Privacy Policy

Johnlobb.com privacy policy and protection of personal data - October 2013

JOHN LOBB has created this privacy policy ("Privacy Policy") in order to communicate its policies and practices relating to the collection, use and disclosure of information obtained on the Johnlobb.com website.

Please read this Privacy Policy carefully. JOHN LOBB may change or update this Privacy Policy periodically; see "Changes and Updates to Privacy Policy." You can view the most current version of the Privacy Policy at any time by visiting this section or by contacting our Customer Services Department.

If you decide to purchase John Lobb products on the Johnlobb.com website, you consent to the collection, the use and the disclosure of your information, including personal and financial information, on the terms described in this Privacy Policy. If you do not agree with the terms of this Privacy Policy, or any modifications thereto, please exit the Johnlobb.com website now and do not purchase any of the John Lobb products offered for sale on the website.

What information is collected on Johnlobb.com?

You may use the Johnlobb.com website without providing any personal information to JOHN LOBB. You will, however, need to provide certain information, including:

- Your e-mail address if you wish to receive information from JOHN LOBB by e-mail,

- Your name, address and telephone number, as well as certain financial information (such as your debit or credit card number), if you choose to purchase products offered on the Johnlobb.com website; this information is used to take payment for the products you ordered, to process your order and to fulfil any legal, administrative, accounting and/or fiscal requirements linked to your order.

Any information you provide on the Johnlobb.com website may be processed in France and will be stored on John Lobb’s server in France.

Your personal information is kept for ten (10) years in relation to any purchase made, pursuant to the articles of the French “Code de Commerce”. However, your credit and/or debit card information collected in order to facilitate refunds by JOHN LOBB in the event of a withdrawal shall be deleted from our system within fifteen (15) days from delivery to you of your ordered product(s).

In addition, you may at any time request deletion of your personal information by sending an e-mail to JOHN LOBB as soon as your order has been processed and delivered (see "Changes and access to your personal information"). JOHN LOBB may collect non-personal information about you even if you do not purchase any products on the Johnlobb.com website; see "Cookies."

Receiving information

With your prior and explicit consent only, JOHN LOBB also provides you with the opportunity to receive information which may be of interest to you, including information relating to JOHN LOBB and new products offered on the Johnlobb.com website. If you no longer wish to receive such information by e-mail, you may, at any time, choose not to receive further communications by contacting our Customer Services Department.

What use is made of the information you provide on Johnlobb.com?

JOHN LOBB may also disclose the information you provide on the Johnlobb.com website to third parties such as service providers who perform services for the Johnlobb.com website. To verify your information, authenticate payments and process orders, JOHN LOBB may disclose certain financial and other information you provide to JOHN LOBB to third parties that provide credit reporting, payment or order fulfillment services.

JOHN LOBB may disclose your information if we reasonably believe that such disclosure is necessary to comply with applicable laws, a subpoena or other legal process. For example, JOHN LOBB may disclose such information as is necessary to identify, contact or bring legal action against a person or entity who may be violating the Johnlobb.com Terms and Conditions, or who may be causing injury to, or interfering with, other users of the Johnlobb.com website. In the event that JOHN LOBB, or all or part of its assets, is acquired by a third party, the Johnlobb.com customer list may be included in the transferred assets.

Please be aware that JOHN LOBB will use all reasonable efforts to ensure the safeguarding, security and confidentiality of all collected personal information in such transfers.

Cookies

JOHN LOBB reserves the right to use cookies and similar devices strictly necessary to facilitate your navigation and performance on the Johnlobb.com website and to customize the information that appears on the website. JOHN LOBB collects this information in order to monitor usage of the Johnlobb.com website and to improve aspects of the website.

Most browsers accept cookies automatically, but can also be configured not to do so or to indicate when a cookie is being sent. If you disable your browser from accepting cookies, it will prevent you from moving freely from page to page and from taking full advantage of all of the features of the Johnlobb.com website.

Links

The Johnlobb.com website may contain links to other third party websites. JOHN LOBB has no control over the content, policies or actions of these websites. The use of any information you may provide to third parties on other websites, or which such parties may otherwise collect on other websites, is not governed by this Privacy Policy and Protection of Personal Data. You should carefully review the privacy policies and protection of personal data of any third party websites and contact the operators of those websites if you have any questions about their use of your information. JOHN LOBB shall not be responsible for any third party, its affiliates or agents, failing to use your personal information in accordance with such third party's privacy policy and/or practices, or with any contractual or other legal obligations to which such third party, its affiliates or agents, may be subject.

Security

JOHN LOBB has implemented security measures to protect the personal information you provide to us against unauthorized access and use. All financial information you provide on the Johnlobb.com website is stored on a secure site operated by JOHN LOBB’s financial institution. Transactions conducted on the Johnlobb.com website are protected by SSL encryption. Please be aware, however, that no data transmission over the Internet is 100% secure and any information disclosed online can potentially be collected and used by persons other than the intended recipient.

Changes and updates to Privacy Policy

By using the Johnlobb.com website, you consent to the collection, use and disclosure of your personal information as described in this Privacy Policy. This Privacy Policy reflects John Lobb's current business practices, and is subject to changes and updates. In the event of any changes or updates, a revised policy will be posted online on the Johnlobb.com website, with the date of the last update noted at the bottom of the page. Please check the Johnlobb.com website periodically to remain informed of any changes or updates to JOHN LOBB’s privacy policies and practices. If you allow JOHN LOBB to retain the personal information you provide to us on the Johnlobb.com website in its customer database and JOHN LOBB intends to disclose that information to third parties or affiliates in a manner that is not already outlined in this Privacy Policy, JOHN LOBB will notify you as soon as possible by e-mail and provide you with an opportunity to refuse any further use or disclosure of your personal information.

Changes and access to your personal information

You may, at any time, ask JOHN LOBB for access to, or to correct, update or delete, information you have provided to JOHN LOBB for the Johnlobb.com customer database, by contacting our Customer Services Department. If applicable, you should ensure that you provide JOHN LOBB with any updates and changes to your personal information, including any changes to your postal or e-mail address, so as to ensure that your orders are shipped to the correct address and to enable us to contact you about your order if necessary. JOHN LOBB may also retain, for archival purposes, copies of communications with users of the Johnlobb.com website and any response to questions or comments sent to users by our Customer Services Department.

Contact us

If you have any questions or comments about the JOHN LOBB privacy policies and practices, please feel free to contact our Customer Services Department by e-mail.


BINDING CORPORATE RULES (BCRs)

Binding Corporate Rules (BCRs),
for intra-group transfers of personal data to non-EEA countries
January 2015

TABLE OF CONTENTS

1.    INTRODUCTION

2.    DEFINITIONS AND DATA PROTECTION PRINCIPLES

2.1.  DEFINITIONS

2.2.  DATA PROTECTION PRINCIPLES

3.    SCOPE OF THE BCRs

3.1.  GEOGRAPHICAL SCOPE

3.2.  MATERIAL SCOPE

4.    EFFECTIVENESS OF THE BCRs

4.1.  TRANSPARENCY AND INFORMATION RIGHT

4.2.  RIGHTS OF ACCESS, RECTIFICATION, ERASURE AND BLOCKING OF DATA

4.3.  AUTOMATED INDIVIDUAL DECISIONS

4.4.  INTERNAL COMPLAINT MECHANISM

4.5.  SECURITY AND CONFIDENTIALITY / RELATIONSHIPS WITH PROCESSORS THAT ARE MEMBERS OF THE GROUP

4.6.  TRAINING PROGRAMS

4.7.  AUDIT PROGRAMME

5.    BINDINGNESS OF THE BCRs

5.1.  COMPLIANCE AND SUPERVISION OF COMPLIANCE

5.2.  THIRD PARTY BENEFICIARY RIGHTS

5.3.  LIABILITY

5.4.  JURISDICTION

5.5.  SANCTIONS

5.6.  MUTUAL ASSISTANCE AND COOPERATION WITH DATA PROTECTION AUTHORITIES

6.    FINAL PROVISIONS

6.1.  RELATIONSHIP BETWEEN NATIONAL LAWS AND THE BCRs

6.2.  RESTRICTIONS ON TRANSFERS AND ONWARD TRANSFERS TO EXTERNAL PROCESSORS AND CONTROLLERS

6.3.  ACTIONS IN CASE OF NATIONAL LEGISLATION PREVENTING RESPECT OF BCRs

6.4.  UPDATES OF THE BCRs

6.5.  DEROGATIONS OF ARTICLE 26 EU DIRECTIVE 95/46

6.6.  APPLICABLE LAW / JURISDICTION / TERMINATION / INTERPRETATION OF TERMS

1.       INTRODUCTION

HERMES GROUP is committed to ensuring the highest possible level of customer care and to constantly improving the quality of its service to clients as well as customer trust. In this context, customers’ right to privacy is a prime consideration for HERMES GROUP.

Under the provisions of the European Union Directive 95/46, any transfer of personal data outside the European Economic Area (EEA) shall be framed by specific safeguards, with a view to making the use of personal data compliant with European Data Protection Principles. Thus, the adoption and implementation of Binding Corporate Rules (BCRs) within the HERMES GROUP aim to regulate intra-group transfers of customers’ data outside the European Economic Area (EEA), in accordance with the provisions of the 95/46 and 2002/58 EU Directives.

Beyond this, HERMES GROUP and its employees are responsible for protecting and respecting the personal information to which they have access. Therefore, we believe that our BCRs are an essential tool to effectively manage this important responsibility and to spread and share our privacy culture within the Group.

With regard to the scope of our BCRs, appropriate entities and employees of the HERMES GROUP shall comply with the following provisions, as well as with applicable local laws.

At local level, and according to the terms of our BCRs, each Local Data Controller will have to sign a BCRs agreement and shall take every necessary step to ensure compliance with the provisions of the BCRs. Compliance with these provisions and procedures will rely especially on training programs and auditing activities, on a day-to-day basis.

Because of their wide scope in terms of Privacy compliance, the use of BCRs at local level will, without any doubt, ease the management of privacy compliance and will help to ensure that local representatives take ownership of data protection.

Should a violation of the BCRs be established, any corrective measure (legal, technical or organizational) as well as any appropriate sanction (against the local Data Controller or, according to local labor law, a local employee) may be taken on the initiative of the Head Controller, the Global CRM General Manager, the Global Privacy Office, the local Data Controller or the local CRM Manager.

2.      DEFINITIONS AND DATA PROTECTION PRINCIPLES

2.1.   DEFINITIONS

The terms and expressions used in the BCRs are defined in appendix 1, provided that these terms and expressions shall always be interpreted according to the EU 95/46 and 2002/58 Directives.

2.2.   DATA PROTECTION PRINCIPLES

Within the scope of the BCRs (see paragraph 3), any transfer of personal data to a third country which does not ensure an adequate level of protection shall always comply with the following data protection principles, defined in specific paragraphs of the BCRs or in appendix 2, in accordance with the provisions of EU Directives 95/46 and 2002/58.

- Legal basis for processing personal data and sensitive personal data: personal data and sensitive personal data shall only be processed under the conditions defined in the 95/46 EU Directive.

- Purpose limitation: personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.

- Data quality and proportionality: personal data shall be processed fairly and lawfully. Personal data shall be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed. Personal data shall be accurate and, where necessary, kept up to date. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.

- Automated individual decisions: each data subject has the right not to be subject to a decision which produces legal effects concerning him and which would be based solely on automated processing of data.

- Information right: personal data shall always be collected and further processed on a transparent basis (see paragraph 4.1).

- Rights of access, rectification, erasure and blocking of data: data subjects are entitled to be told what information HERMES GROUP holds on them and to keep this information under control (see paragraph 4.2).

- Security and confidentiality: appropriate technical and organizational measures shall be implemented to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all other unlawful forms of processing (see paragraph 4.5).

3.      SCOPE OF THE BCRs

3.1.   GEOGRAPHICAL SCOPE

The BCRs shall apply to transfers of Personal Data between entities of the HERMES GROUP established throughout the world.

Appendix 3 gives a list of all HERMES GROUP entities bound by the BCRs.

3.2.   MATERIAL SCOPE

The nature and purposes of the personal data being transferred within the scope of the BCRs are detailed in appendix 4.

4.      EFFECTIVENESS OF THE BCRs

4.1.   TRANSPARENCY AND INFORMATION RIGHT

To make the data processing fair, personal data shall always be collected and further processed on a transparent basis. Thus:

1. The BCRs shall always be readily available to every data subject and therefore shall be uploaded on HERMES GROUP internet websites. A data subject shall always be able to obtain, upon request, a copy of the BCRs from the local CRM manager, the local data controller, the Global CRM General Manager or the Global Privacy Office.

2. Furthermore, specific FAQs shall be available for customers on HERMES GROUP internet websites, with a view to clarifying any question customers may have about the BCRs or any related matter, such as concerns or requests related to submitting an access request to their personal data (see paragraph 4.2) or submitting a claim (see paragraph 4.3).

3. All data processing and, when appropriate, data transfers between entities of the HERMES GROUP established throughout the world shall be associated with relevant data protection notices.

Local CRM managers, in coordination with the Global CRM General Manager and the Global Privacy Office, shall be able to provide templates of notices to every local data controller within the Group, for any purpose that requires information to be provided to the data subjects.

HERMES GROUP will provide a data subject with at least the following information, except where he already has it:

a. the identity of the controller and of his representative, if any, and, when appropriate, the place in which the Local Data Importer is based outside the EEA;

b. the purposes of the processing for which the data are intended, and, when appropriate, the purpose(s) of the transfer(s) outside the EEA;

c. any further information such as:

- the categories of data concerned;

- the recipients or categories of recipients of the data;

- whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply;

- the existence of the right of access to and the right to rectify the data concerning him.

Where, with regard to an existing data processing, a new purpose or a new category of recipient arises, the appropriate notice of information shall be modified accordingly and the data subjects shall be informed.

Where the data has not been directly obtained from the data subjects, HERMES GROUP will provide the information above at the time of undertaking the recording of personal data or, if a disclosure to a third party is envisaged, no later than the time when the data are first disclosed.

According to article 11.2 of the 95/46 EU Directive, and notwithstanding any specific provision set out in national legislations, the information requirement will exceptionally not apply where the provision of such information proves impossible or would involve a disproportionate effort, or if recording or disclosure is expressly laid down by law (see paragraph 6.3).

4.2.   RIGHTS OF ACCESS, RECTIFICATION, ERASURE AND BLOCKING OF DATA

Data subjects are entitled to be told what information HERMES GROUP holds on them and to keep this information under control. Thus:

1. Every data subject has the right to obtain from HERMES GROUP:

a. without constraint at reasonable intervals and without excessive delay or expense, and, where applicable, according to national legislations:

- confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed,

- communication to him in an intelligible form of the data undergoing processing and of any available information as to their source,

- knowledge of the logic involved in any automatic processing of data concerning him, at least in the case of the automated individual decisions referred to in paragraph 4.3.

b. as appropriate the rectification, erasure or blocking of personal data, in particular because of the incomplete or inaccurate nature of the data;

c. to object at any time on compelling legitimate grounds relating to his particular situation to the processing of data relating to him.

According to the 95/46 EU Directive, the exercise of those rights may be subject to certain limitations.

2. Every data subject shall be clearly informed, in accordance with paragraph 4.1, on how he can exercise his rights.

3. Specific guidelines and procedures shall be in place within the Group, at local level, to ensure the exercise of the rights specified above. In particular, HERMES GROUP employees who collect, process or have access to personal data shall be trained to recognize a data subject access, rectification, erasure or blocking request. Each request shall be acknowledged and handled according to the local procedure in place. A specific answer, given within a reasonable period of time, shall be systematically given to the data subject. If the request is found legitimate, HERMES GROUP shall take any necessary step to handle the matter in due time. If the request is denied, the reason for denial shall be communicated in writing to the data subject. In such a case, the data subject may follow the internal complaint mechanism specified in paragraph 4.4.

4. Local CRM managers, in coordination with the Global CRM General Manager and the Global Privacy Office, shall always be at the disposal of both local data controllers and data subjects to provide any help.

4.3.   AUTOMATED INDIVIDUAL DECISIONS

Subject to local applicable law, every data subject has the right not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, reliability, conduct, etc.

4.4.   INTERNAL COMPLAINT MECHANISM

If a data subject believes that his personal data is not processed in accordance with the BCRs or the applicable local law, he may register a claim to obtain adequate correction measures and, where appropriate, adequate compensation (see paragraphs 5.2 and 5.4). Therefore:

1. Specific guidelines and procedures shall be in place within the Group, at local level, to ensure that the complaint mechanism is consistent and that sufficient information about these procedures is provided to the data subjects. The complaints shall be dealt with by a clearly identified local department which benefits from an appropriate level of independence in the exercise of its functions (for instance the local compliance officer or the General Counsel). When a complaint is registered, it must be acknowledged and handled within a reasonable period of time (two months).

2. If the data subject or HERMES GROUP representatives fail to solve the claim at local level, the complaint handling mechanism shall allow the problem to be escalated to the Global CRM General Manager or the Global Privacy Office, which shall respond within 2 months. Each local data controller and local CRM manager shall regularly report to the Legal Global CRM General Manager and the Global Privacy Office about the complaints settled at local level, with a view to taking corrective actions and improving the guidelines and procedures implemented within the Group, where the complaints may have revealed a "gap" in terms of Privacy compliance.

3. All HERMES GROUP representatives and employees shall, at local level, make their best efforts to help the local data controller or the local CRM manager to settle a complaint (see paragraph 5.3).

Prior to referring a case to the relevant court, each party should make its best efforts to solve a claim through the internal complaint mechanism described above.

4.5.   SECURITY AND CONFIDENTIALITY / RELATIONSHIPS WITH PROCESSORS THAT ARE MEMBERS OF THE GROUP

Ensuring that personal information is appropriately protected from data breaches is a HERMES GROUP top priority. Thus:

1. Each local data controller shall implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.

Consequently, appropriate information security policies and procedures shall be designed and implemented within the Group. These security policies set up all appropriate physical and logical measures with a view to preventing or deterring accidental destruction, modification or unauthorized disclosure of or access to personal data. These policies and procedures shall be regularly audited (see paragraph 4.7).

2. Sensitive Data shall be processed with enhanced and specific security measures.

3. Access to Personal Data is limited to recipients for the sole purpose of performing their professional duties. Disciplinary sanctions may occur if a HERMES GROUP employee fails to comply with the appropriate information security policies and procedures.

Where a local data controller requests that another entity of the HERMES GROUP undertakes processing of personal data on its behalf (for a short-term period as well as for a long-term period, depending on the case), the following safeguards shall be followed:

1. Where the data processing is carried out, the local data controller shall choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures. The appointed entity of the HERMES GROUP shall undertake in writing to provide those sufficient guarantees. Local CRM Managers, in coordination with the Global CRM General Manager and the Global Privacy Office, shall be able to provide templates of the appropriate clauses to a local data controller within the Group.

2. The appointed entity of the HERMES GROUP must not process the data except on instructions from the controller, unless he is required to do so by law.

3. Upon termination of the work to be done, the appointed entity of the HERMES GROUP shall undertake to delete all the data transferred or, if any legal data retention requirement is applicable, to keep it recorded, provided that appropriate technical and organizational measures are taken to protect personal data against any unlawful form of processing.

4.6.   TRAINING PROGRAMS

Any HERMES GROUP employee who collects, processes or has access to personal data related to customers shall be provided with specific training programs in order to improve his practical skills and knowledge relating to data protection issues, especially the BCRs:

1. The BCRs and all related guidelines, procedures or policies shall be uploaded on the HERMES GROUP corporate intranet and be permanently accessible to every employee.

2. Access to the BCRs and all related guidelines, procedures or policies shall be granted to every new HERMES GROUP employee. Internal notices shall also be transmitted within the Group to raise awareness of the BCRs.

3. New employees who collect, process or have access to personal data shall be required to follow a privacy compliance training program. Furthermore, all employees who collect, process or have access to personal data shall be required to follow such a program, on a regular basis. All employees must pass a knowledge check (certification) following their completion of the training to confirm their knowledge and skills on privacy issues.

4. At local level, each data controller and/or Local CRM Manager shall feel free to enhance the privacy training programs described above by adding any appropriate training material.

5. Privacy training programs shall be reviewed and approved by experienced HERMES GROUP officers, in coordination with the local data controller, the local CRM Manager, the Global CRM General Manager and the Global Privacy Office. Procedures related to privacy training programs shall be regularly audited (see paragraph 4.7).

4.7.   AUDIT PROGRAMME

Data Protection audits shall be carried out on a regular basis (at least one audit every 3 years) by internal or external accredited audit teams to ensure that the BCRs and all related policies, procedures or guidelines are updated and applied:

1. Data Protection audits shall cover all aspects of the BCRs and all related policies, procedures or guidelines, including methods of ensuring that corrective measures will take place. However, the scope of each audit can be restricted to limited aspects of the BCRs and/or the related policies, procedures or guidelines, including methods of ensuring that corrective measures will take place.

2. Data Protection audits shall be decided directly by the Compliance Department or upon specific request of the Head Controller, a local data controller, a local CRM Manager, the Global CRM General Manager or the Global Privacy Office. Those in charge of handling an audit will always benefit from an appropriate level of independence in the exercise of their duties.

3. The results of all audits shall be communicated to the Head Controller (especially to the ultimate parent's board), and the local data controller, and/or the local CRM Manager, and/or the Global CRM General Manager, and/or the Global Privacy Office.

4. The relevant Data Protection Authorities shall receive a copy of such audit upon request. Each local data controller shall accept to be audited by a Data Protection Authority and to abide by the advice of a Data Protection Authority on any issue related to the BCRs.

5. As provided by section 3 of paragraph 5.1, Local CRM Managers, in coordination with the Global CRM General Manager and the Global Privacy Office, shall report every year to the Head Controller about all the actions and measures taken with regard to Data Protection issues (training programs, inventory of personal data processing implemented, management of complaints, etc.). Furthermore, each local CRM Manager shall take every necessary step to make sure that local data controllers comply with the provisions of the BCRs. To this end, a "BCR compliance check-list" shall be used at local level to make compliance checks.

6. The Global CRM General Manager and the Global Privacy Office shall also regularly report to the Head Controller about the implementation of the BCRs within each local Data Controller.

7. Thanks to the audit results and the reports mentioned above, the Head Controller (especially to the ultimate parent's board), and/or the Global CRM General Manager, and/or the Global Privacy Office shall decide any appropriate legal, technical or organizational measure in order to improve Data Protection management within the Group, both at global and/or local level.

5.      BINDINGNESS OF THE BCRs

5.1.   COMPLIANCE AND SUPERVISION OF COMPLIANCE

At local level, each local CRM Manager shall be responsible for the implementation of the BCRs. Thus:

1. Each entity of the HERMES GROUP shall take every necessary step to make sure that local data controllers comply with the provisions of the BCRs. To this end, a "BCR compliance check-list" shall be used at local level to make compliance checks. Data Protection audits decided by the Compliance Department, the Global CRM General Manager or the Global Privacy Office may focus on how these compliance checks are made at local level.

2. Local CRM Managers, in coordination with the Global CRM General Manager and the Global Privacy Office, shall always be at the disposal of both local data controller and data subjects to provide any help with regard to a data protection issue, especially the BCRs.

3. Local CRM Managers, in coordination with the Global CRM General Manager and the Global Privacy Office, shall report every year to the Head Controller about all the actions and measures taken with regard to Data Protection issues (training programs, inventory of personal data processing implemented, management of complaints, etc.), especially the implementation of the BCRs.

4. Each local data controller and local CRM Manager shall regularly report to the Global CRM General Manager and the Global Privacy Office about the complaints settled at local level, with a view to taking corrective actions and improving the guidelines and procedures implemented within the Group, where the complaints may have revealed a "gap" in terms of Privacy.

5. Local CRM Managers, in coordination with the Global CRM General Manager and the Global Privacy Office, shall be able to provide any appropriate templates (i.e. notices of information, clauses, etc.) to each local data controller within the Group for any purpose related to a data protection issue.

Furthermore, in terms of supervision of compliance, specific measures shall be taken to ensure the right implementation of the BCRs:

1. The Global CRM General Manager and the Global Privacy Office shall regularly report to the Head Controller about the implementation of the BCRs within each local Data Controller.

2. Data Protection audits shall be decided directly by the Compliance Department or upon specific request of a local data controller, a local CRM Manager, the Global CRM General Manager or the Global Privacy Office. The results of all audits or reports shall be communicated to the Head Controller (especially to the ultimate parent's board), and the local data controller and/or the local CRM Manager, and/or the Global CRM General Manager, and/or the Global Privacy Office.

3. On the basis of the audit results and the reports mentioned above, the Head Controller (especially the ultimate parent's board), the Global CRM General Manager, the Global Privacy Office, a local data controller or a local CRM Manager shall decide any appropriate measure in order to improve Data Protection management within the Group, at global and/or local level.

4. If a violation of the BCRs is established, any correction measure (legal, technical or organizational measure) as well as any appropriate sanction (against the local Data Controller or, according to local labor law, a local employee) may be taken on the initiative of the Head Controller, the Global CRM General Manager, the Global Privacy Office, a local Data Controller or a local CRM Manager.

5. Privacy training programs shall be reviewed and approved by HERMES GROUP senior officers, in coordination with the Global CRM General Manager, the Global Privacy Office and local CRM managers. Procedures related to privacy training programs shall be regularly audited (see paragraph 4.7).

5.2.   THIRD PARTY BENEFICIARY RIGHTS

A data subject shall have the right to enforce, as a third party beneficiary, the provisions of the BCRs related to:

  -  Purpose limitation, data quality, proportionality and legitimacy principles (see paragraph 2.2 and appendix 2)

  -  Transparency principle and easy access to BCRs (see paragraph 4.1)

  -  Rights of access, rectification, erasure and blocking of data, and the right to object to the processing (see paragraph 4.2)

  -  Rights in case automated individual decisions are taken (see paragraph 4.3)

  -  Security and confidentiality principles (see paragraph 4.5)

  -  Restrictions on onward transfers outside of the group of companies (see paragraph 6.2)

  -  National legislation preventing respect of the BCRs (see paragraph 6.3)

  -  Right to complain through the internal complaint mechanism (see paragraph 4.4)

  -  Cooperation duties with Data Protection Authority (see paragraph 5.6)

  -  Liability and jurisdiction provisions (see paragraphs 5.3 and 5.4)

5.3.   LIABILITY

Either the Local Data Importer or the Local Data Exporter shall be liable for any breach of the BCRs, under the following conditions:

1. In cases involving allegations of breach by the Local Data Importer, the data subject shall first request the Local Data Exporter to take appropriate action to enforce his rights against the Local Data Importer. If the Local Data Exporter does not take such action within a reasonable period (which under normal circumstances would be three months), the data subject may then enforce his rights against the Local Data Importer directly. A data subject shall also be entitled to proceed directly against a Local Data Exporter that has failed to use reasonable efforts to determine that the Local Data Importer is able to satisfy its obligations under the BCRs. Both Local Data Exporter and Local Data Importer shall agree to take necessary actions to remedy and to pay compensation for actual damages they may be recognized liable for. Both Local Data Exporter and Local Data Importer shall have therefore sufficient financial resources at their disposal to cover the payment of compensation for breach of the BCRs. Liability as between the parties shall be limited to actual damage suffered. Indirect or punitive damages shall be specifically excluded.

2. The burden of proof shall stay with the Local Data Exporter to demonstrate that the entity of the HERMES GROUP outside the EEA is not liable for the violation resulting in the damages claimed by the Data Subject. The Local Data Exporter shall also have the burden of proving that it took reasonable efforts to determine that the Local Data Importer is able to satisfy its obligations under the BCRs. Either the Local Data Importer or the Local Data Exporter may be exempted from any liability, in whole or in part, if it is proved that they are not responsible for the event giving rise to the damage or that the Local Data Exporter took reasonable efforts to determine that the Local Data Importer is able to satisfy its obligations under the BCRs.

3. If a violation of the BCRs is established, any correction measure (legal, technical or organizational measure) as well as any appropriate sanction (against the local Data Controller or, according to local labor law, a local employee) shall be taken on the initiative of the Head Controller, the Global CRM General Manager, the Global Privacy Office, the local Data Controller or the local CRM Manager.

5.4.   JURISDICTION

1. Each Data Subject shall have the right to take its case, at its best convenience, to the competent Data Protection Authorities or before the jurisdiction of the Local Data Exporter or before the jurisdiction of the Local Data Importer, for any breach of the BCRs.

2. According to the relevant provisions in paragraph 5.3, each Data Subject who has suffered damage shall be entitled to receive compensation (e.g. judicial remedies), provided that the internal complaint mechanism failed to settle the case (see paragraph 4.4).

3. The BCRs shall always be readily available to every data subject, in the conditions described in paragraph 4.1. Furthermore, a data subject shall always be able to obtain, upon request, a copy of the BCRs from the local CRM Manager, the local data controller, the Global CRM General Manager or the Global Privacy Office.

5.5.   SANCTIONS

Should a violation of the BCRs, either by local data controller representatives or employees, be established, any appropriate disciplinary sanction or judicial action may occur, in accordance with local labor law, on the initiative of the Head Controller, the Global CRM General Manager, the Global Privacy Office, the local Data Controller or the local CRM Manager.

Thus, each local Data Controller and local CRM Manager shall pay specific attention to any audit results (see paragraph 4.7) establishing non-compliance issues against representatives or employees, especially in case of:

  -  non-compliance with the Data Protection Principles set out in paragraph 2.2 and appendix 2;

  -  non-compliance with guidelines or procedures relating to the exercise of the rights specified in paragraphs 4.1, 4.2 and 4.4 (information, access, rectification, erasure, blocking and internal complaint rights);

  -  non-compliance with security policies designed to implement appropriate technical and organizational measures to protect personal data;

  -  non-compliance with training programs designed to raise employees' awareness of Data Protection issues.

5.6.   MUTUAL ASSISTANCE AND COOPERATION WITH DATA PROTECTION AUTHORITIES

All HERMES GROUP entities are committed to a full cooperation with the EEA data protection authorities who have competent jurisdiction. Thus:

  -  The relevant Data Protection Authorities shall receive, upon request, an updated copy of the BCRs or of all related procedures, policies or guidelines.

  -  The Local Data Controller shall reply within a reasonable period of time to any request addressed by a relevant Data Protection Authority with competent jurisdiction, including audit requests.

  -  The Local Data Controller shall apply any relevant recommendation or advice from a relevant Data Protection Authority relating to the implementation of the BCRs.

  -  The Local Data Controller shall abide by a decision of a relevant Data Protection Authority with competent jurisdiction, related to the implementation of the BCRs, against which no further appeal is possible before competent courts.

  -  The Global CRM General Manager and the Global Privacy Office shall be at the disposal of the relevant Data Protection Authorities for any matter related to the implementation of the BCRs.

Furthermore, members of HERMES GROUP shall cooperate and assist each other to handle a request or complaint from an individual (see paragraph 4.4) or inquiry by Data Protection Authorities.


6.        FINAL PROVISIONS

6.1.   RELATIONSHIP BETWEEN NATIONAL LAWS AND THE BCRs

HERMES GROUP undertakes that appropriate entities and employees of the HERMES GROUP shall comply with the provisions of the BCRs, as well as with the provisions of the 95/46 and 2002/58 EU Directives and applicable local laws, as provided by article 4 of the 95/46 EU Directive.

Where the local legislation requires a higher level of protection for personal data, it will always take precedence over the BCRs.

6.2.   RESTRICTIONS ON TRANSFERS AND ONWARD TRANSFERS TO EXTERNAL PROCESSORS AND CONTROLLERS

Where a local data controller requests that a non-HERMES GROUP entity undertakes processing of personal data, the following safeguards shall be followed:

1. External processors located inside the EEA or in a country recognised by the EU Commission as ensuring an adequate level of protection shall be bound by a written agreement stipulating that the processor shall act only on instructions from the controller and shall be responsible for the implementation of the adequate security and confidentiality measures (see paragraph 4.5). Local CRM Managers, in coordination with the Global CRM General Manager and the Global Privacy Office, shall be able to provide templates of the appropriate clauses to a local data controller within the Group.

2. All transfers of personal data to external controllers located outside the EEA must respect the European rules on transborder data flows (Articles 25-26 of the 95/46 EU Directive), for instance by making use of the EU Standard Contractual Clauses approved by EU Commission Decisions 2001/497/EC or 2004/915/EC.

3. All transfers of personal data to external processors located outside the EEA must respect the rules relating to processors (Articles 16-17 of the 95/46 EU Directive) in addition to the rules on transborder data flows (Articles 25-26 of the 95/46 EU Directive), for instance by making use of the EU Standard Contractual Clauses approved by the EU Commission on February 10, 2010 (c2010/0593).

6.3.   ACTIONS IN CASE OF NATIONAL LEGISLATION PREVENTING RESPECT OF BCRs

Should a local data controller have reason to believe that the legislation applicable to him prevents the company from fulfilling its obligations under the BCRs and has a substantial effect on the guarantees provided by the rules, he will promptly inform the Global CRM General Manager or the Global Privacy Office (except where prohibited by a law enforcement authority, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation).

Where there is a conflict between national law and the commitments in the BCRs, the local CRM Manager and the local data controller, in coordination with the Global CRM General Manager and the Global Privacy Office, shall take a responsible decision on what action to take and will consult the competent Data Protection Authorities in case of doubt.

6.4.   UPDATES OF THE BCRs

In case of, for instance, changes in laws or HERMES GROUP procedures, the terms of the BCRs may be updated on the initiative of the Head Controller, in coordination with the Global CRM General Manager and the Global Privacy Office.

Any substantial or non-substantial update of the BCRs shall be recorded and kept by the Global CRM General Manager and the Global Privacy Office. The Global CRM General Manager and the Global Privacy Office shall also keep a fully updated list of the members of the Group.

Any substantial or non-substantial update will lead to the communication, to each entity of HERMES GROUP, of an updated version of the BCRs for signature purposes.

HERMES GROUP undertakes that appropriate information will be given, once a year, to the data subjects, the appropriate local data controllers and the competent Data Protection Authorities about any substantial update.

No transfer shall be made to a new HERMES GROUP entity until this new entity is effectively bound by the BCRs and can deliver compliance.

6.5.   DEROGATIONS OF ARTICLE 26 EU DIRECTIVE 95/46

In accordance with article 26 of the 95/46 EU Directive and applicable local law, a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection may take place from a Local Data Controller on condition that:

- the data subject has given his consent unambiguously to the proposed transfer;

- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject's request;

- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party;

- the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defense of legal claims;

- the transfer is necessary in order to protect the vital interests of the data subject;

- the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.

6.6.   APPLICABLE LAW / JURISDICTION / TERMINATION / INTERPRETATION OF TERMS

The BCRs shall be adopted by the Head Controller, in coordination with the Global CRM General Manager and the Global Privacy Office.

The BCRs shall take effect on the date when each entity of the HERMES GROUP signs this BCRs agreement and, as a consequence, is legally bound. Each entity of the HERMES GROUP acknowledges that it is bound by the BCRs, from the date of signature of the BCRs agreement and without any other formality, with respect to other HERMES GROUP entities already bound or about to be bound from the date of their signature, notwithstanding the date and place of signature of a BCRs agreement by each other entity of the HERMES GROUP involved, and provided that the terms of the BCRs signed by each entity are strictly identical. Unless an entity of the HERMES GROUP is able to prove that the BCRs agreement it signed is not strictly identical to the ones signed by other entities, it expressly and irrevocably waives any challenge to the evidence that it is bound by the terms of the BCRs.

In the event that a Local Data Controller is found to be in substantial or persistent breach of the terms of the BCRs, the Head Controller may temporarily suspend the transfer of Personal Data until the breach is remedied. Should the breach not be remedied in due time, the Head Controller shall take the initiative to terminate the BCRs Agreement. In such a case, the local Data Controller shall take every necessary step in order to respect the European rules on transborder data flows (Articles 25-26 of the 95/46 EU Directive), for instance by making use of the EU Standard Contractual Clauses approved by the EU Commission.

The provisions of the BCRs shall be governed by the law of the EEA Member State in which the Local Data Exporter is located.

In accordance with paragraph 5.2 and 5.4, jurisdiction shall be attributed to the courts of the Local Data Importer or Local Data Exporter.

In case of contradiction between the BCRs and the appendixes, the BCRs shall always prevail. In case of contradiction between the BCRs and other global or local policies, procedures or guidelines, the BCRs shall always prevail. In case of contradiction or inconsistency, the terms of the BCRs shall always be interpreted and governed by the provisions of the 95/46 and 2002/58 EU Directives.

APPENDIXES

    Appendix 1 – Definitions

    Appendix 2 – Data Protection Principles

    Appendix 3 – Nature and purposes of the personal data being transferred within the scope of the BCRs


APPENDIX 1 : DEFINITIONS

The terms and expressions used in the BCRs are defined in this appendix, provided that these terms and expressions shall always be interpreted according to the EU 95/46 and 2002/58 Directives.

"Hermes Group" shall mean HERMES INTERNATIONAL itself and/or any corporate entity of the HERMES GROUP held, directly or indirectly, by HERMES INTERNATIONAL, according to article L. 233-3 of the French Commercial Code.

"Head Controller" shall mean HERMES GROUP Headquarters located in France which alone or jointly with others determines the purposes and means of the processing of personal data and which is in charge of the formal adoption of BCRs to be implemented within HERMES GROUP.

“Local Data Controller” shall mean the legal entity of the HERMES GROUP which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law.

“Local Data Exporter” shall mean the legal entity of the HERMES GROUP located within the EEA which transfers the Personal Data outside the EEA.

“Local Data Importer” shall mean the legal entity of the HERMES GROUP located outside the EEA which agrees to receive from the Local Data Exporter Personal Data for further Processing.

"Local CRM Manager" shall mean an experienced HERMES GROUP officer within a Local Data Controller who is responsible for managing business awareness and compliance with applicable data protection law and HERMES GROUP privacy policies, procedures and guidelines, especially the BCRs.

"Global CRM General Manager" shall mean the senior level manager who is responsible, within the Group at Global level, for managing business awareness and compliance with applicable data protection law and HERMES GROUP privacy policies, procedures and guidelines, especially the BCRs.

"Global Privacy Office" shall mean the department located within the Head Controller Offices which is in charge, within the Group at worldwide level, of managing business awareness and compliance with applicable data protection law and HERMES GROUP privacy policies, procedures and guidelines, especially the BCRs.

“Directive” means the European Union Directive number 95/46/EC entitled ‘Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data’.

“Personal Data” shall mean any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

"Processing of Personal Data" shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

“Processor” shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

“Recipient” shall mean a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not; however, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients.

“Sensitive Data” shall mean Personal Data revealing directly or indirectly the racial or ethnic origin, political, philosophical or religious opinions, trade union affiliation, or related to the health or sexual life of individuals.

“Third Party” shall mean any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the data.

“The Data Subject's Consent” shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.

"Applicable data protection law" shall mean the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the EEA Member State in which the Local Data Exporter is established.

"Technical and organizational security measures" shall mean measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

APPENDIX 2 : DATA PROTECTION PRINCIPLES

Within the scope of the BCRs, any transfer of personal data to a third country which does not ensure an adequate level of protection shall always comply with the following data protection principles, set out by the EU Directive 95/46.

LEGAL BASIS FOR PROCESSING PERSONAL DATA

Personal data shall be processed only if:

- the data subject has unambiguously given his consent;

- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

- processing is necessary for compliance with a legal obligation to which the controller is subject;

- processing is necessary in order to protect the vital interests of the data subject;

- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data is disclosed;

- processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data is disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection.

LEGAL BASIS FOR PROCESSING SENSITIVE DATA

Sensitive Personal data, especially personal data concerning health, shall be processed only if:

- the data subject has given his explicit consent to the processing of those sensitive data, except where the applicable laws prohibit it;

- the processing is necessary for the purposes of carrying out the obligations and specific rights of the controller in the field of employment law in so far as it is authorized by national law providing for adequate safeguards;

- the processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent;

- the processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data is not disclosed to a third party without the consent of the data subjects;

- the processing relates to sensitive data which is manifestly made public by the data subject;

- the processing of sensitive data is necessary for the establishment, exercise or defense of legal claims;

- the processing of the sensitive data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those sensitive data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.

PURPOSE LIMITATION

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards.

In accordance with the provisions of the 95/46 EU Directive, sensitive data shall only be provided with additional safeguards.

DATA QUALITY AND PROPORTIONALITY

Personal data shall be processed fairly and lawfully.

Personal data shall be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed; accurate and, where necessary, kept up to date. Every reasonable step shall be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified.

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

AUTOMATED INDIVIDUAL DECISIONS

Subject to local applicable law, every data subject has the right not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, reliability, conduct, etc.

APPENDIX 3 : NATURE AND PURPOSES OF PERSONAL DATA BEING TRANSFERRED WITHIN THE SCOPE OF THE BCRs

Purposes:

►   Customer relationship management (CRM), i.e.:

- provide and charge for goods or services purchased;

- process electronic payments;

- provide customers with a more personalized level of service;

- conduct market research, customer satisfaction and quality assurance surveys, direct marketing and sales promotions;

- respond to any request from customers (information, claims, etc.);

- organization of special events for clients;

- administer general record keeping.

Nature of the data transferred:

►  contact information (name, gender, home contact details, business title, date and place of birth, email, etc.);

►  goods or services purchased, location of the purchase, special requests made, observations about service preferences, etc.;

►  billing details (amount of sales, credit card details, etc.);

►  information provided regarding marketing preferences or in the course of participating in surveys or promotional offers.
