Binding corporate rules (BCR)

These BCR-C apply when a CGI Entity acts as a Data Controller and when a CGI Entity acts as an Internal Data Processor on behalf of another CGI Entity.

The list of CGI Entities bound by the BCR-C is provided in Appendix A.

The categories of Data Subjects and Personal Data, as well as the type of Processing and their purposes, covered by the BCR-C are set forth in Appendix B.

The BCR-C apply to all Transfer of Personal Data from CGI Entities in the EEA to CGI Entities in a Third Country, as well as to their onward transfers to other CGI Entities in a Third Country. As such, the BCR-C apply to all Data Subjects whose Personal Data are transferred within the scope of the BCR-C from CGI Entities under the scope of application of the Applicable Data Protection Legislation, being understood that the BCR-C apply to Transfer of Personal Data from CGI Entities in Third Countries to CGI Entities also established in Third Countries insofar as the GDPR applies to such Processing in accordance with the Applicable Data Protection Legislation.

3.1 Accountability of CGI

Each CGI Entity listed in Appendix A, acting as Data Controller or as Internal Data Processor, will be responsible for demonstrating its compliance with the BCR-C.

3.2 Compliance of CGI Partners

All CGI Partners are bound by the BCR-C through the obligation, in all employment contracts, to comply with applicable confidentiality and privacy obligations and CGI policies, processes and standards, as covered by CGI’s Code of Ethics. CGI Partners will, if applicable and as legally permissible, annually sign or acknowledge the BCR-C together with the Code of Ethics.

As further detailed in Sections 13.1 and 14 of the BCR-C, CGI Partners are made aware of the BCR through internal communication and training. CGI Partners are also made aware of the fact that non-compliance with the Code of Ethics and in this specific instance the BCR-C may lead to sanctions according to applicable local laws.

3.3 Compliance related to CGI suppliers and subcontractors and other Third Parties

Any Third Party that Processes Personal Data on CGI’s behalf is required to implement appropriate organizational measures to ensure compliance with the principles and requirements of the BCR-C.

A CGI entity acting as Data Controller or as an Internal Data Processor will only permit other CGI Entities or Third Parties to Process Personal Data on its behalf if a contract between them comprising the requirements set out in Article 28-3 of the GDPR is in place.

3.4 Termination

Where a Data Importing CGI Entity ceases to be bound by the BCR-C, it may keep, return or delete the Personal Data received under the BCR-C. If the Data Exporting CGI Entity and the Data Importing CGI Entity agree that the Personal Data may be kept by the Data Importing CGI Entity, protection must be maintained in accordance with the chapter V of the GDPR.

CGI Entities must comply with the following principles:

(i) Transparency, fairness and lawfulness

CGI will Process Personal Data lawfully, fairly and in a transparent manner in relation to the Data Subject, in accordance with the requirements of the BCR-C, in particular Sections 4.1 and 13 of the BCR-C.

(ii) Defining a purpose

Any Processing of Personal Data by CGI, particularly the collection thereof, must have a specific purpose which must be explicit and legitimate. Personal Data cannot be further Processed in a manner that is incompatible with such purpose.

(iii) Data minimization

CGI will only collect Personal Data to the extent required for accomplishing the purpose for such Processing. Each Processing element is reviewed as part of the early solution design phases and included in the data privacy review process to ensure that the Personal Data is adequate, relevant and limited to what is necessary in relation to the purpose for which it is Processed.

(iv) Quality of Personal Data

Throughout the life cycle of any Processing, CGI will ensure that the collected Personal Data remains accurate and up to date. Every reasonable step will be taken to ensure that Personal Data that is inaccurate is deleted or rectified without delay including but not limited to self-service options for Data Subjects. In particular, CGI will provide adequate means to Data Subjects to request changes to their Personal Data.

CGI will implement unscheduled audits as further defined under Section 15.

(v) Data retention limitation

CGI will ensure that it does not retain Personal Data for a longer period than strictly necessary to achieve the purpose for which the Personal Data is collected. Consequently, CGI will determine an appropriate retention period before carrying out any Processing. In doing so, CGI will consider the time during which the Personal Data is necessary to achieve the purpose of the Processing, while taking into account the following factors:

• Period after which the retention of such Personal Data may have an impact on Data Subject rights to be forgotten;
• Any legal obligations imposing a minimum data retention period, as may be defined in the CGI Records Retention Policy and Records Retention Schedule or otherwise.

(vi) Security measures

CGI will implement appropriate technical and organisational measures, at least equivalent to those prescribed in CGI’s security policies and standards, taking into account the state of the art (i.e., industry best practices), the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk for the rights and freedoms of Data Subjects. CGI will grant CGI Partners access to Personal Data only when it is necessary to accomplish assigned tasks consistent with the purpose for which the Personal Data is Processed.

In the event of unlawful access and / or Processing, CGI will comply with its Information Security Policy and related procedures.

(vii) Defining a legal basis

In addition to the above principles, Processing may only be performed if:

• It is necessary to comply with a legal obligation applicable to CGI; or
• It is necessary in the context of a contract with a Data Subject; or
• If it is necessary for the legitimate interest of CGI which exists if:

1. The Processing is necessary to achieve the legitimate interest pursued by CGI without adversely impacting the Data Subject’s interest,
2. It is not overridden by the fundamental rights or interests of the Data Subjects, and
3. CGI is acting in accordance with any applicable legislation.

• Where Processing does not fall under any of the above, CGI will obtain the Data Subject’s prior consent before Processing his/her Personal Data.
  Consent is valid when:

1. It is freely given by a clear affirmative act; and
2. It represents a specific, informed and unambiguous indication of the Data Subject's agreement to the Processing of his/her Personal Data.

The Processing of Personal Data by CGI may be deemed lawful when the Processing is necessary to the vital interest of the Data Subject or when the Processing is necessary for the performance of a task carried out in the public interest pursuant to the requirements of the Applicable Data Protection Legislation.

The Processing of Sensitive Personal Data requires that reinforced guarantees, as described below, be implemented.

CGI will Process Sensitive Personal Data only when strictly necessary. When Processing Sensitive Personal Data on its own behalf, CGI will ensure that at least one of the following conditions is met:

• The Data Subject has given his/her prior consent;
• The Processing is necessary for the purposes of carrying out the obligations and exercising CGI’s specific rights or those of the Data Subject in the field of employment and social security and social protection law;
• The Data Subject is not in a position to give his/her consent (e.g., for medical reasons) and the Processing is necessary to protect the vital interests of the Data Subject or of another person;
• The Processing is required in the context of preventive medicine or medical diagnosis by a health professional under national law;
• The Data Subject has already manifestly made public the relevant Sensitive Personal Data;
• The Processing is necessary for the purpose of establishing, exercising or defending legal claims, provided that there are no grounds for assuming the Data Subject has an overriding legitimate interest in ensuring that such Sensitive Personal Data is not Processed; or
• The Processing is explicitly permitted by EEA/Member State laws (e.g., registration/protection of minority groups).

In any case CGI will Process Sensitive Personal Data in accordance with Applicable Data Protection Legislation. Where such law requires specific hosting and Processing conditions, CGI will either obtain the required certification or qualification or will use a Third Party already certified or qualified for such purpose.

6.1 Transfer of Personal Data within CGI

No Transfer of Personal Data under the BCR-C shall be made to a CGI Entity, unless such CGI Entity is effectively bound by the BCR-C and can comply with the BCR-C, which includes that appropriate training on the BCR-C can effectively be provided to the CGI Partners.

The Data Importing CGI Entity should promptly inform the Data Exporting CGI Entity if it is unable to comply with the BCR-C, for whatever reason, including situations further described under Section 13.5 below.

Where the Data Importing CGI Entity is in breach of the BCR-C or unable to comply with them, the Data Exporting CGI Entity must suspend the Transfer of Personal Data.

The Data Importing CGI Entity must, at the option of the Data Exporting CGI Entity, immediately return or delete all the Personal Data that has been transferred under the BCR-C, where:

• the Data Exporting CGI Entity has suspended the Transfer of Personal Data, and compliance with the BCR-C is not restored within a reasonable time, and in any event within one month of suspension; or
• the Data Importing CGI Entity is in substantial or persistent breach of the BCR-C; or
• the Data Importing CGI Entity fails to comply with a binding decision of a competent court or Competent Data Protection Authority regarding its obligations under the BCR-C.

The same commitments apply to any copies of data. The Data Importing CGI Entity must certify the deletion of the data to the Data Exporting CGI Entity.

Until the Personal Data is deleted or returned, the Data Importing CGI Entity must continue to ensure compliance with the BCR-C.

If local laws applicable to the Data Importing CGI Entity prohibit the return or deletion of the transferred Personal Data, the Data Importing CGI Entity must continue to ensure compliance with the BCR-C and must only Process the Personal Data to the extent and for as long as required under such local laws.

In cases where applicable local laws and/or practices affect compliance with the BCR-C, Section 13.5 below shall apply.

6.2 Transfer of Personal Data outside of CGI

Where a Transfer of Personal Data occurs between CGI in the EEA and a Third Party located outside of the EEA, or an onward transfer between CGI outside the EEA and a Third Party located outside of the EEA, the Transfer of Personal Data will include one of the following appropriate safeguards, as applicable:

• The adoption by the parties of the EU model clauses resulting from the EU Commission implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
• Any other appropriate safeguards recognized by the Applicable Data Protection Legislation that require the same or a higher level of protection for Personal Data than is contemplated in the European Data Protection Regulation 2016/679 such as an approved code of conduct or an appropriate certification mechanism.

Any other personal information flows that are not Personal Data and do not originate from an EEA entity are not considered a Transfer of Personal Data under the BCR-C. Consequently, such transfer is not subject to the requirements contained herein.

Data Subjects have the right to enforce the following as third-party beneficiaries:

• Section 4: CORE PRINCIPLES WHEN PROCESSING PERSONAL DATA
• Section 5: PROCESSING OF SENSITIVE PERSONAL DATA
• Section 6.2: TRANSFER OF PERSONAL DATA OUTSIDE OF CGI
• Section 7: THIRD PARTY BENEFICIARY RIGHTS
• Section 8: CGI LIABILITY IN CASE OF BREACH OF THE BCR-C
• Section 9: DATA SUBJECT REQUEST & COMPLAINT HANDLING PROCEDURE
• Section 10: DATA SUBJECT RIGHTS
• Section 13: TRANSPARENCY
• Section 18: UPDATE TO THE BCR-C

In case of breach of one of the enforceable elements of the BCR-C as enumerated above, Data Subjects and CGI may seek an amicable solution under a settlement entered into in accordance with Section 9 of the BCR-C (“Data Subject request & complaint handling process”).

In case of such breach, Data Subjects also have the right to lodge a claim directly with a Supervisory Authority, in particular in the Member State of his/her habitual residence, place of work or place of the alleged infringement and to seek judicial remedies before the competent court of the Member States where CGI has an establishment or where the Data Subject has his/her habitual residence. Data Subjects shall be entitled to obtain redress and, where appropriate, receive compensation for any material or non-material damage resulting from such breach. CGI encourages Data Subjects to use the dedicated complaint handling procedure while they remain free not to rely on it.

Data Subjects may choose to be represented by not-for-profit body, organisation or association under the conditions set out in Article 80(1) GDPR.

In case of violation of the BCR-C by any CGI Entity, CGI France SAS shall assume responsibility for such violation and will make sure that the necessary actions are taken to remedy the breach and to pay compensation for demonstrated damages resulting therefrom.

Where Date Subjects can demonstrate that they have suffered damage and establish facts which show it is likely that the damage has occurred because of the breach of the BCR-C, it will be for CGI France SAS to prove that the CGI Entity outside of the EEA was not responsible for the breach of the BCR-C giving rise to those damages, or that no such breach took place.

If a CGI Entity outside the EEA violates the BCR-C, the courts or other judicial authorities in the EEA will have jurisdiction and Data Subjects will have the rights and remedies against CGI France SAS as if the violation had been caused by the latter in France, instead of the CGI Entity outside the EEA.

The procedure set out under this Section applies to a Data Subject’s complaint or where a Data Subject exercises his/her right to access, update or delete his/her Personal Data.

Data Subjects may file a complaint or a request concerning the Processing of Personal Data if they consider that CGI is in breach of the BCR-C. The complaint or request may be made against the CGI Entity they believe is in breach or, where the breach is likely to result from an act of a CGI Entity outside the EEA, the Data Subject is entitled to lodge the complaint or file a request directly against CGI France SAS.

Such complaint or request must be lodged with CGI’s privacy team by using the contact details in Section 19 below, being understood that these details may change from time to time and the latest information is published on CGI intranet and CGI public facing website. CGI will provide information on actions taken to the complainant without undue delay, and in any event within one month, by a clearly identified department or person with an appropriate level of independence in the exercise of their functions. Taking into account the complexity and number of the requests, that one-month period may be extended at maximum by two further months, in which case the complainant should be informed accordingly.

When CGI acts as a Data Controller, Data Subjects may also at any time:

• Access their Personal Data;
• Request the rectification or deletion of any inaccurate or incomplete Personal Data relating to them, or which is no longer Processed for a valid or appropriate purpose;
• Object to the Processing of their Personal Data at any time, unless such Processing is required by applicable EEA/Member State law, provided that the Data Subject demonstrates that such objection pertains to his/her particular situation (e.g. a Data Subject objects on grounds that the Processing is causing them substantial damage or distress such as financial loss; a CGI Partner asks CGI to remove his/her photograph from an org chart because it misrepresents his/her appearance)
• Have the right not to be subject to a decision based solely on automated Processing, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her;
• Request restriction of the Processing when the Personal Data is no longer accurate or necessary, the Processing is unlawful, or the Data Subject has objected to the Processing while the Data Controller verifies the legal basis for the Processing; and
• Receive his/her Personal Data in a structured, commonly used and machine-readable format, when the Personal Data has been collected with the Data Subject’s consent or as part of a contract with the latter.

CGI shall notify any rectification or deletion of Personal Data or restriction of Processing carried out in accordance with GDPR requirements to each recipient to whom the Personal Data has been disclosed, unless this proves impossible or involves disproportionate effort. CGI shall inform the Data Subject about those recipients if the Data Subject requests it. CGI will ensure that it handles such requests without undue delay and in accordance with the relevant CGI complaint handling process.

In line with the principles contained in the BCR-C, CGI will provide the appropriate level of protection to the Personal Data it Processes.

To ensure that such principles are effectively taken into account when CGI Processes Personal Data, CGI will identify and implement data protection constraints during the development and delivery lifecycles of any project or service that involves Processing of Personal Data.

CGI is responsible for monitoring Processing compliance with Applicable Data Protection Legislation. Consequently, CGI has implemented a privacy impact assessment procedure that enables it to:

(ii) Identify which Processing presents any specific risk for the protection of Personal Data;

(ii) Assess the level of compliance with Applicable Data Protection Legislation Processing principles;

(iii) Assess the level of severity or likelihood of risk associated with the Processing; and

(iv) Determine the corrective measures to be implemented to ensure that Personal Data is Processed in compliance with Applicable Data Protection Legislation and risks are mitigated.

If, after mitigation, the risks to the Data Subjects remain significant, the competent Supervisory Authority will be consulted prior to the start of the intended Processing.

13.1 Regarding the BCR-C

CGI will raise awareness of the BCR-C to encourage compliance with it. CGI will communicate to Data Subjects whose Personal Data is Processed by CGI the information as required by Articles 13 and 14 GDPR (listed in Section 13.2 below), information on their third party beneficiary rights with regards to the Processing of their Personal Data and on the means to exercises those rights, the description of the scope of the BCR-C, the clauses relating to the liability as well as the clauses relating to the data protection principles, to the lawfulness of the Processing, to security and Personal Data breach notifications, to restrictions on onward transfers and the clauses relating to the rights of the Data Subjects (i.e. the key requirements of the BCR-C referenced under Sections 1, 2, 4, 5, 6.2, 7, 8, 9, 10, 13, 18, 19, Appendix A, Appendix B). This information shall be up-to-date, and presented to Data Subjects in a clear, intelligible, and transparent. It will be provided in full, through publication on CGI’s corporate intranet and public facing website for other Data Subjects, as the case may be. The list of definitions which are used in the BCR-C will be included in the parts of the BCR-C which are published.

13.2 Regarding Data Processing

When acting as a Data Controller, CGI will provide Data Subjects with relevant information about the Processing of their Personal Data as required by Applicable Data Protection Legislation, including the following:

• Identity and contact details of the Data Controller;
• Contact details of the Chief Privacy Officer and related team;
• Purposes of the Processing as well as the legal basis for the Processing;
• Entities to which the Personal Data is disclosed and/or made accessible;
• Where applicable, the existence of Transfer of Personal Data out of the EEA, the countries to which the Personal Data is transferred, and the measures implemented to ensure an adequate level of protection;
• Data retention period;
• Rights of the Data Subjects, as defined under Section 10 above;
• Right to lodge a complaint before the Supervisory Authority;
• Explanations regarding the legitimate interest of CGI for the Processing;
• The existence of the right to withdraw consent at any time;
• Whether the provision of Personal Data is a statutory or contractual requirement, or a requirement to enter into a contract, as well as whether the Data Subject is obliged to provide the Personal Data and of the possible consequences of failure to provide such data;
• Where CGI intends to further Process the Personal Data for a purpose other than that for which the Personal Data was collected, CGI will provide the Data Subjects with information on that other purpose and with any relevant further information as detailed earlier in this Section.

In addition to the above, if the Personal Data are not collected directly from the Data Subject, CGI will inform Data Subjects:

• about the categories of Personal Data Processed and the source from which the Personal Data originate, and if applicable, if it comes from a publicly accessible source;
• within a reasonable period after obtaining the Personal Data, but at least within one month, having regard to the specific circumstances in which the Personal Data are Processed;
• if the Personal Data are to be used for communication with the Data Subject, at the latest at the time of the first communication to that Data Subject;
• if a disclosure to another recipient is envisaged, at the latest when the Personal Data are first disclosed.

CGI will provide such information in an easily understandable and accessible form in general upon collection of the Personal Data in a short description with a link to the privacy notice on the CGI’s corporate intranet and on its public facing website for other Data Subjects, as the case may be. For some of the IT systems, a short description is provided on access with a link to the detailed privacy notice for that IT system.

13.3 Notification of Personal Data breach

In accordance with CGI’s security policies and standards, if any CGI Entity identifies a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed, such CGI Entity will notify such Personal Data breach:

(i) without undue delay to CGI France SAS and the Chief Privacy Officer, as well as to the CGI Entity acting as a Data Controller when the CGI Entity acting as Internal Data Processor becomes aware of the Personal Data breach;

(ii) without undue delay and, where feasible, no later than 72 hours after having become aware of the Personal Data breach to the Competent Data Protection Authority, unless the Personal Data breach is unlikely to result in a risk to the rights and freedoms of natural persons;

(iii) without undue delay to Data Subjects, where the Personal Data breach is likely to result in a high risk to their rights and freedoms in line with Applicable Data Protection Legislation.

All Personal Data breaches shall be documented (comprising the facts relating to the Personal Data breach, its effects, and the remedial actions taken), and the documentation shall be made available to the Competent Data Protection Authority upon request as required by Applicable Data Protection Legislation.

13.4 Cooperation with Data Protection Authorities

CGI seeks to maintain strong relationships with Data Protection Authorities. CGI will cooperate with Competent Data Protection Authorities in relation to any of their requests sent in accordance with Applicable Data Protection Legislation, including any remote and on-site audit requests. CGI will take into account the advice and abide by decisions of the Competent Data Protection Authorities in relation to Personal Data Processing carried out by CGI as a Data Controller.

CGI will provide the Competent Data Protection Authorities, upon request, with any information about the Processing operations covered by the BCR-C.

CGI agrees that any dispute related to the Competent Data Protection Authority’s exercise of supervision of compliance with the BCR-C, will be resolved by the courts of the Member State of that Competent Data Protection Authority, in accordance with that Member State’s procedural law. CGI Entities agree to submit themselves to the jurisdiction of these courts.

13.5 Local laws and practices affecting compliance with the BCR-C

CGI Entities will use the BCR-C as a tool for transfers only where they have assessed that the law and practices in the Third Country of destination applicable to the Processing of the Personal Data by a Data Importing CGI Entity, including any requirements to disclose Personal Data or measures authorising access by public authorities, do not prevent it from fulfilling its obligations under the BCR-C.

This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms, and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) GDPR, are not in contradiction with the BCR-C. In assessing the laws and practices of the Third Country which may affect the respect of the commitments contained in the BCR-C, CGI Entities take due account, in particular, of the following elements:

• (i) the specific circumstances of the transfer(s) or set of transfers, and any envisaged onward transfer(s) within the same Third Country or to another Third Country, including:
  • purpose for which the Personal Data is transferred and Processed;
  • types of CGI Entities involved in the Processing;
  • economic sector in which the transfer or the set of transfers occur;
  • categories and format of the Personal Data transferred;
  • location of the Processing, including storage; and
  • transmission channels used.
• (ii) the laws and practices of the Third Country of destination relevant in light of the circumstances of the transfer, including those requiring disclosing data to public authorities or authorising access by such authority and those providing for access to these data during the transit between the country of the Data Exporting CGI Entity and the country of the Data Importing CGI Entity, as well as the applicable limitations and safeguards.
• (iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under the BCR-C, including measures applied during the transmission and to the Processing of the Personal Data in the country of destination.

Where any safeguards in addition to those envisaged under the BCR-C should be put in place, CGI France SAS and the Chief Privacy Officer will be informed and involved in such assessment.

CGI Entities shall document appropriately such assessment, as well as the supplementary measures selected and implemented. They should make such documentation available to the Competent Data Protection Authorities upon request.

The Data Importing CGI Entity shall promptly notify the Data Exporting CGI Entity if, when using the BCR-C as a tool for transfers, and for the duration of the BCR-C membership, it has reasons to believe that it is or has become subject to laws or practices that would prevent it from fulfilling its obligations under the BCR-C, including following a change in the laws in the Third Country or a measure (such as a disclosure request). This information should also be provided to CGI France SAS.

Upon verification of such notification, the Data Exporting CGI Entity, along with CGI France SAS and the Chief Privacy Officer, should commit to promptly identify supplementary measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the Data Exporting CGI Entity and/or the Data Importing CGI Entity, in order to enable them to fulfil their obligations under the BCR-C. The same applies if a Data Exporting CGI Entity has reasons to believe that a Data Importing CGI Entity can no longer fulfil its obligations under the BCR-C.

Where the Data Exporting CGI Entity, along with CGI France SAS and the Chief Privacy Officer, assesses that the BCR-C – even if accompanied by supplementary measures – cannot be complied with for a transfer or set of transfers, or if instructed by the Competent Data Protection Authorities, it commits to suspend the transfer or set of transfers at stake, as well as all transfers for which the same assessment and reasoning would lead to a similar result, until compliance is again ensured or the transfer is ended.

Following such a suspension, the Data Exporting CGI Entity has to end the transfer or set of transfers if the BCR-C cannot be complied with and compliance with the BCR-C is not restored within one month of suspension. In this case, Personal Data that have been transferred prior to the suspension, and any copies thereof, should, at the choice of the Data Exporting CGI Entity, be returned to it or destroyed in their entirety.

CGI France SAS and the Chief Privacy Officer will inform all other CGI Entities of the assessment carried out and of its results, so that the identified supplementary measures will be applied in case the same type of transfers is carried out by any other CGI Entity or, where effective supplementary measures could not be put in place, the transfers at stake are suspended or ended.

The Data Exporting CGI Entities will monitor, on an ongoing basis, and where appropriate in collaboration with the Data Importing CGI Entities, developments in the Third Countries to which the Data Exporting CGI Entities have transferred Personal Data that could affect the initial assessment of the level of protection and the decisions taken accordingly on such transfers.

13.6 Government access requests

Without prejudice to the obligation of the Data Importing CGI Entity to inform the Data Exporting CGI Entity of its inability to comply with the commitments contained in the BCR-C (see Section 13.5 above), the Data Importing CGI Entity will promptly notify the Data Exporting CGI Entity and, where possible, the Data Subject (if necessary with the help of the Data Exporting CGI Entity) if it:

• (i) receives a legally binding request by a public authority under the laws of the country of destination, or of another Third Country, for disclosure of Personal Data transferred pursuant to the BCR-C; such notification will include information about the Personal Data requested, the requesting authority, the legal basis for the request and the response provided;
• (ii) becomes aware of any direct access by public authorities to Personal Data transferred pursuant to the BCR-C in accordance with the laws of the country of destination; such notification will include all information available to the Data Importing CGI Entity.

If prohibited from notifying the Data Exporting CGI Entity and / or the Data Subject, the Data Importing CGI Entity will use its best efforts to obtain a waiver of such prohibition, with a view to communicate as much information as possible and as soon as possible, and will document its best efforts in order to be able to demonstrate them upon request of the Data Exporting CGI Entity.

The Data Importing CGI entity will provide the Data Exporting CGI Entity, at regular intervals, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority or authorities, whether requests have been challenged and the outcome of such challenges etc). If the Data Importing CGI Entity is or becomes partially or completely prohibited from providing the Data Exporting CGI Entity with the aforementioned information, it will, without undue delay, inform the Data Exporting CGI Entity accordingly.

The Data Importing CGI Entity will preserve the abovementioned information for as long as the Personal Data are subject to the safeguards provided by the BCR-C and shall make it available to the Competent Data Protection Authority upon request.

The Data Importing CGI Entity will review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and will challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the local laws, applicable obligations under international law, and principles of international comity.

The Data Importing CGI Entity will, under the same conditions, pursue possibilities of appeal.

When challenging a request, the Data Importing CGI Entity will seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It will not disclose the Personal Data requested until required to do so under the applicable procedural rules.

The Data Importing CGI Entity will document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the Data Exporting CGI Entity. It will also make it available to the Competent Data Protection Authorities upon request.

The Data Importing CGI Entity will in any case only provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

In any case, Transfer of Personal Data by a CGI Entity subject to the BCR-C to any public authority cannot be massive, disproportionate and indiscriminate in a manner that would go beyond what is necessary in a democratic society.

Transfers or disclosures not authorised by Union law

For CGI Entities located in the EEA, any judgment of a court or tribunal and any decision of an administrative authority of a Third Country requiring a Data Controller or Data Processor to transfer or disclose Personal Data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting Third Country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to Chapter V of GDPR.

CGI develops and deploys an up-to-date annual data privacy fundamentals training program so that the CGI Partners are aware of the core privacy principles and procedures contained in the BCR-C.

The training program provides CGI Partners with the following:

• Common core knowledge regarding the applicable principles when Processing Personal Data;
• Good understanding of the existing procedures and their application;
• Overview on the latest changes in the Data Privacy legislation and associated impacts on CGI’s operations at every level of the organization;
• Role specific training modules adapted to the different functions within the organization.

This training program aims at ensuring that appropriate training is effectively provided to CGI Partners that have permanent or regular access to Personal Data, who are involved in the collection of Personal Data or in the development of tools used to Process Personal Data.

In addition to deploying appropriate data protection training, CGI will continue to promote a data protection culture within its organization. For this purpose, CGI will conduct specific communication actions, including awareness campaigns, privacy-related materials, webinars, and forums, to provide guidance and respond to queries on any matter related to the BCR-C.

The annual data privacy fundamentals training is mandatory for all CGI Partners.

CGI will integrate into its internal audit program a review of CGI’s compliance with all aspects of the BCR-C.

The internal audit process will define the following:

• Schedule under which audits shall be carried out;
• Expected scope of the audit;
• Team responsible for the audit.

The internal audit process may be revised on a regular basis. However, CGI will perform internal audits on a regular basis through a qualified audit team. The independence of the persons responsible for the audits in the performance of their duties related to these audits will be guaranteed. The data protection officers should not be the ones responsible for auditing compliance with the BCR-C if such situation can result in a conflict of interest. Such program will be overseen by CGI’s internal audit department.

The results of the audit will be communicated to the board of directors of CGI Inc., the board of CGI France SAS, as well as to the data privacy organization, and resulting actions will be defined and prioritized, enabling the data privacy organization to determine a schedule for the implementation of corrective and preventive measures.

Competent Data Protection Authorities may request access to the audit results.

The implementation of the BCR-C requires all CGI Entities listed in Appendix A to participate in its application. They remain in any case fully responsible for their own compliance with the BCR-C.

CGI has set up an internal data privacy organization responsible for defining appropriate policies, processes and standards covering all participating CGI Entities, and for monitoring compliance with the BCR-C.

In particular, CGI has a designated Chief Privacy Officer (CPO) and a network of Data Protection Officers and Strategic Business Unit Privacy Business Partners, in accordance with Applicable Data Protection Legislation. A Records Management Shared Services team supports the organisation with the application of data retention rules and records management obligations.

The CPO reports directly to the Executive Vice-President, Legal and Economic Affairs, and Corporate Secretary who reports directly to the Chief Executive Officer. The CPO benefits from the support of the Executive Vice-President, Legal and Economic Affairs, and Corporate Secretary and can inform the Executive Vice-President, Legal and Economic Affairs, and Corporate Secretary if any questions or problems arise during the performance of his/her duties. As regards the BCR-C, the CPO has mainly the following tasks:

• Define the Group’s strategy in terms of implementation of the BCR-C and procedures to be implemented throughout the organisation to ensure that each Strategic Business Unit (SBU) and Business Unit (BU) comply with the BCR-C;
• Define the training program;
• Define the audit strategy to monitor the effective application of the BCR-C;
• Provide advice to the Strategic Business Unit (SBU) where required. The CPO should not have any tasks that could result in conflict of interests.

The CPO should not be in charge of carrying out data protection impact assessments, neither should he/she be in charge of carrying out the BCR-C audits if such situations can result in a conflict of interest.

For each of CGI’s Strategic Business Units, which regroup CGI Entities operating in major geographic regions, CGI has appointed a Strategic Business Unit Privacy Business Partner who can rely on a network of Privacy Business Partners appointed at local levels. Local privacy experts ensure that the BCR-C are duly implemented at the Strategic Business Unit level and that any complaint raised at this level, including Data Subjects’ complaints, are handled appropriately and in particular in accordance with the process described under the BCR-C. They also monitor the data transfer mechanisms and ensure compliance with associated commitments.

In any case, the CPO may be directly contacted by using contact details specified in Section 19 below. CGI also publishes the CPO’s contact details on CGI’s intranet and CGI’s public facing website.

CGI will maintain a record of Processing activities carried out as a Data Controller (the “Data Processing Inventory”) that contains all of the following information:

• the name and contact details of the Data Controller and, where applicable, the joint Data Controller, the Controller's representative and the data protection officer;
• the purposes of the Processing;
• a description of the categories of Data Subjects and of the categories of Personal Data;
• the categories of recipients to whom the Personal Data have been or will be disclosed including recipients in Third Countries or international organisations;
• where applicable, Transfers of Personal Data to a Third Country or an international organisation, including the identification of that Third Country or international organisation and the documentation of suitable safeguards;
• where possible, the contemplated time limits for deletion of the different categories of Personal Data;
• where possible, a general description of the technical and organisational security measures.

CGI will ensure that any new Processing of Personal Data is recorded in the Data Processing Inventory with relevant information regarding the context of each Processing of Personal Data. CGI shall make the record(s) of Processing available to the Competent Data Protection Authorities on request.

The BCR-C may be amended from time to time, as necessary and according to a specific procedure. CGI shall report changes to the BCR-C without undue delay to all CGI Entities listed in Appendix A.

When amendments significantly affect the BCR or the level of protection offered, CGI will inform in advance the Supervisory Authorities, via the BCR-C lead Supervisory Authority, with a brief explanation of the reasons of the update.

For any other changes to the BCR-C, CGI will, at least once a year, notify the Supervisory Authorities, via the BCR-C lead Supervisory Authority, with a brief explanation of the reasons for the changes. The Supervisory Authorities will also be notified once a year in instances where no changes have been made.  

CGI will keep an up-to-date list of the CGI Entities bound by the BCR-C and the data privacy organization will keep track of and record any updates to the BCR-C, ensure that information is communicated in due course to the above-mentioned stakeholders and provide the necessary information to the Data Subjects and Competent Data Protection Authorities upon request.

Any question, request or guidance in relation to the BCR-C should be sent to the following address: privacy@cgi.com or to the attention of the Office of the CGI Chief Privacy Officer at Immeuble Carré Michelet, 12 Cours Michelet, 92800 Puteaux, France, or through the completion of the following online form.

Related documents

References

Revision history