Data Protection Our Binding Corporate Rules
1. Introduction

Established in 2002, Crayon Group and its subsidiaries provide the following services which involve the processing of Personal Data on behalf of other subsidiaries within the group:

  • Software License Procurement and Agreement Services
  • Software Asset Management (SAM) Services
  • Cloud and Digital Services
  • Data Science and Data Intelligence Services
  • Information Technology (IT) Application Services
  • Data Protection Services and IT Security Services

These Binding Corporate Rules for Data Processors (BCR-Processor) are binding in nature and express the commitment of the Executive Board of Directors and our team members to the protection of that personal data and compliance with these BCRs. Failure to follow them may result in corrective action or disciplinary proceedings, up to and including termination.

The BCR-Processor laid down in this document are effective as of 1st January 2018 with a transition period lasting until 1st June 2018, by which time all aspects will be subject to compliance monitoring of the terms set out in this document. Under these BCR-Processor, all members of Crayon Group and employees have the duty to respect the BCR-Processor, as required by the Confidentiality and Privacy Agreement, signed by all individuals processing Personal Data on behalf of Crayon Group.

These BCR-Processor affirm the duties of Crayon Group subsidiaries as follows:

  • respect the instructions from a Controller regarding data processing and transfers to third countries
  • implement appropriate technical and organisational security measures and a duty to notify any personal data breach to the Controller
  • respect the conditions when engaging a sub-processor
  • cooperate with and assist the Controller in complying with data protection laws
  • cooperate with the Supervisory Authorities
  • provide liability, compensation and jurisdiction provisions
  • respect third party beneficiary rights for Data Subjects

1.1. Scope + Updates

These BCR-Processor cover any intra-group processing of personal data by one Crayon Group subsidiary on behalf of another subsidiary. They are binding on all members of the group and its subsidiaries. These codes are applicable to any staff with the function of a ‘data handler’ who is in any way involved in the collection, storage, utilisation, rectification or deletion of personal data on behalf of Crayon Group.

The DPO maintains a fully up-to-date list of the members of the BCRs and records any updates to the rules, providing the necessary information to all Group Members and to the SA on request. Any changes in the BCR will be reported to all Group members, the Controller and the concerned SA by the Data Protection Officer. The DPO maintains the list of BCR members and sub-processors involved in data processing and keeps track of and records any updates to the rules. No transfers of personal data to a new BCR member can be made until it is effectively bound by the BCR and can demonstrate compliance with the rules. The DPO will annually report any substantial changes to the SA with a brief explanation.

1.2. Definitions + Acronyms

BCR-Processor Personal Data Protection Policy which is adhered to when processing Personal Data on behalf of Controllers within a group of undertakings.

Board of Management Executive decision-making level inside Crayon Group which acts as the primary reporting level of the DPO.

Consent (of Data Subject) A freely given, specific, informed and unambiguous indication of a Data Subject by which he/she, in a clear affirmative action/statement, signifies agreement to the processing of personal data relating to him/her.

Controller The party, alone or jointly with others, determining the purposes and means of personal data processing.

Cross-Border Processing Processing of personal data which takes place in the context of the activities of: (a) establishments in more than one MS of a controller or processor in the Union where the controller or processor is established in more than one MS; or (b) a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect Data Subjects in more than one Member State.

Data Subject An identified or identifiable natural person.

DPIA Data Protection Impact Assessment.

PDPA Personal Data Processing Agreement.

Filing System Any structured set of personal data which are accessible according to specific criteria, whether (de-)centralised or dispersed on a functional/geographical basis.

GDPR General Data Protection Regulation of the European Union.

Group (of undertakings) A controlling undertaking and its controlled undertakings.

Main Establishment (a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment.

MS Member State of the European Union.

Personal Data Information relating to an identified/identifiable natural person (‘Data Subject’); i.e., who can be (in-)directly identified by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Profiling Any form of automated processing of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Processing Any operation(s) performed on personal data (also by automated means), such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor The party (natural/legal person) processing Personal Data on behalf of a Controller.

Pseudo/Ano-nymisation Processing personal data so that it can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Supervisory Authority (SA) Independent public authority/ies in each EU Member State responsible for monitoring the application of the EU GDPR. A Supervisory Authority is defined as being concerned by the processing of personal data when: (a) the controller or processor is established on the MS territory of that SA; (b) Data Subjects residing in the MS of that supervisory authority are (likely to be) substantially affected; or (c) a complaint has been lodged with that SA.

Third Party Company acting as a Processor or a Sub-Processor and receiving personal data transfer that is located in a third country, territory or one or more specified sectors within a third country, or an international organisation. OR: A party (natural/legal person) who, under the direct authority of the Controller or Processor, is authorised to process personal data.