Master Vendor Agreement Privacy and Data Protection Requirements
Updated: May 2, 2011
"Agreement" means the agreement under which you are performing the Services; examples of such agreements are the Microsoft Master Vendor Agreement, the General Purchase Order Terms & Conditions, or other services contracts.
"Services" means the services that you are providing to Microsoft under the terms of the Agreement as described in the Agreement or its related documents (including Statement of Work or Schedule).
"Personal Information" means any information that Microsoft provides or that you collect in connection with the Agreement and:
- That identifies or can be used to identify, contact, or locate the person to whom such information pertains, or
- From which identification or contact information of an individual person can be derived.
Personal Information includes, but is not limited to, name, address, phone number, fax number, e-mail address, social security number or other government-issued identifier, and credit card information. Additionally, if any other information (for example, a personal profile, unique identifier, biometric information, and/or IP address) is associated or combined with Personal Information, then such information is also Personal Information.
Note: Any references to "personal information" in the Vendor Privacy Toolkit, even if not capitalized, have this same meaning.
"You" or "Your" means the Microsoft vendor providing Services under the terms of the Agreement.
Collection of Personal Information and Notice
Any Personal Information you collect or access as part of performing the Services must be limited to what is strictly necessary to perform the Services or to fulfill any legal requirements. If the Services involve the collection of Personal Information directly from individuals, such as through a Web page, you must provide a clear and conspicuous notice regarding the uses of the Personal Information. The notice must comply with all relevant guidelines contained in this Vendor Privacy Toolkit or as otherwise provided by Microsoft.
Limitations on Collection and Use of Payment Card Information
To the extent credit card information will be collected/handled as part of the Services, you, your affiliates and your respective subcontractors, as applicable, at all times must comply, at your own cost, with the Payment Card Industry Data Security Standard (PCI DSS) requirements for cardholder data as prescribed by the PCI Security Standards Council and required to be implemented under the rules and regulations issued by American Express, Discover Financial Services, JCB, Visa International, and MasterCard Worldwide, respectively, as the same may be amended from time to time. Upon request you must provide to Microsoft appropriate documentation to validate your compliance with the PCI DSS requirements.
Use of Personal Information; Restrictions on Sharing with Third Parties
You may use Personal Information only as necessary to perform the Services in accordance with the Agreement and not for any other purpose. You must maintain Personal Information in strict confidence in accordance with the confidentiality provisions of the Agreement. You may not share any Personal Information that you collect or possess with any third parties for any reason except as necessary to carry out the Services, and only under terms and conditions substantially similar to those contained in these Privacy and Data Protection Requirements.
Court Orders; Requests from Law Enforcement
If you are served with a court order compelling disclosure of any Personal Information or with notice of proceedings for such an order, you must:
- Give Microsoft sufficient notice to allow Microsoft a reasonable opportunity to seek a protective order or equivalent, and
- Either work with Microsoft to oppose the order or notice or provide Microsoft the opportunity to intervene before you file any response to the order or notice.
You need to take reasonable steps to protect Personal Information in your possession from unauthorized use, access, disclosure, alteration, or destruction. Security measures include access controls, encryption, or other means, where appropriate. You must immediately notify Microsoft of any known security breach that may result in the unauthorized use, access, disclosure, alteration, or destruction of Personal Information.
You are required to conduct an audit on at least an annual basis to evaluate the security of Personal Information in your possession and to verify that you are complying with the terms of the Agreement and these Privacy and Data Protection Requirements. You must make the results of the audit available to Microsoft on request.
Provision of Personal Information to Microsoft; Requirements upon Termination/Expiration
If Microsoft asks you to do so, you must provide Microsoft with any or all Personal Information in your possession. Within 10 days after termination or expiration of the Agreement, you must, at the sole discretion of Microsoft, either:
- Provide Microsoft with all documents and materials (including any and all copies) containing Personal Information, together with all other materials and property of Microsoft, which are in your possession or under your control, or
- Destroy all such specified documents and materials (including any and all copies in any and all formats) and provide Microsoft with a certificate of destruction signed by an officer of your company.