Binding Corporate Rules - Processor Policy

INTRODUCTION TO THIS POLICY

This Binding Corporate Rules Processor Policy and its Appendices (together the “Policy”) set out the approach taken by Avature Group (as defined below) in respect of the protection and management of personal data by the Avature Group members adhered to this Policy when processing information on behalf of a controller Third Party (as defined below).

The Avature group of companies (“Avature Group”) is a corporate organization operating in several countries dedicated to bringing new technology, new ideas and new solutions to customers’ challenges. In particular, the Avature Group provides cutting-edge talent acquisition and talent management software solutions that fit customers’ specific needs, accommodate to their particular transformation objectives, and deliver a competitive advantage when deployed within each customers’ organization.

In addition to other definitions provided under this Policy, the following further terms shall have the meanings ascribed to them:

“Applicable Local Law” means any national / local data protection law (including, as the case may be, European data protection law) applicable to the pertinent Group Member.

“customer” means a controller Third Party for which a Group Member provides a service;

“customer personal data” means any customer´s employees (and other personnel) personal data which Group Members process on behalf of a customer (controller) in the context of the services provided to it. Customer personal data does not include personal data for the operation of the service (i.e., billing data), which is processed by Group Members in their capacity as controllers and is therefore excluded from this Policy;

“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

“data processing agreement” means a contract or any other type of legal instrument containing data processing terms and conditions;

“processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

“Europe” means the countries in the European Economic Area (“EEA”);

“European data protection law” means the GDPR and any data protection law of an EU Member State, including local legislation implementing the requirements of the GDPR, including subordinate legislation, in each case as amended from time to time;

“GDPR” means European Union (EU) Regulation 2016/679 (the General Data Protection Regulation);

“Group Member” means the Avature Group members adhered to this Policy;

“Liable BCR Member” means Avature Spain, S.L.U.;

“personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“processing” means any operation or set of operations that is performed by a Group Member on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“profiling” means any form of automated processing consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

“special categories of personal data”, “sensitive data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation; and

“supervisory authority” or “competent supervisory authority” means an independent public authority established in a European jurisdiction which is responsible for monitoring the application of European data protection law in order to protect the fundamental rights and freedoms of natural persons in relation to processing; and

“Third-Party” means any entity which is not a Group Member.

This Policy applies to all customer personal data processed by Group Members as processors and/or sub-processors as part of their regular business activities in the course of providing services to a customer.

Group Members and their employees must fully comply with, and respect, this Policy in the course of processing customer personal data in their capacity as service providers (processor or sub-processor) to a customer.

This Policy is additional to, and does not replace or supersede, any specific data protection requirements or rules regarding confidentiality that might apply to a business area or function within the Avature Group or as required by applicable law.

This Policy, together with a list of current Group Members and their contact details, is published on the company intranet and the website publicly accessible here.

PART I: BACKGROUND AND ACTIONS

What is data protection law?

European data protection law gives people the right to control how their personal data is processed. Under European data protection law, when an organisation processes personal data for its own purposes, that organisation is deemed to be a controller of that information and is therefore primarily responsible for meeting the legal requirements. So, for example, where we are an employer, we will be the controller of the personal data that we process about our employees.

When, on the other hand, an organisation processes information on behalf of another entity (a controller) (for example, to provide a service), the former is deemed to be a processor of the data and: (i) the controller will be primarily responsible for its own compliance and ensuring the compliance of its processor(s); and (ii) the processor will be responsible of, among other things, complying with obligations such as those contained in Articles 28 and 30 GDPR.

How does European data protection law affect Group Members internationally?

European data protection law does not allow transfers of personal data to countries, territories or international organisations outside Europe that do not ensure an adequate level of protection for individuals’ data privacy rights. As some of the countries in which Group Members operate are not regarded by the European Commission as providing an adequate level of protection, appropriate safeguards must be put in place that meet the requirements of European data protection law.

What are Group Members doing about it?

Group Members must take proper steps to ensure that their processing of personal data on an international basis is safe and, hence, lawful. The purpose of this Policy, therefore, is to set out a framework to satisfy the standards contained in European data protection law and, as a result, provide an adequate level of protection for all customer personal data which is transferred to or processed by Group Members as processors and/or sub-processors.

As anticipated above, under European data protection law, processors shall put in place a data processing agreement with controllers that complies with obligations such as those contained in article 28 GDPR. Such agreement will regulate, among others, the international transfers of data carried out to and/or by the processor. In this regard, where the Group Members’ customers rely upon this Policy as providing adequate safeguards, a link to this Policy will be incorporated into the agreement with that customer, as well as at least:

contractual provisions to the effect of making this Policy enforceable by the pertinent customers;
a commitment by the pertinent customers to inform data subjects about (i) international transfers involving special categories of personal data; (ii) the existence of processors based outside Europe; and (iii) the existence of this Policy (making available to them upon request a copy of such Policy and the pertinent agreement in place);
a clear description of (i) confidentiality and security measures implemented; and (ii) instructions and data processing; and
a clarification about (i) whether the data may be sub-processed inside or outside Avature Group; and (i) if the prior authorization to it expressed by the customer is general or needs to be given specifically for each new sub-processing activities.

In such cases, if a customer demonstrates that it has suffered damage, and that it is likely that the damage occurred because of a breach of this Policy (made binding under the data processing agreement referred to above), the obligation will be for the Liable BCR Member to show that the Group Member outside Europe (or a Third-Party sub-processor established outside Europe) is not responsible for the breach, or that no such breach took place. In addition, a customer that has entered into a data processing agreement with a Group Member that incorporates this Policy may enforce this Policy in the European courts, where permitted by law and subject to the terms of the data processing agreement, against (i) any Group Member processing customer personal data on behalf of that customer in respect of a breach of the Policy caused by that Group Member; and, moreover, (ii) the Liable BCR Member in case of a breach of the Policy by a Group Member outside Europe (or a Third Party sub-processor established outside Europe).

This Policy is legally binding and applies to all Group Members and their employees where those Group Members process customer personal data both manually and by automatic means and requires that Group Members who process customer personal data as processors and/or sub-processors comply with the Rules set out in Part II of this Policy together with the policies and procedures set out in the appendices in Part III of this Policy.

What personal data does this policy cover?

Personal data processed under this Policy includes customer personal data; specifically personal data regarding current, past and prospective employees or other personnel (such as trainees, secondees or independent contractors) of customers shared by the latter through the agreed configuration / agreement, which mainly comprises the following data: (a) personal and contact details (e.g. name, age, date of birth, contact details, government issued identification numbers (such as social security numbers, driver’s license numbers or national identification numbers); (b) talent, recruitment and application, education and training details (e.g. educational history, work experience, CV, notes from users in relation to personnel’s qualities and qualifications); and (c) financial information (e.g. bank account numbers provided by customers’ personnel for the sole purposes of receiving salary payments and details of dependents and emergency contacts).

Also, special categories of personal data may be processed by the Group Members when necessary and required or permitted by Applicable Local Law for the purposes described in the following section. Specifically, health and medical information (including health insurance identification numbers), or sexual, racial, political, ethnic, ideological or religious orientation of individuals (only for EEO compliance or as required and permitted by laws applicable to the controller in the jurisdictions where the controller collects the data).

For what purposes is personal data transferred under this policy?

Transfers of customer personal data under this Policy take place between Group Members globally (see the location of all such Group Members here), whatever the origin of the data, for the purposes of providing the required services to customers (as agreed via agreement), which entails, among others, accessing to customer personal data in order to: (i) store such data on customers’ behalf; (ii) provide them technical support services; (iii) perform configuration or reconfiguration services in the pertinent instances as instructed by the customers; (iv) carry out the processing operations required to provide the various functionalities of the services offered to customers; and (v) provide security and availability of the services.

Further information

Avature Group has a team of data protection specialists (with a Group Data Protection Officer [as this term is defined below] leading the team) in charge of ensuring that all Group Members are in strict compliance with the applicable data protection legislation (“Privacy Team”). If you have any questions regarding the provisions of this Policy, your rights under this Policy or any other data protection issues, you can contact the Privacy Team at the address below. The Privacy Team will either deal with the matter, forward it to the appropriate person or department within Avature Group or escalate the issue to Avature Group’s data protection officer (“Data Protection Officer”) when appropriate.

Attention: Privacy Team

Online Form: https://www.avature.net/contact-privacy-officer/

The Privacy Team is responsible for ensuring that changes to this Policy are notified in accordance with Appendix 5.

If you are unhappy about the way in which any Group Member has processed your personal data, Avature Group has a separate complaint handling procedure which is set out in Part III, Appendix 3.

PART II: PROCESSOR OBLIGATIONS

Part II of this Policy is divided into three sections:

Section A addresses the basic principles under European data protection law that a Group Member must observe when it processes and transfers customer personal data as a processor and/or sub-processor on behalf of a controller Third-Party.
Section B deals with the practical commitments made by Group Members to the competent supervisory authorities when they process customer personal data as processors on behalf of customers.
Section C describes the third-party beneficiary rights that Group Members have granted to data subjects in their capacity as processors under this Policy.

SECTION A: BASIC PRINCIPLES

RULE 1 – TRANSPARENCY, FAIRNESS AND LAWFULNESS

Rule 1A – Group Members will ensure that compliance with this Policy will not conflict with data protection laws where they exist.

Where this Policy applies and:

Applicable Local Law requires a higher level of protection than is provided for in this Policy, the higher level of protection will take precedence over this Policy; or
Applicable Local Law prevents Group Members from fulfilling or has a substantial effect on its ability to comply with its obligations under this Policy, Group Members will follow the process set out in Rule 12.

Rule 1B – Group Members will help and assist a customer to comply with its obligations under European data protection law in a reasonable time and to the extent reasonably possible.

Group Members will, taking into account the nature of processing and information available to them, within a reasonable time and to the extent reasonably possible, and as may be required under data processing agreements with its customers and / or Applicable Local Law, assist customers on request to comply with their obligations as controllers under European data protection law. For example, Group Members will be transparent about sub-processor activities so that its customers may correctly inform individuals.

RULE 2 – ENSURING PERSONAL DATA IS PROCESSED FOR A KNOWN PURPOSE ONLY

Rule 2 – Group Members will only process customer personal data on behalf of and in accordance with the instructions of their customers.

Group Members and its employees will respect the Policy and only process customer personal data in compliance with the terms of the data processing agreement they have with their customers in relation to such processing, and which contains the terms required by European data protection law in so far as it relates to the engagement of a processor, including in relation to transfers of customer personal data to destinations outside Europe, unless required to do so by European laws to which the Group Members are subject. In such cases, the Group Members will inform the customer of that legal requirement before the processing takes place, unless that law prohibits such information on important grounds of public interest.

If, for any reason, Group Members are unable to comply with this Rule or their obligations under this Policy in respect of any data processing agreement it may have with a customer, they will inform the customer promptly of this fact. Group Members’ customers may then suspend the transfer of customer personal data to them and/or terminate the contract, depending upon the terms of its contract with Group Members.

On the termination of the provision of the services related to data processing to a customer, Group Members and their sub-processors will act in accordance with the instructions of the customer and delete or return the customer personal data and delete the copies thereof and certify to the customer that they have done so, unless legislation imposed upon them requires storage of the customer personal data. In that case, Group Members will inform the customer and ensure that such information remains confidential and will not process the customer personal data otherwise than in accordance with the instructions of the customer or as required by Applicable Local Law.

Group Members will immediately inform their customer if, in their opinion, an instruction infringes European data protection law.

RULE 3 – ENSURING DATA QUALITY

Rule 3 – Group Members will help and assist customers to keep the customer personal data accurate and up to date to the extent reasonably possible.

Group Members will comply with any instructions from their customers in order to assist them to comply with their obligation to keep customer personal data accurate and up to date.

When required to do so on instruction from its customers, Group Members will delete, anonymise, update or correct customer personal data. Where for technical reasons customer personal data cannot be deleted, Group Members will advise their customers accordingly and take steps to put such customer personal data beyond processing.

Group Members will notify other Group Members or any Third-Party sub-processor to whom customer personal data has been disclosed accordingly so that they can update their records.

RULE 4 – HONOURING INDIVIDUAL RIGHTS

Rule 4 – Group Members will assist customers to comply with the rights of individuals.

Group Members will act in accordance with the instructions of their customers and undertake any appropriate technical and organisational measures to enable their customers to comply with their duty to respect the rights of individuals. Including the following rights:

right of access, by the data subject shall have the right to obtain confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and information about such processing;
right to rectification, by which the data subject shall have the right to obtain the rectification of any personal data that might be inaccurate or incomplete;
right to erasure or “right to be forgotten”, by which the data subject shall have the right to have his or her personal data erased without undue delay where one of the following grounds apply: (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing; (iii) the data subject objects to the processing and, as applicable, there are no overriding legitimate grounds for the processing; (iv) the personal data have been unlawfully processed; (v) he personal data have to be erased for compliance with a legal obligation; or (vi) the personal data have been collected in relation to the offer of information society services to a child;
right to restriction of processing, by which the data subject shall have the right to request the restriction of the processing of his or her personal data when one of the following applies (i) the accuracy of the personal data is contested by the data subject, for the period required to verify the accuracy of the personal data; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (iii) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; or (iv) the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject;
right to have each recipient to whom the personal data have been disclosed notified regarding any rectification or erasure of personal data or restriction of processing, unless his proves impossible or involves disproportionate effort. The data subject may also request to be informed about such recipients;
right to data portability, by which the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured format, and to transmit such data to another controller where the processing is based on consent or necessary for the performance of a contract and the processing is carried out by automated means;
right to object, by which the data subject shall have the right to object , on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on public or legitimate interest, including profiling. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such marketing, as described in Rule 7;
Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her (where applicable, as described in Rule 8); and
withdraw consent given for a specific processing at any time. It shall be as easy to withdraw as to give consent.

In particular, if any Group Member receives a request from an individual exercising their rights, the Group Member will transfer such request promptly to the relevant customer and not respond to such a request unless authorised to do so. Group Members will follow the steps set out in the Data Subjects’ Rights Procedure (see Appendix 1).

RULE 5 – SECURITY AND CONFIDENTIALITY

Rule 5A – Group Members will implement appropriate technical and organisational security measures required by Applicable Local Law as specified in a contract with a customer.

Where Group Members provide a service to their customers which involves the processing of customer personal data, the contract between Group Members and their customers impose clear obligations dealing with the security of that information which will at least meet the requirements of European data protection law to ensure that Group Members have in place appropriate technical and organisational security measures to ensure a level of security to customer personal data appropriate to the risk presented by the processing.

Group Members will adhere to the security and organisational measures specified in contracts with their customers and will assist customers in implementing appropriate technical and organisational security measures to facilitate compliance with this Policy in practice (such as data protection by design and by default) so far as is reasonable taking into account the state of the art, cost of implementation, risks to individuals, nature, scope, context and purpose of the processing.

Rule 5B – Group Members will notify customers of any Personal Data Breach.

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, customer personal data transmitted, stored or otherwise processed (a “Personal Data Breach”), the person who becomes aware of the Personal Data Breach within the relevant Group Member will, without undue delay and in any event within twenty-four (24) hours from the moment he/she becomes aware, notify it to Avature’s Data Protection Officer and the Security Team, following the steps set out in Avature’s personal data breach response policy.

Once Avature’s Data Protection Officer has received the information concerning the Personal Data Breach, he/she will assess, together with the Legal Team, whether it can be considered as a Personal Data Breach or, on the contrary, as a security incident that has not affected personal data. Avature’s Data Protection Officer, together with the Legal Team, will analyse the details of the Personal Data Breach and notify the customer without undue delay and in accordance with the terms of its contract with that customer (in any case, not later than 72 hours after having become aware of it).

If sub-processors are appointed in accordance with Rule 5C below, sub-processors will inform the customer and the processor Group Member of any Personal Data Breach without undue delay (in any case, not later than 72 hours after having become aware of it).

Personal Data Breaches suffered by Group Members and Third-Party sub-processors, comprising the facts, the effects of such incidents and the remedial action taken, will be documented in a Personal Data Breach report which will be available to the customer on request.

Rule 5C – Group Members will comply with the requirements of customers regarding the appointment of any internal and external sub-processor.

Group Members will inform their customers where the processing undertaken on their behalf will be conducted by an internal and external sub-processor and will comply with the particular requirements of customers with regard to the appointment of sub-processors as set out under the terms of their contract with them, and in particular will obtain prior informed specific or general written authorisation of the customers regarding the appointment of any sub-processors.

Where the customers have provided general written authorisation, Group Members will ensure that up to date information regarding their appointment of sub-processors is available to those customers at all times so that customers have the opportunity to object before the data is transferred to a new sub-processor. If, on reviewing this information, a customer objects to the appointment of a sub-processor to process customer personal data on its behalf, that customer will be entitled to take such steps as are consistent with the terms of its contract with Group Members and as referred to in Rule 2 of Part II of this Policy (i.e. Group Members’ customers may then suspend the transfer of customer personal data to Group Members and/or terminate the contract, depending upon the terms of their contract with Group Members).

Rule 5D – Group Members will ensure that internal and external sub-processors undertake to comply with provisions which are consistent with (i) the terms in their contracts with their customers and (ii) this Policy, and in particular that the sub-processor will adopt appropriate and equivalent security measures.

Group Members must only appoint internal and external sub-processors who provide sufficient guarantees in respect of the commitments made by Group Members in this Policy. In particular, such sub-processors must be able to provide appropriate technical and organisational measures that will govern their processing of the customer personal data to which they will have access in accordance with the terms of the Group Members’ contracts with their customer.

To comply with this Rule, where a sub-processor has access to customer personal data covered by this Policy, Group Members will take steps to ensure that they have in place appropriate technical and organisational security measures to safeguard the customer personal data and will impose strict contractual obligations in writing on the sub-processor in accordance with European data protection law. Those requirements include:

commitments on the part of the sub-processor regarding its assistance in the compliance with applicable law, data quality, transparency and purpose limitation principles, individuals’ rights and security of that information, consistent with those contained in this Policy (and in particular, and without limitation, Rules 1, 2, 3, 4, 5A and 5B above) and with the terms of the contracts Group Members have with their customers in respect of the processing in question;
that the sub-processor will act only on Group Members’ instructions when processing customer personal data;
adequate safeguards (as understood in European data protection law) with respect to transfers of customer personal data to a Third-Party sub-processor established in a country outside Europe that supervisory authorities do not consider ensures an adequate level of protection for individuals’ data privacy rights; and
such obligations as may be necessary to ensure that the commitments on the part of the sub-processor reflect those made by Group Members in this Policy as may be applicable to sub-processors.

SECTION B: PRACTICAL COMMITMENTS

RULE 6 – COMPLIANCE AND ACCOUNTABILITY

Rule 6A – Group Members will have appropriate staff and support to ensure and oversee privacy compliance with this Policy throughout the business and will make available to the customer all necessary information to demonstrate compliance.

Avature Group has appointed a team of data protection specialists (with a Group Data Protection Officer leading the team) in charge of ensuring and overseeing that all Group Members are in strict compliance with this Policy on a day-to-day basis. Additionally, Avature Group has a Risk Team and Security Team which assist the Privacy Team in dealing with the technical aspects of privacy compliance.

The Data Protection Officer enjoys the highest management support for the fulfilling of its tasks (to whom it shall report directly and also inform if any questions or problems arise during the performance of its duties as further described below) and has the following responsibilities:

leading the Privacy Team, including coordinating with the Risk Team and Security Team on technical aspects of privacy compliance;
implementing / informing about and monitoring privacy related practices, policies and issues within the Avature Group, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
escalating issues to senior management for proper consideration in accordance with acceptable standard practice;
cooperating and coordinating with competent supervisory authorities; and
acting as the contact point for competent supervisory authorities and data subjects on issues or requests relating to the processing of personal data.

The team of data protection specialists assist the Data Protection Officer comply with obligations above and, more specifically, control and manage data protection compliance on a day-to-day basis (including mainly handling local complaints from data subjects, monitoring compliance of corporate policies at local level and reporting major privacy issued to the Data Protection Officer).

Group Members will ensure that the Data Protection Officer’s contact details (or those or the Privacy Team) are always published together with the Policy.

Where required for reasons of the complexity and volume of the specific task, the Privacy Team is supported by external counsel.

Rule 6B – Group Members processing personal data will maintain a written record (including in electronic form) of their processing activities and make that record available to competent supervisory authorities on request.

The data processing records maintained by Group Members, acting as processors for a customer which is the controller, will contain:

the Group Member’s name and contact details, and, where applicable, of the Group Member’s representative, and data protection officer;
the name and contact details of each customer on whose behalf Group Members process customer personal data and, where applicable, the customer’s representative and data protection officer;
the categories of processing carried out on behalf of each customer;
details of the third country or countries to which personal data is transferred, including the identification of that third country or international organisation and the documentation of suitable safeguards;
where possible, a general description of the technical and organisational security measures used to protect personal data.

The data processing records maintained by Group Members shall be in writing, including in electronic form, and will be made available to competent supervisory authorities on request.

RULE 7 – TRAINING

Rule 7 – Group Members will provide appropriate training to employees who have permanent or regular access to customer personal data, who are involved in the processing of customer personal data or in the development of tools used to process such personal data.

Group Members will provide appropriate and up-to-date training to all employees, specially to those who have permanent or regular access to customer personal data and/or who are involved in the processing of such personal data or in the development of tools used to process such personal data. Such training will be provided at least once a year and will cover, among others, procedures of managing requests for access to personal data by public authorities.

RULE 8 – AUDIT

Rule 8 – Group Members will comply with the Audit Protocol set out in Appendix 2.

Group Members will comply with the Audit Protocol by performing regular internal audits and allowing for external audits where required in accordance with the formal assessment process as stipulated in the Audit Protocol. The outcome of such audits will be communicated in accordance with Appendix 2.

RULE 9– COMPLAINT HANDLING

Rule 9 – Group Members will comply with the Complaint Handling Procedure set out in Appendix 3.

Group Members will comply with the Complaint Handling Procedure as set out in Appendix 3 in order to handle complaints of data subjects and to safeguard the processing of personal data by Group Members. Group Members also allow for exercising the third-party beneficiary rights as set out in Section C of this Policy.

RULE 10 – COOPERATION WITH SUPERVISORY AUTHORITIES

Rule 10 – Group Members will comply with the Co-operation Procedure set out in Appendix 4.

Group Members will comply with the Cooperation Procedure set out in Appendix 4 and will co-operate, accept to be audited and inspected by with the supervisory authorities in relation to this Policy; as well as to take into account their advice and abide by their decisions on any issues related to this Policy.

RULE 11 – UPDATE OF THE RULES

Rule 11 – Group Members will comply with the Updating Procedure set out in Appendix 5.

Group Members will comply with the Updating Procedure set out in Appendix 5 and will communicate, without undue delay, any update of this Policy and of the list of Group Members to competent supervisory authorities, the customers concerned and Group Members.

RULE 12 – ACTION WHERE NATIONAL LEGISLATION AFFECTS COMPLIANCE WITH THE POLICY

Rule 12A – Group Members commit to only use this Policy as a tool for transfers where they have duly assessed that the law and practices in the third country of destination applicable to the processing of the personal data by the importing entities, including any requirements to disclose personal data or measures authorising access by public authorities, do not prevent them from fulfilling its obligations under this Policy.

Group Members will use this Policy as a tool to safeguard international transfers only where they have assessed that the law and practices in the third countries of destination applicable to the processing of the personal data by the importing entities, including any requirements to disclose personal data or measures authorizing access by public authorities, do not prevent them from fulfilling their obligations under this Policy. This shall be based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) GDPR, are not in contradiction with this Policy.

In assessing the laws and practices of the third countries which may affect the respect of the commitments contained in this Policy, Group Members shall take due account in particular of the following elements:

the specific circumstances of the transfers or set of transfers, and of any envisaged onward transfers within the same third country or to another third country, including:
purposes for which the data are transferred and processed;
types of entities involved in the processing (the importing entity and any further recipient of any onward transfer);
sector in which the transfer or set of transfers occur;
categories and format of personal data transferred;
location of the processing including storage;
transmission channels used;
the laws and practices of the third countries of destination relevant in light of the circumstances of the transfer, including those requiring to disclose data to public authorities or authorising access by such authorities including those providing for access to these data during the transit between the countries of the exporting entities and the countries of the importing entities, as well as the applicable limitations and safeguards;
any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under this Policy, including measures applied during transmission and to the processing of the personal data in the countries of destination.

Where any safeguards in addition to those envisaged under this Policy should be put in place, the Liable BCR Member and the Data Protection Officer, shall be informed and involved in the assessment.

Group Members shall document appropriately such assessment as well as the supplementary measures selected and implemented and shall make such documentation available to the competent supervisory authority upon request.

Group Members acting as importing entities shall promptly notify the relevant exporting entities and the customer (to the extent it is not the exporting entity) if, when using this Policy as a tool for transfers, and for the duration of the membership, they have reasons to believe that they are or have become subject to laws or practices that would prevent them from fulfilling their obligations under this Policy, the instructions received by the pertinent customer and / or their obligations under the contract in place with the pertinent customer, including following a change in the laws in the pertinent third country or a measure (such as a disclosure request). This information should also be provided to the Liable BCR Member and the Data Protection Officer.

Upon verification of such notification, the relevant exporting entity (to the extent it is a Group Member), along with the Liable BCR Member and the Data Protection Officer, commit to promptly identify supplementary measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the exporting entity and/or the importing entity (if appropriate and pertinent in consultation with the customer) in order to enable them to fulfil their obligations under this Policy. The same applies if an exporting entity has reason to believe that an importing entity can no longer fulfil its obligations under this Policy.

Where the relevant exporting entity, along with the Liable BCR Member and the Data Protection Officer, assess that the Policy –even if accompanied by supplementary measures– cannot be complied with for a transfer or set of transfers or if instructed by the customer (as applicable) or the competent supervisory authority, it commits to suspend the transfer or set of transfers at stake, as well as all transfers for which the same assessment and reasoning would lead to a similar result, until compliance is again ensured or the transfer is ended.

Following such a suspension, the exporting entity has to end the transfer or set of transfers if this Policy cannot be complied with and compliance is not restored within one month of suspension. In this case, personal data that has been transferred prior to the suspension, and any copies thereof, should at the choice of the exporting entity be returned to it or destroyed in their entirety.

The Liable BCR Member and the Data Protection Officer, will inform all other Group Members of the assessment carried out and of its results so that the identified supplementary measures will be applied in case the same type of transfers are carried out by any other Group Member or, where effective supplementary measures could not be put in place, the transfers at stake will be suspended or ended.

Exporting entities shall also monitor, on an ongoing basis, and where appropriate in collaboration with importing entities, developments in the third countries to which exporting entities have transferred personal data that could affect the initial assessment of the level of protection and the decisions taken accordingly on such transfers.

Rule 12B – Group Members acting as importing entities will ensure that where they receive a legally binding request by a public authority under the laws of the country of destination for disclosure of personal data transferred pursuant to the Policy or became aware of any direct access by public authorities to personal data transferred pursuant to the Policy in accordance with the laws of the country of destination, they will promptly notify the relevant exporting entity, the customer (to the extent it is not the exporting entity), the pertinent supervisory authorities and, where possible, the data subject (if necessary with the help of the exporting entity).

Group Members acting as importing entities will promptly notify the relevant exporting entity, the customer (to the extent it is not the exporting entity), the pertinent supervisory authorities (i.e. including, as required, that of the exporting entity and, to the extent it is not the same, the supervisory authority of the customer) and, where possible, the data subject (if necessary, with the help of the exporting entity) if they:

receive a legally binding request by a public authority under the laws of the country of destination or of another third country, for disclosure of personal data transferred pursuant to the Policy; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided;
become aware of any direct access by public authorities to personal data transferred pursuant to the Policy in accordance with the laws of the country of destination; such notification shall include all information available to the importing entity.

If prohibited from notifying the relevant exporting entity, the customer (to the extent it is not the exporting entity), the pertinent supervisory authorities and / or the data subject (if necessary with the help of the exporting entity), the Group Members acting as importing entities will use reasonable efforts to obtain a waiver of the prohibition, with a view to communicate as much information as possible and as soon as possible and will document its reasonable efforts in order to be able to demonstrate them upon request. If, in the above cases, despite having used reasonable efforts, the importing entity is not in a position to notify the competent supervisory authorities, it will annually provide them with general information on the requests received.

Group Members acting as importing entities will provide the relevant exporting entity and the customer (to the extent it is not the exporting entity), at regular intervals and at least annually, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority or authorities, whether requests have been challenged and the outcome of such challenges, etc.). If it is or becomes partially or completely prohibited from providing the relevant exporting entity or the customer (to the extent it is not the exporting entity) with the aforementioned information, it shall without undue delay inform them accordingly.

Group Members acting as importing entities will preserve the abovementioned information for as long as the data are subject to the safeguards provided by the Policy and make it available to the competent supervisory authorities upon request.

Group Members acting as importing entities will review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and will challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. Group Members acting as importing entities shall, under the same conditions, pursue possibilities of appeal. When challenging a request, Group Members acting as importing entities shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. They shall not disclose the personal data requested until required to do so under the applicable procedural rules.

Group Members acting as importing entities will document their legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to relevant exporting entity, the customer (to the extent it is not the exporting entity) and the pertinent supervisory authorities.

Group Members acting as importing entities will provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

In any event, Group Members will ensure that any transfers of personal data under this Policy that they make to a public authority are not massive, disproportionate or indiscriminate in a manner that would go beyond what is necessary in a democratic society.

RULE 13 – NON-COMPLIANCE WITH THE POLICY AND TERMINATION

Rule 13A – Group Members shall be effectively bound by the Policy and shall be able to deliver compliance.

When a Group Member acting as an importing entity is unable to comply with the Policy, for whatever reason, it shall promptly inform the relevant exporting entity and / or the customer (to the extent it is not the exporting entity). In the event the Group Member is in breach of the Policy or unable to comply with the Policy, the relevant exporting entity and / or the customer (to the extent it is not the exporting entity) shall / will be entitled to suspend the transfer.

The Group Member shall, at the choice of the exporting entity and / or the customer (to the extent it is not the exporting entity), immediately return or delete the personal data that has been transferred under the Policy in its entirety where:

the exporting entity and / or the customer (to the extent it is not the exporting entity) has suspended the transfer and compliance with this Policy is not restored within a reasonable time and in any event within one month of suspension; or
the Group Member is in substantial or persistent breach of the Policy or fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under the Policy.

The same shall apply to any copies of the data. The Group Member shall certify the deletion of the data to the exporting entity and / or the customer (to the extent it is not the exporting entity). Until the data is deleted or returned, the Group Member shall continue to ensure compliance with the Policy. In case Applicable Local Law prohibit the Group Member the return or deletion of the transferred personal data, the Group Member warrants that it will continue to ensure compliance with the Policy and will only process the data to the extent and for as long as legally required.

Rule 13B – Group Members that cease to be bound by the Policy shall ensure that personal data is appropriately kept, returned or deleted, as applicable.

Group Members acting as importing entities that cease to be bound by the Policy may keep (to the extent required to comply with Applicable Local Laws), return or delete the personal data received under the Policy. If the exporting entity or the customer (to the extent it is not the exporting entity) and the Group Member acting as an importing entity agree that the data may be kept by the latter, protection hereunder must be maintained.

SECTION C: THIRD PARTY BENEFICIARY RIGHTS

Where customer personal data is processed under this Policy by a Group Member acting as a processor under a data processing agreement with a customer, that individual whose customer personal data is transferred under the terms of that data processing agreement to a Group Member outside Europe, will have the rights as third party beneficiaries to enforce the following elements directly against the processor:
- Rules 1B, 2, 3, 4, 5, 6B, 9, 10 and 12 of the Policy;
- the right to access the Policy via avature.net/legal, or the internal wiki available here, or to obtain a hard copy of the Policy as well as a list of the Group Members bound by this Policy through Avature Group’s online form available here https://www.avature.net/contact-privacy-officer/; and
- the right to enforce the provisions in Section C (a), (c), (d), (e), (f) and (g) granting third-party beneficiary rights and setting the liability and jurisdiction rules under the Policy.
Where customer personal data is processed under this Policy by a Group Member acting as a processor under a data processing agreement with a customer and where the individual whose customer personal data is transferred as described in (a) above is unable to bring a claim against the customer because: (i) the customer has factually disappeared or ceased to exist in law or has become insolvent; and (ii) no successor entity has assumed the entire legal obligations of the customer by contract or by operation of law, that individual will have the rights as third party beneficiary to enforce the following elements directly against the processor:
- Rules 1B, 2, 3, 4, 5, 6A, 9, 10 and 12 of the Policy;
- the right to access the Policy via avature.net/legal, or the internal wiki available here, or to obtain a hard copy of the Policy as well as a list of the Group Members bound by this Policy through Avature Group’s online form available here https://www.avature.net/contact-privacy-officer/; and
- the right to enforce the provisions in Section C (b), (c), (d), (e), (f), (g) and (h) granting third-party beneficiary rights and setting the liability and jurisdiction rules under the Policy.
This Policy ensures that the individuals referred to in Section C (a) and (b) above are able to enforce the rights outlined in those sections by:
- making a complaint: data subjects may lodge complaints to a Group Member (in accordance with the Complaint Handling Procedure set out in Appendix 3) and to the competent supervisory authority in the Member State in which the alleged infringement took place, or in which the individual works or habitually resides; and/or
- bringing proceedings: data subjects can bring proceedings against Group Members in the courts of a Member State in which the Group Member has an establishment, or in the Member State in which the individual has his habitual residence.
Where the Group Member and the customer involved in the same processing are found responsible for any damage caused by such processing, the individuals referred to in Section C (a) and (b) above will be entitled to receive compensation for the entire damage directly from the Group Member.
The individuals referred to in Section C (a) and (b) above may also seek appropriate redress from the Liable BCR Member including the remedy of any breach of the provisions in those sections, and where appropriate, receive compensation from the Liable BCR Member for the entirety of any damage whether material or non-material suffered as a result of a breach of those provisions by:
- any Group Member outside Europe acting as a processor; or
- any Third-Party sub-processor which is established outside Europe, and which is acting on behalf of the Group Members, in accordance with the determination of a court or other competent authority.
The Liable BCR Member will ensure that any necessary action is taken to remedy any breach of this Policy by a Group Member outside Europe or any Third-Party sub-processor which is established outside Europe, and which is processing customer personal data on behalf of a customer.
For the avoidance of doubt, individuals shall benefit from the third-party beneficiary rights as described in this Section C and the European courts or competent supervisory authorities shall have jurisdiction as if the breach of the provisions described in this Section C or any of them was caused by the Liable BCR Member. The Liable BCR Member may not rely on a breach by a sub-processor (internal or external) of its obligations in order to avoid its own liabilities.
In the event of a claim being made under this Section C in which an individual has suffered damage as described above and where that individual can demonstrate that it is likely that the damage has occurred because a breach of this Policy, the Group Members have agreed that the burden of proof to show that a Group Member outside Europe (or any Third Party sub-processor which is established outside Europe and which is acting on behalf of a Group Member) is not responsible for the breach, or that no such breach took place, will rest with the Liable BCR Member. Where the Liable BCR Member can prove that the Group Member outside Europe is not responsible for the act, it may discharge itself from any responsibility / liability.

PART III: APPENDICES

Appendix 1

Data Subjects’ Rights Procedure

Requests made to the Group Member where the Group Member is a processor
1. When a Group Member processes information on behalf of a controller (e.g., a customer to whom it provides a service), the former Group Member is deemed to be a processor of the personal data and the customer, as controller, will be primarily responsible for meeting the legal requirements under European data protection law.
2. Certain data protection obligations are passed on to the Group Members acting as processor on the basis of the contractual commitments entered into with customers acting as controllers. In particular, the Group Member acting as processor must proceed in accordance with the instructions of the customer acting as controller and undertake any reasonably necessary measures to enable the controller to comply with their duty to respect the rights of data subjects. This means that if any Group Member receives a request from an data subject to exercise his or her rights under European data protection law in its capacity as a processor on behalf of a customer (acting as a controller), it must transfer such request promptly to the relevant customer acting as controller and refrain from responding to the request unless expressly authorised to do so, in accordance with the contract between the Group Member and the customer, and with Avature’s Data Subject’s Rights Response Policy.
3. When the Group Member (acting as a processor) is notified by the customer (acting as a controller) of a request for erasure, rectification or restriction in relation to personal data that had been previously disclosed by said customer, the Group Member (acting as a processor) will update its records accordingly.

Appendix 2

Audit Protocol

Background
1. Group Members are required to audit their compliance with the Policy and satisfy certain conditions in so doing, and this document describes how Group Members deal with such requirements.
2. The role of Avature’s Data Protection Officer and Privacy Team is to provide guidance about the processing of personal data subject to the Policy and to assess the processing of personal data by Group Members for potential privacy-related risks on the day-to-day business. The processing of personal data is, therefore, subject to detailed review and evaluation on an on-going basis. Accordingly, although this Audit Protocol describes the formal assessment process adopted by Group Members to ensure compliance with the Policy as required by the competent supervisory authorities, this is only one way in which Group Members ensure that the provisions of the Policy are observed, and corrective actions are taken as required.
Approach
1. Overview of audit
  1. Compliance with the Policy is overseen on a day-to-day basis by the Data Protection Officer and Privacy Team.
  2. The entity responsible for performing the audits of compliance with the Policy and ensuring that such audits address all aspects of the Policy can vary depending on the specific circumstances of the relevant Group Member. Normally, audits are carried out by Avature’s Data Protection Officer (which is guaranteed independence as to the performance of their duties related to these audits), internal or external auditors, as applicable. The relevant auditor will be responsible for ensuring that any issues or instances of non-compliance are brought to the attention of the Data Protection Officer and that any corrective actions to ensure compliance take place within a reasonable timescale.
  3. To the extent that a Group Member acts as a processor for a customer, audits of compliance with the commitments made in the Policy may also be carried out by or on behalf of Group Member’s customers in accordance with the terms of a contract Group Member has with a customers in respect of such processing, and such audits may also extend to any sub-processors acting on Group Member’s behalf in respect of such processing and the ability to audit such sub-processors will be carried out in accordance with the terms of the contract between Group Member and the sub-processors.
    Upon request and to the extent that an audit relates to personal data processed by a Group Member on behalf of that controller, Group Member will make the portion of results of such audit of compliance with this Policy that relate to the relevant controller available to that controller upon request.
2. Timing and scope of audit
  1. As indicated above, the Data Protection Officer will determine the timing of the audits. Audit of the Policy will take place:
    - Every twenty four (24) months in accordance with Avature Group’s audit procedure(s); and/or
    - more frequently, at the request and/or as determined necessary by the Data Protection Officer.
  2. To the extent that a Group Member processes personal data on behalf of a customer, audit of the Policy will take place as required under the contract in place between that Group Member and that customer (so long the indicated time limit is the same or shorter to the one specified under 2.2.1. (a) above).
  3. In the same line, the scope and coverage of the audit performed will be determined by the Data Protection Officer based on a risk-based analysis which will consider relevant criteria, for example: areas of known non-compliance; areas of current regulatory focus; areas of specific or new risk for the business; areas with changes to the systems or processes used to safeguard information; areas where there have been previous audit findings or complaints; the period since the last review; the nature, method and location of the personal data processed; IT systems, applications and databases; onward transfers; and issues arising from conflict of laws or vendor management.
  4. In the event that customer on whose behalf the Group Member processes personal data exercises its right to audit the Group Member for compliance with the Policy, the scope of the audit shall be limited to the data processing facilities, files, documents (where appropriate) and activities relating to that controller. The Group Member will not provide a controller with access to systems which process personal data of other controllers.
3. Auditors
  1. Audit of the procedures and controls in place to give effect to the commitments made in the Policy will be undertaken by the Data Protection Officer and Privacy Team, internal or external auditors, as applicable. Where audits are carried out by external auditors, at least the following conditions shall be met:
    - Carry out a proper due diligence prior to its selection in order to ensure that the pertinent auditors have the appropriate qualifications and status in order to assist with this exercise; and
    - Put in place an agreement with the same in order to regulate the provision of their services in accordance with applicable regulations.
  2. In the event that a customer on whose behalf the Group Member processes personal data exercises their right to audit the Group Member for compliance with the Policy, such audit may be undertaken by that controller or by independent, accredited auditors selected by that controller as stipulated in the contract between the Group Member and that controller, where applicable, in agreement with the supervisory authority.
4. Report
  1. On completion of the audit, the report and findings shall be made available to the Data Protection Officer, the board of the Liable BCR Member and, in any case, to the different Group Members where the audit has identified data processing activities that must be reviewed bearing in mind the conclusions of the audit. The audit report will also contain details of any remedial action required, recommendations and timescales for remedial action to be undertaken. Where appropriate, the results may also be communicated to Avature Group’s ultimate parent board.
  2. Upon request, Group Members have agreed to:
    - provide copies of the results of any audit of the Policy to any competent supervisory authority who will upon receiving the audit results be reminded of their duty of professional secrecy under Article 54(2) GDPR; and
    - to the extent that an audit relates to personal data processed by Group Members on behalf of a customer, to make the results of any audit of compliance with the Policy available to that controller.
  3. The Data Protection Officer shall have the task of liaising with the competent supervisory authorities for the purpose of providing the information outlined in section 4.2.

Appendix 3

Complaint Handling Procedure

Introduction
1. The purpose of this Complaint Handling Procedure is to explain how complaints brought by a data subject whose personal data is processed by Group Members under the Policy are dealt with.
How data subjects can bring complaints
1. All complaints of data subjects made under the Policy, when a Group Member is collecting and/or using personal data as a processor on behalf of a customer acting as a controller, can be brought in writing (which includes email) to the Data Protection Officer. The Data Protection Officer may be contacted through Avature Group’s online form available here https://www.avature.net/contact-privacy-officer/.
Duty to communicate the complaint to the controller
1. The Group Member will communicate the details of the complaint to the controller promptly and will act strictly in accordance with the terms of the contract between the customer and Group Member if the customer requires Group Member to deal with the complaint in accordance with procedure described below.
2. When a customer ceases to exist
3. In circumstances where a customer has disappeared, no longer exists or has become insolvent, individuals whose personal data is collected and/or processed in accordance with European data protection law and transferred between Group Members on behalf of that customer under the Policy have the right to complain to Group Members and the Group Members will deal with such complaints in accordance with section 4 of this Complaint Handling Procedure. In such cases, individuals also have the right to complain to a European supervisory authority in the jurisdiction in which the alleged infringement took place, or in which the individual works or habitually resides; and/or to lodge a claim with a court of competent jurisdiction as described in Section C of this Policy and this will apply whether or not they have first made a complaint to the Group Member.
Who handles complaints
1. Without prejudice to section 3 above, the Data Protection Officer, with support of the Privacy Team, will handle all complaints arising under the Policy in respect of the processing of personal data where the relevant Group Member is the processor of that information. The Data Protection Officer will liaise with relevant business units to investigate the complaint and will coordinate a response (which shall include information on the actions taken to the complainant).
2. What is the response time?
  The Data Protection Officer, with support of the Privacy Team, will acknowledge receipt of a complaint to the data subject concerned within ten (10) working days, investigating and making a substantive response within one (1) calendar month. If, due to the complexity of the complaint or number of requests, a substantive response cannot be given within this period, the Data Protection Officer, with support of the Privacy Team, will advise the complainant of the reason for the delay within one (1) calendar month of receipt of the complaint, and provide a reasonable estimate (not exceeding two (2) further calendar months from the date on which the data subject was notified of the extension) for the timescale within which a response will be provided.
  If the response time is not met and the reply to the complaint is delayed without any informed reason, the data subject can notify this fact to the Data Protection Officer who will, without undue delay and in any event within ten (10) working days, explain the reasons for such delay and inform the data subject about the actions taken so far. The matter will be referred to Avature’s General Counsel (together with a reasoned report determining the measures to be taken) who will review the case and advise the Data Protection Officer how to solve the issues object of the complaint as soon as possible and in any event within ten (10) working days. In any case, the data subject can also make use of the rights described in Section 4.4 below.
3. When a complainant disputes a finding or the refusal of a complaint
  If a complaint is considered justified, the Data Protection Officer will take the necessary actions to solve the issue raised by the data subject and will inform him or her accordingly.
  If the complainant disputes the response of the Data Protection Officer (including if such response is a refusal to attend the complaint) or any aspect of a finding, and notifies the relevant Group Member accordingly, the matter will be referred to Avature’s General Counsel who will review the case and advise the complainant of his/her decision either to accept the original finding or to substitute a new finding. Avature’s General Counsel will respond to the complainant within one (1) calendar month of the referral. If, due to the complexity of the complaint, a substantive response cannot be given within this period, Avature’s General Counsel will advise the complainant of the reason for the delay within one (1) calendar month of receipt of the referral, and provide a reasonable estimate for the timescale (not exceeding two (2) further calendar months) within which a response will be provided. If the complaint is upheld, Avature’s General Counsel will arrange for any necessary steps to be taken as a consequence.
4. Data subjects whose personal data is processed in accordance with European data protection law also have the right to: (i) complain to a competent supervisory authority in the Member State in which the alleged infringement took place, or in which the data subject works or habitually resides; (ii) and/or lodge a claim with a court of competent jurisdiction which means in a court in the European country where the Group Member is established or in the European country where the individual resides. These rights will apply whether or not they have first made a complaint to a Group Member.
  If the matter relates to personal data that is or has been subject to European data protection law and which has been processed by a Group Member in Europe and transferred to a Group Member outside Europe, the claim may be made against the Group Member in Europe responsible for transferring the personal data.

Appendix 4

Co-Operation Procedure

Introduction
1. This Co-operation Procedure sets out the way in which Group Members will co-operate, accept to be audited and inspected, including where necessary, on-site, by with the competent supervisory authorities in relation to this Policy; as well as to take into account their advice and abide by their decisions on any issues related to this Policy.
Co-operation Procedure
1. Where required, Group Members will make the necessary personnel available for dialogue with a supervisory authority in relation to the Policy.
2. Upon request, the Data Protection Officer will provide copies of the results of any audit of the Policy pursuant to Appendix 2 to any competent supervisory authority, as well as with any information about the processing operations covered by the Policy, who will upon receiving such information be reminded of their duty of professional secrecy under Article 54(2) GDPR.
3. Group Members agree that supervisory authorities may carry out a data protection audit or inspection, including where necessary, on-site, of that Group Member in accordance with the applicable law of the European country from which the data is transferred.
4. Where any Group Member is located within the jurisdiction of a supervisory authority based in Europe, Group Members acknowledge that any supervisory authority may audit that Group Member for the purpose of reviewing compliance with this Policy, in accordance with the applicable law of the country in which the Group Member is located.
5. All Group Members agree to be audited by the supervisory authorities in accordance with the applicable audit procedures of such supervisory authorities.
6. Group Members agree to take into account the advice, and comply with the formal decisions, of, a competent supervisory authority relating to the interpretation and application of this Policy, without prejudice to any right to appeal such formal decisions.

Appendix 5

Updating Procedure

Introduction
1. This Updating Procedure sets out the way in which the Liable BCR Member will communicate changes to the Policy to the competent supervisory authorities, customers and to the Group Members bound by the Policy.
Material changes to the Policy
1. The Liable BCR Member will communicate in advance any material changes to the Policy (i.e., any modification that would possibly be detrimental to the level of protection offered by the Policy or significantly affect the Policy –e.g., changes to its binding character–, etc.) to the Spanish Data Protection Agency (the “BCR Lead”) without undue delay and, via the BCR Lead, to any other relevant supervisory authorities. Such communication shall include a brief explanation of the reasons for the update. The relevant supervisory authority will also assess whether the changes made require a new approval.
2. Where a change to the Policy materially affects the conditions under which a Group Member processes personal data on behalf of a customer under the terms of the contract between them (for instance, on any intended changes concerning the addition or replacement of subcontractors), the Group Member will communicate such information to any affected controller. If such change is contrary to any term of the contract between the Group Member and the controller, the Group Member will communicate the proposed change before it is implemented, and with sufficient notice to enable affected customers to object. The controller may then suspend the transfer of such personal data to the Group Member and/or terminate the relevant contract, in accordance with the terms of its contract with the Group Member.
Administrative changes to the Policy
1. The Liable BCR Member will communicate to the BCR Lead and, via the BCR Lead, to other supervisory authorities concerned, when requested or at least once a year, changes to the Policy. Examples of such changes that may arise include those that are administrative in nature (including changes in the list of Group Members); have occurred as a result of a change of applicable European data protection law; or resulting from any legislative, court or supervisory authority measure. The Liable BCR Member will also provide a brief explanation to the BCR Lead and to any other relevant supervisory authorities of the reasons for any notified changes to the Policy.
Communicating and logging changes to the Policy
1. The Policy contains a change log which sets out the date of revisions to the Policy and the details of any revisions made. The Data Protection Officer (together with the Privacy Team) will maintain an up-to-date list of the changes made to the Policy and provide the necessary information systematically to the customer and to the supervisory authorities upon request.
2. The Liable BCR Member will communicate all changes to the Policy, whether administrative or material in nature:
  - to the Group Members bound by the Policy, without undue delay and publish an updated version of this Policy on the Avature wiki website https://wiki.xcade.net/wiki/Policies,_Guidelines,_Agreements_%26_Certifications;
  - systematically to customers on whose behalf Group members process personal data and to data subjects who benefit from the Policy, via the Avature website avature.net/legal;
  - to the supervisory authorities upon request, or via the competent supervisory authorities, as applicable.
3. The Data Protection Officer (together with the Privacy Team) will maintain an up-to-date list of the changes made to the Policy and the list of Group Members bound by the Policy and a list of the sub-processors appointed by Group Members to process personal data on behalf of its customers. The list of Group Members, sub-processors and any updates to the Policy will be available to and accessible by the data subjects, customers and competent supervisory authorities on request from Group Members.
New Group Members
1. The Data Protection Officer (together with the Privacy Team) will ensure that all new Group Members are effectively bound by and can deliver compliance with the Policy before a transfer of personal data to them takes place.

Binding Corporate Rules – Processor Policy