Data Policy and Security Policy

1.1 Definitions

In this Annexure the following expressions shall, unless the context otherwise requires, have the meanings assigned to them below:

"Affiliate" means in relation to a party, a corporation owned or controlled by the Party or which owns or controls the Party or which is owned or controlled by a parent corporation which also owns that Party.

“Company” means the entity with whom Robi is entering into the Agreement.

"Robi Data" includes, but is not limited to, the data, text, drawings, diagrams, plans, statistics or images (together with any database made up of any of these) which are embodied in any electronic, magnetic, electromagnetic, optical, tangible or other media,

(a) which are supplied to the Company by or on behalf of Robi;

(b) which the Company accesses, processes, stores, transmits or replicates using or on the Company’s systems or equipment pursuant to this Agreement; or

(c) which the Company has custody or control of for purposes connected to this Agreement,

including any Personal Data which Robi controls the Processing of or which comes into the knowledge, possession or control of the Company pursuant to this Agreement;

"Robi Systems" means the hardware (including computer hardware), software and telecommunications or information technology equipment, systems and networks used or owned by Robi or licensed to Robi by a third party;

“Applicable Privacy Laws” include prevailing privacy and personal data protection laws, rules, regulations, guidelines, directives, etc. in Bangladesh.

"Best Industry Practice" means, in relation to any undertaking and any circumstances, the exercise of the degree of skill, care, diligence, prudence, foresight and judgement which could reasonably be expected from highly skilled, experienced persons, entities and world leading suppliers and contractors engaged in comparable types of undertaking under similar circumstances, applying equivalent or better standards currently applied in the industry relevant to the Professional Services and any other products, works and services that may become available to ensure, without limitation, the objectives and obligations identified in this Agreement are achieved and performed that include best practices and value in respect of price, performance and time to market;

"Commencement Date" means Purchase Order date;

"Confidential Information" means all information, reports or data such as diagrams, plans, statistics, drawings and supporting records or materials (whether in writing, orally, or by any electronic or other means), which has come into the possession of the Company before, on or after the Commencement Date which relate to Robi, its customers (including its customers’ customers) or suppliers and shall include but is not limited to:

(a) data on the network, formulae, photographs, drawings, specifications, software programs, samples and any technical, business plans, financial or commercial information relating to Robi; or

(b) any information relating to its business, operations, processes, plans, intentions, product information, know-how, design rights, trade secrets, market strategy and opportunities, customer and supplier details and business affairs and any other material bearing or incorporating any information and documentation relating to Robi; and

(c) any Personal Data which Robi controls the Processing of or which comes into the knowledge, possession or control of the Company pursuant to this Agreement;

“Data Subject” means an individual who is the subject of the Personal Data;

"Deliverables" means the items set out in Contract including any amendments and modifications as requested by Robi from time to time and shall include anything compiled, written, provided, created and developed by the Company in relation to the Professional Services, including but not limited to materials, studies, methodologies, models or general industry perspective and practices, plans, drawings, diagrams, statistics and reports;

"Malware" means anything, software or device which may impair or otherwise adversely affect the operation of any computer or system, prevent or hinder access to any program or data (whether by rearranging within the computer or any storage medium or device, altering or erasing the program or data in whole or in part, or otherwise), gain unauthorised access to any program, equipment, system or data, or collect data or conduct surveillance without authorisation, including worms, Trojan horses, computer viruses, ransomware, spyware or similar things;

“Party” means a party to this Agreement and “Parties” means the parties to this Agreement;

“Personal Data” means personal data, personal information or data relating to the Data Subject transferred under this Agreement;

"Personnel" means in relation to a party, the employees, directors, officers, agents, advisers, contractors and subcontractors of that party or of its Affiliates or associates, and the employees, directors and personnel of any such agents, advisers, contractors and subcontractors. The Company’s Personnel shall, in addition to the foregoing, include Sub-Processors;

“Process” or “Processing” means collecting, recording, holding or storing Personal Data or carrying out any operation or set of operations on Personal Data, including:

(a) the organization, adaptation or alteration of Personal Data;

(b) the retrieval, consultation or use of Personal Data;

(c) the disclosure of Personal Data by transmission, transfer, dissemination or otherwise making available; or

(d) the alignment, combination, correction, erasure or destruction of Personal Data;

"Professional Services" means the services to be provided by the Company to Robi, which include the Deliverables and are more particularly set out in the Scope of Work;

"Scope of Work" means the Company’s scope of work for the performance of the Professional Services in accordance with Contract hereto;

“Sub-Processor” means any party appointed by, or on behalf of, the Company to Process Personal Data of Robi in connection with this Agreement.

2. Data Security and Protection

2.1 In supplying the Deliverables and performing the Professional Services, and in carrying out the other tasks allocated to it in this Agreement, the Company shall in accordance with Best Industry Practice:

(a) do all things that a reasonable and prudent entity would do to ensure that all Robi Data are protected at all times from accidental, unauthorised or unlawful access, processing or Processing, use or transfer by a third party or loss, misuse, damage or destruction by any person, including adopting and implementing all appropriate technical and organisational measures and controls;

(b) provide and implement protective policies, processes, measures and controls for the Robi Data that are no less rigorous than accepted industry standards and commensurate with the consequences and probability of accidental, unauthorised or unlawful access to, processing or Processing, use or transfer of, or the loss, misuse, damage or destruction of, the Robi Data. The Company shall provide Robi with an up-to-date copy of its written physical, technical and organizational security measures;

(c) comply with Robi’s information technology, security, access and usage policies, procedures and directions set out in this Agreement or notified to it from time to time;

(d) take all necessary steps to prevent any Malware being introduced into any software or onto any of the Robi Systems or any information technology equipment (including computer hardware), systems or networks used by the Company to access, process or Process, store, transmit or generate Robi Data or to supply the Professional Services to Robi;

(e) not access or attempt to access the Robi Systems without the prior written consent of Robi;

(f) procure that no unauthorised third party will, as a result of any act or omission of the Company or its Personnel, obtain access to any of the Robi Data or Robi Systems;

(g) apply security procedures, measures and controls to guard against the misuse, loss, damage, destruction, corruption or alteration of the Robi Data in the possession or control of (or accessed by) the Company or its Personnel;

(h) ensure that it does not deliberately or negligently misuse, lose, damage, destroy, corrupt, alter or erase the Robi Data on the Robi Systems or on its own equipment or systems;

(i) not disclose or share passwords, authentication tokens or credentials supplied by Robi to access the Robi Systems to any person other than its Personnel with a need to know and revoke or remove such access immediately upon any such Personnel no longer having the need to know or leaving the Company;

(j) immediately notify Robi of any breach of (a) to (i) above; and

(k) develop or adapt for acceptance by Robi a Data Protection Plan ("DPP") that sets out how the Company will deal with and discharge its obligations in respect of Robi Data (including Personal Data) during the provision of the Professional Services. The DPP must:

  • be consistent with the requirements of this Agreement (including this Clause 2);
  • be consistent with the requirements of all relevant privacy or data protection and other laws, including the privacy or data protection laws of jurisdictions where any Robi Data is stored, managed or transited;
  • specifically deal with cybercrime or cybersecurity risks, including protecting against and monitoring actual, attempted or potential unauthorised access and rapidly responding to any unauthorised access, cybercrime or cybersecurity breaches in order to limit the effects of such access, crime or breach and the occurrence of any other such access, crime or breach;
  • set out the steps and processes that the Company and Robi will follow to protect the Robi Data from actual, attempted or potential unauthorised or unlawful access, use, processing or Processing, or transfer, or misuse, damage, destruction, loss or corruption and rapidly respond to any unauthorised or unlawful access, cybercrime or cybersecurity breaches; and
  • include any comments from or requirements of Robi from time to time, and once accepted by Robi, the Company must comply with the DPP.

2.2 If the Company becomes aware of any actual or suspected:

(a) action taken through the use of computer networks that attempts to access the Company’s information system or Robi Data residing on that system or that results in any actual or potential adverse effect on the Company’s information system or Robi Data residing on that system (a "Cyber Incident");

(b) any other unauthorised access or use by a third party or misuse, damage or destruction by any person (an "Other Incident"); or

(c) breach of any applicable law by the Company (a "Breach"), the Company shall:

(i) notify Robi in writing immediately (and no later than two (2) hours after becoming aware of the Cyber Incident, Other Incident or Breach), providing full details of the Cyber Incident, Other Incident or Breach, and keep Robi updated at all times thereafter in relation to the Cyber Incident, Other Incident or Breach; and

(ii) provide sufficient information and assistance to allow Robi to meet their respective obligations to report the Cyber Incident, Other Incident or Breach to the relevant authorities or to inform the Data Subjects under the applicable privacy or data protection and other laws. The Company shall co-operate with Robi and the relevant authorities to take all reasonable steps to assist in the investigation, mitigation and remediation of the Cyber Incident, Other Incident or Breach;

(iii) comply with the DPP and all other directions issued by Robi in connection with the Cyber Incident, Other Incident or Breach, including in relation to:

(1) notifying any relevant body, as required by the DPP or Robi;

(2) obtaining evidence (including digital forensic evidence) about how, when and by whom the Company’s information system or the Robi has or may have been compromised, providing it to Robi on request, and preserving and protecting that evidence for a period of at least twelve (12) months;

(3) implementing any mitigation strategies to contain and reduce the impact of the Cyber Incident, Other Incident or Breach or the likelihood or impact of any future similar event, incident or breach; and

(4) recovering and restoring the Professional Services (if affected) and preserving and protecting Robi Data (including as necessary reverting to any backup or alternative site or taking other action to recover Robi Data).

Notwithstanding anything contained in this Agreement, Robi may suspend the transfer of Robi Data to the Company until such Cyber Incident, Other Incident or Breach has been rectified or the Processing of Robi Data under this Agreement is terminated.

2.3 The Company shall ensure that:

(a) all subcontracts, other supply chain arrangements and contracts with Sub-Processors, which may allow or cause access to Robi Data, contain provisions that are at least as stringent as those in this Clause 2 and do not contain any provisions that are inconsistent with this Clause 2; and

(b) all the Company’s Personnel who have access, directly or indirectly, to Robi Data or Robi Systems comply with this Clause 2 as if the Personnel were the Company.

2.4 The Company shall at all times comply with the Applicable Privacy Laws in respect of the Processing, dealing, remote access or transfer of Personal Data of Robi, including but not limited to Personal Data of the customers or employees of Robi. The Company shall not do or omit to do anything that would cause Robi Group to contravene, or that would result in Robi Group contravening, any Personal Data Laws.

2.5 The Company shall only Process Personal Data of Robi for the sole purpose of performing the Professional Services and in accordance with the respective instructions and policies of Robi. The Company shall immediately notify Robi if it believes that the data Processing instruction infringes the applicable privacy or data protection laws.

2.6 The Company shall not transfer or remotely access Personal Data of Robi Group without the prior written consent of Robi. The Company shall ensure that any transfer of, or remote access to, Personal Data of Robi Group does not contravene any provisions of this Agreement or any applicable laws and that such Personal Data is adequately protected at all times. All transfers of such Personal Data shall be encrypted or secured in other ways, and the Company shall ensure that the third party to whom the Personal Data is transferred adheres to the same obligations as the Company’s obligations with respect to Robi Data (including Personal Data) and Confidential Information in this Agreement. The Company shall be responsible for verifying the third party’s compliance. The Company shall be fully responsible to Robi for any non-compliance by any third party with the aforesaid obligations or any applicable laws.

2.7 The Company shall not engage a Sub-Processor to Process any Personal Data of Robi or change any Sub-Processor without the prior written consent of Robi. Where the Company engages any such Sub-Processor, the Company shall ensure that the Sub-Processor adheres to the same obligations as the Company’s obligations with respect to Robi Data (including Personal Data) and Confidential Information in this Agreement. The Company shall be responsible for verifying the Sub-Processor’s compliance. The Company shall be fully responsible to Robi for any non-compliance by any Sub-Processor with the aforesaid obligations or any applicable laws.

2.8 The Company shall assist Robi to handle and comply with their respective obligations in complying with Data Subjects’ rights. If the Company or its Sub-Processor receives a complaint or any request (including any request for access to or correction of the Personal Data) from any Data Subject or his/her agents, or from any authority, the Company must, without undue delay, inform Robi of the complaint or request. Upon request by Robi, the Company shall, without undue delay, supply the information to Robi to enable them to respond to such complaint or request. The Company shall not respond to these complaints or requests unless instructed in writing by Robi.

2.9 The Company shall establish and maintain a record of Personal Data Processing activities in electronic form. Such record shall, at the minimum, contain the following information:

(a) types/categories of Personal Data Processed;

(b) transfer details, including countries transferred to and the safeguards for the transfer;

(c) information of the Sub-Processor and details of the Processing activity;

(d) specific data security requirements;

(e) information of the Company and its Data Protection Officer or appointed officer responsible for the Processing of Personal Data;

(f) technical and organizational security measures employed by the Company to safeguard Personal Data.

The Company shall furnish a copy of the up-to-date record to Robi upon request.

2.10 The Company shall provide reasonable assistance to Robi with any data protection impact assessment and consultation with supervisory authority, when required by Robi.

2.11 (a) Robi may conduct, or require a third party nominated by them to conduct, a security audit of the Company’s facilities, safeguards, policies, procedures and security measures in place to protect the Robi Data and Confidential Information at any time and from time to time during the Term, including if directed by the data protection authority or if necessary due to any accidental, unauthorised or unlawful access to, processing or Processing, use or transfer of, or loss, misuse, damage or destruction of, any Robi Data. The Company shall make available all information necessary to demonstrate compliance with the provisions of this Agreement and privacy or data protection laws. The Company may engage its own auditor, provided such auditor is acceptable to Robi, and shall furnish the auditor’s report to Robi for their review. Subject to Clause 2.11(b), each Party will bear its own cost of audit.

(b) Robi will review the results of the security audit with the Company. If such results demonstrate that the Company has breached any of its obligations, or that the Company’s safeguards and security measures in place to protect the Robi Data or Confidential Information do not meet industry best practice standards, or there is a reasonable risk of material security breaches, the Company shall (without limiting Robi’s rights and remedies):

i. pay Robi’s costs associated with the security audit; and

ii. promptly take such steps as are necessary to remediate the issues identified in respect of the safeguards and security measures to at least the industry standard identified as adequate in the security audit, and will provide to Robi regular status updates of such remediation. The frequency of such status updates will be agreed upon by Robi but in any event will be at least once every seven (7) days.

2.12 In respect of Personal Data:

(a) in the event of any conflict or inconsistency between Clause 2.4 and any other provisions in this Agreement, the former shall prevail to the extent of the conflict or inconsistency;

(b) if compliance with any mandatory Personal Data Laws will result in any conflict with any provisions in this Agreement, the Company shall comply with such mandatory Personal Data Laws to the extent of the conflict; and

(c) in the event of any conflict or inconsistency between any provisions in Clause 2 and any provisions in confidentiality clause of this Agreement, the former shall prevail to the extent of the conflict or inconsistency.

3. Consequences of Termination

3.1 Where this Agreement is terminated:

(a) the Company shall permanently destroy, or return to Robi and other relevant member(s) of the Robi, all Confidential Information and Deliverables or deal with the same in the manner instructed by Robi, within the earlier of the time period required under law (if any) and fourteen (14) days after the termination or expiry of this Agreement (“Execution Date”), and shall provide a written confirmation to this effect to Robi within seven (7) days of the Execution Date;

(b) the Company shall, at no cost and expense to Robi, make available Personnel and take immediate steps to assist Robi to ensure a smooth transition if a third party has been appointed to replace the Company in the performance of its obligations under this Agreement. The Company shall support Robi with any transfer of Personal Data to a third party if required by them;

(c) the Company shall take immediate steps to cease the Professional Services in a prompt and orderly manner, discontinue from making commitments and shall proceed to cancel all existing orders and terminate all works under this Agreement as promptly as is practicable and hand over all Deliverables and other related materials to Robi; and

(d) Robi shall not be liable to the Company by virtue of early termination of this Agreement including but not limited to any claim for loss of profits and revenue or prospective profits.

3.2 The termination or expiry of this Agreement shall not prejudice the rights of either Party to sue for damages or to obtain any other relief in respect of any antecedent breach of the terms of this Agreement by the other Party prior to such termination or expiry.