DATA TRANSFERS POLICY
World Options and subsidiaries companies will hereafter be referred to as “World Options”
This policy and procedure establishes an effective, accountable and transparent framework for ensuring compliance with the requirements for data transfers by the GDPR.
This policy and procedure applies across all entities or subsidiaries owned, controlled, or operated by World Options and to all employees, including part-time, temporary, or contract employees, that handle personal data and/or personal data transfers.
3 POLICY STATEMENT
The World Options services/entities may transfer personal data to internal or third-party recipients located in another country where that country is recognised as having an adequate level of legal protection for the rights and freedoms of the relevant data subjects. Where transfers need to be made to countries lacking an adequate level of legal protection (i.e. third countries), they must be made in compliance with an approved transfer mechanism. The World Options services/entities may only transfer personal data where one of the transfer scenarios list below applies:
- The data subject has given consent to the proposed transfer.
- The transfer is necessary for the performance of a contract with the data subject
- The transfer is necessary for the implementation of pre-contractual measures taken in response to the data subject’s request.
- The transfer is necessary for the conclusion or performance of a contract concluded with a third party in the interest of the data subject.
- The transfer is legally required on important public interest grounds.
- The transfer is necessary for the establishment, exercise or defence of legal claims.
- The transfer is necessary in order to protect the vital interests of the data subject
Transfers between World Options services/entities
In order for World Options to carry out its operations effectively across its various services/entities, there may be occasions when it is necessary to transfer personal data internally from one Entity to another, or to allow access to the personal data from an overseas location. Should this occur, the World Options service/entity sending the personal data remains responsible for ensuring protection for that personal data.
World Options handles the transfer of personal data between World Options services/entities, where the location of the recipient entity is a third country, using the binding corporate rules transfer mechanism. Binding corporate rules provide legally binding, enforceable rights on data subjects with regard to the processing of their personal data and must be enforced by each approved World Options service/entity, including their employees. Only transfer the minimum amount of personal data necessary for the particular purpose of the transfer (for example, to fulfil a transaction or carry out a particular service). Ensure adequate security measures are used to protect the personal data during the transfer (including password-protection and encryption, where necessary).
Transfers to Third Parties
Each World Options service/entity will only transfer personal data to, or allow access by, third parties when it is assured that the information will be processed legitimately and protected appropriately by the recipient. Where third party processing takes place, each World Options service/entity will first identify if, under applicable law, the third party is considered a data controller, or a data processor of the personal data being transferred.
Where the third party is deemed to be a data controller, the World Options service/entity will enter into, in cooperation with the Board of Directors, an appropriate agreement with the controller to clarify each party’s responsibilities in respect to the personal data transferred. Where the third party is deemed to be a data processor, the World Options service/entity will enter into, in cooperation with the Board of Directors, an adequate processing agreement with the data processor. The agreement must require the data processor to protect the personal data from further disclosure and to only process personal data in compliance with the World Options instructions. In addition, the agreement will require the data processor to implement appropriate technical and organisational measures to protect the personal data as well as procedures for providing notification of personal data breaches.
The World Options has a ‘Standard Data Processing Agreement’ document that, should be used as a baseline template. When a World Options service/entity is outsourcing services to a third party (including cloud computing services), they will identify whether the third party will process personal data on its behalf and whether the outsourcing will entail any third country transfers of personal data. In either case, it will make sure to include, in cooperation with the World Options Board of Directors, adequate provisions in the outsourcing agreement for such processing and third country transfers.
Compliance, monitoring and review
The overall responsibility for ensuring compliance with the requirements of the related legislation in relation to performing data transfers activities at World Options rests with the Board of Directors.
All operating units’ staff that deal with personal data are responsible for processing this data in full compliance with the relevant World Options policies and procedures.
Staff must maintain all records relevant to administering this policy and procedure in electronic form in a recognised World Options recordkeeping system.
All records relevant to administering this policy and procedure will be maintained for a period of 5 years.
5 TERMS AND DEFINITIONS
General Data Protection Regulation (GDPR): the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.
Data Controller: the entity that determines the purposes, conditions and means of the processing of personal data
Data Processor: the entity that processes data on behalf of the Data Controller
Data Protection Authority: national authorities tasked with the protection of data and privacy as well as monitoring and enforcement of the data protection regulations within the Union
Data Protection Officer (DPO): an expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR
Data Subject: a natural person whose personal data is processed by a controller or processor
Personal Data: any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person
Privacy Impact Assessment: a tool used to identify and reduce the privacy risks of entities by analysing the personal data that are processed and the policies in place to protect the data
Processing: any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.
Profiling: any automated processing of personal data intended to evaluate, analyse, or predict data subject behaviour
Regulation: a binding legislative act that must be applied in its entirety across the Union
Subject Access Right: also known as the Right to Access, it entitles the data subject to have access to and information about the personal data that a controller has concerning them
6 RELATED LEGISLATION AND DOCUMENTS
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
- World Options Data Protection Policy
7 FOR MORE INFORMATION
Contact our Data Protection Officers who are the World Options Board of Directors by emailing: firstname.lastname@example.org
8 APPROVAL AND REVIEW DETAILS
Approval and Review
Board of Directors
Next Review Date
Approval and Amendment History
Original Approval Authority and Date
Board of Directors 25/05/2018
Amendment Authority and Date