TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE PERSONAL DATA
FUNPLUS INTERNATIONAL AG
Below is the description of the Technical and Organizational Measures (TOM) implemented by FunPlus International AG. In order to satisfy FunPlus’ obligations under article 32 of the EU GDPR, articles 7 & 8 of the Swiss revised FADP (“Swiss nFADP”), article 3 of the Ordinance to the Swiss nFADP and section 5 of the FunPlus Data Breach Policy, FunPlus management, employees, and dedicated staff are responsible for the development, implementation and maintenance of this TOM for Personal Data Protection. FunPlus will ensure an appropriate level of security, considering the nature, scope, context and purpose of the processing and the risk to the rights and freedoms of the data subjects.
FunPlus reserves the right to change or modify the security measures contained in this TOM at any time and in our sole discretion, without reducing the data protection security level.
1. SECURITY MEASURES TO ENSURE THE CONFIDENTIALITY OF PERSONAL DATA
A. Access control
The access control has been designed to prevent access by unauthorized people to the data processing facilities. These measures also ensure that the authorized people may only access the data in accordance with their access authorization and that personal data cannot be read, copied, modified, altered, or deleted without authorization during the processing and retention period.
FunPlus has implemented and maintains suitable measures to prevent unauthorized persons from gaining access to the personal data held by FunPlus. FunPlus employees are assigned minimum access rights depending on their job requirements.
B. Entrance Control
FunPlus implements an entrance control to prevent unauthorized entrance to its premises and facility rooms. The employees are provided with an access control validation (e.g., badge access system) to be able to enter FunPlus’ premises. FunPlus’ office services providers such as cleaning service personnel and plant service personnel (“Office Service Providers”) are provided with badges to enter the facility. The Office Service Providers have signed a confidentiality agreement and must comply with the Service Provider Notice which contains information about general security and confidentiality obligations towards any FunPlus’ confidential information.
C. Data Usage
On the back-end, all servers and applications use a unified identity management system for privilege authentication. FunPlus’ employees must use their role to submit a permission request, and the applicant must specify the content of the data to be accessed, the reason for the access and the duration of the access. Permissions granted to employees are reviewed periodically after they are granted and are automatically revoked when the employee is transferred or leaves. At the database level, all insertions, queries, updates, and deletions are subject to storage of operation logs, regular analysis of operation traffic, and alerting and blocking of illegal.
2. SECURITY MEASURES TO ENSURE THE AVAILABILITY AND INTEGRITY OF PERSONAL DATA
A. Data Storage
All data is stored in a unified data warehouse platform (Snowflake and AWS) and is graded into tables based on the sensitivity level of the data. For personal privacy-related data, strong encryption algorithms are used for encrypted storage.
B. Transport Control (Data Transfer)
All internet application communications must be encrypted in transit using TLS or other encryption methods. Specific keys are used for signing, authentication, and encryption during data interactions. This ensures the confidentiality, integrity, and reliability of the data.
C. Data Recovery (Protection Against a Technical Incident)
FunPlus protects personal data against accidental destruction or loss. For this purpose, the architecture of data processing systems, including network infrastructure, the power supply, and the connection to the internet must be designed redundantly. A comprehensive backup and recovery concept is in place to prevent data loss.
Measures are taken to ensure that the data can be recovered quickly in the event of data loss. A combination of redundant systems and backup solutions are used to protect against the loss of data. All data is backed up at least once per day. In case of data loss, this data can be recovered from the existing backups.
D. Data Integrity
The data system is backed up daily, and the monitoring system monitors in real time whether the data system has a malfunction. If a problem is detected, it automatically triggers the backup switchover mechanism to restore system availability.
E. System Security
All new features of all businesses will undergo security testing before going online. If security vulnerabilities are found, they will be submitted to the development staff for repair. At the same time, penetration testing of online services will be conducted every day to ensure that new vulnerabilities are discovered and repaired in a timely manner.
F. Data Audit
A log of all the above data lifecycle operations must be kept. Information security can be monitored using technologies such as semantic analysis and behavioral filtering, for example to detect illegal access to sensitive data, elevation of privileges, and failed login events. If abnormal behavior is detected, the system issues alerts to ensure that each breach can be tracked.
G. Data Destruction
A user data erasure interface and a stop switch for each data service must be provided. When users apply to stop sharing their personal privacy data, their personal data must be erased from the data platform in a timely manner.
All games have already launched a self-service account and data deletion function within the game. Currently, players can apply for account and data deletion through customer service or the Privacy Office email address (privacyoffice@funplus.com).
Our copies of data are mainly stored in the following places:
- MySQL database on the server
- AWS S3 object storage
- Databricks
When FunPlus runs its data deletion programs to delete user data, database commands are executed to delete the personal data in MySQL and Snowflake. S3 data is stored in a cold-standby format and cannot be directly deleted, but once the data in the database has been deleted, the data in S3 can no longer be used to restore the Data Subjects’ data, so it is treated as anonymous.
FunPlus cannot directly delete the personal data collected by third parties. Most of the third parties do not provide methods to delete the data. FunPlus can only rely on the storage validity period of the other party, after which the data is generally destroyed automatically, usually after one year.
3. SECURITY MEASURES TO ENSURE THE TRACEABILITY OF PERSONAL DATA
A. Input Control
The data system has a logging function and all operations will leave logs for audit.
B. Disclosure Control
All data transmission actions require an application to be submitted; transmission is allowed only after the usage method and the disclosure recipient have been explained and approval has been obtained.
C. Remediation
All operation logs will be recorded. If unauthorized operations occur, the audit system will detect them and raise an alert. Upon receiving the alert, security personnel will review and investigate in a timely manner to prevent the occurrence of violations.
4. INDUSTRY STANDARDS
FunPlus’ information security and privacy program is based upon recognized industry standards such as ISO 27000:2013 for Information Security Management Systems and ISO 27701:2019 for Privacy Information Management Systems. This means that FunPlus complies with and has implemented strict standards for ensuring the confidentiality, integrity, and availability of our users’, employees’, and partners’ data, FunPlus’s assets, IP, confidential information, and other relevant systems.
5. ORGANIZATIONAL SECURITY MEASURES
A. Employees’ Training
All new employees receive onboarding and mandatory security and data protection awareness training, which must be completed during their first two weeks. The trainings aim to provide them with knowledge about data protection and security measures relevant to their job. FunPlus will also make sure that all respective accounts are disabled as soon as employees leave the organization.
FunPlus has provided its employees with the Data Protection Policy and its sub-policies as a guideline for the employees in doing their day-to-day business activities.
B. Password
Password controls are designed to manage and control password strength, expiration, and usage including prohibiting employees from sharing passwords.
C. Personal Data Transfer
FunPlus ensures that Personal Data can only be accessed by authorized parties during the transfer or storage of personal data. When the Personal Data must be transferred, the following measures are taken to control the transfer of Personal Data:
- The transfer of personal data is encrypted.
- Personal Data shall not be transferred to a third country outside of the European Union and EEA countries in the absence of an adequacy decision. FunPlus will take measures to compensate for the lack of data protection in such third countries by way of appropriate safeguards for the Data Subjects.
- FunPlus utilizes EU Standard Contractual Clauses (EU SCCs) as our primary international data transfer mechanism of Personal Data outside the European Union and EEA countries to third-party countries or international organizations, to ensure the level of protection of such Personal Data. In light of the requirements of the EU SCCs, FunPlus observes additional security measures such as encryption at rest and in transit.
D. Privacy Management
FunPlus operates an internal Data Protection Impact Assessment at the early stage of a new project or system to ensure privacy by design for any new platform features.
FunPlus and the contracted processors must establish appropriate technical and organizational security measures to ensure their safe data processing activities. Both FunPlus and the contracted processor must also regularly review the effectiveness of these measures for critical approval according to an appropriate process.
E. Personal Data Breach Management
In case of a personal data breach, FunPlus shall without undue delay and, where feasible, not later than 72 hours after having become aware of the breach, notify the personal data breach to the Supervisory Authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. The following measures are taken to respond to the incident:
- FunPlus takes the confidentiality and protection of the personal data of its global players, employees, job applicants and partners very seriously.
- When an individual suspects a data protection incident, this must be reported to the Privacy Office. The Privacy Office Coordinator and Legal Team will immediately assess the report and decide whether the incident involves personal data. If the conclusion of the assessment is that a personal data breach has occurred, FunPlus will make a report to the Supervisory Authority within 72 hours after becoming aware of the incident and follow the handling procedure described in the Data Breach Policy. The Privacy Office Coordinator and the Ad-hoc team will investigate the report, data breaches, and exposures, and notify the affected data subjects.
6. REGULAR REVIEW
A process for regularly testing, assessing, and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing must be implemented. This measure is implemented in the form of a data protection management system that is tested and optimized within the scope of a continuous improvement process.
7. CONTACT DETAILS OF FUNPLUS’ PRIVACY OFFICE, AND EU & UK REPRESENTATIVE
A. Privacy Office
FunPlus International AG
Address: Bahnhofstrasse 2, 6300 Zug
E-mail: privacyoffice@funplus.com
B. FunPlus EU Representative:
FunPlus Games Spain SL
Address: Carrer Casp 21, Pl. 5ª 08010, Barcelona, Spain
E-mail: EUrepresentativeoffice@funplus.com
C. FunPlus UK Representative
GRCI Law Limited
E-mail: ukrep@grcilaw.com
Please include “FunPlus International AG” when contacting our UK Representative.
FunPlus International AG – Bahnhofstrasse 2 – 6300 Zug, Switzerland