1. Protection of Personal Information
Schneider Electric is a global Company that is committed to ensuring an adequate level of protection for personal information in compliance with applicable laws.
Personal information is processed by Schneider Electric Corporate Product Cyber Emergency Response Team (CPCERT), implemented by Schneider Electric Industries SAS and used by the entities of the Company who manage the security of products and offers.
Personal information is processed by Schneider Electric Corporate Cyber Emergency Response Team (SE-CERT), implemented by Schneider Electric Industries SAS, and used by the entities of the Company who manage the security for Schneider Electric’s information systems.
In its efforts to protect personal information, Schneider Electric has adopted a Global Data Privacy Policy, which imposes common rules for the collection, use and disclosure of personal information by all Schneider Electric entities globally and aims to protect personal information within the Company. The Global Data Privacy Policy is available on the Schneider Electric website.
2. Purposes of Data Processing
Schneider Electric uses the personal information processed in its CPCERT database to manage contacts with security researchers, to improve cooperation with researchers and to resolve any incidents/security issues they bring forward.
3. Categories of Processed Personal Information
The processed personal information includes:
- Contact information (e.g. name, company, blog or other media links)
- Technical expertise (e.g. products, technologies)
- Work with SE-CERT or CPCERT (number & CVSS scoring of submissions, history of disclosures & cooperation)
This information is obtained (a) from you when you submit a report (contact information, work with SE-CERT or CPCERT), and (b) from public sources, to establish a professional profile (technical expertise). The following public sources are mainly used:
- Bio/profile from alma mater, from professional publications or from technical conference profiles
- Your CV, if publicly available, and
- As applicable, your research/professional/institutional web pages, or information from social networks/blogs that you use in a research/professional capacity.
4. Sharing of Personal Information
The information in SE-CERT or CPCERT’s database is accessed by vulnerability handlers and security advisors. Because Schneider Electric is a global company, these handlers and advisors may have global or multi-country roles and can then be located anywhere in the world where Schneider Electric operates.
Both CERT databases are hosted internally. Relevant personal information may also be provided to competent authorities or otherwise as legally required.
The personal information in the System can be used to operate other systems, but only if such use is compatible with the above data processing purposes.
5. Your Data Protection Rights
Researchers can access and rectify their personal information by contacting SE-CERT at cert@se.com or CPCERT at cpcert@se.com.
6. Additional Information for researchers in the European Economic Area (EEA)
6.1 Legal Basis for Processing
Managing contact with researchers, developing cooperation and working with them to resolve the issues they bring forward is necessary for the legitimate interests of Schneider Electric and its clients. These interests shall not outweigh the researchers’ rights and freedoms.
6.2 Data Protection Rights
Researchers benefit from rights to access, rectify or request erasure or restriction of personal information and the right to information. They can also object to the processing of personal information on grounds relating to their particular situation when the processing is justified by our legitimate interest. These rights can be exercised as indicated in section 5 above.
6.3 International Data Transfers
Schneider Electric is a global company, and personal information is transferred to countries which do not have standards for the protection of personal information equivalent to those of the EU. In order to ensure a high level of protection for personal information wherever it is processed, Schneider Electric has adopted Binding Corporate Rules (BCR) which apply across the Company to all entities outside the EU. Our Global Data Privacy Policy implements our BCR. For more information, you may contact global-data-privacy@schneider-electric.com.
6.4 Data Retention
Personal information will be kept for as long as it is needed for the purposes set forth in this Privacy Notice. Data retention is determined by taking into consideration the following: ongoing cooperation and activities with the researchers, open submissions, legal requirements for keeping data, and statute of limitations. If Schneider Electric does not receive any submission from a researcher for 20 years, the personal information is deleted.
6.5 Questions and Claims
Questions or comments about the Company’s privacy practices or this Data Protection Notice can be addressed to the Group Data Protection Officer (DPO): DPO@schneider-electric.com, DPO Schneider Electric, 35 rue Joseph Monier CS 30323 92506 Rueil Malmaison, France.
If a security researcher believes that Schneider Electric has processed his/her personal information in violation of applicable law, he/she may file a complaint with the Group DPO at the contact details provided above or with a supervisory authority or request judicial remedy.