S.C. BITDEFENDER S.R.L. (“Bitdefender”), with its official headquarters in Bucharest, 6th District, 15A Sos. Orhideelor, Orhideea Towers Building, 9-12 floors, registered in the Bucharest Trade Register with number J40/20427/2005, fiscal code RO18189442, e-mail [email protected], processes personal data in agreement with the Romanian data protection legislation and the EU GDPR – General Data Protection Regulation (Regulation 2016/679).
Our Data Protection Officer can be found at the following contacts: Bitdefender’s Data Protection Office – [email protected], Phone: 4021-206.34.70
Bitdefender offers data security solutions and services. Our main goal is to ensure information and network security by providing quality solutions and services in these areas while also respecting the privacy and personal data of customers, Internet users and business partners. For this purpose, we collect only the personal data absolutely necessary for the specified purposes, on a best efforts basis. For the collected information and data, we strive to apply adequate solutions to anonymize it, or at least to pseudonymize it. Our main principle applied to the data we collect is anonymization of all technical data that can be used by Bitdefender only for the specified purposes below. In cases where perfect anonymization of technical data is not technically possible, the potential identification of a user is extremely unlikely to happen.
Personal data according to the European legislation definition (Regulation 2016/679) means: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;” In this context, Bitdefender processes personal data from its Bitdefender Business Solutions for the sole purpose of ensuring network and information security by:
All personal data collected by Bitdefender is recorded, stored, used, and managed on protected servers, as well as on other devices that allow these operations with standard industry security measures. Also, all Bitdefender's websites are hosted on protected servers having standard industry security measures. Bitdefender may collect personal information from data subjects, as users of Bitdefender Business Solutions, limited to technical and licensing data, which sometimes may include personal data:
– for example, when a license is provided to you, your employer or partner may share with us your business contacts, such as email address or phone number so we can contact you with updates, notices, or to provide support. Also, when you access the Support Center, we may ask for a valid email address or a phone number and/or other technical information to communicate with you in providing support. All such data is used to provide a specific user with a license to use Bitdefender Business Solutions, for solving a request or complaint you addressed to us, or for offering technical support. Bitdefender may also ask for other data that could be considered personal data, if necessary for solving the information security problem you sought help on. More details will be shared when using a specific communication tool with us. The data used for licensing information is kept for the duration of the contract, plus five years after its expiration to be able to defend any legal complaints on contractual issues. The data used for support services is kept for different periods of time, depending especially on whether the problem has been solved and on the exact method of communication with the support services, but in no case will the data be kept for more than five years after the last communication took place, to be able to defend any legal complaints on contractual issues.
– when you use Bitdefender Business Solutions it is possible to share with us some technical details, such as data for identifying the device (UDID), the infected URL you reported, or IP addresses. If you use a Bitdefender Business Solution that integrates with your email server, some technical data of the infected files could be sent to us, including data such as sender, recipient, subject, or attachment. In most cases, these technical data may not lead to your direct or indirect identification, but in some very specific cases computer specialists might be able to identify a specific computer. Therefore, we treat all such information as personal data and protect it as such. This information is solely used for the purpose of securing information and networks by correct and efficient operation of our Solutions and services, according to the technical specifications, and their improvement, including by analyzing the reported security issues. This includes delivering and customizing related services. Also, we may use this information for statistical purposes and improving the quality of our Solutions. This data is stored for a limited period, depending on its usefulness for the current information security needs. Based on the current speed of technology, we will not need them for over 10 years from the day of the collection.
Bitdefender processes personal data from its Bitdefender Business Solutions based on the legitimate interests of Bitdefender, but also the legitimate interests of the Data Subjects that it aims to protect, for the sole purpose of ensuring network and information security, as explained in Recital 47 of the GDPR. The way this data processing is managed will not affect the interests or fundamental rights and freedoms of the data subject that require protection of personal data. As explained above, we apply the principle of “data minimization” to the collected data, so that all data collected is anonymized by default. As a leader in information security services, confidentiality and data protection are of vital importance for us. Access to the collected personal data is restricted to Bitdefender employees and data processors that need access to this information, as explained below. All Bitdefender information security policies are ISO 27001 and SOC2 Type2 certified.
In principle, Bitdefender will not reveal any personal data about its Data Subjects to third parties with the exceptions mentioned below and in chapter 6.
Bitdefender sometimes uses other companies to process the collected personal data but only when needed, for the sole purpose of allowing them to conduct Bitdefender business. These companies are considered data processors and have strict contractual obligations to keep the confidentiality of the processed data and to offer at least the same level of security as Bitdefender. Data processors have the obligation not to allow third parties without Bitdefender's prior approval and only for the purposes as instructed by Bitdefender to process personal data on behalf of Bitdefender and to access, use and/or keep the data secure and confidential.
Bitdefender may host or transfer personal data in Romania, Ireland, as well as in the European Union or any other jurisdiction which offers an adequate level of personal data protection according to European Union standards (art 45 GDPR) or other appropriate safeguards, including Standard Contractual Clauses (art 46.2 GDPR).
For the Bitdefender Business Solutions, most of the data is hosted and managed internally. But for certain data, we may use the following types of data processors for services based in EU and USA:
Due to confidentiality obligations the specific information regarding the processors used will be provided to competent authorities.
However, Bitdefender may reveal personal data to competent authorities, upon their request according to the applicable laws or when this is necessary to protect the rights and interests of our clients and Bitdefender.
According to GDPR, data subjects have the right of access to data, the right to rectification, the right to erasure and the right not to be subject to individual decisions. Data subjects also have the right to restriction of personal data processing and to request the deletion of the collected personal data, as well as the right to data portability.
For any data processing based on consent, you have the right to withdraw the consent at any time.
To exercise these rights, you may send a written request, dated and signed, to the Bitdefender DPO or via email to [email protected].
Data subjects are not subject to decisions based solely on automated processing, including profiling, which may produce legal effects or similarly significantly affect them.
Data subjects also have the right to lodge a complaint with a supervisory authority and the right to address a court.
If you use our Bitdefender Business Solutions, then it is possible that another company (usually your employer as our business Client or a Partner that includes our services) is also a joint data controller for some of the data collected by the Bitdefender Business Solutions, especially those available in the Bitdefender GravityZone Console for the purpose of information security. According to our joint controllers arrangement with them, these companies have the full responsibility for the personal data processed by them and need to inform you on all aspects of their personal data processing, including legal basis for data processing and all purposes of collection, including the purpose of information security.