1.1 Purpose

This Binding Corporate Rules Policy document is designed to give data subjects a clear, concise explanation of how STAEDEAN stands by its commitments and what rights are available to data subjects under EU law.

This document complements our Privacy Notices, which provide detailed information on how we process personal data at STAEDEAN, our sources of information, how we apply EU Data Protection Laws (including the EU GDPR) to the processing of personal data, and your rights as an EU data subject and how those rights can be exercised.

1.2 Scope

This document explains what Binding Corporate Rules (BCRs) are and how they apply to personal data that STAEDEAN (“we”, “us”, “our”) processes and transfers outside of the European Union (EU).

In short, BCRs are STAEDEAN’s publicly declared commitment to ensuring that any personal data exported outside of the EU to other companies within the STAEDEAN group are afforded the same degree of protection as offered by EU Data Protection law.

1.3 Definitions

Term – Definition

Data Controller – A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes (“why”) and the means (“how”) of the processing of your personal data. If two or more data controllers jointly determine the purposes and means of the processing, they are considered joint controllers and must cooperate in a transparent manner to ensure adherence to the BCRs.

Data Processor – A natural or legal person which processes your personal data on behalf of a data controller.

Binding Corporate Rules or BCRs – The STAEDEAN Binding Corporate Rules set out in this document.

Consent – Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.

European Data Protection Laws or simply Data Protection Laws – The General Data Protection Regulation and any national data protection legislation enacted by member states of the European Economic Area in accordance with the right granted to Member States under the GDPR.

General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679, the General Data Protection Regulation, applicable as of 25 May 2018.

List of Entities – The list of STAEDEAN entities participating in the BCRs as set out in par. 2.2.1 of the BCRs.

Member State – A member state of the European Union.

STAEDEAN – STAEDEAN and its subsidiaries owned and controlled directly or indirectly, which are participating in the BCRs from time to time.

STAEDEAN Entity – A STAEDEAN entity participating in the BCRs.

Personal Data – Any information relating to an identified or identifiable natural person as defined in article 4(1) of the GDPR.

Service Level Agreement (SLA) – An agreement between a STAEDEAN entity acting as a service provider and another STAEDEAN entity acting as a service recipient that defines the level of service expected from the STAEDEAN entity acting as a service provider.

Special Categories of Personal Data – Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Supervisory Authority – An independent public authority which is established by a Member State to oversee compliance with data protection legislation as defined in article 4(21) of the GDPR.

1.4 Reference documents

1. STANDARD OPERATING PROCEDURE:

a. SOP 007 Supplier Management

b. SOP ISMS 002 Information Security Incident Management

2. OPERATING INSTRUCTIONS:

a. OI ISMS 003 Incident Response Plan_Data Breach

3. TEMPLATES:

a. Data Breach Notification Form (DBNF)

b. Personal Data Breach Report (PDBR)

4. DATA PROTECTION POLICY:

a. DPP 001 Global Data Protection Policy

b. DPP 002 Global Data Retention Policy

c. DPP 003 Global Data Subject Rights Policy

d. DPP 004 Global Multimedia Data Policy

e. DPP 005 Global Data Protection Impact Assessment Policy

f. DPP 006 Global Record of Processing Activities Policy

5. RECORDS:

a. Record of Processing Activities


1.5 Acronyms

BCRs – Binding Corporate Rules

EU – European Union

GDPR – General Data Protection Regulation

EDPB – European Data Protection Board

2.1 What are Binding Corporate Rules (BCRs)?

Binding Corporate Rules are a set of internal data protection rules and processes, approved by the European Data Protection Board (EDPB), that an organisation must commit to when transferring personal data from the European Union (EU) to another part of the same company.

BCRs are needed because some countries do not have the same high level of data protection in place as the EU. As a multinational company operating worldwide, STAEDEAN transfers data within the STAEDEAN group of companies to fulfil a range of data processing business functions.

BCRs ensure that EU data protection law rights ‘travel with personal data’ processed wherever the data moves within our company.

2.2 Binding effect upon the STAEDEAN Entities

The BCRs apply to STAEDEAN and subsidiaries owned and controlled indirectly or directly by STAEDEAN and included in the list of participating entities set out in par. 2.2.1 below.

All STAEDEAN entities participating in the BCRs, and their employees, are bound to comply with these BCRs in respect of any transfer of Personal Data between STAEDEAN entities covered by the BCRs.

STAEDEAN entities included in the List of Entities set out in par. 2.2.1 of the BCRs will fulfil the obligations set out herein.

2.2.1 List of STAEDEAN Entities subject to BCRs

These BCRs apply to:

  • STAEDEAN B.V. - John M. Keynesplein, 10A, 4th floor 1066 EP, Amsterdam, The Netherlands.
  • STAEDEAN S.r.l. - Viale Edison, 110 20099, Sesto San Giovanni (MI), Italy.
  • Staedean Solutions Private Limited - Office Unit No 12A, Gowra Palladium, Survey No. 83/1 Plot Nos. 8A and 8B-1, Hitech City Hyderabad Telangana 500081, India.
  • STAEDEAN Inc. - 100 S. Ashley Drive, Suite 600, Tampa, FL 33602, USA.

2.3 Availability of the BCRs

Data Subjects have the right to easily access the BCR if they require it. Each STAEDEAN entity that signs the BCR Intercompany Agreement is responsible for making information on the rights of the Data Subjects as covered by the BCR, including the means to exercise those rights, readily available to the Data Subjects. The BCRs will be published on the STAEDEAN website and intranet and/or the document management system.

2.4 Why we transfer Data

STAEDEAN has some affiliates located outside of the European Union, and for certain business functions we transfer data to our centralised areas of excellence located at these affiliates. STAEDEAN transfers the personal data of EU data subjects under these Binding Corporate Rules to provide the same level of protection as in the EU.

STAEDEAN has completed detailed Transfer Impact Assessments (TIAs) for all of our personal data transfers outside of the EU, analysing the legal framework of the third country importing the data. A TIA focuses on the specific transfer: the reason for and details of the transfer, its origin and destination, the parties involved, the associated potential risks, and the mitigations in place, such as technical controls, organisational controls, contractual measures and processor controls.

2.5 Information to be provided to Data Subjects

Prior to processing any Personal Data on data subjects, it must be ensured that the data subject is provided with the information required pursuant to articles 13 and 14 of the GDPR.

When providing the information, STAEDEAN will observe the requirements set out in this clause.

2.5.1 Personal Data obtained from the Data Subject

Except where the data subject already has the information, each STAEDEAN entity subject to the BCRs will provide data subjects (from whom Personal Data relating to the data subject is collected) with at least the following information at the time when the Personal Data is obtained:

  • the identity and contact details of the controller and its representative, if any,
  • the contact details of STAEDEAN’s Data Protection representative,
  • the purpose(s) of the processing and the legal basis for the processing,
  • where the processing is based on a balancing of interests, the legitimate interest pursued by the relevant STAEDEAN entity,
  • the recipients or categories of recipients,
  • where applicable, that the Personal Data are intended to be transferred to a third country, including how adequate safeguards for the protection of the data are ensured and the means by which to obtain a copy of, or more information on, such safeguards.

In addition, each STAEDEAN entity subject to the BCR will provide the following information to the data subject at the time when the Personal Data is obtained, insofar as such information is relevant and necessary to ensure fair and transparent processing:

  • the period for which the Personal Data will be stored or if that is not possible, the criteria used to determine that period,
  • the existence of the right to request access to, rectification or restriction of and/or erasure of Personal Data as well as the right to object to the processing and the right to data portability,
  • where a processing is based on consent, the right to withdraw such consent,
  • the right to lodge a complaint with a Supervisory Authority,
  • whether the voluntary provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, including whether the data subject is obliged to provide the Personal Data as well as the possible consequences of failure to provide such Personal Data; and
  • whether automated decision-making, including profiling, will be applied to the Personal Data, including information on the logic involved in such decision-making and the significance and envisaged consequences of such processing.

Where a STAEDEAN entity intends to process Personal Data for a different purpose than that for which the Personal Data were initially collected, the STAEDEAN entity in question will notify the data subject prior to that further processing on the purpose of such processing and provide the data subject with any other relevant information pursuant to the above.

2.5.2 Personal Data obtained from a Third Party

Where the Personal Data has not been obtained from the data subject and where the data subject does not already have the information, each STAEDEAN entity will provide the data subject with at least the following information:

  • the identity and contact details of the controller and its representative, if any,
  • the contact details of STAEDEAN’s Data Protection representative,
  • the purpose(s) of the processing and the legal basis for the processing,
  • the categories of Personal Data concerned,
  • the recipients or categories of recipients,
  • where applicable, that the Personal Data are intended to be transferred to a third country, including how adequate safeguards for the protection of the data are ensured and the means by which to obtain a copy of, or more information on, such safeguards.

In addition, each STAEDEAN entity will provide the following information to the data subject, insofar as such information is relevant and necessary to ensure fair and transparent processing:

  • the period for which the Personal Data will be stored or if that is not possible, the criteria used to determine that period,
  • where the processing is based on a balancing of interests, the legitimate interest pursued by the relevant STAEDEAN entity,
  • the existence of the right to request access to, rectification or restriction of and/or erasure of Personal Data as well as the right to object to the processing and the right to data portability,
  • where a processing is based on consent, the right to withdraw such consent,
  • the right to lodge a complaint with a Supervisory Authority,
  • from which source the Personal Data originate, and if applicable, whether it came from publicly accessible sources,
  • whether automated decision-making, including profiling, will be applied to the Personal Data, including information on the logic involved in such decision-making and the significance and envisaged consequences of such processing.

Where a STAEDEAN entity intends to process Personal Data for a different purpose than that for which the Personal Data were initially collected, the STAEDEAN entity in question will notify the data subject prior to that further processing on the purpose of such processing and provide the data subject with any other relevant information pursuant to the above.

2.5.3 Timeline for providing Information

Each STAEDEAN entity subject to the BCRs will provide the information set out in clauses 2.5.1 and 2.5.2:

  • for Personal Data obtained from the data subject: at the time of collection,
  • for Personal Data obtained from a third party: within a reasonable period after obtaining the Personal Data, and no later than one (1) month after obtaining them, or
  • where the Personal Data are to be used for communication with the data subject: at the latest when the STAEDEAN entity in question first communicates with the data subject, or
  • if disclosure to a third party is envisaged: at the latest when the Personal Data are first disclosed to that third party.

2.5.4 Exceptions to providing Data Subjects with Information

When provided for by applicable law of a Member State, data subjects, whose personal data are obtained from a third party, will not have a right to information under the following circumstances:

  • the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in article 89 (1) of the GDPR, or in so far as the obligation referred to in this clause 2.5 is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the relevant STAEDEAN entity will take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available,
  • if obtaining or disclosure of the Personal Data is expressly laid down by EU or Member State law to which the relevant STAEDEAN entity is subject and which provides appropriate measures to protect the data subject’s legitimate interests, or
  • where the Personal Data must remain confidential subject to an obligation of professional secrecy regulated by EU or Member State law.

2.6 Use of Data Processors

If an external service provider to a STAEDEAN entity has access to Personal Data about data subjects (e.g., an external hosting provider), the following requirements will be observed:

  • the service provider is assessed and selected by the STAEDEAN entity acting as controller on the basis of the processor’s ability to ensure the implementation and maintenance of the technical and organizational security measures required for complying with the STAEDEAN BCRs in relation to the data processing,
  • the controller will ensure and regularly verify that the processor remains fully compliant with the agreed technical and organizational security requirements,
  • the rights and obligations of the processor must be regulated in a written agreement in which those rights and obligations are unambiguously defined. In particular, such agreement will stipulate that the processor:
      ◦ processes the Personal Data only on documented instructions from the controller,
      ◦ ensures the confidentiality of persons processing the Personal Data,
      ◦ will not engage another processor without the prior authorisation of the controller,
      ◦ takes all measures required to implement the necessary technical and organisational security measures,
      ◦ ensures that any processing by a sub-processor will be subject to the same data protection requirements as stipulated in the agreement between the controller and the processor,
      ◦ assists the controller with answering requests from data subjects to exercise their rights,
      ◦ remains liable to the controller for any breach of the data protection obligations by a sub-processor,
      ◦ assists the controller in ensuring compliance with applicable security requirements, with the notification of Supervisory Authorities and data subjects in case of a data breach, and with conducting data protection impact assessments and prior consultations with Supervisory Authorities, if necessary,
      ◦ at the choice of the controller, deletes or returns all copies of the Personal Data to the controller upon termination of the services,
      ◦ makes available to the controller all information necessary to demonstrate compliance with data protection legislation, and in particular contributes to audits, including inspections, conducted by the controller or a third party appointed by the controller, and
  • the controller retains responsibility for the legitimacy of the processing and continues to be the point of contact for the data subject.

Where STAEDEAN entities process Personal Data on behalf of other STAEDEAN entities, a written agreement must be entered into between the STAEDEAN entities acting as processor and controller, respectively. Such agreement must meet the requirements set out in this clause 2.6.


2.7 STAEDEAN Data Protection Principles

The EU GDPR and related national data protection legislation are based on data protection principles that underpin our BCR commitments. This means that any STAEDEAN company that has signed the BCRs is also legally bound to implement and monitor these data protection principles.

2.7.1 Legal basis for Processing Personal and Sensitive Data

STAEDEAN will only process Personal Data as allowed under the legal bases set out in Article 6 of the EU GDPR. These are:

  • Legitimate Interest: STAEDEAN Legitimate Interests means the interests of our company in conducting and managing our business to enable us to develop and produce the best medicines for our patients.
  • Consent: This means the data subject has given their permission for STAEDEAN to process their data for a specific purpose.
  • Contract Obligation: STAEDEAN needs to process personal data to facilitate the creation and performance of a contract.
  • Legal Obligation: STAEDEAN needs to abide by a legal requirement that requires STAEDEAN to process personal data for that reason.
  • Vital Interests: STAEDEAN needs to process personal data when a person's life, health or safety needs to be protected.
  • Public Task: This legal basis means that the processing of personal data is needed for a task carried out in the public interest, or an official authority orders STAEDEAN to perform a specific task.

2.7.2 Special Category Data

This is personal data that needs more protection than other personal data because of its sensitivity. These are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

When we process this type of sensitive personal data, we rely on one of the legal bases mentioned above and, in addition, meet one of the conditions in Article 9 of the GDPR:

  • Explicit consent,
  • Employment, social security and social protection (if authorised by law),
  • Vital interests,
  • Not-for-profit bodies,
  • Made public by the data subject,
  • Legal claims or judicial acts,
  • Reasons of substantial public interest (with a basis in law),
  • Health or social care (with a basis in law),
  • Public health (with a basis in law),
  • Archiving, research and statistics (with a basis in law).

2.7.3 Purpose Limitation and Proportionality

STAEDEAN collects and processes personal data that is needed for specified, explicit and legitimate purposes (as outlined in the previous section) as permitted by the EU Data Protection Laws – in other words, when we collect your data we tell you what we will use it for, and we do not use it for any other purposes unless they are compatible with the original purposes.

2.7.4 Data Minimization and Storage Limitation

STAEDEAN only collects and processes personal data that is adequate, relevant, and necessary for the purposes for which we collected it, and we do not retain it for longer than necessary for those purposes. In other words, we only process data that we need and no more (relevant and non-excessive data).

If the data is no longer needed, we will remove the data according to the STAEDEAN Record Retention Schedule: there may be legal reasons for us to retain the data for a specific period of time, but when this time ends, we will delete the data from our systems.

2.7.5 Transparency

STAEDEAN strives to be as upfront and transparent as possible when explaining to EU data subjects how and why we collect and process data. Clear explanations of how EU data subject data are processed are provided at the point of collection and are also laid out in our comprehensive online privacy notices.

2.7.6 Data Quality and Accuracy

STAEDEAN places a strong emphasis on the quality and accuracy of the data we collect and process. STAEDEAN has implemented a strong Data Quality and Control process that covers all processing of personal data at STAEDEAN, with specific attention placed on our employee personal data.

2.7.7 Automated Individual Decisions

STAEDEAN does not make decisions based solely on automated processing (including profiling) of individual data unless we inform you otherwise before the processing has started. Every EU Data Subject has the right not to be subject to a decision that is based solely on automated processing (with no human intervention).

2.7.8 Security and Confidentiality

STAEDEAN has established and documented an IT security organization and has integrated data security into the processes of the organization.

STAEDEAN entities subject to the BCRs will always adhere to STAEDEAN’s IT security policies (as amended from time to time) and to any other data security procedures relevant to specific business areas or functions.

The STAEDEAN entities will take appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data transmitted, stored, or otherwise processed. Considering the state of the art and the costs of implementation, STAEDEAN will ensure that such measures provide for a level of security appropriate to the risks represented by the processing and the nature of Personal Data (privacy by design). Such measures will further ensure that, by default, only Personal Data which are necessary for each specific purpose of the processing are processed (privacy by default).

STAEDEAN Italy, USA and Netherlands have obtained an ISO 27001 certification for the Information Security Management System.

STAEDEAN has implemented a Personal Data Breach Response Process that sets out how all potential data breaches must be reported to STAEDEAN’s Data Protection Office, and procedures for how the Data Protection Office and the STAEDEAN entities must handle personal data breaches. The Personal Data Breach Response Process also sets out how STAEDEAN will notify the relevant Supervisory Authorities without undue delay and no later than 72 hours after having become aware of a personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Further, the Personal Data Breach Response Process sets out how STAEDEAN will notify data subjects without undue delay where the personal data breach is likely to result in a high risk to the rights and freedoms of the data subjects.

Furthermore, any personal data breaches will be documented (comprising the facts relating to the personal data breach, its effects and the remedial action taken) and the documentation will be made available to Supervisory Authorities on request.

2.7.9 Data Protection by design and by default

STAEDEAN has implemented appropriate technical and organisational measures which are designed to meet the principles of data protection by design and by default, as set out in the EU GDPR, and to facilitate compliance with the requirements set out in these BCRs. Going forward, when STAEDEAN wishes to start new processing, it will implement any additional measures relevant to that processing to meet these principles and requirements.

2.7.10 Awareness and Training program

STAEDEAN commits to providing basic training on privacy and data protection, including the requirements under the BCRs, to its employees, and specific trainings to employees who have regular access to and Process Personal Information, as well as those who develop tools and systems for the Processing of Personal Information. Where relevant, the training will also be provided to other persons who Process Personal Information as part of their respective duties or responsibilities using STAEDEAN information technology systems or working primarily from STAEDEAN premises. The specialized training covers data protection standards and requirements specific to their areas of work.

2.7.11 Direct marketing

STAEDEAN entities will ensure that any direct marketing activities are performed in compliance with applicable local EU Member State law.

2.7.12 International Transfers to other Companies

STAEDEAN will not transfer personal data subject to the BCRs to any company outside the EU that is not a signatory to the BCRs unless permitted to do so by law. This might be the case, for example, where the Government has determined that the country in which the third party is located provides an adequate level of protection, where STAEDEAN puts appropriate safeguards in place (e.g., by executing appropriate contractual clauses), or where otherwise permitted by EU Data Protection Laws (e.g., where the data subject has explicitly consented to the proposed transfer, where the transfer is necessary for the performance of a contract between the data subject and the controller, or where the transfer is necessary for the establishment, exercise or defence of legal claims).

2.7.13 Accountability

Accountability in data protection law means that STAEDEAN must be able to demonstrate that it complies with the law and the principles set out in the previous sections. All STAEDEAN group companies that have signed the BCRs are responsible for being compliant and for being able to demonstrate that compliance. For example, if data are transferred from the EU to the USA on the basis of consent, the entity involved needs to prove that the data subject has consented to that transfer. Therefore, all entities bound by our BCRs maintain a record of all processing activities including (as a minimum) the following information:

  • the identity and the contact details of the controller,
  • the purposes of the processing activity,
  • the categories of Data Subjects and personal data being processed,
  • the categories and locations of importers receiving EU personal data,
  • where possible, the proposed time limits for erasure of the different categories of Personal Data, and
  • where possible, a general description of the Technical and Organizational Security Measures in place.

2.8 Your Rights

Every data subject can contact STAEDEAN and exercise their rights under EU data protection law. According to the GDPR (articles 15 to 22), any data subject has the following rights:

  • Right of access. The right to obtain confirmation as to whether or not Personal Data concerning the data subject are being processed, and where that is the case, access to the information and in addition certain information as set out below (also known as an “access request”).
  • Right to rectification. The right to request rectification of inaccurate Personal Data concerning him or her, including the right to have incomplete Personal Data completed.
  • Right to erasure. The right to request erasure of Personal Data concerning him or her.
  • Right to restriction of processing. The right to request restriction of processing of Personal Data concerning him or her.
  • Right to data portability. The right to request portability of Personal Data, which the data subject has provided to STAEDEAN, where the processing by STAEDEAN is based on Consent or on a contract with the data subject and where the processing is carried out by automated means.
  • Right to object. The right to object at any time, on grounds relating to the data subject’s particular situation, to the processing of Personal Data concerning him or her where that processing is based on a balancing of interests. This includes the right to object to being subject to automated decision-making which produces legal effects or significantly affects the data subject, and to receiving direct marketing material.
  • Right to complain to STAEDEAN and/or Supervisory Authorities. The right to complain to STAEDEAN or a competent Supervisory Authority regarding the processing of the data subject’s Personal Data by a STAEDEAN entity. This includes complaints regarding the response of STAEDEAN entities to a data subject request as well as complaints about STAEDEAN’s compliance with the BCRs.

2.9 How to make a Request or Complaint

Data subjects whose Personal Data is processed by STAEDEAN under these BCRs can make a request or bring a complaint by contacting STAEDEAN:

  • by email, writing to privacy@staedean.com, or
  • by post at:

C/O Legal Counsel, Thomas Schouten

John M. Keynesplein, 10A, 4th floor

1066 EP, Amsterdam, The Netherlands

[TI logo] and [AXP 365 logo] have now rebranded to [STAEDEAN logo]