The Gulf Air (“GF”) Binding Corporate Rules (“the BCRs”) express GF’s commitment to the protection of the Personal Data of GF Customers, Suppliers and Business Partners. Their objective is to provide adequate protection for the transfers and processing of personal data by GF staff and entities.
The BCRs explain how this commitment is implemented by GF throughout its operations. They specifically set out GF’s approach to transfers of Personal Data between offices and divisions of GF’s network and apply to GF’s operations worldwide.
The BCRs are communicated to all GF employees and are published on the external GF website accessible at www.gulfair.com.
ARTICLE 1: SCOPE, EFFECTIVE DATE AND IMPLEMENTATION OF THE BCRs
The BCRs apply to all Personal Data of employees, customers, suppliers, contractors and other natural persons in the European Economic Area (“EEA”), collected and used by GF.
They specifically set out GF’s approach to transfers of Personal Data between divisions in GF’s network of offices.
For the privacy rules applicable to GF Employee personal data, please refer to the GF rules for Employee Data on GF’s intranet.
1.2 Effective Date
The BCRs enter into force on 25 May 2018 (the “Effective Date”). The GF BCRs supersede all prior GF privacy policies and notices that exist on the Effective Date to the extent they cover the same issues or conflict with the BCRs.
1.3 Implementation of the BCRs
(a) Data Protection Officer
The operation of the BCRs is the responsibility of the Data Protection Officer. If there is a question as to the interpretation, implementation or applicability of the BCRs, GF staff shall seek the advice of the Data Protection Officer prior to conducting any relevant Processing.
(b) Data Protection Authority
For the purposes of compliance with the GDPR, GF has selected the United Kingdom Information Commissioner’s Office (“ICO”) as its Supervisory Authority.
1.4 Applicable law being implemented by the BCRs
The BCRs implement the obligations created by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”).
GF is committed to interpret the terms of the BCRs according to the GDPR and relevant guidance from the European Commission and the ICO.
ARTICLE 2: DEFINITIONS
“Consent” of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Data Protection Officer” means the person appointed by GF to oversee the observance of applicable data laws by Staff (including Processors), and to oversee the implementation of GF’s data compliance policies.
“Data Subject” means an identified or identifiable natural person.
“European Economic Area” means the area of the 28 European Union Member States and Iceland, Liechtenstein and Norway where the European Economic Area treaty of 1 January 1994 applies.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation”), as such may be amended or modified.
“Personal Data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
“Sensitive Personal Data” means Personal Data that reveals a Data Subject’s racial or ethnic origin; political opinions or membership of political parties or organisations; religious or philosophical beliefs; membership of a professional or trade organisation or union; physical or mental health or condition, including disabilities; sexual orientation; criminal record; or social security numbers issued by state or public authorities.
“Staff” means all GF employees (including consultants, and temporary or permanent staff) as of the Effective Date, who Process Personal Data as part of their duties or responsibilities using GF data systems or working primarily from GF premises.
“Third Party” means a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorised to Process Personal Data.
ARTICLE 3: DATA SECURITY
3.1 Staff shall take appropriate, commercially reasonable measures to protect Personal Data from misuse or accidental, unlawful or unauthorised destruction, erasure, loss, alteration, modification, disclosure, acquisition or access.
(a) Staff access
Staff shall have access to Personal Data only to the extent necessary to serve the applicable business purpose and to perform their tasks.
Staff who have access to Personal Data shall meet their confidentiality obligations as specified by their contract and by GF staff guidelines and policies.
ARTICLE 4: DATA QUALITY AND PROPORTIONALITY
4.1 Processing of Personal Data shall be restricted to data that is reasonably adequate for and relevant to the applicable Legitimate Purpose. It should be accurate, complete and kept up-to-date to the extent reasonably necessary for the applicable Legitimate Purpose.
GF shall take reasonable steps to securely delete or destroy Personal Data that is not required for the applicable Legitimate Purpose.
4.2 Personal Data shall be held only:
(b) For as long as necessary to serve the applicable Legitimate Purpose;
(c) For as long as necessary to comply with an applicable legal requirement; or
(d) For as long as necessary in light of any applicable statute of limitations.
4.3 Promptly after the relevant retention period has ended, the Personal Data shall be treated in one of the following alternative ways:
(a) It shall be securely deleted or destroyed; or
(b) It shall be pseudonymised; or
(c) It shall be transferred to an Archive (unless this is prohibited by applicable local law or an applicable GF records retention schedule).
4.4 The Data Subject shall be required to inform GF if Personal Data they have provided are inaccurate, incomplete or outdated, and GF shall rectify the data in accordance with Article 10.
ARTICLE 5: AUTHORISED PURPOSES FOR PROCESSING PERSONAL DATA
5.1 Personal Data shall be collected, used, transferred or otherwise Processed for one or more of the following purposes:
(a) GF business purposes; or
(b) GF management purposes.
5.2 GF Business Purposes
Compliant purposes for the Processing of Personal Data necessary for GF Business purposes include:
(a) The conclusion and execution of agreements with customers, suppliers and business partners (including providing customer services and purchasing goods and/or services);
(b) Recording and financially settling the delivery of services, products and materials to and from GF;
(c) Conducting marketing activities and promotions;
(d) Finance and accounting management;
(e) Research and development;
(f) Internal management and control;
(g) Fulfilling obligations under laws and regulations, including conducting relations with government and regulatory agencies; and
(h) Transactions involving alliances, ventures, mergers, acquisitions, and divestitures.
5.3 GF Management Purposes
Compliant purposes for the Processing of Personal Data necessary for GF management purposes include:
(a) Internal management, such as Processing necessary for managing company assets, conducting internal audits and investigations, and implementing business controls;
(b) Internal management, such as Processing necessary for implementing GF health, safety and security policy, including the protection of GF and GF Staff assets; authenticating customers, suppliers or business partners for status and access rights;
(c) Internal management, such as Processing necessary for complying with legal obligations; and
(d) Internal management, such as Processing necessary to protect the vital interests of the Data Subject or of another natural person.
5.4 GF shall ensure that whenever Personal Data is Processed, at least one of the following applies:
(a) The Data Subject has given Consent to the processing of his or her personal data for one or more specific purposes;
(b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) Processing is necessary for compliance with a legal obligation to which GF is subject;
(d) Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
(e) Processing is necessary for the purposes of the legitimate interests pursued by GF, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
5.5 Denial or Withdrawal of Consent
A Data Subject may deny or withdraw Consent at any time. Accordingly, Processing by GF will be discontinued unless GF has taken action that relies on Consent that has previously been given.
If the Data Subject unsubscribes/withdraws consent, GF shall discontinue Processing as soon as is reasonably practical.
ARTICLE 6: LEGAL BASIS FOR PROCESSING OF SENSITIVE PERSONAL DATA
6.1 GF shall Process Sensitive Personal Data only to the extent necessary to serve a legitimate purpose as permitted under applicable law.
6.2 In situations where Sensitive Data is Processed based on a legal requirement other than the local law applicable to the Processing, or based on the consent of the Data Subject, Processing will only occur either: (i) after obtaining the prior approval of the Data Protection Officer; or (ii) under a privacy sub-policy governing the Processing.
6.3 Sensitive Data may be Processed under one or more of the following circumstances:
(a) Where the Data Subject has expressly consented to the Processing, including “opt-ins”;
(b) When providing services to the Data Subject providing the Sensitive Personal Data;
(c) Where the Data Subject providing the Sensitive Personal Data is voluntarily participating in a research project or service/product test;
(d) With regard to racial or ethnic data, GF may process photos and video images where this is necessary to safeguard GF’s or Staff’s assets, for site access and security reasons, and for the authentication of, inter alia, customer, supplier or business partner status and access rights;
(e) With regard to genetic or biological data, where this is necessary to safeguard GF’s or Staff’s assets, for site access and security reasons, and for the authentication of, inter alia, customer, supplier or business partner status and access rights;
(f) To prevent, detect or prosecute (including cooperating with public authorities) suspected fraud, breaches of contract, violations of law, or other breaches of the terms of access to GF sites or assets;
(g) To establish, exercise or defend a legal claim;
(h) To protect the vital interests of the Data Subject or of another natural person, but only where it is impossible or impractical to obtain the relevant Consent first (such as an accident requiring urgent action);
(i) Where this is required or necessary to comply with applicable law;
(j) Sensitive Data may only be processed for Secondary Purposes under the conditions set out in Article 7.
ARTICLE 7: LEGAL BASIS FOR PROCESSING FOR PURPOSES OTHER THAN THE ORIGINAL PURPOSE
7.1 GF shall generally only Process Personal Data for the purposes for which they were originally collected (“Original Purpose”).
7.2 Such data may be Processed for a purpose other than the Original Purpose (“Secondary Purpose”) where the Original and Secondary Purposes are closely linked.
7.3 The provisions of this Article apply to the Processing of Sensitive Data for a Secondary Purpose.
7.4 In Processing data for a Secondary Purpose, GF shall conduct an impact assessment of the potential for harm to the Data Subject as a result of the Processing for a closely-linked Secondary Purpose, which shall assess the need for:
(a) Limiting access to the Personal Data;
(b) Implementing additional confidentiality and security measures;
(c) Informing the Data Subject about the Secondary Purpose, including providing an opt-out opportunity; and
(d) Obtaining the Data Subject’s Consent.
7.5 Permitted reasons for Processing Personal Data for Secondary Purposes, subject to clearance by the Data Protection Officer, are:
(a) Conducting internal audits or investigations;
(b) Implementing GF’s business policy;
(c) Conducting statistical, historical or scientific research;
(d) Dispute resolution management and using legal or business consulting services;
(e) Insurance management; or
ARTICLE 8: REASONABLE USE, EXTENT AND RETENTION OF PERSONAL DATA
8.1 GF shall limit the Processing of Personal Data to such data as is reasonably suitable for and relevant to the applicable legitimate purpose.
8.2 GF shall retain Personal Data only:
(a) For the period required to address the applicable lawful purpose;
(b) To the extent reasonably necessary to comply with an applicable legal obligation or requirement;
(c) For as long as advisable in light of an applicable statute of limitations; and
(d) Without prejudice to the above, GF may specify a time period for which certain categories of Personal Data will be kept (in a GF notice or GF records retention protocol).
8.3 GF shall take reasonable technical and physical steps to safely and securely delete or destroy Personal Data that is not required or no longer required for the applicable lawful purpose.
ARTICLE 9: DIRECT MARKETING
9.1 Direct marketing shall be performed by GF only with the consent of the targeted individual.
9.2 For the purpose of addressing direct marketing communications to existing or prospective customers, GF shall do the following:
(a) Obtain the prior affirmative consent of the targeted individual (to the extent that this is required by law);
(b) Offer the individual the opportunity to choose not to receive such communications; and
(c) In every subsequent direct marketing communication that is made to such individuals, offer the opportunity to opt-out of further marketing communication.
9.3 GF shall respect objections to marketing and, if the targeted individual objects to receiving marketing communications from GF or withdraws consent to receive such communications, GF shall cease sending further marketing materials as specifically requested by the individual and shall delete the individual’s Personal Data from its marketing database (save under the conditions set out in Article 8).
9.4 In appropriate circumstances GF shall explain to the Data Subject the consequences of any decision by the Data Subject to withdraw from a GF scheme, e.g. FalconFlyer. This should include information on the consequences of discontinuing membership or participation in a GF scheme, or on the Passenger’s entitlement to benefits and similar rewards.
ARTICLE 10: INFORMATION TO THE INDIVIDUAL WHOSE PERSONAL DATA IS COLLECTED AND PROCESSED AND RESPECT OF THE RIGHTS OF DATA SUBJECTS
10.1 GF shall inform Data Subjects whose Personal Data is collected and processed by publishing a Privacy Notice which shall explain and provide information on:
10.2 The Legitimate Purposes for which Personal Data is Processed shall be communicated to the Data Subject, including the following information:
(a) The GF entity responsible for the Processing of the Processed Personal Data.
(b) Information concerning the nature and categories of the Processed Personal Data, the categories of Third Parties to which the Personal Data are disclosed (if any), and on how the Data Subject who provides Personal Data can exercise rights under applicable laws.
(c) Where reasonably available, the source, type, purpose and categories of recipients of the relevant Personal Data.
(d) The Data Subject’s rights to access, rectify, delete or block access to the Personal Data provided and how such rights may be exercised (e.g. by contacting the Data Protection Officer or an appropriate page on the GF website).
(e) The Data Subject’s right to object to the Processing of the Personal Data provided on the basis of compelling grounds related to the individual’s situation and how such a right may be exercised (e.g. by contacting the Data Protection Officer or an appropriate page on the GF website).
(f) The above requirements may be dispensed with, under authorisation from the Data Protection Officer, where: (i) it is impossible to inform the individual; (ii) where this would involve a disproportionate effort; or (iii) the provision of such information would result in disproportionate cost.
10.3 Exercise of Rights under Articles 5 and 6
(a) The Data Subject exercising the rights referred to in Articles 5 and 6 may be requested to show proof of identity. In the case of a request to rectify, delete, or block, the Data Subject should be requested to specify the reasons why the Personal Data are incorrect, incomplete or not Processed in accordance with applicable law or the BCRs. In all cases, the Data Subject should be requested to specify the type of Personal Data in question and the circumstances under which GF obtained the Personal Data.
(b) The Data Protection Officer shall respond to the Data Subject making requests under 5 and 6 above within one month. The Data Protection Officer shall inform the Data Subject in writing either: (i) of GF’s position with regard to the request or the objection and any action GF has taken or will take in response to the request; or (ii) the ultimate date on which the Data Protection Officer will inform the Data Subject of GF’s position, which date shall be no later than two months thereafter.
10.4 Rights of Complaint
(a) A Data Subject making requests under this Article shall be given the opportunity to file a complaint in accordance with Article 19 if:
(i) The response to the request or the objection is unsatisfactory to the Data Subject; or
(ii) The Data Subject has not received a response as required.
(b) A Data Subject’s request or objection may be denied by GF, under the guidance of the Data Protection Officer, if:
(i) The request or objection does not meet the requirements of the BCRs, in particular Article 7;
(ii) The request or objection is not sufficiently precise or specific, or is not supported by evidence;
(iii) The request or objection is made within an unreasonable time interval of a prior request or objection or otherwise; or
(iv) The request or objection is reasonably considered to be an abuse of rights, for instance because of its repetitive character or the unreasonable interval since a previous request or objection.
ARTICLE 11: AUTOMATED INDIVIDUAL DECISIONS
GF may use automated tools to make decisions about Data Subjects but decisions shall not be based solely on the results provided by this process.
11.1 This restriction does not apply if:
(a) The use of automated tools is required or authorized by law;
(b) The decision is made by GF to enter into or perform a contract, provided that the request leading to a decision by GF was made by the Data Subject; or
(c) Appropriate measures have been taken to safeguard the legitimate interests of the Data Subject (for example, the Data Subject has provided or been given an opportunity to express a view).
ARTICLE 12: SECURITY AND CONFIDENTIALITY
12.1 Appropriate and commercially reasonable technical, physical and organisational measures shall be taken by GF to protect Personal Data from its misuse or accidental, unlawful or unauthorised destruction, loss, alteration, disclosure, acquisition or access.
12.2 Staff shall be authorised to access Personal Data only to the extent necessary to serve the applicable legitimate purpose and to perform their tasks as GF employees. Such GF staff shall be subject to appropriate confidentiality obligations as specified by contract and GF policies.
ARTICLE 14: RESTRICTIONS ON TRANSFERS AND ONWARD TRANSFERS TO EXTERNAL PROCESSORS AND CONTROLLERS
13.1 When transferring Personal Data to external processors, a distinction shall be made between:
(a) Third Party Data Processors, namely parties that Process Personal Data solely on behalf of GF and under GF direction (e.g. Third Parties that Process passenger registration data on behalf of GF); and
(b) Third Party Data Controllers, namely Third Parties that Process Personal Data and determine the purposes and methods of the Processing (e.g. GF business partners that provide their own goods or services to Customers).
13.2 GF shall transfer Personal Data to a Third Party only to the extent necessary to serve the legitimate purpose for which the Personal Data is Processed (including processing for Secondary Purposes or for purposes for which the Data Subject has provided consent in accordance with Article 5).
13.3 GF shall ensure that Third Party Data Controllers (other than public authorities) can Process Personal Data obtained in connection with their relationship with GF only if such Third Party Data Controllers have a written contract with GF.
13.4 GF shall ensure that the data privacy rights of Data Subjects concerned by such Processing are protected contractually.
13.5 The transfer of business contact information may be made to a Third Party Data Controller without a contract if GF takes reasonable steps to ensure that such information will be used by the Third Party Data Controller to contact the Data Subject for legitimate business purposes related to that same Data Subject’s business or interests.
13.6 GF shall not transfer, sell, lease, or offer for hire Business Contact Information in bulk to a Third Party Data Controller without consent except as permitted or required under applicable law and to the extent such transfer, sale, lease, or rent serves a Business Purpose (per Article 5.1).
13.7 Third Party Data Processor Contracts
Third Party Data Processors may Process Personal Data only if the Third Party Data Processor has a written contract with GF which includes terms and conditions addressing the following:
(a) The Third Party Data Processor shall Process Personal Data only in accordance with GF’s instructions and for the purposes authorised by GF;
(b) The Third Party Data Processor shall keep the Personal Data confidential;
(c) The Third Party Data Processor shall take appropriate technical, physical, administrative and organisational security measures to protect the Personal Data;
(d) The Third Party Data Processor shall not permit subcontractors to Process Personal Data in connection with its obligations to GF without the prior written consent of GF;
(e) GF shall have the right to review the security measures taken by the Third Party Data Processor, and the Third Party Data Processor shall be required to submit its relevant data processing facilities to audits and inspections by GF or any relevant government authority; and
(f) The Third Party Data Processor shall promptly inform GF of any incident involving Personal Data, including hacking or data breaches concerning the obligations set out by the GDPR.
13.8 Transfers to Territories without an EU Adequacy Decision or Data Treaty
Transfers of Personal Data to a Third Party located in a country that is not considered by the European Commission to provide an ‘adequate level of protection’ for Personal Data under Chapter V of the GDPR (“Non-Adequate territory”) shall only be made if the following conditions are satisfied:
(a) A contract has been concluded between GF and the relevant Third Party that provides for safeguards at a similar level of protection as that provided by the BCRs;
(b) The contract shall conform to any model contract required under applicable local law (if any, including those covered by guidance from the European Data Protection Board or the ICO);
(c) The Third Party has been certified under the EU-US Privacy Shield as such treaty may be modified or succeeded by EU-US data treaties or any other similar scheme or treaty that is recognised as providing an ‘adequate’ level of data protection for GDPR purposes;
(d) The Third Party has established binding corporate rules or a similar transfer control mechanism which provide adequate safeguards as required under applicable law and these have been deemed GDPR compliant by competent authorities;
(e) The transfer is necessary for the performance of a contract with the customer, supplier or business partner or to take necessary steps at the request of the customer, supplier or business partner prior to entering into a contract;
(f) The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between GF and a Third Party;
(g) The transfer is necessary to protect a vital interest of the Data Subject or of another natural person (for example, dealing with an emergency);
(h) The transfer is necessary for the establishment, exercise or defence of a legal claim;
(i) The transfer is required by any law to which the relevant GF entity is subject; or
(j) The individual has consented to such transfer.
13.9 Non-Adequate Territory Consent for Transfer
When seeking consent pursuant to Article 14.8(j), GF shall provide the Data Subject with the following information:
(a) The purpose of the transfer;
(b) The identity of the transferring GF entity;
(c) The identity or categories of Third Parties to which the Personal Data will be transferred;
(d) The categories of Personal Data that will be transferred;
(e) The country to which the Personal Data will be transferred; and
(f) The fact that the Personal Data will be transferred to a Non-Adequate territory.
13.10 Transfers between Non-Adequate Territories
Personal Data collected by GF in the EEA and transferred to a Third Party located in a Non-Adequate territory may in turn be transferred to a second Third Party located in that same or another Non-Adequate territory only if the following conditions are met:
(a) The transfer must be necessary for compliance with a legal obligation to which the relevant GF entity is subject;
(b) The transfer must be necessary to serve the public interest; or
(c) The transfer must be necessary to satisfy a legitimate purpose of GF (per Article 5).
ARTICLE 15: TRAINING PROGRAMME
GF shall provide training on the BCRs and other data privacy and data security obligations and best practices to staff who have access to Personal Data or who have responsibilities concerning the management of Personal Data.
ARTICLE 16: AUDIT PROGRAMME
GF shall bear responsibility for auditing all GF entities’ business processes and procedures involving the Processing of Personal Data to assess their compliance with the BCRs:
(a) Such an audit shall be carried out on a regular basis by the internal GF audit team or an accredited external audit team or on the specific request of the Data Protection Officer.
(b) Such audits shall be performed up to appropriate professional standards of independence, integrity and confidentiality.
(c) The Data Protection Officer shall be informed of the results of the audits and a report submitted to GF senior management.
(d) GF shall ensure that adequate steps are taken to address any shortcomings or breaches of the BCRs identified during the monitoring or auditing of compliance pursuant to this Article.
(e) A copy of the audit results shall be provided to the ICO upon request, which may in turn carry out a data protection audit if required.
ARTICLE 17: COMPLIANCE AND SUPERVISION OF COMPLIANCE, APPOINTMENT OF A DATA PROTECTION OFFICER
16.1 GF shall appoint a Data Protection Officer who is responsible for:
(a) Supervising compliance with the BCRs;
(b) Providing advice on the implementation of the BCRs and interpretation of GDPR obligations, including coordination with the General Counsel, and advice to the GF Board and senior management;
(c) Organising GF’s response to investigations or inquiries into the Processing of Personal Data by public authorities including the ICO;
(d) Presenting annual reports on compliance with GDPR obligations. Appropriate professional standards of independence, integrity and confidentiality shall be maintained when conducting GF internal compliance reviews;
(e) Supervising GF’s response to any Data Requests or complaints about GF’s compliance with GDPR obligations;
(f) Supervising GF’s response to any issues of compliance, including privacy issues and breaches of GDPR obligations (if these occur); and
(g) GF shall wherever appropriate ensure that adequate steps are taken to address breaches of the BCRs identified during the monitoring or auditing of compliance.
16.2 Sanctions for Non-Compliance
Non-compliance with the BCRs may result in disciplinary action and sanctions including termination of employment.
ARTICLE 18: ACTIONS IN CASE OF NATIONAL LEGISLATION PREVENTING RESPECT OF THE BCRs
17.1 Conflicts of Law when Transferring Personal Data
In a situation where a legal requirement to transfer Personal Data conflicts with the national laws of EEA Member States or other countries with legal requirements regarding cross-border data transfer, any relevant Personal Data transfer shall be authorised in advance by the Data Protection Officer. Where appropriate, guidance shall be requested from the ICO or other competent public authority.
17.2 Conflicts between the BCRs and Local Law
(a) In a situation where there is a conflict between an applicable local law and the BCRs, GF staff must consult with the Data Protection Officer. Appropriate legal advice from local counsel shall be obtained. Where appropriate, guidance shall be requested from the ICO or other competent public authority.
(b) Where local law, including the GDPR and other EU legislation, requires a higher level of protection for personal data it will take precedence over the BCRs.
(c) In all cases, Personal Data shall be processed by GF in accordance with the GDPR, any other applicable law or relevant local legislation.
ARTICLE 19: INTERNAL COMPLAINT MECHANISMS
18.1 Data Subjects shall be entitled to submit a complaint regarding compliance with the BCRs:
(b) With the Data Protection Officer, who shall conduct an investigation of the complaint and, where necessary, advise GF regarding appropriate compliance measures, monitoring such steps until their completion. The Data Protection Officer shall consult with the ICO if appropriate on the measures to be taken.
18.2 Within two (2) weeks of GF receiving a complaint, the Data Protection Officer shall inform the complainant in writing either:
(a) GF’s response with regard to the complaint and any action GF has taken or proposes to take in response; or
(b) The ultimate date on which the complainant will be informed of GF’s position, which date shall be no later than a further two (2) weeks thereafter.
18.3 Admissibility of Complaints
Complaints shall only be admissible if the complainant has followed the procedure set out in the BCRs. Any complaints of an individual concerning any right the individual may have under the BCRs shall be directed to GF only and shall exclusively be brought before the ICO in the UK (except in case of jurisdiction of a Data Protection Authority of one of the EEA countries) or the competent court in England and Wales.
18.4 Entitlement to Remedies for Breaches
Under the BCRs, Data Subjects or other natural persons shall only be entitled to remedies available to them under the UK Data Protection Act as such may be amended or replaced from time to time, English Common Law and English Civil Procedure Rules, which shall include the right to damages. However, GF shall be liable only for direct damages suffered by an individual resulting from a violation of the BCRs.
19 ARTICLE 20: LIABILITY OF GF AND THIRD PARTY BENEFICIARY RIGHTS
19.1 GF entities and Staff shall comply with the BCRs:
(a) The BCRs are binding obligations and failure to follow them may result in employee disciplinary action, including termination and other penalties as provided by law.
(b) The Data Protection Officer shall investigate claims of non-compliance to determine if a violation of the BCRs has occurred. If a violation is confirmed, the Data Protection Officer and the relevant concerned GF entity shall work together to address and resolve the violation within a commercially reasonable time.
19.2 GF customers, contractors and employees shall have the right to claim enforcement of the BCRs or liability as third party beneficiaries as set out in the BCRs in respect of:
(a) Application of laws;
(b) Principles for processing Personal Data;
(c) Security, confidentiality;
(e) Transfers of Personal Data;
(f) Direct marketing;
(g) Complaint handling processes;
(h) Liability and third party rights; and
(i) Obligations towards Data Protection Authorities.
GF customers, contractors and employees shall have the right to claim appropriate compensation from GF before the ICO or courts in accordance with the BCRs and applicable law. The enforcement rights and mechanisms described in this Article are in addition to other remedies or rights available under applicable law.
20 ARTICLE 21: OBLIGATIONS TOWARDS DATA PROTECTION AUTHORITIES
20.1 Obligations towards the ICO
(a) GF entities shall respond diligently and appropriately to requests from the ICO about the BCRs and their compliance with privacy laws and regulations.
(b) If any member of Staff receives such a request from the ICO, he or she should immediately inform the Data Protection Officer, who shall reply to the ICO.
(c) With regard to transfers of Personal Data between GF entities, the importing and exporting GF entities shall cooperate with inquiries and accept audits from the ICO, and respect decisions, consistent with applicable law and due process rights.
20.2 Mutual Assistance and Cooperation with Data Protection Authorities
(a) GF entities shall cooperate and assist each other when responding to a request or complaint from an individual or an investigation or inquiry by the ICO or other relevant data authority.
(b) GF entities shall abide by the advice of the ICO on any issues regarding the interpretation of the BCRs.
21 ARTICLE 22: UPDATES OF THE BCRs
21.1 The BCRs shall only be amended after consultation with the Data Protection Officer. Where applicable, the Data Protection Officer shall obtain the authorisation of the ICO for any relevant changes to the BCRs.
21.2 No transfer of data shall be made to a GF office or division or Staff until the transfer is appropriately covered by the BCRs and the related compliance measures are in operation.
21.3 Any amendment shall only enter into force after it has been approved by the Data Protection Officer and published on the GF website.
21.4 The Data Protection Officer shall be responsible for informing the ICO of significant changes to the BCRs on an annual basis. The Data Protection Officer shall inform the GF Board of the advice, guidance or response of the ICO, if any.
21.5 Any request, complaint or claim involving the BCRs shall be determined by reference to the version of the BCRs that is in force at the time the request, complaint or claim is made.