GDPR

Under the GDPR, Sibros acts as a data processor for the personal data that Sibros processes on behalf of our customers through their use of the Deep Connected Platform^TM.  Sibros will only collect, access, store, and process this data as instructed by our customers. 

Sibros customers are the data controllers for the personal data that is collected and processed through their use of our Deep Connected Platform because they “determine the purposes and means” of processing this data. Customers determine what data is collected and for what purpose(s), including the timing and frequency, and have the ability to create and run custom reports on their data.

Sibros has implemented various systems, procedures, and documentation to comply with and support our customers’ compliance with the GDPR, including the following:

‍Customer DPA and Data Transfer (SCCs) Terms:  

Sibros’ Data Processing Agreement (our “Customer DPA”) includes standard data protection terms applicable to the processing of personal data and the provision of our services, which are tailored to address the unique aspects of Sibros' services and reflect our data security procedures. Our Customer DPA incorporates:

Subprocessor Compliance: 

Sibros has taken a number of actions to ensure that its use of subprocessors complies with applicable data protection obligations.  

• Sibros has identified and maintains a list of its subprocessors, which can be accessed HERE.  Sibros may add or delete subprocessors at any time. Customers can subscribe to subprocessor update notifications from Sibros, and such notifications will be sent prior to processing of customer data by a new subprocessor. Customers may raise objections regarding new subprocessors in accordance with the terms of our Customer DPA with the respective customers.  
• Sibros has entered into data processing agreements (including the SCCs and UK IDTA as applicable) with its subprocessors, which include equivalent terms to those which apply to Sibros under its Customer DPA.  
• Sibros conducts due diligence and security reviews of its subprocessors prior to their processing of any customer personal data.
• Key subprocessors include Amazon Web Services (AWS) and Google Cloud Platform (GCP), which have their own GDPR compliance programs in place, available here:
• AWS: https://aws.amazon.com/compliance/gdpr-center/ 
• GCP: https://cloud.google.com/privacy/gdpr and https://cloud.google.com/blog/products/compliance/how-google-cloud-helps-customers-stay-current-with-gdpr

Data Transfers: 

Our Deep Connected Platform products and services, as well as our technical support and corporate operations, are provided from the United States, Germany, France, the UK, and India. We employ a range of measures to ensure that customer data is secure and safe and to maintain the integrity, accuracy, and confidentiality of that data when it is transferred to these jurisdictions.  These measures include entering into agreements that include GDPR-compliant data processing terms and the EU SCCs and UK IDTA as applicable.  Sibros has also implemented procedures and updated its practices to respond to the Schrems II decision by the European Court of Justice.  See below for more information.

Data De-Identification: 

Sibros protects and manages the usage of PII, especially geolocation, and performs de-identification actions including deletion or obfuscation of personal data and identifiers associated with the end user, VIN, and GUID(s), including by masking or deleting other unique identifiers such as ESN. The remaining disassociated data is also subject to further data exclusion and masking, which may include random staggering of the data, character shuffling, random dictionary substitution, or deletion of data to make it statistically improbable that the remaining data can be correlated with a particular vehicle or end user.

As the data controller, our customers are responsible for providing notice and obtaining any required consent from data subjects. As the data processor, Sibros provides customers the opportunity to display and link to a GDPR-compliant privacy notice and, where relevant, consent language addressed to the end-users, i.e., the data subjects.  Our customers are responsible for providing the relevant notice or consent language and for managing any applicable notices and consents and configurations for such. 

Notice and consent language and implementation is configured for each customer during the onboarding process and can be updated and configured as necessary thereafter. Customers configure how and when consent is requested, logged, and subsequently stored. For example, Sibros provides customers with a mechanism for obtaining mandatory electronic consent for log collection and Over the Air (OTA) updates. Customers must obtain end-user consent and send or transmit confirmation of such consent to Sibros before initiating data collection from or deploying FOTA updates to a particular vehicle through the Platform.  

Our customers, as the controllers of end-user personal data processed within the Platform, may have certain legal obligations to respond to data subject requests under the GDPR and other applicable regulations. Within our customer portals, customers have the ability to create and export custom end-user reports for some data. The ability to request the deletion of specific end-user data and otherwise manage end-user data is available via Support tickets under the category “Data Privacy Request.” Customers can submit a support ticket in the customer portal to request Sibros support for processing data subject requests. Sibros has established processes, as described below, to facilitate and support our customers in responding to data subject requests regarding Platform data.

Access and Data Portability 

Customers can submit a support ticket for a “Data Privacy Request” issue type specifying “Data Access Request” in their respective customer portal to request Sibros’ assistance in preparing and exporting a portable copy of end-user data associated with a particular Vehicle Identification Number (“VIN”).  To request an end-user access report, customers must provide the VIN for the relevant end user’s vehicle.  Data Access Request reports are provided to customers as a downloadable TAR File.

+ End User Access Report Format and Download

End-user access reports are compiled by Sibros as a TAR file and are usually processed within 10 business days.  Sibros will provide customers with a secure download link to access the report.  The link and end-user access report (TAR File) are available for 60 days, after which they expire.  

Deletion Requests

Customers can submit a support ticket for a “Data Privacy Request” issue type specifying “Data Deletion Request” in the customer portal to initiate an end-user deletion request for data associated with a particular VIN.   To request deletion of personal data regarding a specific end-user, customers must provide the VIN for the end user.  Sibros processes deletion requests by deleting and/or disassociating the vehicle and device data from a particular end user within the Platform.  Archived data that is stored as part of Sibros’ data back-ups are not subject to deletion and disassociation, unless the backup data is restored by Sibros. However, backups are regularly deleted or overwritten (usually within 180 days).   

+ Deletion Process

End user VIN is deleted from the relevant GUID asset table(s), which map vehicle and device-related data to a specific VIN within the Platform, and the relevant GUID(s) for the vehicle are also deleted from the Asset tables, which severs the link between the end user and the corresponding vehicle and device-related data within the Platform.  At this point, the device data cannot be associated with an end user without external data sources. It may take up to 15 days for a deletion request to be fully processed.

Other Data Subject Requests. 

Sibros collects vehicle and device data as it is generated by the vehicle or device and, as such, is not able to verify inaccuracy or “correct” any vehicle and device data that is generated and processed within the Platform. To request support from Sibros to process a correction or other data subject request, customers may submit an “Other Data Request” ticket and provide the relevant VIN for the end user. 

Yes, Sibros has customers in many jurisdictions worldwide, which is why our data processing terms are drafted broadly to address data protection requirements around the globe. Our Customer DPA incorporates the core privacy principles on which many international data protection law regimes are built and uses the strict GDPR framework as baseline language.

Yes. As an important privacy safeguard, Sibros is committed to ensure that law enforcement, intelligence agency, or other government requests for disclosure of data will be carefully scrutinized and that Sibros will only disclose the minimum amount of data necessary in response to a request. Where requests are unlawful or unfounded, Sibros will take appropriate steps to challenge these.

No, to date, Sibros has not received any request from law enforcement to disclose data from or about its customers.

In the wake of the new EU Standard Contractual Clauses and the Schrems II ruling by the Court of Justice of the European Union (CJEU), Sibros wants to provide our customers with the information needed to evaluate and assess transfers of personal information outside the European Economic Area (EEA) and the United Kingdom (UK), specifically regarding access from the United States.

Under certain laws, including the GDPR, the UK GDPR, and Swiss Privacy laws, companies may only transfer personal information outside the EEA/UK/Switzerland where either of the following is true: 

• The recipient country provides an adequate level of data protection (as determined by the EU Commission)/ICO or 
• A valid transfer mechanism, as approved by the relevant regulatory body, is in place between the data exporter (customer) and data importer (Sibros), such as the EU Standard Contractual Clauses (SCCs).

Previously acknowledged as a ‘valid transfer mechanism’ the EU-US and CH-US Privacy-Shield Framework were invalidated by the Schrems II ruling as a means on which companies can rely upon to transfer data from the EU or Switzerland to the United States. 

No, in principle, the CJEU upheld the validity of the SCCs (available at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en) as a lawful transfer mechanism but, in addition, now requires companies to evaluate and assess its global transfers and evaluate on a case-by-case basis, whether the privacy and surveillance laws of the recipient country, as well as the technical and organizational security measures deployed by the data importer, ensure a level of data protection adequate to the level required by applicable EEA/UK/Swiss law.

In addition to executing the new EU Standard Contractual Clauses (SCCs) available at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en, and the UK Addendum, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, Customers must also conduct a “Schrems II Transfer Assessment” when relying on the new SCCs. Sibros provides these FAQs to help its customers understand what compliance mechanisms Sibros has put in place and to help customers comply with their own compliance requirements.

Yes, where transfers of EEA/UK/Swiss originating personal data to the United States are at stake (“Relevant Transfers”), the customer and Sibros generally rely on executed SCCs and the UK Addendum as relevant. The SCCs and UK Addendum are part of Sibros' Customer Data Processing Addendum.

Sibros has been closely monitoring developments regarding the new EU-US and Swiss-US Data Privacy Frameworks (“DPFs”), which has been approved and signed in July of 2023. For more information, see https://www.dataprivacyframework.gov/s/. In addition, the U.S. and UK governments have announced a deal in principle to establish the "UK Extension" to the EU-U.S. Data Privacy Framework. If established, both would then allow U.S. companies that certify to the DPF to transfer personal data from the EEA/UK to the US, respectively. Sibros is in the process of evaluating the published documentation and a self-certification under the DPFs.

• The CJEU and European Data Protection Board (EDPB)  both refer to (1) security controls and (2) contractual safeguards as additional considerations to determine the lawfulness of transfers.  
• In our view, data controllers (i.e., our customers) must consider the (1) likelihood and (2) risk of harm in relation to the specific types of personal data being transferred.  We note that the US Government confirmed in a white paper that the majority of data being transferred by companies is of no interest to intelligence agencies and that, therefore, most companies never even receive an order for disclosure of data. 
• Thus, as a controller, our customers should look not just at the laws of the third country (in our case, the United States) but also at additional contractual or security-based safeguards agreed to between you and Sibros, as well as the likelihood and risk of harm to data subjects for the transfers of data that may take place.

Customers may wish to take the following factors into account: 

• Most US companies do not deal in data that is of any interest to US intelligence agencies and will never receive orders from agencies for disclosure of data.  This was confirmed in a recent white paper published by the US government.  
• Sibros' Data Processing Agreement (DPA) includes a number of contractual safeguards (including the Security Control measures listed in Annex II to the SCCs)– as part of and in addition to the SCCs - which mitigate against the risks identified by the CJEU.
• Sibros has updated its customer agreements to include the new version of the SCCs/ UK Addendum.
• The Security Controls that Sibros has put in place to mitigate against the risk of interception of / misuse of data by third parties which include: 
• Maintains industry standard compliances as documented here.
• Applicable technical and organizational safeguards.

Sibros uses Amazon Web Services (AWS) and Google Cloud Platform (GCP) for cloud hosting and computing services. Sibros' own instances are generally located in the United States. However, additional regions of the AWS and GCP instance may be agreed upon with the customer, for example, in the EU and certain APAC regions.

No. We are not of the view that any and all transfers to the US are unlawful simply because the possibility that Sibros may be subject to FISA 702 or EO 12,333 cannot be excluded.  In addition, the Schrems II decision calls for case-by-case assessments, and the European Data Protection Board (EDPB) FAQs encourage controllers to look at “the circumstances of the transfer,” including the supplementary measures and safeguards in place to protect the data, which supports the argument that not all transfers are automatically unlawful.  Many EU supervisory authorities have agreed that an approach of carrying out a risk-based assessment is the way to go, indicating that other factors than FISA 702 should be taken into consideration during the risk assessment process. 

Customers should take their own advice on this matter.  However, to help you with your risk assessments, we have put together information in these Customer FAQs for you.

FISA applies to the collection of foreign intelligence involving non-US persons where the collection occurs within the US and the collection of foreign intelligence regarding US persons, whereas EO 12,333 applies to a non-US person located outside the United States.