Personal Data Notice for Business Contacts of the Clients/Partners Version 2.0, adopted on 08.02.2021

This privacy notice applies only to data collected, processed or managed by Bitdefender of the business contacts of companies, as customers of the Bitdefender solutions (“Clients) or the partners like xSP, licensees, resellers, distributors (“Partners”), hereinafter referred as “Business Contacts”.

This notice does not apply to personal data collected by its solutions or websites.

The document describes the personal data we collect, how and where we may use it, how we protect it, who has access to it, with whom we share it, and how you may correct it.

1. General information

S.C. BITDEFENDER S.R.L. (hereafter mentioned as Bitdefender), with its official headquarters in Bucharest, 6th District, 15A Sos. Orhideelor, Orhideea Towers Building, 9-12 floors, registered in the Bucharest Trade Register with number J40/20427/2005, fiscal code RO18189442, e-mail [email protected] processes personal data in agreement with the Romanian data protection legislation and the EU GDPR – General Data Protection Regulation (Regulation 2016/679) Our Data Protection Officer can be found at the following contacts - Bitdefender’s Data Protection Office – [email protected], Phone: 4021 -206.34.70

Bitdefender offers data security solutions and services. Our main goal is to provide information and network security by providing quality solutions and services while respecting privacy and personal data of customers, Internet users, and business partners.

This personal data notice describes what data we process as business contacts and how we may use it. Most of the business contacts are not personal data, as they relate to the organization's data (e.g we might collect data such as name, surname, email or phone number). Even though these data are being collected as Business Contacts, they may be used to identify the data subjects and therefore we treat them as personal data.

2. Personal Data Collected

In this context, Bitdefender processes personal data from its business contacts for the following purposes:

  • as contact data for the organizations that have contracts (or have taken steps to conclude a contract) for Bitdefender Solutions and services or its resellers;
  • invoicing and reporting;
  • support or counseling to these business contacts on commercial or solution issues;
  • marketing activities for Bitdefender and not third parties;
  • statistical analysis and market analysis, based on aggregated data.
2.1. Personal data directly provided by a Client/Partner

– when you login to your Bitdefender account, we might ask your name, surname and/or email address, together with other data from your organisation. Also our partners may share with us your business contact information, such as email address or phone number, in order to provide you with a valid license or instructions for terminating a contract with us.

Also, when you access any support services, we may ask for a valid email address or a phone number and/or other commercial information so that we may coordinate the support with you. All these data are being used to provide a specific company/partner with licenses to use our solutions or to sell them, for solving a request or complaint you addressed to us, or for offering sales and technical support The data used within the contracts and invoicing is kept for different periods of time, depending of the nature of the business relation but in no case the data will be kept for more than ten years after the business relationship has ended to defend or bring any legal complaints. The data used for support services is kept for different periods of time, depending especially if the problem has been solved and the exact method of communication, but in no case the data will be kept for more than five years after the last communication took place to defend or bring legal complaints.

2.2. Personal Data provided for marketing purposes

The personal information used for marketing purposes is either provided by a company contact in a web form or collected by the Bitdefender Sales team or its partners from events, conferences, direct contacts, or accessing other services or publicly available information (contact data on websites, data brokers etc.)

These data are being used for marketing purposes, but also for statistical purposes and improving the quality of our Solutions. The data used for marketing is kept for the entire duration of the valid consent of the data subject. The data may not be used for more than five years after the last communication took place, in the case when the legal bases of the data collection is the legitimate interest.

3. Legal basis and other details for personal data processing

Bitdefender’s basis for processing personal data is:

  • contractual basis and legal obligations, for data necessary for contractual purposes (including support);
  • consent and/or legitimate interest for B2B marketing activities.

As a leader in information security services, confidentiality and data protection are of vital importance for us. Access to the collected personal data is restricted to Bitdefender employees and data processors which need access to this information, as explained below. All Bitdefender information security policies are ISO 27001 certified.

Bitdefender sometimes uses other IT companies to process the collected personal data when this is needed for the sole purpose of allowing them to conduct Bitdefender business. These companies are considered data processors and have strict contractual obligations to keep the confidentiality of the processed data and to offer at least the same level of security as Bitdefender. Data processors have the obligation not to allow third parties without Bitdefender prior approval and only for the purposes as instructed by Bitdefender to process personal data on behalf of Bitdefender and to access, use and/or keep the data secure and confidential.

Bitdefender may host personal data in Romania, Ireland, as well as in European Union or any other jurisdiction, which offers adequate level of personal data protection according to European Union standards (art 45 GDPR) or other appropriate safeguards, including Standard Contractual Clauses (art 46.2 GDPR).

For the Bitdefender Business Solutions, most of the data is hosted and managed internally. But for certain data, we may use the following type of data processors for hosting services based in EU and USA.

Only for support services, if applicable, the following data processors may be used:

a. for Live channels communication we use data processors from EU and USA for purposes of live chat and call centers.

b. for off-line channels communication we use data processors from EU and USA for hosting the data.

c. for marketing purposes, the data is being managed sometimes using data processors from EU, and USA for the purposes of marketing automation and other related marketing purposes.

Due to confidentiality obligations the specific information regarding the providers used will be provided to competent authorities.

4. Who has access to personal data

Bitdefender will not reveal the personal data of Data Subjects to third parties with the exceptions explained in this document or as provided by law.

Law enforcement: In certain cases Bitdefender can disclose personal data to competent authorities as it may be necessary for Bitdefender to disclose personal data to government officials or otherwise as required by applicable law.

No personal data will be disclosed to any law enforcement authority except in response to: i) a subpoena, warrant or other process issued by a court of competent jurisdiction; ii) a legal process having the same consequence as a court-issued request for information, were refusing to provide such information, it would be a breach of law, and be subject to liabilities for failing to honor such legal process; iii) Where such disclosure is necessary to enforce Bitdefender’s or your legal rights pursuant to the laws of the jurisdiction from which such information was gathered; iv) request for information with the purpose of identifying and/or preventing cybercrime complying with applicable laws; or v) where such disclosure is necessary to prevent or lessen a serious and imminent threat of bodily harm to the data subject.

5. Your personal data rights.

According to GDPR, data subjects have the right to access data, right to rectification, right to erasure, and the right not to be subject to automated decisions. Data subjects also have the right to restrict personal data processing and to request the deletion of the collected personal data, as well as the right to data portability and to reject profiling. To exercise these rights, send a written request, dated and signed, to the Bitdefender DPO or via email to [email protected] The data subjects also have the right to lodge a complaint with a supervisory authority and the right to address a court.

6. Other joint data - controllers

If you use our Bitdefender’s Business Solutions, it is possible that another company (e.g. Partners that include our services in their offering) is also a joint data controller for some of the data collected by Bitdefender. According to our arrangement with joint controllers, we have obligated these companies to inform you on all aspects of their personal data processing, including legal basis for data processing and purposes of collection.

7. Publication date

The privacy policy has been adopted on the date mentioned in the title of the document and will be modified each time is necessary without prior or future notice of the changes. The new version will enter into force when published on the website and it will be marked accordingly. The present document is available at https://www.bitdefender.com/site/view/legal-privacy.html.