Digital Security Operations Services (DSOS)
As part of the DSOS, your personal data is collected and processed by Securitas Intelligent Services AB (located in Sweden, reg no. 556655-4670), together with Data Privacy Officer (located in Canada) hereafter collectively referred to as “Securitas”.
1. Scope of the Privacy Notice
Securitas values privacy and is therefore committed to protecting the personal data of all its employees with the greatest possible care, and to processing personal data only in a fair and lawful manner. This Privacy Notice is applicable to Securitas employees for the personal data collected and processed by Securitas within the DSOS.
This Privacy Notice contains essential information on what types of personal information Securitas, as data controller, collects, how Securitas uses that personal information, for what purposes, who Securitas shares it with, how Securitas protects that information, and your statutory rights in relation to your personal information.
As the DSOS involves monitoring end user devices in the workplace (such as your work phone or computer), it is important you familiarize yourself with this privacy notice, and the DSOS information pack (soon to come) to ensure you understand the scope of this activity, what Securitas can see and what we can’t. If you require more information on the information pack please contact our Data Privacy Officer at firstname.lastname@example.org.
2. Description of the DSOS
The DSOS is a cyber security & incident response service, supported by a Global Cyber Emergency Response Team (the CERT team), which monitors the end-user IT environment and Securitas’ network for e.g. vulnerabilities, threats and malicious behaviour to ensure its compliance with corporate privacy & security policies. In addition to security monitoring and incident response, the DSOS also includes digital security forensics, meaning an active search for breaches and infected hosts in the environment.
The DSOS employs a number of third-party cloud solutions hosted in the USA. Please refer to the section on third parties below for more information.
3. Processing of Personal Data
Personal Data can be defined as any information that allows a natural person to be identified, directly or indirectly.
In order to ensure an effective service, Securitas is collecting the following personal data via the DSOS:
- ZScaler: IP address, URLs, Department, Device name/owner, User ID.
- Knowi: IP address and usernames.
- CrowdStrike: IP address, usernames, work email (observed through raw event data collected from the end device, e.g. Windows Event logs, which are native to the Windows operating system).
- Rapid7: IP address, local user, user activity, system and service accounts.
- NVISO: Incident response information.
Securitas processes your personal data in accordance with the requirements of the Personal Information Protection and Electronic Documents Act and applicable provincial laws. A balancing test has been performed to ensure the proper preservation of your rights and freedoms as data subjects in the set-up and operation of the service. For more information about the balancing test performed, please contact your local Data Protection Officer or Privacy Officer.
4. How Securitas will use Personal information
The purpose of processing personal data in the context of the DSOS is information security and incident response: to provide cyber-security resilience for Securitas entities globally. To do this, Securitas is collecting, storing, accessing, viewing and monitoring your data. Securitas is also sharing personal data with specific third parties who are providing solutions to the DSOS. Please refer to the section on third parties for more information.
5. Your Rights as a Data Subject
At all times, you, as a data subject, have certain rights which you can exercise in relation to your personal data, as described in Schedule 1 of the Personal Information Protection and Electronic Documents Act.
Your data subject rights can be exercised free of charge by sending an e-mail to email@example.com.
Please note that Securitas reserves the right to request additional information in order to confirm your identity and ensure the request originates from you before fulfilling your request.
You have the following rights:
Right of access
You have the right at any time and free of charge to access your personal data and to request a copy of the personal data that Securitas collects about you in the DSOS. Our file of your information will usually be made available to you by secure means within 30 days. Extensions are possible in case of complex requests.
In the event that Securitas is unable to give you access to the personal information held about you (for example, if it would unreasonably affect someone else’s privacy or pose a serious threat to someone’s life, health or safety), we will inform you within 30 days. Those are exceptions that are provided for in Principle 4.9 of the Personal Information Protection and Electronic Documents Act.
Please note that Securitas may apply an administrative charge for providing access to your information in a limited number of cases. If you request a copy of your data using electronic means (such as email), then Securitas will provide a copy of your information in electronic form unless you ask us to do otherwise.
Right to rectification
You always have the right to request incorrect personal data to be corrected, or incomplete personal data to be completed.
Right to erasure (“right to be forgotten”)
You can request to have your personal data erased from Securitas systems. The request to erase your personal data cannot always be granted due to contractual or legal obligations. Securitas will take these obligations into account when replying to your request.
Right to object
You have the right to object to the processing of your personal data as the processing takes place on the ground of the legitimate interest of Securitas. We will stop processing unless we can prove that there are compelling legitimate grounds for the processing or for the exercise of legal claims.
Right to restriction of processing
In certain cases, you are entitled to request the restriction of the processing of your personal data. Securitas will continue to store your data but will restrict its use.
Right to lodge a complaint
If, at any time, you believe that Securitas infringes your privacy, you have the right to lodge a complaint with Integritetsskyddsmyndigheten (the Swedish Authority for Privacy Protection), or with the Supervisory Authority in your country of residence, which is the Office of the Privacy Commissioner of Canada.
6. Third Parties & International Transfers
Securitas is using the following third parties, hosted in the United States of America, to provide cloud service solutions to the DSOS:
- CrowdStrike, prevents and detects malware or any other abnormal behavior. This solution helps to get visibility on a global scale of what’s happening on the host (e.g. environment).
- ZScaler, implements a web proxy on the environment and monitors and logs activities.
- Knowi, gives all members on the IT team and the CERT team insight into the IT security and overall health.
- Rapid7, the platform, brings together Rapid7’s library of vulnerability research, exploit knowledge, global attacker behavior, Internet-wide scanning data, exposure analytics, and real-time reporting to provide a fully available, scalable, and efficient way to collect vulnerability data and turn it into answers.
These companies are FISA-regulated companies, meaning they are subject to overriding powers of investigation by US Federal Authorities who have a broad scope to access personal data. Securitas has taken both contractual measures (implementing EU Standard Contractual Clauses) and technical and organizational measures (such as anonymization and/or encryption) to ensure that your personal data is afforded the same level of protection as under the Personal Information Protection and Electronic Documents Act when processed by these FISA-regulated third parties.
Securitas contractually obliges the third parties in the DSOS to only process your personal data in accordance with Securitas’ instructions.
7. Retention of your Personal Data
Securitas acknowledges the importance of the protection of personal data. We do not retain your personal data longer than strictly necessary for the realisation of the purposes for which we received the data. As a standard process, we will delete your personal data from the DSOS within a reasonable period after you exit the company and are no longer a Securitas employee. For more detailed information about the retention and erasure of your data, please contact your Privacy Officer.
In all cases, personal data may be retained for a longer period if there is a legal or regulatory reason to do so.
We guarantee to only provide limited access to archived data and to remove or render anonymous your personal data if the retention period has passed.
Securitas uses technical and organisational security measures to prevent the destruction, loss, falsification, alteration, unauthorized access or disclosure of your personal data to third parties and any other unauthorised processing of these data.
We have made every effort to ensure the confidentiality, integrity and availability of the information systems and services that process personal data. These measures include physical and operational security measures, access control, multi-factor authentication, encryption, anonymization and pseudonymization. All our employees and third parties engaged by us are obliged to respect the privacy and security of your data.
9. Contact Details
If you have comments, questions or concerns about any of the information in this Privacy Notice, or any other issues relating to the processing of your personal data by Securitas, please contact us using the information below.
To contact Securitas Intelligent Services AB please use the following:
Contact our privacy team on
Securitas Intelligent Services AB
Att: Data Privacy
P.O. Box 12307
102 28 Stockholm
Contact our Data Protection Officer on
Securitas Intelligent Services AB
Att: Data Protection Officer
P.O. Box 12307
102 28 Stockholm
To contact your local Securitas entity please refer to the following contact information:
Securitas Canada Limited
Att: Data Privacy Officer
235 Yorkland Blvd, Suite 400
North York, ON, M2J 4Y8
Email: firstname.lastname@example.org
10. Changes to our Privacy Notice
Securitas may amend or update this Privacy Notice from time to time to reflect changes in its practices with respect to the processing of your personal data, or changes in applicable law. When we modify our Privacy Notice, we will change the date and version number of the “last update” of our Privacy Notice. Material changes will be notified to you in advance.
This Privacy Notice was last updated: 2021-08-24