Data Processing Agreements
In accordance with GDPR requirements for ensuring appropriate contractual obligations between data controllers and their processors, ANSYS has developed the following data processing agreement (DPA) for use with entities that perform data processing activities for or on behalf of ANSYS. ANSYS uses the definitions outlined by the GDPR, including definitions for "personal data", "processing", "data processor", and “data controller.” ANSYS will require a valid DPA with each data processor within the scope of GDPR in order to continue or initiate data processing activities, including ANSYS partners who process personal data for or on behalf of ANSYS. The ANSYS DPA template may be downloaded using the link below. Please complete all highlighted fields on the DPA template, including identification of types of data processed, processing activities undertaken, subprocessors used, and cross-border data transfers required by the processing activities, as requested in the attachments to the DPA. The completed agreement, together with all attachments, must be emailed to firstname.lastname@example.org. Any questions about the DPA provisions or whether a DPA is required may also be directed to email@example.com.
With respect to ANSYS customers and partners, the data processed by ANSYS in marketing, selling, delivering, licensing, and supporting its products and services is processed by ANSYS in the role of a data controller. ANSYS has undertaken and continues to improve its processes to comply with all requirements under applicable data protection laws, including the GDPR, as further outlined by the ANSYS Privacy Notice, which can be located at www.ansys.com/privacy. ANSYS does not currently offer products and services in the role of a data processor; therefore, any GDPR requirements of a DPA between ANSYS and its customers and partners with respect to data processed by ANSYS does not apply. More details about how data processing agreements apply to the ANSYS business model can be found in the Data Processing Agreement FAQs, accessible below.
FREQUENTLY ASKED QUESTIONS - Data Processing Agreements and GDPR
What is the GDPR?
The General Data Protection Regulation (GDPR) outlines a single data privacy law for the European Union. It replaces all data protection legislation in EU member states, including the EU Data Protection Directive (Directive 95/46/EC), without the need for further national legislation. The GDPR goes into effect on 25 May 2018.
Which companies are impacted?
The GDPR applies to all companies that process the personal data of individuals residing in the European Union, regardless of the company’s location or whether payment is involved, including those non-EU entities that have access to shared systems that hold or process this personal data.
What constitutes personal data?
Any information related to a natural person that can be used to directly or indirectly identify the person is considered personal data. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites or other usage data, medical information, location data or persistent identifiers, such as a username, account number, or a computer IP address. Business contact information about individuals is considered personal data (i.e. a person's work email address).
What is the difference between a Data Processor and a Data Controller?
A Data Controller is the entity that determines the purposes, conditions and means of processing personal data (i.e. the owner of the data), while the Data Processor is an entity which processes personal data on behalf of the Data Controller (i.e. a service provider). Service companies can be both a Data Controller (for data about their own employees) and a Data Processor (for services delivered to others). Processing, as defined by the GDPR, includes any action taken with the data, such as destruction, storage, analysis, and transfer.
When is a Data Processing Agreement (DPA) needed between a Data Processor and a Data Controller?
The GDPR requires that specific contractual obligations be outlined between a Data Controller and each Data Processor any time in-scope data is processed on behalf of the Data Controller. For example, any vendor that provides a service to companies that involves the processing of personal data (i.e. payroll providers, benefits providers, document shredding services, cloud storage providers) is likely a Data Processor and will require a DPA outlining its obligations to the Data Controller. However, vendors that provide a product or service in which personal data is not processed on behalf of a third party (i.e. the leasing company who manages an office park, a company that produces and sells supplies and furniture to a business) are not Data Processors for these customers.
ANSYS, as a manufacturer of off-the-shelf software, does not collect and process personal data in the role of Data Processor for its customers. As part of its business advertising, selling, and administering its products, ANSYS may collect personal data of individuals but it does so as a Data Controller rather than a Data Processor because the data is not processed for or on behalf of its customers. While GDPR and other data privacy regulations apply to how ANSYS handles this data, the obligations of a Data Processor under a DPA would not normally apply. Please see our privacy notice for more information about how ANSYS collects and uses personal data: www.ansys.com/privacy
When should we ask a vendor to sign the ANSYS DPA?
Any time a vendor provides ANSYS with a product or service that processes data that may include personal data, ANSYS Legal should be consulted about a DPA. Remember- personal data can mean any data attributed to an individual person, and processing involves any action related to that data (including storage of the data without additional services or even destruction of the data). Except in limited circumstances where other privacy law may govern, it is likely that a vendor offering these kinds of products and services will require a DPA prior to initiating services with ANSYS.
When should we sign a DPA requested by a customer?
Currently, ANSYS does not offer any products or services for which we act as a Data Processor. It is extremely unlikely that we will need to sign a DPA in the role of Data Processor given our business model and any such cases must be reviewed and pre-approved by Legal. Our stance is that we only collect and process personal data as a Data Controller, in accordance with the practices we outline in our privacy notice.