BINDING CORPORATE RULES: ROYAL JORDANIAN AIRLINES
Contact details
Royal Jordanian Data Protection Officer
Alia – The Royal Jordanian Airline Plc (Royal Jordanian)
Um Uthaina
Mohammad Ali Janah Street.
Building No.37
P.O Box 302 Amman
11118 Jordan
e-mail: dpo@rj.com
www.rj.com
Version #1: [24 MAY 2018]
Contents
INTRODUCTION.
1. ARTICLE 1: SCOPE, EFFECTIVE DATE AND IMPLEMENTATION OF THE BCRS.
2. ARTICLE 2: DEFINITIONS.
3. ARTICLE 3: DATA SECURITY.
4. ARTICLE 4: DATA QUALITY AND PROPORTIONALITY.
5. ARTICLE 5: AUTHORISED PURPOSES FOR PROCESSING PERSONAL DATA.
6. ARTICLE 6: LEGAL BASIS FOR PROCESSING OF SENSITIVE PERSONAL DATA.
7. ARTICLE 7: LEGAL BASIS PROCESSING FOR OTHER PURPOSES THAN ORIGINAL PURPOSE.
8. ARTICLE 8: REASONABLE USE, EXTENT AND RETENTION OF PERSONAL DATA.
9. ARTICLE 9: DIRECT MARKETING.
10. ARTICLE 10: INFORMATION TO THE INDIVIDUAL WHOSE PERSONAL DATA IS COLLECTED AND PROCESSED AND RESPECT OF THE RIGHTS OF DATA SUBJECTS.
11. ARTICLE 11: AUTOMATED INDIVIDUAL DECISIONS.
12. ARTICLE 12: SECURITY AND CONFIDENTIALITY.
13. ARTICLE 13: RELATIONSHIPS WITH PROCESSORS THAT ARE MEMBERS OF THE GROUP.
14. ARTICLE 14: RESTRICTIONS ON TRANSFERS AND ONWARD TRANSFERS TO EXTERNAL PROCESSORS AND CONTROLLERS (NOT MEMBERS OF THE GROUP).
15. ARTICLE 15: TRAINING PROGRAMME.
16. ARTICLE 16: AUDIT PROGRAMME.
17. ARTICLE 17: COMPLIANCE AND SUPERVISION OF COMPLIANCE, APPOINTMENT OF A DATA PROTECTION OFFICER.
18. ARTICLE 18: ACTIONS IN CASE OF NATIONAL LEGISLATION PREVENTING RESPECT OF THE BCRs.
19. ARTICLE 19: INTERNAL COMPLAINT MECHANISMS.
20. ARTICLE 20: LIABILITY OF RJ AND THIRD PARTY BENEFICIARY RIGHTS.
21. ARTICLE 21: OBLIGATIONS TOWARDS DATA PROTECTION AUTHORITIES.
22. ARTICLE 22: UPDATES OF THE BCRs.
INTRODUCTION
Alia – The Royal Jordanian Airlines Plc (hereinafter “Royal Jordanian” or “RJ”) sets out in this document its Binding Corporate Rules (the “BCRs”) that express its commitment to the protection of the Personal Data of RJ Customers, Suppliers and Business Partners. Their objective is to provide adequate protection for the transfers and processing of personal data by RJ staff and entities in the RJ Group, including its companies, subsidiaries, affiliates and any other entity under its ownership or control.
The BCRs explain how this commitment is implemented by the RJ Group throughout its operations. They specifically set out RJ’s approach to transfers of Personal Data between entities in the RJ Group and apply to RJ’s operations worldwide.
The BCRs are communicated to all RJ employees and are published on the external RJ website accessible at www.RJ.com.
ARTICLE 1: SCOPE, EFFECTIVE DATE AND IMPLEMENTATION OF THE BCRS
1.1 Scope
The BCRs apply to all Personal Data of employees, customers, suppliers, contractors and other natural persons in the European Economic Area (“EEA”), collected and used by RJ.
They specifically set out RJ’s approach to transfers of Personal Data between entities in the RJ Group.
For the privacy rules applicable to the personal data of RJ Employees in the EEA, please refer to the Employee Privacy Notice.
1.2 Effective Date
The BCRs enter into force on 25 May 2018 (the “Effective Date”). The RJ BCRs supersede all prior RJ privacy policies and notices that exist on the Effective Date to the extent they cover the same issues or conflict with the BCRs.
1.3 Implementation of the BCRs
Data Protection Officer
The operation of the BCRs is the responsibility of the Data Protection Officer. If there is a question as to the interpretation, implementation or applicability of the BCRs, RJ staff shall seek the advice of the Data Protection Officer prior to conducting any relevant Processing.
Data Protection Authority
For the purposes of compliance with the GDPR, RJ has selected the United Kingdom Information Commissioner’s Office (“ICO”) as its Supervisory Authority.
Applicable law being implemented by the BCRs
The BCRs implement the obligations created by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”). RJ is committed to interpreting the terms of the BCRs according to the GDPR and relevant guidance from the European Commission and the ICO.
ARTICLE 2: DEFINITIONS
“Consent” of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her;
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
“Data Protection Officer” means the person appointed by RJ to oversee the observance of applicable data laws by Staff (including Processors), and to oversee the implementation of RJ’s data compliance policies;
“Data Subject” means an identified or identifiable natural person;
“European Economic Area” means the area of the 28 European Union Member States and Iceland, Liechtenstein and Norway where the European Economic Area treaty of 1 January 1994 applies;
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation”), as such may be amended or modified;
“Legitimate Purpose” means the authorised ground for collecting and processing Personal Data set out in Article 5 of these BCRs;
“Personal Data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
“RJ Group” means Alia – The Royal Jordanian Airlines plc (Royal Jordanian), Royal Wings Co., LTD., Royal Tours and Tikram For Airport Services PSC;
“Sensitive Personal Data” means Personal Data that reveals a Data Subject’s racial or ethnic origin; political opinions or membership of political parties or organisations; religious or philosophical beliefs; membership of a professional or trade organisation or union; physical or mental health or condition, including disabilities; sexual orientation; criminal record; or social security numbers issued by state or public authorities;
“Staff” means all RJ employees (including temporary or permanent staff) as of the Effective Date, who Process Personal Data as part of their duties or responsibilities using RJ data systems or working primarily from RJ premises. For the purposes of these BCRs, consultants hired to work for RJ are Staff;
“Third Party” means a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorised to Process Personal Data.
ARTICLE 3: DATA SECURITY
3.1 Staff shall take appropriate, commercially reasonable measures to protect Personal Data from misuse or accidental, unlawful or unauthorised destruction, erasure, loss, alteration, modification, disclosure, acquisition or access.
(a) Staff access:
Staff shall have access to Personal Data only to the extent necessary to serve the applicable business purpose and to perform their tasks.
Staff who have access to Personal Data shall meet their confidentiality obligations as specified by their contract and by RJ staff guidelines and policies.
ARTICLE 4: DATA QUALITY AND PROPORTIONALITY
4.1 Processing of Personal Data shall be restricted to data that is reasonably adequate for and relevant to the applicable Legitimate Purpose. It should be accurate, complete and kept up-to-date to the extent reasonably necessary for the applicable Legitimate Purpose.
RJ shall take reasonable steps to securely delete or destroy Personal Data that is not required for the applicable Legitimate Purpose.
Personal Data shall be held only:
(a) For as long as necessary to serve the applicable Legitimate Purpose;
(b) For as long as necessary to comply with an applicable legal requirement; or
(c) For as long as necessary in light of any applicable statute of limitations.
Promptly after the relevant retention period has ended, the Personal Data shall be treated in one of the following alternative ways:
(a) It shall be securely deleted or destroyed; or
(b) It shall be pseudonymised in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, and that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal Data are not attributed or attributable to an identified or identifiable natural person; or
(c) It shall be transferred to an Archive (unless this is prohibited by applicable local law or an applicable RJ records retention schedule).
The Data Subject shall be required to inform RJ if Personal Data they have provided are inaccurate, incomplete or outdated and RJ shall rectify the data in accordance with Article 10.
ARTICLE 5: AUTHORISED PURPOSES FOR PROCESSING PERSONAL DATA
Personal Data shall be collected, used, transferred or otherwise Processed for one or more of the following purposes:
(a) RJ business purposes; or
(b) RJ management purposes.
5.1 RJ Business Purposes
Compliant purposes for the Processing of Personal Data necessary for RJ Business purposes include:
(a) The conclusion and execution of agreements with customers, suppliers and business partners (including providing customer services and the purchase of goods and/or services);
(b) Recording and financially settling the delivery of services, products and materials to and from RJ;
(c) Conducting marketing activities and promotions;
(d) Finance and accounting management;
(e) Research and development;
(f) Internal management and control;
(g) Fulfilling obligations under laws and regulations, including conducting relations with government and regulatory agencies; and
(h) Transactions involving alliances, ventures, mergers, acquisitions, and divestitures.
5.2 RJ Management Purposes
Compliant purposes for the Processing of Personal Data necessary for RJ management purposes include:
(a) Internal management, such as Processing necessary for managing company assets, conducting internal audits and investigations, and implementing business controls;
(b) Internal management, such as Processing necessary for implementing RJ health, safety and security policy, including the protection of RJ and RJ Staff assets, and authenticating customers, suppliers or business partners for status and access rights;
(c) Internal management, such as Processing necessary for complying with legal obligations; and
(d) Internal management, such as Processing necessary to protect the vital interests of the Data Subject or of another natural person.
5.3 Consent
RJ shall ensure that whenever Personal Data is Processed, at least one of the following applies:
(a) The Data Subject has given Consent to the processing of his or her personal data for one or more specific purposes;
(b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) Processing is necessary for compliance with a legal obligation to which the RJ is subject;
(d) Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
(e) Processing is necessary for the purposes of the legitimate interests pursued by RJ, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
5.4 Denial or Withdrawal of Consent
Since a Data Subject may deny or withdraw Consent at any time, Processing by RJ will be discontinued unless RJ has taken action that relies on Consent that has previously been given. In this latter case RJ shall discontinue Processing as soon as reasonably practical.
ARTICLE 6: LEGAL BASIS FOR PROCESSING OF SENSITIVE PERSONAL DATA
RJ shall Process Sensitive Personal Data only to the extent necessary to serve a Legitimate Purpose as permitted under applicable law.
In situations when Sensitive Data is Processed based on a legal requirement other than the local law applicable to the Processing, or based on the consent of the Data Subject, Processing will only occur either: (i) upon obtaining the prior approval of the Data Protection Officer; or (ii) under a privacy sub-policy governing the Processing.
6.1 Sensitive Data may be Processed under one or more of the following circumstances:
(a) Where the Data Subject has expressly consented to the Processing, including “opt-ins”;
(b) When providing services to the Data Subject providing the Sensitive Personal Data;
(c) Where the Data Subject providing the Sensitive Personal Data is voluntarily participating in a research project or service/product test;
(d) With regard to racial or ethnic data, RJ may process photos and video images where this is necessary to safeguard RJ’s or Staff’s assets, for site access and security reasons, and for the authentication of, inter alia, customer, supplier or business partner status and access rights;
(e) With regard to genetic or biological data, where this is necessary to safeguard RJ’s or Staff’s assets, for site access and security reasons, and for the authentication of, inter alia, customer, supplier or business partner status and access rights;
(f) To prevent, detect or prosecute (including cooperating with public authorities) suspected fraud, breaches of contract, violations of law, or other breaches of the terms of access to RJ sites or assets;
(g) To establish, exercise or defend a legal claim;
(h) To protect the vital interest of the Data Subject or of another natural person, but only where it is impossible or impractical to obtain the relevant Consent first, (such as an accident requiring urgent action);
(i) Where this is required or necessary to comply with applicable law;
(j) Sensitive Data may only be processed for Secondary Purposes under the conditions set out in Article 7.
ARTICLE 7: LEGAL BASIS PROCESSING FOR OTHER PURPOSES THAN ORIGINAL PURPOSE
7.1 RJ shall generally only Process Personal Data for the purposes for which they were originally collected (“Original Purpose”).
7.2 Such data may be Processed for a purpose other than the Original Purpose (“Secondary Purpose”) where the Original and Secondary Purposes are closely linked.
7.3 The provisions of this Article apply to the Processing of Sensitive Data for a Secondary Purpose.
7.4 In Processing data for a Secondary Purpose, RJ shall conduct an impact assessment of the potential for harm to the Data Subject as a result of the Processing for a closely-linked Secondary Purpose, which shall assess the need for:
(a) Limiting access to the Personal Data;
(b) Implementing additional confidentiality and security measures;
(c) Informing the Data Subject about the Secondary Purpose, including providing an opt-out opportunity; and
(d) Obtaining the Data Subject’s Consent.
7.5 Permitted reasons for Processing Personal Data for Secondary Purposes, subject to clearance by the Data Protection Officer, are:
(a) Conducting internal audits or investigations;
(b) Implementing RJ business policy;
(c) Conducting statistical, historical or scientific research;
(d) Dispute resolution management and using legal or business consulting services;
(e) Insurance management; or
(f) Archiving.
ARTICLE 8: REASONABLE USE, EXTENT AND RETENTION OF PERSONAL DATA
RJ shall limit the Processing of Personal Data to such data as is reasonably suitable for and relevant to the applicable Legitimate Purpose.
8.1 RJ shall retain Personal Data only:
(a) For the period required to address the applicable lawful purpose;
(b) To the extent reasonably necessary to comply with an applicable legal obligation or requirement;
(c) For as long as advisable in light of an applicable statute of limitations; and
(d) Without prejudice to the above, RJ may specify a time period for which certain categories of Personal Data will be kept (in an RJ notice or RJ records retention protocol).
RJ shall take reasonable technical and physical steps safely and securely to delete or destroy Personal Data that is not required or no longer required for the applicable lawful purpose.
ARTICLE 9: DIRECT MARKETING
Direct marketing shall be performed by RJ only with the consent of the targeted individual.
9.1 For the purpose of addressing direct marketing communications to existing or prospective customers, RJ shall do the following:
(a) Obtain the prior affirmative consent of the targeted individual (to the extent that this is required by law);
(b) Offer the individual the opportunity to choose not to receive such communications; and
(c) In every subsequent direct marketing communication that is made to such individuals, offer the opportunity to opt-out of further marketing communication.
RJ shall respect objections to marketing and if the targeted individual objects to receiving marketing communications from RJ, or withdraws consent to receive such communications, RJ shall cease sending further marketing materials as specifically requested by the individual and shall delete the individual’s Personal Data from its marketing database (save under the conditions set out in Article 8).
ARTICLE 10: INFORMATION TO THE INDIVIDUAL WHOSE PERSONAL DATA IS COLLECTED AND PROCESSED AND RESPECT OF THE RIGHTS OF DATA SUBJECTS
RJ shall inform Data Subjects whose Personal Data is collected and processed by publishing a Privacy Notice which shall explain and provide information on:
10.1 The Legitimate Purposes for which Personal Data is Processed, which shall be communicated to the Data Subject together with the following information:
The RJ entity responsible for the Processing of the Processed Personal Data.
Information concerning the nature and categories of the Processed Personal Data, the categories of Third Parties to which the Personal Data are disclosed (if any), and on how the Data Subject who provides Personal Data can exercise rights under applicable laws.
Where reasonably available, the source, type, purpose and categories of recipients of the relevant Personal Data.
The Data Subject’s rights to access, rectify, delete or block access to the Personal Data provided and how such rights may be exercised (e.g. by contacting the Data Protection Officer or an appropriate page on the RJ website).
The Data Subject’s right to object to the Processing of the Personal Data provided on the basis of compelling grounds related to the individual’s situation and how such a right may be exercised (e.g. by contacting the Data Protection Officer or an appropriate page on the RJ website).
The above requirements may be dispensed with, under authorisation from the Data Protection Officer, where: (i) it is impossible to inform the individual; (ii) where this would involve a disproportionate effort; or (iii) the provision of such information would result in disproportionate cost.
10.2 Exercise of Rights under Articles 5 and 6
The Data Subject exercising the rights referred to in Articles 5 and 6 may be requested to show proof of identity. In the case of a request to rectify, delete, or block, the Data Subject should be requested to specify the reasons why the Personal Data are incorrect, incomplete or not Processed in accordance with applicable law or the BCRs. In all cases, the Data Subject should be requested to specify the type of Personal Data in question and the circumstances under which RJ obtained the Personal Data.
The Data Protection Officer shall respond to the Data Subject making requests under 5 and 6 above within one month. The Data Protection Officer shall inform the Data Subject in writing either: (i) of RJ’s position with regard to the request or the objection and any action RJ has taken or will take in response to the request; or (ii) of the ultimate date on which the Data Protection Officer will inform the Data Subject of RJ’s position, which date shall be no later than two months thereafter.
10.3 Rights of Complaint
(a) A Data Subject making requests under this Article shall be given the opportunity to file a complaint in accordance with Article 19 if:
The response to the request or the objection is unsatisfactory to the Data Subject; or
The Data Subject has not received a response as required.
(b) A Data Subject’s request or objection may be denied under the guidance of the Data Protection Officer by RJ if:
The request or objection does not meet the requirements of the BCRs;
The request or objection is not sufficiently precise or specific or supported by evidence;
The request or objection is made within an unreasonable time interval of a prior request or objection; or
The request or objection is otherwise reasonably considered to be an abuse of rights, for instance because of its repetitive character or the unreasonable interval since a previous request or objection.
ARTICLE 11: AUTOMATED INDIVIDUAL DECISIONS
RJ may use automated tools to make decisions about Data Subjects but decisions shall not be based solely on the results provided by this process.
11.1 This restriction does not apply if:
The use of automated tools is required or authorized by law;
The decision is made by RJ in order to enter into or perform a contract, provided that the request leading to a decision by RJ was made by the Data Subject; or
Appropriate measures have been taken to safeguard the legitimate interests of the Data Subject (for example, the Data Subject has provided or been given an opportunity to express a view).
ARTICLE 12: SECURITY AND CONFIDENTIALITY
Appropriate and commercially reasonable technical, physical and organisational measures shall be taken by RJ to protect Personal Data from its misuse or accidental, unlawful or unauthorised destruction, loss, alteration, disclosure, acquisition or access.
Staff shall be authorised to access Personal Data only to the extent necessary to serve the applicable Legitimate Purpose and to perform their tasks as RJ employees. Such RJ staff shall be subject to appropriate confidentiality obligations as specified by contract and RJ policies.
ARTICLE 13: RELATIONSHIPS WITH PROCESSORS THAT ARE MEMBERS OF THE GROUP
13.1 When transferring Personal Data to parties within the RJ Group, RJ shall transfer Personal Data only to the extent necessary to serve the Legitimate Purpose for which the Personal Data is Processed (this includes processing for purposes for which the Data Subject has provided consent or for Secondary Purposes in accordance with Articles 5 and 7, respectively).
13.2 RJ shall ensure that Personal Data shall be Processed within the RJ Group in compliance with the terms of the BCRs and that the data privacy interests of Data Subjects concerned are protected as required by the BCRs and applicable laws.
ARTICLE 14: RESTRICTIONS ON TRANSFERS AND ONWARD TRANSFERS TO EXTERNAL PROCESSORS AND CONTROLLERS (NOT MEMBERS OF THE GROUP)
14.1 When transferring Personal Data to parties not members of the RJ Group, a distinction shall be made between:
(a) Third Party Data Processors, namely parties that Process Personal Data solely on behalf of RJ and under RJ direction (e.g. Third Parties that Process passenger registration data on behalf of RJ); and
(b) Third Party Data Controllers, namely Third Parties that Process Personal Data and determine the purposes and methods of the Processing (e.g. RJ business partners that provide their own goods or services to Customers).
14.2 RJ shall transfer Personal Data to a Third Party only to the extent necessary to serve the Legitimate Purpose for which the Personal Data is Processed (including processing for Secondary Purposes or for purposes for which the Data Subject has provided consent in accordance with Article 5).
14.3 RJ shall ensure that Third Party Data Controllers (other than public authorities) can Process Personal Data obtained in connection with their relationship with RJ only if such Third Party Data Controllers have a written contract with RJ.
14.4 RJ shall ensure that the data privacy rights of Data Subjects concerned by such Processing are protected contractually.
14.5 The transfer of business contact information may be made to a Third Party Data Controller without a contract if RJ takes reasonable steps to ensure that such information will be used by the Third Party Data Controller to contact the Data Subject for legitimate business purposes related to that same Data Subject’s business or interests.
14.6 RJ shall not transfer, sell, lease, or offer for hire Business Contact Information in bulk to a Third Party Data Controller without consent except as permitted or required under applicable law and to the extent such transfer, sale, lease, or rent serves a Business Purpose (per Article 5.1).
14.7 Third Party Data Processor Contracts
Third Party Data Processors may Process Personal Data only if the Third Party Data Processor has a written contract with RJ which includes terms and conditions addressing the following:
The Third Party Data Processor shall Process Personal Data only in accordance with RJ’s instructions and for the purposes authorised by RJ;
The Third Party Data Processor shall keep the Personal Data confidential;
The Third Party Data Processor shall take appropriate technical, physical, administrative and organisational security measures to protect the Personal Data;
The Third Party Data Processor shall not permit subcontractors to Process Personal Data in connection with its obligations to RJ without the prior written consent of RJ;
RJ shall have the right to review the security measures taken by the Third Party Data Processor, and the Third Party Data Processor shall be required to submit its relevant data processing facilities to audits and inspections by RJ or any relevant government authority; and
The Third Party Data Processor shall promptly inform RJ of any incident involving Personal Data, including hacking or data breaches concerning the obligations set out by the GDPR.
14.8 Transfers to Territories without an EU Adequacy Decision or Data Treaty
Transfers of Personal Data to a Third Party located in a country that is not considered by the European Commission to provide an ‘adequate level of protection’ for Personal Data under Chapter V of the GDPR (“Non-Adequate territory”) shall only be made if one of the following conditions is satisfied:
(a) A contract has been concluded between RJ and the relevant Third Party that provides for safeguards at a similar level of protection as that provided by the BCRs;
(b) The contract shall conform to any model contract required under applicable local law (if any, including those covered by guidance from the European Data Protection Board or the ICO);
(c) The Third Party has been certified under the EU-US Privacy Shield as such treaty may be modified or succeeded by EU-US data treaties or any other similar scheme or treaty that is recognised as providing an ‘adequate’ level of data protection for GDPR purposes;
(d) The Third Party has established binding corporate rules or a similar transfer control mechanism which provide adequate safeguards as required under applicable law and these have been deemed GDPR compliant by competent authorities;
(e) The transfer is necessary for the performance of a contract with the customer, supplier or business partner or to take necessary steps at the request of the customer, supplier or business partner prior to entering into a contract;
(f) The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between RJ and a Third Party;
(g) The transfer is necessary to protect a vital interest of the Data Subject or of another natural person (for example, dealing with an emergency);
(h) The transfer is necessary for the establishment, exercise or defence of a legal claim;
(i) The transfer is required by any law to which the relevant RJ entity is subject; or
(j) The individual has consented to such transfer.
14.9 Non-Adequate Territory Consent for Transfer
When seeking consent pursuant to Article 14.8(j), RJ shall provide the Data Subject with the following information:
The purpose of the transfer;
The identity of the transferring RJ entity;
The identity or categories of Third Parties to which the Personal Data will be transferred;
The categories of Personal Data that will be transferred;
The country to which the Personal Data will be transferred; and
The fact that the Personal Data will be transferred to a Non-Adequate territory.
14.10 Transfers between Non-Adequate Territories
Personal Data collected by RJ in the EEA and transferred to a Third Party located in a Non-Adequate territory may in turn be transferred to a second Third Party located in that same or another Non-Adequate territory only if the following conditions are met:
The transfer must be necessary for compliance with a legal obligation to which the relevant RJ entity is subject;
The transfer must be necessary to serve the public interest; or
The transfer must be necessary to satisfy a Legitimate Purpose of RJ (per Article 5).
ARTICLE 15: TRAINING PROGRAMME
RJ shall provide training on the BCRs and other data privacy and data security obligations and best practices to staff who have access to Personal Data or who have responsibilities concerning the management of Personal Data.
ARTICLE 16: AUDIT PROGRAMME
RJ shall bear responsibility for auditing all RJ entities’ business processes and procedures involving the Processing of Personal Data to assess their compliance with the BCRs:
Such an audit shall be carried out on an annual basis by the internal RJ audit team or an accredited external audit team or on the specific request of the Data Protection Officer.
Such audits shall be performed up to appropriate professional standards of independence, integrity and confidentiality.
The Data Protection Officer shall be informed of the results of the audits and a report submitted to RJ senior management.
RJ shall ensure that adequate steps are taken to address any shortcomings or breaches of the BCRs identified during the monitoring or auditing of compliance pursuant to this Article.
A copy of the audit results shall be provided to the ICO upon request, which may in turn carry out a data protection audit if required.
Every member of the RJ Group submits that they may be audited by the ICO and that they will abide by the advice of the ICO on any issue related to the BCRs.
ARTICLE 17: COMPLIANCE AND SUPERVISION OF COMPLIANCE, APPOINTMENT OF A DATA PROTECTION OFFICER
17.1 RJ shall appoint a Data Protection Officer who is responsible for:
Supervising compliance with the BCRs;
Providing advice on the implementation of the BCRs and interpretation of GDPR obligations, including coordination with the General Counsel, and advice to the RJ Board and senior management;
Organising RJ’s response to investigations or inquiries into the Processing of Personal Data by public authorities including the ICO;
Presenting annual reports on compliance with GDPR obligations.Appropriate professional standards of independence, integrity and confidentiality shall be maintained when conducting RJ internal compliance reviews;
Supervising RJ’s response to any Data Requests or complaints about RJ’s compliance with GDPR obligations;
Supervising RJ’s response to any issues of compliance, including privacy issues and breaches of GDPR obligations (if these occur); and
RJ shall wherever appropriate ensure that adequate steps are taken to address breaches of the BCRs identified during the monitoring or auditing of compliance.
17.2 Sanctions for Non-Compliance
Non-compliance with the BCRs may result in disciplinary action and sanctions including termination of employment.
ARTICLE 18: ACTIONS IN CASE OF NATIONAL LEGISLATION PREVENTING RESPECT OF THE BCRs
18.1 Conflicts of Law when Transferring Personal Data
In a situation where a legal requirement to transfer Personal Data conflicts with the national laws of EEA Member States or other countries with legal requirements regarding cross-border data transfer, any relevant Personal Data transfer shall be authorised in advance by the Data Protection Officer. Where appropriate, guidance shall be requested from the ICO or other competent public authority.
18.2 Conflicts between the BCRs and Local Law
ARTICLE 19: INTERNAL COMPLAINT MECHANISMS
19.1 Data Subjects shall be entitled to submit a complaint regarding compliance with the BCRs:
- In accordance with the complaint procedure stipulated in the relevant privacy policy or contract; or
- With the Data Protection Officer, who shall investigate the complaint and, where necessary, advise RJ on appropriate compliance measures, monitoring such steps until their completion. The Data Protection Officer shall consult the ICO, if appropriate, on the measures to be taken.
19.2 Within one month of RJ receiving a complaint, the Data Protection Officer shall inform the complainant in writing either:
- Of RJ’s response with regard to the complaint and any action RJ has taken or proposes to take in response; or
- Of the ultimate date on which the complainant will be informed of RJ’s position, which date shall be no later than one month thereafter.
19.3 Admissibility of Complaints
Complaints shall only be admissible if the complainant has followed the procedure set out in the BCRs. Any complaint of an individual concerning any right the individual may have under the BCRs shall be directed to RJ only and shall exclusively be brought before the ICO in the UK (except where a Data Protection Authority of one of the EEA countries has jurisdiction) or the competent court in England and Wales.
19.4 Entitlement to Remedies for Breaches
Under the BCRs, Data Subjects or other natural persons shall only be entitled to the remedies available to them under the UK Data Protection Act (as it may be amended or replaced from time to time), English Common Law and the English Civil Procedure Rules, which shall include the right to damages. However, RJ shall be liable only for direct damages (which exclude, without limitation, lost profits or revenue and lost turnover) suffered by an individual as a result of a violation of the BCRs.
ARTICLE 20: LIABILITY OF RJ AND THIRD PARTY BENEFICIARY RIGHTS
20.1 RJ entities and Staff shall comply with the BCRs:
- The BCRs are binding obligations and failure to follow them may result in employee disciplinary action, including termination and other penalties as provided by law.
- RJ accepts responsibility for and agrees to oversee the RJ Group’s compliance with the BCRs and shall help ensure Third Parties take the necessary action to remedy any acts of non-compliance relating to the BCRs.
- The Data Protection Officer shall investigate claims of non-compliance to determine whether a violation of the BCRs has occurred. If a violation is confirmed, the Data Protection Officer and the relevant RJ entity shall work together to address and resolve the violation within a commercially reasonable time.
20.2 As may be permitted by the GDPR, RJ customers, contractors and employees shall have the right to claim enforcement of the BCRs or liability as third party beneficiaries, as set out in the BCRs, in respect of:
- Application of laws;
- Principles for processing Personal Data;
- Security, confidentiality;
- Consent;
- Transfers of Personal Data;
- Direct marketing;
- Complaint handling processes;
- Liability and third party rights; and
- Obligations towards Data Protection Authorities.
As may be permitted by the GDPR, RJ customers, contractors and employees shall have the right to claim appropriate compensation from RJ before the ICO or the courts in accordance with the BCRs and applicable law. The enforcement rights and mechanisms described in this Article are in addition to other remedies or rights available under applicable law.
ARTICLE 21: OBLIGATIONS TOWARDS DATA PROTECTION AUTHORITIES
21.1 Obligations towards the ICO
- RJ entities shall respond diligently and appropriately to requests from the ICO about the BCRs and their compliance with privacy laws and regulations.
- If any member of Staff receives such a request from the ICO, he or she should immediately inform the Data Protection Officer, who shall reply to the ICO.
- With regard to transfers of Personal Data between RJ entities, the importing and exporting RJ entities shall cooperate with inquiries and accept audits from the ICO, and respect decisions, consistent with applicable law and due process rights.
21.2 Mutual Assistance and Cooperation with Data Protection Authorities
- RJ entities shall cooperate and assist each other when responding to a request or complaint from an individual or an investigation or inquiry by the ICO or other relevant data authority.
- RJ entities shall abide by the advice of the ICO on any issues regarding the interpretation of the BCRs.
ARTICLE 22: UPDATES OF THE BCRs
22.1 The BCRs shall only be amended with the prior approval of the Data Protection Officer. Where applicable, the Data Protection Officer shall obtain the authorisation of the ICO for any relevant changes to the BCRs.
22.2 No transfer of data shall be made to an RJ entity or Staff until the transfer is appropriately covered by the BCRs and the related compliance measures are in operation.
22.3 Any amendment shall only enter into force after it has been approved by the Data Protection Officer and published on the RJ website.
22.4 The Data Protection Officer shall be responsible for informing the ICO of significant changes to the BCRs on an annual basis. The Data Protection Officer shall inform the RJ Board of the advice, guidance or response of the ICO, if any.
22.5 Any request, complaint or claim involving the BCRs shall be determined by reference to the version of the BCRs that is in force at the time the request, complaint or claim is made.