Processor obligations FAQs

Frequently asked questions

1. Does your company have a published privacy notice/statement that is available for our review?

  • HP's official Privacy Statement is linked from every HP web page. A listing of the statement in several languages can be found HERE.

2. Do you maintain a record of processing for all activities carried out?

  • HP maintains and regularly updates its record of processing activities. We have implemented privacy management and record-keeping tools to operationalize and maintain records for many compliance activities, including Records of Processing, Data Protection Impact Assessments and Privacy by Design.

3. From which geographical locations will you provide the services? Do you transfer personal data to any countries outside of the EEA?

  • HP is a global company and many of our business processes utilize a global operational model. Personal data given to HP may be transferred across state and country borders for the purposes of data consolidation, storage, and simplified customer information management. Any access or transfer of personal data across state or country boundaries must comply with applicable local laws and contractual requirements. HP participates in several programs that enable the international transfer of personal data to HP entities worldwide. You can learn more about our participation in these programs by visiting the HP Privacy Statement.

4. Do you rely on lawful mechanisms for data transfer?

  • Consistent with GDPR, HP relies on approved mechanisms for data transfer.
    • As a data controller, HP has approved Binding Corporate Rules (BCRs), which are intended to provide adequate guarantees that personal data of HP employees, suppliers and consumer customers is safeguarded when transferred to any HP company. HP remains among fewer than 100 companies worldwide whose binding corporate rules have been recognized by EU data protection authorities. You can find more information and verify HP's BCRs HERE.
    • The Asia-Pacific Economic Cooperation (APEC) forum of 21 economies operates the Cross-Border Privacy Rules (CBPR) System, which provides privacy protections for transfers of personal data across the region. HP's privacy practices comply with the APEC CBPR System, including transparency, accountability, and choice regarding the collection and use of your personal data. You can find more information on CBPRs and verify HP's participation HERE.
    • HP is also self-certified under the EU-U.S. Privacy Shield. You can find more information on Privacy Shield and verify HP's participation HERE. Note that the Court of Justice of the EU invalidated the Privacy Shield adequacy decision in July 2020 (the Schrems II judgment), so Privacy Shield certification alone no longer provides a lawful basis for EU-to-U.S. transfers; customers should check which of the mechanisms listed here currently governs a given transfer.
    • You can learn more about our participation in these programs by visiting the HP Privacy Statement.

5. Do you have an assigned Data Protection & Privacy Officer or equivalent?

  • HP's Chief Privacy and Data Protection Officer, with the support of the Privacy Office, is chartered to ensure compliance with the GDPR and other privacy and data protection laws worldwide. Representatives of HP's Privacy Office are located in the European Union and serve as points of contact for data subjects and EU-based data protection authorities.

6. Do you have a formally documented security incident management plan including personal data breach?

  • HP has established and maintains security and privacy procedures that promote information security, physical security, and privacy awareness.
  • Security incidents, whether physical, technological, or information-based, are handled primarily through a global incident-reporting process. After receiving an incident report, the team directs it to the responsible party within HP, and all parties follow the established procedure for that type of incident. These procedures draw on industry best practices, legal requirements, and customer-specific requirements set out in each contract.
  • All cybersecurity incidents are to be reported to HP Cybersecurity through a 24x7 online-supported process. HP has a documented escalation process for managing security incidents. In general, once an incident is reported, HP immediately implements corrective-action protocols and conducts a thorough investigation to determine whether any unauthorized access occurred. If unauthorized access to personal data is discovered, the incident is escalated to the HP Privacy Office, Global Legal Affairs and other internal HP stakeholders, who make the determinations regarding resolution and notification (including any notification obligations owed to customers under contract or to authorities under applicable law).

7. Are you in a position to assist your customers with any data subject requests and do you maintain a formally documented process for dealing with the exercise by a data subject of their rights?

  • Individuals may exercise their rights, submit privacy inquiries or lodge complaints through the Contact HP Privacy Office page.
  • Where HP processes personal data on behalf of customers, HP will, subject to certain limitations and in accordance with the applicable contractual requirements, assist those customers in meeting their obligations to respond to data subjects seeking to exercise their rights.

8. Does your company have a data privacy standard/policy in compliance with applicable data protection laws of the jurisdiction where your company operates?

  • HP has a long history of industry leadership in privacy and data protection; together with our portfolio of products, software and security services, we can support our customers' efforts to protect personal data and address their own compliance obligations. HP has internal policies that address the security, access, and accuracy of personal data and that prohibit sharing personal data without taking the proper steps. HP makes it a priority to understand the privacy and security requirements of its customers and to establish processes that deliver its products and services in ways that help meet their compliance needs.

9. Does your company provide privacy training to your employees?

  • HP employees and contingent workers receive annual business ethics training, which features privacy and data protection as a key component. Additional mandatory training may also be required for certain job functions that regularly handle personal data or on an “as needed” basis to support specific business activities.

10. Are HP's vendors bound to protect personal data when handling it on behalf of HP?

  • HP requires that third parties, including vendors and partners, that process personal data on behalf of HP be contractually bound to safeguard any personal data they receive from HP, and that they be prohibited from using that personal data for any purpose other than performing the services as instructed by HP. HP has also implemented a risk-based compliance assessment for suppliers that handle HP or HP customers' data.

11. Do you implement Privacy by Design & Data Privacy Impact Assessment in the development of systems and products?

  • We are reinforcing Privacy by Design in our operations to ensure that all HP products, services, websites, systems and applications are designed and implemented only after thoughtful consideration of their privacy implications. Another process of crucial importance is the Data Protection Impact Assessment (DPIA), through which we assess risks to the rights of individuals and document the decision-making for certain processing activities.

12. What is HP doing to support our customers’ efforts in protecting personal data and addressing their own compliance?

  • We apply security measures to the data we process for our customers. As a provider of management and technical services for printing and personal systems, HP is committed to meeting its obligations and to protecting any personal data it processes for customers. We are bringing several of our customer service offerings into alignment with the ISO/IEC 27001 standard, including expanding the scope of our certification to cover the Managed Print Services and Device-as-a-Service offerings.
  • HP has also implemented a privacy controls framework containing more than 100 separate activities related to GDPR compliance. This controls framework is the core of our privacy and data protection program and has been reviewed by an independent third party against legal requirements and industry standards.