Data Transfers Policy

Definition

World Options and its subsidiary companies will hereafter be referred to as “World Options”.

Purpose

This policy and procedure establishes an effective, accountable and transparent framework for ensuring compliance with the requirements the GDPR sets for data transfers.

Scope

This policy and procedure applies across all entities or subsidiaries owned, controlled, or operated by World Options and to all employees, including part-time, temporary, or contract employees, that handle personal data and/or personal data transfers.

Policy statement

The World Options services/entities may transfer personal data to internal or third-party recipients located in another country where that country is recognised as having an adequate level of legal protection for the rights and freedoms of the relevant data subjects. Where transfers need to be made to countries lacking an adequate level of legal protection (i.e. third countries), they must be made in compliance with an approved transfer mechanism. The World Options services/entities may only transfer personal data where one of the transfer scenarios listed below applies:

  • The data subject has given consent to the proposed transfer.

  • The transfer is necessary for the performance of a contract with the data subject.

  • The transfer is necessary for the implementation of pre-contractual measures taken in response to the data subject’s request.

  • The transfer is necessary for the conclusion or performance of a contract concluded with a third party in the interest of the data subject.

  • The transfer is legally required on important public interest grounds.

  • The transfer is necessary for the establishment, exercise or defence of legal claims.

  • The transfer is necessary in order to protect the vital interests of the data subject.

Transfers between World Options services/entities

In order for World Options to carry out its operations effectively across its various services/entities, there may be occasions when it is necessary to transfer personal data internally from one entity to another or to allow access to the personal data from an overseas location. Should this occur, the World Options service/entity sending the personal data remains responsible for ensuring protection for that personal data.

From time to time, World Options handles the transfer of personal data between World Options services/entities, where the location of the recipient entity is a third country. World Options only transfers the minimum amount of personal data necessary for the particular purpose of the transfer (for example, to fulfil a transaction or carry out a particular service). We ensure adequate security measures are used to protect the personal data during the transfer (including password-protection and encryption, where necessary).

Transfers to Third Parties

Each World Options service/entity will only transfer personal data to, or allow access by, third parties when it is assured that the information will be processed legitimately and protected appropriately by the recipient. Where third party processing takes place, each World Options service/entity will first identify if, under applicable law, the third party is considered a data controller, or a data processor of the personal data being transferred.

Where the third party is deemed to be a data controller, the World Options service/entity will enter into, in cooperation with the Board of Directors, an appropriate agreement with the controller to clarify each party’s responsibilities in respect of the personal data transferred. Where the third party is deemed to be a data processor, the World Options service/entity will enter into, in cooperation with the Board of Directors, an adequate processing agreement with the data processor. The agreement must require the data processor to protect the personal data from further disclosure and to only process personal data in compliance with World Options’ instructions. In addition, the agreement will require the data processor to implement appropriate technical and organisational measures to protect personal data as well as procedures for providing notification of personal data breaches.

World Options has a ‘Standard Data Processing Agreement’ document that should be used as a baseline template. When a World Options service/entity is outsourcing services to a third party (including cloud computing services), it will identify whether the third party will process personal data on its behalf and whether the outsourcing will entail any third country transfers of personal data. In either case, it will make sure to include, in cooperation with the World Options Board of Directors, adequate provisions in the outsourcing agreement for such processing and third-country transfers.

Responsibility

Compliance, monitoring and review

The overall responsibility for ensuring compliance with the requirements of the related legislation in relation to performing data transfer activities at World Options rests with the Board of Directors.

All operating units’ staff that deal with personal data are responsible for processing this data in full compliance with the relevant World Options policies and procedures.

Records management

Staff must maintain all records relevant to administering this policy and procedure in electronic form in a recognised World Options record-keeping system.

All records relevant to administering this policy and procedure will be maintained for a period of 5 years.

Terms and Definitions

General Data Protection Regulation (GDPR): the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.

Data Controller: the entity that determines the purposes, conditions and means of the processing of personal data

Data Processor: the entity that processes data on behalf of the Data Controller

Data Protection Authority: national authorities tasked with the protection of data and privacy as well as monitoring and enforcement of the data protection regulations within the Union

Data Protection Officer (DPO): an expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR

Data Subject: a natural person whose personal data is processed by a controller or processor

Personal Data: any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person

Privacy Impact Assessment: a tool used to identify and reduce the privacy risks of entities by analysing the personal data that are processed and the policies in place to protect the data

Processing: any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.

Profiling: any automated processing of personal data intended to evaluate, analyse, or predict data subject behaviour

Regulation: a binding legislative act that must be applied in its entirety across the Union

Subject Access Right: also known as the Right to Access, it entitles the data subject to have access to and information about the personal data that a controller has concerning them

Related legislation and documents

For more information

Contact our Data Protection Officers, who are the World Options Board of Directors, by emailing: gdpr@worldoptions.co.uk