number of User Accounts and determine which authorization each User should have. When inviting a new User, the Administrator requires the email address of the respective User in order to trigger the onboarding process.
The invited User will receive an invitation email in the look and feel of the inviting company which contains a URL to activate the User Account. This registration only works with the invited email address.
After clicking on the link in the invitation, the User has to select how to authenticate on the Platform. Registration on the Platform is only possible with existing accounts from Microsoft or supported active directories such as Azure Multi-Tenant AAD.
Users who do not have an account at any of the supported identity providers (e.g., private individuals or employees of Participants that do not use Microsoft accounts or other supported active directories) can create a free Microsoft Outlook account on the Microsoft homepage.
The final step in the onboarding process is the User’s confirmation and acceptance of this Data Privacy Notice. Once the Data Privacy Notice is accepted, the User is redirected directly to the Platform Portal. Depending on the internal security policies of the Participant, additional authentication mechanisms like 2-Factor-Authentication may be triggered.
Use of Platform Services
Connected and Unconnected Services
Our data processing activities related to the use of the Platform depend on the Platform Services that are used by the Participant. Platform Services are related to Machine Assets that are registered in the Participant Tenant. The availability of Platform Services further depends on the compatibility of the Participant's Machine Assets. Not all Services are available for all Machine Assets. The Platform Services are divided into the following categories:
The services in the first category (“Unconnected Services”) are offered to all Participants and do not require an actual connection between the registered Machine Asset and the Platform. The Unconnected Services include, for example, Service Case Management with Video and Voice Communication.
The services in the second category (“Connected Services”) can only be provided if the corresponding Machine Asset is equipped with an Edge Device that connects the registered Machine Asset to the Platform. All Connected Services are separate Applications that must be installed on the Edge Device as described herein.
Any Personal Data that is processed as part of the provision of the Platform Services can only be linked via references to technical universally unique identifiers (“UUIDs”) across the Platform. If a User Account is deleted, the reference becomes invalid, and it can never be traced back to the corresponding User. We will not disclose to or share any Participant Data related to the use of Platform Services with any third party other than the Cloud Service Provider without the specific, informed and unambiguous consent of the User, unless a disclosure is necessary to comply with a legal obligation to which we are subject.
Service Case Management (Unconnected Service)
Service Case Management allows Operators to send service requests to the Manufacturers or Operators concerning a particular Machine Asset (“Service Requests”). By creating a Service Request, Operators can for example order a spare part, report a problem, or sign up for an upcoming inspection. The Service Requests can be used to provide critical information to the recipient, including the following (“Service Data”):
A detailed problem description
Prioritization of the request according to urgency, service level, etc.
Possibility of direct connection to the Machine Asset (see Remote Access)
Escalation Process
Documentation
Automatic forwarding outside business hours (daylight following)
The Service Data is collected via the corresponding forms of the Service Request ticket. Depending on the configuration, the required and optional fields vary. Due to the fact that Service Requests are always linked to a Machine Asset, important information about the Machine Asset such as log files or Machine Asset ID can be automatically attached to the Service Request. The responsibility for information that is manually entered in the context of a Service Request lies with the Operator or Service Provider.
Machine Documentation (Unconnected Service)
Machine Documentation allows all Participants to manage documents of any kind such as the maintenance manual of a Machine Asset from the Manufacturer or specific adjustments that were made to a Machine Asset by the Operator. The purpose of Machine Documentation depends on the role of the Participant:
For Manufacturers and Service Providers, the purpose of Machine Documentation is that they can store corresponding documents for each supported Machine Asset or machine type. These documents can then be viewed by all Operators who are using the corresponding Machine Asset or machine type.
For Operators, the purpose of Machine Documentation is that they can store individualized documents related to a particular Machine Asset that is registered in the Participant Tenant. These documents can then be used by Users who have access to the Participant Tenant.
In both cases, only the User who has uploaded the respective document has the possibility to remove or change the document. This User is also responsible for the contents of the documents without exception as well as the compliance with legal regulations and laws and applicable data protection regulations.
Conferencing (Unconnected Service)
Conferencing includes various possibilities of collaboration between participants on the Platform, which can be used either integrated into other Platform Services such as Service Case Management or detached from them. Conferencing enables Users to communicate with other Users within the same Participant Tenant or with Machine Manufacturers and Service Providers on other Tenants.
Chat Function
Users can use the Chat Function to communicate directly and quickly via text messages over the Platform. This includes both group chats with Users within the same Participant Tenant as well as chats with Manufacturers and Service Providers beyond the boundaries of the Participant Tenant. Besides text messages, Users can also attach files or whiteboards to a chat. The text messages, files and whiteboards that are created or uploaded by the Users can only be accessed by the participants of that chat.
The Chat Function is implemented with the open source framework Matrix (see http://Matrix.org). The runtime instance is operated by the external service provider Ungleich.ch (https://ungleich.ch/) and integrated into the Platform. All data that is submitted by the Users in connection with the use of the Chat Function is stored on the servers of the external service provider and remains there until both participating Tenants no longer exist.
The Users who are writing text messages and uploading files and whiteboards are responsible for such content without exception as well as the compliance with legal regulations and laws and applicable data protection regulations.
Video Conferencing
Users can use Video Conferencing to communicate with each other directly and via video. With regard to visibility, participants, and storage of data, Video Conferencing is subject to the same rules as the Chat Function. The transmission of video streams is encrypted by the Platform. The video streams are always temporary and never stored on the Hosting Servers. The oral and visual information that is shared during a video conference can therefore not be traced or accessed in retrospect.
Remote Access (Connected Service)
Remote Access provides a complete remote maintenance infrastructure and thus forms the basis for efficient troubleshooting in the event of a malfunction of a Machine Asset. It allows Manufacturers and Service Providers to access the Edge Device of a compatible Machine Asset and is therefore very closely linked to Service Case Management, which in many cases precedes Remote Access. In order to protect the integrity of the Machine Assets, Remote Access can only be requested and activated by the Operator.
Remote Access takes place via a highly secure connection. In addition to desktop sharing or file transfer, services for accessing controllers (such as Siemens S7, Beckhoff, etc.) are available to the Manufacturer or Service Provider. With the appropriate authorization, the controller software can be accessed and even changes to the programming can be made. The scope of access granted to Manufacturers and Service Providers as part of Remote Access can be defined by the Operator on an individual or general basis. Every access and every function that is executed as part of Remote Access is tracked by the system and can be viewed by the Manufacturer and the Operator until the Edge Device is removed.
The data that is exchanged during a Remote Access session is the full responsibility of the participating parties. The Platform only establishes a secure and encrypted connection and therefore cannot and does not read or store any data.
Edge Device and Applications
Edge Device Activation
In order to use Connected Services such as Remote Access which are made available via Applications on the Edge Device, the Participant must establish a connection between the Edge Device and the Platform by connecting the Edge Device to the Internet via Ethernet cable ("Edge Connection"). The Participant can disable the Edge Connection at any time by disconnecting the Machine Asset from the Internet.
Once the Edge Connection is established, the initial boot process can be started. When the Edge Device is started for the first time, it uses the Internet connection to establish a connection to the Platform Backend based on the preset configuration. This connection is protected via HTTPS. The Edge Device is delivered with a certificate for this purpose, which is installed during the provisioning process. During this handshake, only the unique Edge Device ID is transmitted to the Platform Backend. Based on this ID, the Platform Backend can establish a unique association with the Participant, validate the implicitly requested CSR (Certificate Signing Request) and issue a new certificate to the Edge Device for subsequent secure operation. As soon as the process is complete, the Edge Device is registered in the Platform Backend and can be used with corresponding Applications.
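The first-boot handshake above (the device presents only its Edge Device ID, the backend maps that ID to a Participant, validates the CSR and issues the operational certificate), as an added illustrative model in Go that is not symmedia's code: it assumes a hypothetical in-memory ID-to-Participant registry, a throwaway CA standing in for the platform CA shipped at provisioning, and that the ID travels as the CSR's CommonName; the HTTPS transport itself is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Backend is a hypothetical model of the Platform Backend's enrolment role:
// a registry mapping Edge Device IDs to Participants and the CA that issues
// the operational certificate once the first-boot CSR has been validated.
type Backend struct {
	registry map[string]string // constructed sample data: Edge Device ID -> Participant
	caKey    *ecdsa.PrivateKey
	caCert   *x509.Certificate
	serial   int64
}

// NewBackend creates a throwaway CA (placeholder name) over the given registry.
func NewBackend(registry map[string]string) (*Backend, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-platform-ca"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Backend{registry: registry, caKey: key, caCert: cert, serial: 1}, nil
}

// DeviceCSR is the device side of the handshake: a CSR whose only identifying
// content is the Edge Device ID, carried in the CommonName (an assumption here).
func DeviceCSR(deviceID string, key *ecdsa.PrivateKey) ([]byte, error) {
	return x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: deviceID}}, key)
}

// Enroll is the backend side: check proof of possession, map the ID to a
// Participant (rejecting unknown IDs), and issue a client-auth certificate
// bound to that Participant. The decision is what an audit log would record.
func (b *Backend) Enroll(csrDER []byte) ([]byte, string, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, "", err
	}
	if err := csr.CheckSignature(); err != nil { // requester holds the private key
		return nil, "", err
	}
	participant, ok := b.registry[csr.Subject.CommonName]
	if !ok {
		return nil, "", fmt.Errorf("unknown Edge Device ID %q", csr.Subject.CommonName)
	}
	b.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(b.serial),
		Subject:      pkix.Name{CommonName: csr.Subject.CommonName, Organization: []string{participant}},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, b.caCert, csr.PublicKey, b.caKey)
	return der, participant, err
}

// RunActivation plays both sides for one device: the device generates its own
// key, sends the CSR, and verifies the issued certificate against the CA it
// trusts from provisioning before using it. Returns the bound Participant.
func RunActivation(b *Backend, deviceID string) (string, error) {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	csrDER, err := DeviceCSR(deviceID, devKey)
	if err != nil {
		return "", err
	}
	certDER, participant, err := b.Enroll(csrDER)
	if err != nil {
		return "", err
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(b.caCert)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return "", err
	}
	return participant, nil
}
```

Calling `RunActivation` with an ID missing from the registry fails at `Enroll`, which is the check that stops a stray or cloned device from being associated with a Participant.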
Maintenance of Edge Devices
The Edge Connection is a two-way communication channel between the Platform and the Edge Device (see visualization below). Once the Edge Connection is created, we are able to pull and push Participant Data from the Edge Device to the Platform Backend and vice versa and execute arbitrary commands on the Edge Device to perform maintenance tasks.
These maintenance tasks allow us to keep the Edge Device and the software installed on the Edge Device operational, update the Edge Runtime Environment as well as basic software components, and support the Participant in case of functionality issues, for example by performing analysis tasks such as checking log files. In order to protect the integrity of the Machine Components and the Participant Data that is stored thereon, we do not pull or push Participant Data from the Machine Components to the Platform Backend and vice versa, unless the Participant decides to download any of the Applications described below.
The Edge Device does not have a permanent connection to the Platform Backend. Any maintenance that becomes necessary, e.g., if the Edge Device is no longer working correctly or the environment needs to be updated or repaired manually, is handled via a defined and secure process. As part of this process, we connect to the Edge Device via a tunnel with a signed temporary certificate. The counter certificate for validating the request is already available with the provisioning of the Edge Device. The generation of the temporary certificate, as well as the access to the Edge Device itself, are both logged and can therefore be viewed historically. Any Participant Data that is transmitted as part of a maintenance activity or transferred to the Edge Device is used solely for the purpose of maintenance.
Application Module Handling
Every Connected Service, whether offered by us or by a third party, is delivered as part of an Application. The functions of these Applications and the handling of Participant Data by these Applications must be described separately in each case. For Applications that are made available by us, this information can be found in the "Connected Services" area.
Third Party Applications come with a separate Application Subscription Agreement, which must be accepted by the Participant (see Responsibilities for Third Party Applications).
Each Application contains an Application Module that must be installed by the Participant on the Edge Device of the selected Machine Asset. The Application Module acts as a bridge between the Application Backend and the Machine Asset and enables the exchange of Participant Data between the Participant and the Application Provider. To collect Participant Data from the Machine Asset, the Application Module establishes Machine Connections to all Machine Components that are required for the Application to function.
When the Participant uses Applications that are made available by us, the exchange of Participant Data between Application Module and Platform Backend happens exclusively via the secure Edge Connection which is provided by the Platform infrastructure. The Application Backend accesses the Participant Data via the Application Connection, which represents the connection of the Application Backend with the Platform Backend via API. Third Party Application Providers can either use the same mechanism to transfer Participant Data from the Application Module to the Application Backend or establish their own connections and use proprietary exchange mechanisms for Participant Data.
Processing of Machine Data by Application Modules
As illustrated in the visualization above, the Machine Data that is stored on the individual Machine Components can only be accessed via Machine Connections. This means that the Participant will only provide access to Machine Data if the Administrator installs Application Modules on the Machine Assets. No other part of the Platform will have access to the Machine Data of the Participant.
The Application Provider is technically able to access all Machine Data that is stored on the Machine Components connected to the Application Module. However, Application Modules only require access to certain types of Machine Data in order for the Application to function.
Since every Application Module processes different Machine Data, Application Providers are required to prepare separate Application Subscription Terms for their Applications, which must be accepted by the Participant and contain all necessary information on the collection and transfer of Participant Data.
Application Providers must further adhere to the principle of data minimization and limit the collection, storage, and usage of Participant Data to data that is relevant, adequate and necessary to ensure the proper functioning of the Application.
Responsibilities for Third-Party Applications
When the Participant installs an Application of a third party Application Provider, we merely act as a facilitating intermediary between such Application Provider and the Participant. This means that the respective Application Provider is responsible for determining the purposes and means of processing the Machine Data and must inform the Participant accordingly. If an Application Module processes any Personal Data, the Application Provider must further ensure that the processing of Personal Data is based on a lawful basis.
To offer an Application on the Platform, third-party Application Providers must contractually agree to limit their data processing activities to the Machine Data and the purposes listed in their Application Subscription Terms. If the Participant suspects or becomes aware that an Application processes any additional Machine Data, we kindly ask the Participant to send us a corresponding note so we can take appropriate measures.
While we are technically able to access all Machine Data that is transferred to Application Modules, we will never pull any data from Application Modules that are not part of our own Applications. This means that we will only process Machine Component Data if the Participant installs an Application that is provided and operated by us.
Participant Data Security
Security Architecture
The Platform is built with strong security features that protect the Participant Data. To protect Participant Data from loss and unauthorized access, we have implemented various security measures into our Services which are detailed in our Security Whitepaper. In addition to these technical security measures, we restrict access to Personal Data to employees, contractors, and agents who need to have access in order to process the Personal Data. Anyone with access to Personal Data is subject to strict contractual confidentiality obligations and may be disciplined if they fail to meet these obligations.
Important Security Information
The access to the Platform and our Services is provided via a web application. This means that the security and integrity of the Participant Data depends to a large extent on the integrity of the computer systems used to access the Participant Tenant. As specified in the Agreement, we do not accept any liability for the disclosure or manipulation of Participant Data in connection with the manipulation of such computer systems.
Amendments of Data Privacy Notice
We reserve our right to update this Data Privacy Notice at any time in compliance with the GDPR and other applicable data protection regulations. We will inform about such changes by making an updated Data Privacy Notice available in the Participant Tenant. All changes become applicable as soon as they are made available in the Participant Tenant.
If there are substantial changes to the way we process Participant Data, we will post an additional change notice in the Participant Tenant at least 30 days before the changes become effective. Any use of the Platform and the Platform Services after such changes have become effective will be subject to the updated Data Privacy Notice.
This Data Privacy Notice was last updated in July 2024.
CHINESE – VERSION
Preamble
When our customers use the Symmedias Hub, they trust us with various types of personal and commercial data and other sensitive information. We understand that this is a significant responsibility and work hard to protect the integrity of all data entrusted to us. This Data Privacy Notice is intended to help our customers understand what types of data we process in connection with their use of the Symmedias Hub, the purposes of that processing, and the rights they have in connection with the processing of their data.
Table of Contents
Definitions
General Information on the Processing of Participant Data
Scope of Data Processing
Storage Location for Participant Data
Access to Participant Data
Processing of Machine Data
Processing of Personal Information
Overview and Responsibilities
Personal Information Processing as Data Handler
Personal Information Processing as Entrusted Party
Overview
Processing Activities as Data Handler
Onboarding of Administrator
Provision of Access to Participant Tenant
Processing Activities as Entrusted Party
Onboarding of Users
Use of Platform Services
Connected and Unconnected Services
Service Case Management (Unconnected Service)
Machine Documentation (Unconnected Service)
Conferencing (Unconnected Service)
Remote Access (Connected Service)
Edge Device and Applications
Edge Device Activation
Maintenance of Edge Devices
Application Module Handling
Processing of Machine Data by Application Modules
Responsibilities for Third-Party Applications
Security Architecture
Important Security Notice
Definitions
For the purposes of this Data Privacy Notice, all terms used below have the meanings set out below, unless the context requires otherwise:
"Account" means an identity created for a named individual that provides access to the Participant Tenant.
"Administrator" means the designated individual who has permission to administrate the Participant Tenant on behalf of the Participant.
"Administrator Account" means the Account generated by us that enables the Administrator to access and administrate the Participant Tenant.
"Agreement" means the SaaS agreement for the Symmedias Hub, which describes the services offered on the Platform.
"Application" means a software application offered on the Platform by us or by other Application Providers.
"Application Backend" means the service and data storage layer that contains the application programming interface (API) of the respective Application.
"Application Connection" means the connection between an Application Module and the respective Application Backend when the Application is installed on an Edge Device.
"Application Module" means Application-specific software that is delivered via the Platform and runs in the Edge Runtime Environment as an encapsulated software container.
"Application Provider" means any service provider that distributes and provides access to Applications via the Platform and is responsible for operating the Application Backend of the respective Application.
"Application Subscription Terms" means the contractual terms defined by an Application Provider for the use of a specific Application.
"Cloud Service Provider" means Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland, which is responsible for securely storing Participant Data and making it accessible to the Participant.
"Connected Service" has the meaning set out in Section III.4.1.
"Data Handler" means the natural or legal person who determines the purposes and means of processing Personal Information (the role referred to as the data controller in the English version of this notice).
"Entrusted Party" means the natural or legal person who processes Personal Information on behalf of the Data Handler (the role referred to as the data processor in the English version of this notice).
"Edge Connection" means the connection between the Edge Device and the Platform Backend that is established when a Machine Asset is connected to the internet. Technically, the Edge Connection consists of several connections that enable the Edge Device to communicate with the services of the Platform Backend.
"Edge Device" means the hardware device connected to a Machine Asset that contains the Edge Runtime Environment and provides connectivity to the Platform, the Application Backends and the internal network to which the Machine Asset is connected.
"Edge Runtime Environment" means the runtime environment that enables the Edge Device to receive and run Application Modules and to communicate results to the Platform and/or the Application Backend.
"PIPL" means the Personal Information Protection Law of the People's Republic of China.
"Hosting Server" means the server operated by the Cloud Service Provider on which Participant Data is stored.
"Identity Management System" means the identity and access management system used by the Platform to authenticate Users and to authorize access according to the Users' roles and permissions.
"Machine Asset" means machine tools and equipment that can be registered on the Platform and assigned to Manufacturers and Operators.
"Machine Component" means an internal component of a Machine Asset that has communication capabilities and can act as a data source or data sink for data transferred to and from Application Modules via Machine Connections.
"Machine Connection" means the connection between a Machine Component and an Application Module installed for the same Machine Asset.
"Machine Data" means any Participant Data stored on individual Machine Components that can be accessed via an established Machine Connection.
"Manufacturer" means the manufacturer of a Machine Asset who uses the Platform to provide services to Operators.
"Operator" means the operator of a Machine Asset who uses the Platform to make use of the Platform Services and the services offered by the Manufacturer.
"Participant" means any legal entity that has entered into the Agreement in order to make use of the Platform.
"Participant Data" means Personal Information and Machine Data of the Participant that is uploaded to or stored on the Platform by the Participant, transferred to the Platform Backend or an Application Backend at the initiative of the Participant, or generated by the Platform as a result of the Participant's use of the Services.
"Participant Tenant" means the Tenant created for the Participant when the Participant joins the Platform.
"Personal Information" means any information, recorded electronically or by other means, that relates to an identified or identifiable natural person, excluding information that has been de-identified.
"Platform" means the cloud-based service portal named Symmedias Hub that facilitates the interaction between Manufacturers and Operators.
"Platform Backend" means the service and data storage layer of the Platform hosted on the Hosting Server.
"Platform Portal" means the front-end presentation layer of the Platform that provides access to the Participant Tenant and serves as the single point of access through which the Participant reaches the front ends of the individual Applications.
"Platform Services" means the services we offer on the Platform, including Connected Services and Unconnected Services.
"Service Provider" means a third-party service provider that uses the Platform to provide services to Operators.
"Tenant" means a dedicated part of the Platform provided for a specific Participant that contains all of that Participant's Accounts, assets and data and cannot be accessed by other Participants.
"Unconnected Service" has the meaning set out in Section III.4.1.
"User" means a named individual who has the right to access the Participant Tenant.
"User Account" means any Account created by the Administrator that allows a named User to access the Participant Tenant.
General Information on the Processing of Participant Data
Scope of Data Processing
We process Participant Data only to the extent necessary to provide a functioning Platform and to enable our Participants and their authorized Users to use our Services. Our responsibilities for personal data processing activities depend primarily on whether the Participant Data in question is Personal Information or Machine Data.
Storage Location for Participant Data
The Platform is provided as a web application accessible via the internet and is hosted on Hosting Servers operated by the Cloud Service Provider. The Hosting Servers are located in a data center in the European Union. We do not store any Participant Data on our own premises. This means that all Participant Data shared with us as described herein is transferred directly from the Participant to the Hosting Server.
The Cloud Service Provider works with various subcontracted third parties located around the world. A complete list of all subcontracted third parties engaged by the Cloud Service Provider can be found at https://www.microsoft.com/en-us/trust-center/privacy/data-access. To the extent the Cloud Service Provider permits such subcontracted third parties to access and process Participant Data, that permission is limited to the delivery of the services the Cloud Service Provider has entrusted to them.
Access to Participant Data
The Platform is designed as a software-as-a-service (SaaS) solution that uses the resources of the Cloud Service Provider. Because the Platform is built on a multi-tenant architecture, we create and provide a dedicated Tenant for each Participant. The individual Participant Tenants are logically separated from one another. Participant Data and the other resources of a Participant are always fully isolated. Consequently, a Participant can only view and access the data and resources stored within its own Participant Tenant.
Processing of Machine Data
Although the processing of Machine Data is not subject to the general provisions and principles set out in the PIPL and other privacy regulations, we are aware that Machine Data is of significant strategic and economic importance to Participants. We are therefore committed to full transparency in this regard and endeavor to present all processing activities and the associated data flows in a clear and comprehensible manner.
As described in Section III.3.3 below, Machine Data can only be accessed and processed by Application Modules that are provided by Application Providers and installed on a Machine Asset by the Participant. In order to install an Application Module, the Participant must accept the corresponding Application Subscription Terms, which describe the Application Module's Machine Data processing activities in detail. Machine Data is therefore collected and processed only with the Participant's consent.
Processing of Personal Information
Overview and Responsibilities
Some of the Participant Data we process as described herein qualifies as Personal Information. When we process Personal Information in connection with the provision of the Platform, we endeavor to ensure compliance with the PIPL. Our responsibilities towards Participants and individual data subjects depend primarily on whether we process Personal Information on our own initiative (as Data Handler) or on behalf of the Participant (as Entrusted Party).
Personal Information Processing as Data Handler
With respect to the Personal Information collected and processed by us as described in Section III.2 below, we are considered the Data Handler. This means that we are fully responsible for determining the purposes and means of processing such Personal Information and do not act on behalf of the Participant or any third party. Inquiries regarding the processing of such Personal Information can be sent to the following address:
symmedia GmbH, Turnerstraße 27, 33602 Bielefeld, Germany
Our Data Protection Officer (DPO) can be contacted directly at: dpo@symmedia.de
Whenever we process Personal Information as Data Handler, the Participant and the data subjects to whom the Personal Information relates may assert the following rights against us, as further defined in Chapter 4 of the PIPL:
Right of access of the data subject under Article 45 of the PIPL
Right to rectification under Article 46 of the PIPL
Right to deletion under Article 47 of the PIPL
Right to restriction of processing under Article 44 of the PIPL
Right to data portability under Article 45 of the PIPL
Right to withdraw previously given consent under Article 15 of the PIPL
Right to object under Article 44 of the PIPL
Right to lodge a complaint under Article 50 of the PIPL
Personal Information Processing as Entrusted Party
With respect to the Personal Information collected and processed by us as described in Section III.3 below, we are considered the Entrusted Party processing Personal Information on behalf of the Participant. This means that the Participant is fully responsible for determining the purposes and means of processing the Personal Information and must ensure that the processing of the Personal Information, including its collection and transfer to us, is based on a lawful basis. To fulfil this obligation, the Participant must provide all necessary notices to, and obtain all necessary consents from, all data subjects to whom such Personal Information relates, including its employees.
If the processing of such Personal Information falls within the scope of the PIPL, the Participant may need to enter into a data processing agreement with us. Our data processing agreement can be concluded in electronic or physical form.
Personal Data Processing Activities
Overview
In this section we provide our Participants with detailed information on how we process Participant Data. For completeness, for each processing activity we describe the types of Participant Data we process, the purposes for which we process it, how long it is stored on the Hosting Server, to whom it is transferred, and, where the Participant Data qualifies as Personal Information, the legal basis on which the processing rests.
Processing Activities as Data Handler
Onboarding of Administrator
The Participant onboarding process comprises the creation of the Participant Tenant, the creation of the initial Administrator Account for the Participant Tenant, and the granting of Administrator permissions. A successful Participant onboarding process ends with the Participant Tenant having been created and the initial Administrator having received an e-mail for activating the Administrator Account (see Onboarding of Users).
The Participant onboarding process may be initiated by us, by the Participant or by a Service Provider. In all such cases we collect and process the following information relating to the Administrator ("Administrator Data"):
Name and address of the Participant
E-mail address of the Administrator
Bank details for automated billing (if applicable)
We collect and process Administrator Data in order to identify the Administrator as the sole owner of the Administrator Account and to ensure correct and secure billing. By collecting and processing Administrator Data we can prevent inconsistencies that might otherwise arise during the Participant onboarding process and ensure that invitations to access the Participant Tenant are sent only to the e-mail address of the individual designated as Administrator by the Participant.
Administrator Data is stored in encrypted form on the Hosting Server until the Agreement is terminated. Upon termination of the Agreement, we reserve the right to retain the Administrator Data for a further ten (10) years before deleting it from the Hosting Server and from the Agreement records. This additional retention of Administrator Data serves to ensure that we can meet our obligations under any applicable data retention laws.
As described above, because the processing of Administrator Data is necessary for the performance of our contractual obligations under the Agreement, the processing is based on Article 13(1)(2) of the PIPL. Absent the specific, informed and explicit consent of the Participant as provided for in Article 13(1)(3) of the PIPL, we do not disclose or share Administrator Data with any third party other than the Cloud Service Provider, unless the disclosure is necessary to fulfil a legal obligation to which we are subject under Article 13(1)(3) of the PIPL.
Provision of Access to Participant Tenant
As described in the Agreement, we use the enterprise identity service Azure Active Directory to provide access to the Platform. Users can therefore log in to the Participant Tenant using the existing information provided by the Participant's Identity Management System. From a technical point of view, we invite the User's existing profile into our Platform directory. This means that we do not need to generate or store any usernames or passwords for Administrators and individual Users.
When a User accesses the Participant Tenant for the first time, the User is asked to consent to sharing the following information with us, which is already stored in the Participant's Identity Management System ("Identity Management Information"):
Name of the User
E-mail address of the User
Photo of the User (if applicable)
We process Identity Management Information in order to authenticate the User during login, to associate specific access permissions with the User's identity, and to log the User in to the corresponding Account. Identity Management Information is also used to enable "single sign-on" for the User, which allows the User to use the existing information provided by the Identity Management System.
Identity Management Information is stored on the Hosting Server until the corresponding Account is deleted or the User withdraws consent, as described below. Once the User withdraws consent or the corresponding Account is deleted, we reserve the right to retain the Identity Management Information for a further ten (10) years before deleting it from the Hosting Server. This additional retention of Identity Management Information serves to ensure that we can meet our obligations under any applicable data retention laws.
Because we process Identity Management Information solely on the basis of the User's explicit consent, the processing is based on Article 13(1)(1) of the PIPL. The User may withdraw his or her consent at any time. Absent the specific, informed and explicit consent of the User as provided for in Article 13(1)(3) of the PIPL, we do not disclose or share Identity Management Information with any third party other than the Cloud Service Provider, unless the disclosure is necessary to fulfil a legal obligation to which we are subject under Article 13(1)(3) of the PIPL.
Processing Activities as Entrusted Party
Onboarding of Users
Once the Administrator Account has been activated, the Administrator can invite further Users to the Participant Tenant and manage their access rights and permissions. The Administrator can create any number of User Accounts and determine the permissions each User is to have. To invite a new User, the Administrator needs the e-mail address of the respective User in order to start the onboarding process.
The invited User receives an invitation e-mail, presented in the look and feel of the inviting company, containing a URL for activating the User Account. This registration is valid only for the invited e-mail address.
After clicking the link in the invitation, the User must choose how to authenticate on the Platform. Registration on the Platform is possible only with an existing Microsoft account or a supported Active Directory (for example Azure multi-tenant AAD).
Users who do not have an account with any supported identity provider (for example individuals or employees of the Participant who do not use a Microsoft account or another supported Active Directory) can create a free Microsoft Outlook account on the Microsoft homepage.
The final step of the onboarding process is the User's confirmation and acceptance of this Data Privacy Notice. Once the Data Privacy Notice has been accepted, the User is taken directly to the Platform Portal. Depending on the Participant's internal security policies, additional authentication mechanisms such as two-factor authentication may be triggered.
Use of Platform Services
Connected and Unconnected Services
Our data processing activities in connection with the use of the Platform depend on the Platform Services used by the Participant. Platform Services relate to the Machine Assets registered in the Participant Tenant. The availability of Platform Services also depends on the compatibility of the respective Machine Assets; not all services are available for all Machine Assets. Platform Services fall into the following categories:
The first category of services ("Unconnected Services") is available to all Participants and does not require an actual connection between the registered Machine Asset and the Platform. Examples of Unconnected Services include Service Case Management with video and voice communication.
The second category of services ("Connected Services") can be provided only if the respective Machine Asset is equipped with an Edge Device that connects the registered Machine Asset to the Platform. All Connected Services are separate Applications that must be installed on the Edge Device as described herein.
Any Personal Information processed as part of the provision of Platform Services is linked only by reference to technical universal identifiers ("UUIDs") on the Platform. If a User Account is deleted, the reference becomes invalid and can never again be traced back to the corresponding User. Absent the specific, informed and explicit consent of the User, we do not disclose or share any Participant Data relating to the use of Platform Services with any third party other than the Cloud Service Provider, unless the disclosure is necessary to comply with a legal obligation to which we are subject.
Service Case Management (Unconnected Service)
Service Case Management allows Operators to send service requests concerning a specific Machine Asset to Manufacturers or Service Providers ("Service Requests"). By creating a Service Request, an Operator can, for example, order spare parts, report problems or register for an upcoming inspection. Service Requests can be used to provide the recipient with key information, including the following ("Service Data"):
Detailed problem description
Prioritization of the request by urgency, service level, etc.
Option of a direct connection to the Machine Asset (see Remote Access)
Escalation process
Documentation
Automatic forwarding outside business hours
Service Data is collected via the corresponding form of the Service Request ticket. Required and optional fields differ depending on the configuration. Because a Service Request is always linked to a Machine Asset, important information about the Machine Asset, such as log files or the ID of the Machine Asset, can be attached to the Service Request automatically. Responsibility for information entered manually in a Service Request lies with the Operator or Service Provider.
Machine Documentation (Unconnected Service)
Machine Documentation allows all Participants to manage various types of documents, for example a Manufacturer's maintenance manual for a Machine Asset or specific adjustments made to a Machine Asset by an Operator. The purpose of Machine Documentation depends on the Participant's role:
For Manufacturers and Service Providers, the purpose of Machine Documentation is to allow them to store the corresponding documents for each supported Machine Asset or machine type. Such documents can then be viewed by all Operators using the corresponding Machine Asset or machine type.
For Operators, the purpose of Machine Documentation is to allow them to store individualized documents relating to specific Machine Assets registered in the Participant Tenant. Such documents can then be used by Users with access to the Participant Tenant.
In both cases, only the User who uploaded a document is entitled to remove or change it. That User bears unconditional responsibility for the content of the document and must also comply with statutory provisions and applicable data protection regulations.
Conferencing (Unconnected Service)
The Conferencing function comprises several ways for Participants to collaborate on the Platform; it can be integrated into other Platform Services, such as Service Case Management, or used on its own. The Conferencing function enables Users to communicate with other Users within the same Participant Tenant or with machine Manufacturers and Service Providers in other Tenants.
Chat function
Users can communicate directly and quickly by text message via the chat function on the Platform. This includes group chats with Users within the same Participant Tenant as well as chats with machine Manufacturers and Service Providers outside the Participant Tenant. In addition to text messages, Users can attach files or whiteboards to a chat. Text messages, files and whiteboards created or uploaded by a User can be accessed only by the participants in that chat.
The chat function is implemented using the open-source framework Matrix (see http://Matrix.org). The runtime instance is operated by the external service provider Ungleich.ch (https://ungleich.ch/) and integrated into the Platform. All data submitted by Users in connection with the use of the chat function is stored on the external service provider's servers and remains there until both participating Tenants cease to exist.
Users who write text messages or upload files and whiteboards bear sole responsibility for that content and must comply with statutory provisions and applicable data protection regulations.
Video conferencing
Users can communicate directly by video using the video conferencing function. With regard to the visibility of data, participants and storage, video conferencing follows the same rules as the chat function. The transmission of the video stream is encrypted by the Platform. Video streams are always transient and are not stored on the Hosting Server. Consequently, verbal and visual information shared during a video conference cannot be traced or accessed afterwards.
Remote Access (Connected Service)
Remote Access provides a complete remote maintenance infrastructure and thus forms an efficient basis for troubleshooting when a Machine Asset malfunctions. It allows Manufacturers and Service Providers to access the Edge Device of a compatible Machine Asset and is therefore closely linked to Service Case Management; in many cases, Remote Access is carried out prior to Service Case Management. To protect the integrity of the Machine Asset, only the Operator can request and activate the Remote Access function.
Remote Access takes place over a highly secure connection. In addition to desktop sharing and file transfer, Manufacturers and Service Providers can access the services of controllers (such as Siemens S7, Beckhoff, etc.). With appropriate authorization, the controller software can be accessed and even its programming changed. The scope of access granted to Manufacturers and Service Providers as part of Remote Access can be defined by the Operator on an individual or general basis. Every access and every function executed as part of Remote Access is tracked by the system and can be viewed by the Manufacturer and the Operator until the Edge Device is deleted.
Data exchanged during a Remote Access session is the sole responsibility of the parties involved. The Platform merely establishes the secure, encrypted connection and therefore cannot read or store any data.
Edge Device and Applications
Edge Device Activation
In order to use Connected Services provided via Applications on the Edge Device, such as Remote Access, the Participant must connect the Edge Device to the internet via an Ethernet cable, establishing a connection between the Edge Device and the Platform ("Edge Connection"). The Participant can disable the Edge Connection at any time by disconnecting the Machine Asset from the internet.
Once the Edge Connection is established, the initial bootstrapping process can begin. When the Edge Device is started for the first time, it uses the internet connection to establish a connection to the Platform Backend according to its preset configuration. This connection is protected by HTTPS. The Edge Device ships with a certificate for this purpose, which is installed during provisioning. During this exchange, only the unique Edge Device ID is transmitted to the Platform Backend. Based on this ID, the Platform Backend can establish a unique association with the Participant, validate the implicitly requested CSR (certificate signing request), and issue a new certificate to the Edge Device for subsequent secure operations. Once the process is complete, the Edge Device is registered in the Platform Backend and can be used with the corresponding Applications.
Maintenance of Edge Devices
The Edge Connection is a two-way communication channel between the Platform and the Edge Device (see visualization below). Once the Edge Connection is established, we are able to pull and push Participant Data between the Edge Device and the Platform Backend and to execute arbitrary commands on the Edge Device in order to perform maintenance tasks.
These maintenance tasks allow us to keep the Edge Device and the software installed on it operational, to update the Edge Runtime Environment and basic software components, and to support the Participant in the event of functional problems, for example by performing analysis tasks such as checking log files. In order to protect the integrity of the Machine Components and the Participant Data stored on them, we do not pull or push Participant Data between the Machine Components and the Platform Backend unless the Participant decides to download one of the Applications described below.
There is no permanent connection between the Edge Device and the Platform Backend. Any necessary maintenance, for example if the Edge Device is no longer working correctly or the environment needs to be updated or repaired manually, is handled via a defined and secure process. As part of this process, we connect to the Edge Device via the SSH network protocol using a signed temporary certificate. The counterpart certificate used to validate the request is already in place from the provisioning of the Edge Device. Both the generation of the temporary certificate and the access to the Edge Device itself are logged and can therefore be reviewed historically. Any Participant Data transmitted as part of a maintenance activity or transferred to the Edge Device is used solely for maintenance purposes.
Application Module Handling
Every Connected Service, whether offered by us or by a third party, is delivered as part of an Application. The functions of these Applications and their handling of Participant Data must be described separately in each case. For Applications provided by us, this information can be found in the "Connected Services" area. Third-party Applications come with a separate Application Subscription Agreement that the Participant must accept (see Responsibilities for Third-Party Applications).
Each Application contains an Application Module that the Participant must install on the Edge Device of the selected Machine Asset. The Application Module acts as a bridge between the Application Backend and the Machine Asset and enables Participant Data to be exchanged between the Participant and the Application Provider. To collect Participant Data from the Machine Asset, the Application Module establishes Machine Connections to all Machine Components required for the Application to function.
When the Participant uses Applications provided by us, the exchange of Participant Data between the Application Module and the Platform Backend takes place exclusively via the secure Edge Connection provided by the Platform infrastructure. The Application Backend accesses Participant Data via the Application Connection, which represents the connection of the Application Backend to the Platform Backend via API. Third-party Application Providers can either use the same mechanism to transfer Participant Data from the Application Module to the Application Backend or establish their own connections and use proprietary mechanisms for exchanging Participant Data.
Processing of Machine Data by Application Modules
As illustrated above, the Machine Data stored on the individual Machine Components can only be accessed via Machine Connections. This means that the Participant provides access to Machine Data only if the Administrator installs Application Modules on the Machine Assets. No other part of the Platform can access the Participant's Machine Data.
The Application Provider is technically able to access all Machine Data stored on the Machine Components connected to the Application Module. However, an Application Module needs access only to certain types of Machine Data for the Application to function properly. Because each Application Module processes different Machine Data, Application Providers must prepare separate Application Subscription Terms for their Applications, which must be accepted by the Participant and must contain all necessary information on the collection and transfer of Participant Data.
Application Providers must further adhere to the principle of data minimization and limit the collection, storage and use of Participant Data to data that is relevant, adequate and necessary for the proper functioning of the Application.
Responsibilities for Third-Party Applications
When the Participant installs an Application of a third-party Application Provider, we merely act as a facilitating intermediary between that Application Provider and the Participant. This means that the respective Application Provider is responsible for determining the purposes and means of processing the Machine Data and must inform the Participant accordingly. If an Application Module processes any Personal Information, the Application Provider must further ensure that the processing of Personal Information is based on a lawful basis.
To offer an Application on the Platform, third-party Application Providers must contractually agree to limit their data processing activities to the Machine Data and the purposes listed in their Application Subscription Terms. If the Participant suspects or becomes aware that an Application processes additional Machine Data, we ask the Participant to send us a corresponding note so that we can take appropriate measures.
Although we are technically able to access all Machine Data transferred to Application Modules, we will not extract any data from Application Modules that are not part of our own Applications. This means that we process Machine Component data only if the Participant installs an Application provided and operated by us.
Participant Data Security
Security Architecture
The Platform is built with strong security features that protect Participant Data. To protect Participant Data from loss and unauthorized access, we have implemented various security measures in our Services, which are described in detail in our Security Whitepaper. In addition to these technical security measures, we restrict access to Personal Information to employees, contractors and agents who need such access in order to process the Personal Information. Anyone with access to Personal Information is subject to strict contractual confidentiality obligations and may be subject to disciplinary action if they fail to meet those obligations.
Important Security Notice
Access to the Platform and our Services is provided via a web application. This means that the security and integrity of Participant Data depends to a large extent on the integrity of the computer systems used to access the Participant Tenant. As specified in the Agreement, we do not accept any liability for the disclosure or manipulation of Participant Data in connection with the manipulation of such computer systems.
Amendments of Data Privacy Notice
We reserve the right to update this Data Privacy Notice at any time in compliance with the PIPL and other applicable data protection regulations. We will give notice of such changes by making the updated Data Privacy Notice available in the Participant Tenant. All changes take effect as soon as the updated version is made available in the Participant Tenant.
If there are substantial changes to the way we process Participant Data, we will post an additional change notice in the Participant Tenant at least 30 days before the changes take effect. Any use of the Platform and the Platform Services after such changes have taken effect is subject to the updated Data Privacy Notice.
This Data Privacy Notice was last updated in July 2024.