Privacy Policy for Bitdefender Business Solutions Version 5.0, adopted on 20.07.2021

The document explains the personal data we collect, how and where we may use it, how we protect it, who has access to it, with whom we share it, and how you may correct it. This privacy policy applies only to Bitdefender Business Solutions managed by Bitdefender. The anti-theft and human risk services have additional privacy policies, which are detailed in Chapters 7 and 8. If you are a Home user or you visit our websites, check our public privacy policy on what personal data we may process, available on our website at https://www.bitdefender.com/site/view/legal-privacy.html

1. General information

S.C. BITDEFENDER S.R.L. (“Bitdefender”), with its official headquarters in Bucharest, 6th District, 15A Sos. Orhideelor, Orhideea Towers Building, 9-12 floors, registered in the Bucharest Trade Register with number J40/20427/2005, fiscal code RO18189442, e-mail [email protected] processes personal data in agreement with the Romanian data protection legislation and the EU GDPR – General Data Protection Regulation (Regulation 2016/679). Our Data Protection Officer can be found at the following contacts: Bitdefender’s Data Protection Office – [email protected], Phone: 4021 -206.34.70

Bitdefender offers data security solutions and services. Our main goal is to ensure information and network security by providing quality solutions and services in these areas while also respecting the privacy and personal data of customers, Internet users and business partners. For this purpose, we collect only that personal data absolutely necessary for the specified purposes, on a best efforts basis. For the collected information and data, we strive to apply adequate solutions to anonymize it, or at least to pseudonymize it. Our main principle applied to the data we collect is anonymization of all technical data that can be used by Bitdefender only for the specified purposes below. In cases where perfect anonymization of technical data is not technically possible, the potential identification of a user is extremely unlikely to happen.

Personal data according to the European legislation definition (Regulation 2016/679) means: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

In this context, Bitdefender processes personal data from its Bitdefender Business Solutions for the sole purpose of ensuring network and information security by:

  • Ensuring correct and efficient operation of Bitdefender Business Solutions, according to the technical specifications and license details, and for their improvement, including analyzing the reported IT security issues, delivering and customizing the related services to the Data Subjects' needs and developing new technologies;
  • If the contract with the Business Client includes this feature, offering support or counseling to the Data Subjects of Bitdefender Business Solutions, if the data subject specifically demands it.

2. Personal data collected

All personal data collected by Bitdefender is recorded, stored, used, and managed on protected servers, as well as on other devices that allow these operations with standard industry security measures. Also, all Bitdefender's websites are hosted on protected servers having standard industry security measures. Bitdefender may collect personal information from data subjects, as users of Bitdefender Business Solutions; this is limited to technical and licensing data, which may sometimes include personal data:

  • Personal data directly provided by a Partner/Clients when creating an account;
  • Technical data sent by the Bitdefender Business Solutions installed by Partners/Clients.

2.1. Personal data directly provided by a Partner/User

– for example, when a license is provided to you, your employer or partner may share with us your business contacts, such as email address or phone number, so we can contact you with updates, notices, or to provide support. Also, when you access the Support Center, we may ask for a valid email address or a phone number and/or other technical information to communicate with you in providing support. All such data is used to provide a specific user with a license to use Bitdefender Business Solutions, for solving a request or complaint you addressed to us, or for offering technical support. Bitdefender may also ask for other data that could be considered personal data, if necessary for solving the information security problem you sought help on. More details will be shared when using a specific communication tool with us. The data used for licensing information is kept for the duration of the contract, plus five years after its expiration, to be able to defend any legal complaints on contractual issues. The data used for support services is kept for different periods of time, depending especially on whether the problem has been solved and on the exact method of communication with the support services, but in no case will the data be kept for more than five years after the last communication took place, to be able to defend any legal complaints on contractual issues.

2.2. Technical data sent by Bitdefender Business Solutions

– when you use Bitdefender Business Solutions, it is possible to share with us some technical details, such as data for identifying the device (UDID), the infected URL you reported, or IP addresses. If you use a Bitdefender Business Solution that integrates with your email server, some technical data of the infected files could be sent to us, including data such as sender, recipient, subject, or attachment. In most cases, these technical data may not lead to your direct or indirect identification, but in some very specific cases computer specialists might be able to identify a specific computer. Therefore, we treat all such information as personal data and protect it as such. This information is solely used for the purpose of securing information and networks by correct and efficient operation of our Solutions and services, according to the technical specifications, and their improvement, including by analyzing the reported security issues. This includes delivering and customizing related services. Also, we may use this information for statistical purposes and improving the quality of our Solutions. This data is stored for a limited period, depending on its usefulness for the current information security needs. Based on the current speed of technology, we will not need them for over 10 years from the day of the collection.

3. Legal basis and other details for personal data processing

Bitdefender processes personal data from its Bitdefender Business Solutions based on the legitimate interests of Bitdefender, but also the legitimate interests of the Data Subjects that it aims to protect, for the sole purpose of ensuring network and information security, as explained in Recital 47 of the GDPR. The way this data processing is managed will not affect the interests or fundamental rights and freedoms of the data subject that require protection of personal data. As explained above, we apply the principle of “data minimization” to the collected data, so that all data collected is anonymized by default. As a leader in information security services, confidentiality and data protection are of vital importance for us. Access to the collected personal data is restricted to Bitdefender employees and data processors that need access to this information, as explained below. All Bitdefender information security policies are ISO 27001 and SOC2 Type2 certified.

4. Who has access to personal data

In principle, Bitdefender will not reveal any personal data about its Data Subjects to third parties with the exceptions mentioned below and in chapter 6.

Bitdefender sometimes uses other companies to process the collected personal data but only when needed, for the sole purpose of allowing them to conduct Bitdefender business. These companies are considered data processors and have strict contractual obligations to keep the confidentiality of the processed data and to offer at least the same level of security as Bitdefender. Data processors are obliged not to allow third parties to process personal data on behalf of Bitdefender without Bitdefender's prior approval, and then only for the purposes instructed by Bitdefender, and to access, use and/or keep the data secure and confidential.

Bitdefender may host or transfer personal data in Romania, Ireland, as well as in the European Union or any other jurisdiction that offers an adequate level of personal data protection according to European Union standards (art 45 GDPR) or other appropriate safeguards, including Standard Contractual Clauses (art 46.2 GDPR).

For the Bitdefender Business Solutions, most of the data is hosted and managed internally. But for certain data, we may use the following types of data processors for services based in the EU and the USA:

  • for live channels communication, we use data processors from the EU and the USA for purposes of support services, live chat and call centers;
  • for off-line channels communication, we use data processors from the EU and the USA for support services and hosting the data;
  • for certain email security services, we use data processors from the EU and the UK.

Due to confidentiality obligations, the specific information regarding the processors used will be provided to competent authorities.

However, Bitdefender may reveal personal data to competent authorities, upon their request according to the applicable laws or when this is necessary to protect the rights and interests of our clients and Bitdefender.

5. Your personal data rights

According to the GDPR, data subjects have the right of access to data, the right to rectification, the right to erasure and the right not to be subject to individual decisions. Data subjects also have the right to restriction of personal data processing and to request the deletion of the collected personal data, as well as the right to data portability.

For any data processing based on consent, you have the right to withdraw the consent at any time.

To exercise these rights, you may send a written request, dated and signed, to the Bitdefender DPO or via email to [email protected].

Data subjects are not subject to decisions based solely on automated processing, including profiling, which may produce legal effects or similarly significantly affect them.

Data subjects also have the right to lodge a complaint with a supervisory authority and the right to address a court.

6. Other joint data controllers

If you use our Bitdefender Business Solutions, then it is possible that another company (usually your employer as our business Client or a Partner that includes our services) is also a joint data controller for some of the data collected by the Bitdefender Business Solutions, especially those available in the Bitdefender GravityZone Console for the purpose of information security. According to our joint controllers arrangement with them, these companies have the full responsibility for the personal data processed by them and need to inform you on all aspects of their personal data processing, including legal basis for data processing and all purposes of collection, including the purpose of information security.

7. Additional information regarding personal data collection of Anti-theft services of Bitdefender Business Solutions

This chapter complements the privacy policy with specific information regarding processing information that may be personal data and that is collected by Bitdefender for the anti-theft services, if those are active within the Bitdefender Business Solutions that you use. Some of the Bitdefender Business Solutions include an anti-theft service option designed for both mobile phone solutions as well as for tablets and laptops. Once activated and configured, the anti-theft option can track the lost or stolen device in real time via geo-localization. This Bitdefender service offers the localization option as well as other connected options such as remote blocking of the device, deleting the entire content of the device, or taking photos of the person who is accessing the phone without authorization. More details are available here.

If the anti-theft services are activated, Bitdefender may receive personal data such as geo-localization data either from GPS, GSM cells, Wi-Fi usage, or IP address. The only purpose of processing this data is information security via the Bitdefender anti-theft service. For the purpose of identifying the precise location, we may use third party processors. All the data is mostly hosted on the EU territory. However, certain data might also be hosted in the USA by processors which offer an adequate level of personal data protection according to European Union standards (art 45 GDPR) or other appropriate safeguards, including Standard Contractual Clauses (art 46.2 GDPR). All geo-localization information is kept for as long as the anti-theft service is active and will be deleted when the service is deactivated.

Thus, the Admin of a Bitdefender Solution may have administration rights for Bitdefender services and Solutions. Therefore, on the devices where the anti-theft services are installed, he/she can operate commands remotely. In this regard, it is the responsibility of the Admin to ensure that he/she can fulfill these actions from a legal standpoint and that he/she has the right to know the location, to take pictures remotely, to block or delete the device's content or to interact in any way with it.

8. Additional information regarding personal data collection of Human Risk services of Bitdefender Business Solutions

This chapter complements the privacy policy with specific information regarding processing information that may be personal data and that is collected by Bitdefender for the Human Risk Analytics services, only if those are activated within the Bitdefender Business Solutions that you use. The only purpose of this data collection is to help identify user actions and behaviors that pose a security risk to the organization. This is implemented with a privacy-friendly solution, by processing data exclusively on the local endpoints to identify potential human risk security activities. The generic result is displayed in the GravityZone console, available only to the Admin of the solution, together with a general score for Human Risk. The data is not used by Bitdefender for other purposes. More technical data on what is being processed is available in the technical documentation of the Business Solutions and on our website.

9. Publication date

The privacy policy has been adopted on the date mentioned in the title of the document and will be modified each time it is necessary, without prior or future notice of the changes. The new version will enter into force when published on the website and it will be marked accordingly. The present document is available at https://www.bitdefender.com/site/view/legal-privacy.html.