Data Processing Agreement
Version 4 - Last updated July 2023
This Data Processing Agreement (“DPA”) applies to the processing of Personal Data (“Processed Personal Data”) by Logitech and its affiliates (“Logitech”) in accordance with the products and services provided as described in the DPA Details (“Services”) pursuant to the agreements or terms and conditions (“Agreements”) between Logitech and its partners, resellers, and enterprise end-customers (“Customer”). This DPA is attached to, and incorporated by reference into, the Agreements.
- Processing of End User Personal Data. Where Customer has instructed Logitech, either expressly as a Controller or as reasonably expected pursuant to the Services having obtained previous instructions and authorization of the relevant Controller(s), to process end user Processed Personal Data on behalf of Customer, Logitech will process the end user Processed Personal Data in accordance with this DPA and solely in connection with performing the Services. Logitech will not use end user Processed Personal Data for any other purposes.
- Compliance with Laws. Each party will comply with all applicable data privacy laws in respect of the Services. Customer will not use the Services in a manner that would violate applicable data privacy laws.
- Security. Customer and Logitech agree that Logitech will implement and maintain the technical, administrative and organizational data security measures ("TOMs") set forth in the DPA Details. Logitech may update and modify its TOMs from time to time, as appropriate for the Services.
- Submit to Audits. Logitech shall allow for, and contribute to, reasonable audits required by law, including inspections, conducted by the Customer or another auditor mandated by the Customer. Any auditor mandated by the Customer shall not be a direct competitor of Logitech with regard to the Services and shall be bound to an obligation of confidentiality. Customer may request an audit only once in any 12-month period, and it shall be conducted during Logitech standard business hours. Customer and/or its auditor shall follow all of Logitech’s processes, and Logitech shall not be required to disclose other parties’ confidential information in connection with any audit.
- Notify Breaches. Logitech will notify Customer of security breaches of Processed Personal Data as required by applicable law.
- Subprocessors. Customer authorizes the engagement of other Processors by Logitech for the processing of the Processed Personal Data (“Subprocessors”). Logitech imposes substantially similar but no less protective data protection obligations, as set out in this DPA, on any approved Subprocessor prior to the Subprocessor initiating any processing of Customer Personal Data. A list of approved Subprocessors shall be included in the applicable DPA Details.
- EEA/UK/CH Personal Data. For personal data that is subject to the GDPR and/or the UK GDPR and/or the Swiss Data Protection Act, Logitech offers Customer to execute the Schedule for the Standard Contractual Clauses, which incorporates (i) the Standard Contractual Clauses 2021 promulgated by Commission implementing decision (EU) 2021/914 of June 2021 (EU SCCs) with the applicable Module(s) and completed Annexes; (ii) the UK International Data Transfer Addendum to the Standard Contractual Clauses version B1.0 in force 21 March 2022 (UK SCCs) with tables completed and (iii) the EU SCCs with the adaptations required under the Swiss Federal Data Protection Act (Swiss SCCs). If the Customer and/or Logitech believe that these measures are not sufficient to satisfy applicable data privacy laws, the parties shall work together to implement any additional and/or alternative appropriate international data transfer measures.
- No Information Selling or Sharing for Advertising. Logitech acknowledges and confirms that it will not sell or share the Processed Personal Data, as the terms “sell” and “share” are defined in the California Consumer Privacy Act of 2018, as amended, including by the California Privacy Rights Act of 2020 (“CCPA”). Logitech will not collect, retain, use, or disclose any Processed Personal Data (a) for targeted or cross context behavioral advertising, (b) but for the business purposes specified in the Agreements, or (c) outside the direct business relationship with Logitech.
- Disclosure by Law. In the event Logitech is required by applicable law, regulation, or legal process to disclose any Processed Personal Data, Logitech will (a) give Customer, to the extent possible, reasonable advance notice prior to disclosure so Customer may contest the disclosure or seek a protective order, and (b) reasonably limit the disclosure to the minimum amount that is legally required to be disclosed.
- Integration. This DPA is binding on Logitech if and to the extent it is expressly agreed or incorporated by reference under the duly signed Agreements. This DPA shall not create third party beneficiary rights. Logitech does not accept or submit to additional requirements relating to Processed Personal Data, except as specifically and expressly agreed in writing with explicit reference to the Agreements and this DPA.
Data Processing Agreement Details
Sync & Sync Plus & Select
This Data Processing Agreement Details (DPA Details) specifies the DPA for the identified Services: Sync, Sync Plus and Select. Any item specific to a Service is marked with an asterisk (*).
a. Duration of Processing
Logitech will process the Processed Personal Data for the duration of the Services, or as otherwise described in the Agreements.
b. Nature of Processing
Logitech’s activities with regard to the processing of Processed Personal Data are:
- Collection - Data collected (acquired or received) from the Customer.
- Use - Reading data only.
- Storage - Storing of data, including backups.
- *Creation - Creation of new aggregated data (not Personal Data) by insights and analytics. *Specific to Sync Plus.
2. Customer Personal Data
a. Categories of Data Subjects
The following lists the Categories of Data Subjects whose Personal Data generally can be processed within the Service(s):
- Customer’s employees (including temporary or casual workers, assignees, trainees)
- Customer’s suppliers and subcontractors (if those suppliers and subcontractors are individuals)
- Customer’s agents, consultants and other professional experts (contractors)
b. Types of Personal Data & Source of Data collection
The following lists the Types of Client Personal Data that generally can be processed within the Service(s):
- Registration & Account Creation Data (Source: Sync Portal / Select Portal). Including but not limited to:
  - Email address
  - First name
  - Last name
  - Organization name
- Additional User-Provided Data (Source: Sync Portal / Select Portal). Including but not limited to:
  - Room name
  - Seat count
  - Group names
- Meeting Room PC or Appliance Data (Source: Sync One App). Including but not limited to:
  - Device name
  - Device unique ID
  - Device firmware version
  - Device serial number
  - Sync app version
  - Computer OS type
  - Computer OS version
  - IP/MAC address
  - Computer specification metadata
  - Meeting room occupancy (metadata only)
- *Insights on how meeting rooms are used & occupancy (Source: Sync Portal). *Specific to Sync Plus. Including but not limited to:
  - Metadata only (aggregated data of meeting room occupancy, data is shown on a room level, no personal data)
- *Event Related Data (Source: Select Portal). *Specific to Select. Including but not limited to:
  - User ID (email address)
  - Customer ID
  - Date & time stamp for each event
  - Event identifier (contract assigned/unassigned)
  - Select contract ID
  - Room name/ID
3. Technical and Organizational Measures
A. Policies and Procedures
Logitech maintains policies and procedures to ensure the confidentiality, integrity, and availability of Processed Personal Data and protect it from accidental, unauthorized or improper disclosure, use, alteration or destruction.
B. Access Controls
Logitech maintains policies, procedures, and operational processes that:
B.1. limit physical access to Processed Personal Data and the facility or facilities in which it is stored to properly authorized persons;
B.2. ensure that all members of the Logitech workforce (including contractors) who require access to Processed Personal Data have appropriately controlled access, and to prevent those workforce members and others who should not have access from obtaining access;
B.3. authenticate and permit access only to authorized individuals and prevent members of Logitech workforce from providing Processed Personal Data or information relating thereto to unauthorized individuals;
B.4. assign a unique ID to each person with computer access to Processed Personal Data.
B.5. restrict access to Processed Personal Data to only those people with a “need-to-know” for a permitted purpose;
B.6. regularly review the list of people and services with access to Processed Personal Data, and remove accounts that no longer require access;
B.7. maintain and enforce “account lockout” by disabling accounts with access to Processed Personal Data when an account exceeds a threshold number of consecutive incorrect password attempts;
B.8. regularly review access logs for signs of malicious behavior or unauthorized access.
C. Security Awareness and Training
Logitech maintains an ongoing security awareness and training program for all members of Logitech’s workforce (including contractors and management).
D. Security Incident Procedures
Logitech maintains policies and procedures to detect, respond to, and otherwise address security incidents, including procedures to monitor systems and to detect actual and attempted attacks on or intrusions into Processed Personal Data or information systems relating thereto, and procedures to identify and respond to suspected or known security incidents, mitigate harmful effects of security incidents, and document security incidents and their outcomes. If Logitech becomes aware of any security incident that leads to a data breach impacting Processed Personal Data, Logitech will:
D.1. notify Customer without undue delay;
D.2. reasonably cooperate with impacted Customers to investigate and remediate the breach and mitigate any further risk to Processed Personal Data.
E. Contingency Planning
Logitech maintains policies, procedures, and operational processes for responding to an emergency, or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Processed Personal Data or systems that contain Processed Personal Data.
F. Device and Media Controls
Logitech requires that Processed Personal Data downloaded to, or otherwise stored on, laptops or other portable devices be subject to all of the protections required herein. Such protective measures shall include, at a minimum, that all devices accessing Processed Personal Data shall be encrypted and use up-to-date anti-malware detection and prevention software.
G. Security Audit Controls
Logitech maintains hardware, software, services, platforms and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.
H. Storage and Transmission Security
Logitech maintains technical security measures to guard against unauthorized access to Processed Personal Data that is being transmitted over an electronic communications network. Logitech will:
H.1. maintain a working network firewall to protect data accessible via the Internet and will keep all Logitech Information protected by the firewall at all times;
H.2. use anti-malware software at all times and will keep the anti-malware software up to date;
H.3. maintain technical and security measures to encrypt Processed Personal Data in transit and at rest;
H.4. regularly review access logs for signs of malicious behavior or unauthorized access;
H.5. keep Logitech’s systems and software up-to-date with the latest applicable upgrades, updates, new versions and other modifications necessary to ensure security of Processed Personal Data.
I. Assigned Security Responsibility
Logitech has a designated security official responsible for the development, implementation, and maintenance of the Security Program.
Logitech regularly tests key controls, systems and procedures of Logitech’s Security Program to ensure that they are properly implemented and effective in addressing the threats and risks identified.
K. Third Party Vendor Management
Logitech may use third party vendors in support of Logitech’s services to Customers. Logitech performs a security and privacy risk-based assessment of prospective vendors before working with vendors to validate that they meet Logitech’s privacy and security standards.
Logitech continually monitors, evaluates, and adjusts, as appropriate, the Security Program in light of any relevant changes in technology or industry security standards, the sensitivity of the Processed Personal Data, and internal or external threats to Processed Personal Data.
Logitech will assist Customer by TOMs for the fulfillment of Customer’s obligation to comply with the rights of Data Subjects, Customers’ obligations relating to the security of processing, the notification and communication of a notifiable security breach and the Data Protection Impact Assessment, including prior consultation with the responsible Supervisory Authority, if required, taking into account the nature of the processing and the information available to Logitech.
Customer shall make a written request for any assistance referred to in the DPA and this DPA Details. Logitech may charge Customer no more than a reasonable charge to perform such assistance, allow for an audit or an Additional Instruction, and such charges shall be set forth in a quote and agreed to in writing by the parties. If Customer does not agree to the quote, the parties agree to reasonably cooperate to find a feasible solution in accordance with the dispute resolution process of the Agreements.
5. Deletion and Return of Customer Personal Data
Logitech shall delete and/or return to the Customer any Processed Personal Data at the end of the relationship with Customer. If, at any time during the relationship, Customer requests Logitech to delete and/or return the Processed Personal Data, such request shall be provided in written form.
Logitech may use the following approved Third Party Subprocessors in the processing of Processed Personal Data:
|Name of Subprocessor|Country of Subprocessor|Description of processing activities|
|---|---|---|
|Amazon Web Services (AWS) *Specific to Sync and Sync Plus.|U.S.A. / Germany (at Customer’s choice, must be specified in the Agreement)|To store Processed Personal Data|
|*Specific to Sync.|U.S.A.|To index and search device data|
|Elastic Search Inc. *Specific to Sync.|U.S.A.|To index and store diagnostic and error logs|
|Salesforce Lightning Platform *Specific to Select.|U.S.A.|To store Processed Personal Data|
Additional details on Logitech Subprocessors are available upon request.
7. Data Protection Officer and Other Controllers
Customer is responsible for providing complete, accurate and up-to-date information about its Data Protection Officer, and EU Representative if applicable, and each other Controller(s) (including their Data Protection Officer, and EU Representative, if applicable), if any, by written notice via email to email@example.com and to the Customer’s contact within Logitech.
Schedule for the Standard Contractual Clauses
Sync & Sync Plus & Select
With respect to any Processed Personal Data that is subject to the GDPR and/or the UK GDPR and/or the Swiss Federal Data Protection Act as “personal data”, Logitech and Customer accept (i) the Standard Contractual Clauses 2021 promulgated by Commission implementing decision (EU) 2021/914 of 4 June 2021 (EU SCCs), with the applicable Module(s), with its completed Annexes and list of subprocessors, and if required, the parties will agree to a transfer impact assessment (as per Clause 14) without undue delay; (ii) the UK International Data Transfer Addendum to the EU SCCs version B1.0 in force 21 March 2022 (UK SCCs), with tables completed; and (iii) the EU SCCs with the adaptations required under the Swiss Federal Data Protection Act (Swiss SCCs); all as set out in the DPA Details and this Schedule for the SCCs. Terms used in this Schedule for the SCCs, but not defined herein, shall have the meaning assigned to them in the applicable data privacy law.
For each module, where applicable:
For Clause 9 (Use of subprocessors), Option 2 will apply, the general written authorisation. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least thirty (30) days in advance.
For Clause 17 (Governing law), Option 1 will apply, the Parties agree that this shall be the law of the Republic of Ireland for the EU SCCs and the laws of England and Wales for the UK SCCs and Swiss law for the Swiss SCCs.
For Clause 18 (Choice of forum and jurisdiction), the Parties agree that those shall be the courts of the Republic of Ireland for the EU SCCs and the courts of England and Wales for the UK SCCs and the courts of Switzerland for the Swiss SCCs.
|A. List of Parties|

| |[Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]|[Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]|
|---|---|---|
|Name|Customer Name|Logitech Europe S.A.|
|Address|Customer Address|EPFL Quartier de l’Innovation, Borel Innovation Center, 1015 Lausanne|
|Contact person’s name, position and contact details|Customer’s privacy contact details (duly provided via written communication to firstname.lastname@example.org and to the Customer’s contact within Logitech)|Logitech Privacy Office - email@example.com|
|Activities relevant to the data transferred under these Clauses|As described in the Agreements|As described in the Agreements|
|Signature and date|By entering into the DPA, which is incorporated by reference into the Agreements, the Data Exporter is deemed to have signed the Standard Contractual Clauses incorporated herein, including their Annexes.|By entering into the DPA, which is incorporated by reference into the Agreements, the Data Exporter is deemed to have signed the Standard Contractual Clauses incorporated herein, including their Annexes.|

|B. Description of transfer|

| |Transfer Controller to Controller|Transfer Controller to Processor|Transfer Processor to Processor|
|---|---|---|---|
|Categories of data subjects whose personal data is transferred. E.g. Logitech employees, users, clients, contractors, consultants, consumers, business contacts, etc.|Individual employees and representatives of Data Exporter who instruct Data Importer, send purchase orders, process invoices, arrange for payment, make support calls, use Data Importer’s Services, and otherwise do business with Data Importer.|As set out in the applicable DPA Details, Section 2.a.|As set out in the applicable DPA Details, Section 2.a.|
|Categories of personal data transferred. E.g. names, identification numbers (ID numbers), location data, an online identifier (IP addresses), social identifier.|Business contact information, service usage, payment status and other information relating to how Data Exporter uses Data Importer's Services.|As set out in the applicable DPA Details, Section 2.b.|As set out in the applicable DPA Details, Section 2.b.|
|Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. E.g. racial / ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health.| | | |
|The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).|Continuous.|Continuous.|Continuous.|
|Nature of the processing. E.g. collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.|Data Importer uses data as a Controller to do business with Data Exporter, sell services, issue invoices, provide technical support, perform services, address Customer questions, improve services and develop new services and offerings.|As set out in the applicable DPA Details, Section 1.b.|As set out in the applicable DPA Details, Section 1.b.|
|Purpose(s) of the data transfer and further processing. E.g. Processing is necessary for the performance of a contract, processing is necessary for compliance with a legal obligation, processing is necessary for the purposes of the legitimate interests, the data subject has given consent to the processing of his or her personal data.|To provide communications and the business collaboration between Data Exporter and Data Importer.|To provide the contracted Services under the Agreements and as Instructed under the DPA.|To provide the contracted Services under the Agreements and as Instructed under the DPA.|
|The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period|For the term of the Agreements and so long as Data Importer markets additional services to Data Exporter (with appropriate notice and consent).|For the term of the Agreements.|For the term of the Agreements.|
|For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing|N/A|N/A|N/A|

|C. Competent Supervisory Authority|
Transfer Controller to Controller
Transfer Controller to Processor
Transfer Processor to Processor
|Identify the competent supervisory authority/ies in accordance with Clause 13|The Data Protection Commission (DPC), The Republic of Ireland - for the EU SCCs. The Information Commissioner (ICO), The United Kingdom - for the UK SCCs. The Federal Data Protection Information Commissioner (FDPIC), Switzerland - for the Swiss SCCs.|
Technical and Organizational Measures including the Technical and Organizational measures to ensure the security of the data
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.