- INTRODUCTION
GDPR refers to a regulation on data protection and privacy in European Union (EU) law that affects European Economic Areas (EEA). It also addresses the transfer of Personal Data outside the EU and EEA areas. The goal of the GDPR is to give control to individuals over their Personal Data and to simplify the regulatory environment for international business.
This regulation also outlines specific measures that controllers and processors of Personal Data must put in place to implement the data protection principles. Any business processes that use Personal Data must be designed and built with consideration of the principles and provide safeguards to protect that data.
1.1 Purpose and Scope
The purpose and scope of these binding corporate rules (“Rules”) is to set out a framework to ensure an adequate level of protection for all Personal Data that is transferred from Ready Computing Iberia SLU, which is within the EEA, to Ready Computing Affiliates, which are outside the EEA, in compliance with the GDPR. These Rules will apply to Transferred Data globally and in all cases where Ready Computing Affiliates Process Personal Data both by automatic means and manually, and whether the Personal Data relates to its employees, contractors, business contacts, customers or third parties. All members of Ready Computing Companies must comply with these Rules where applicable.
Ready Computing Companies will always comply with any applicable data protection legislation and will ensure that collection and use of Personal Data is carried out in accordance with applicable data protection laws. Where there are no such data protection laws or the relevant data protection laws do not meet the standards set out in these Rules, Ready Computing Companies will process Personal Data (relating to Transferred Data) in compliance with these Rules.
Ready Computing Iberia SLU is responsible for ensuring compliance by Ready Computing Affiliates with these Rules. Individuals can enforce these Rules against Ready Computing Iberia SLU as a third-party beneficiary as described below.
1.2 Definitions and Acronyms
- “GDPR” stands for European Union’s General Data Protection Regulation ((EU)2016/679)
- “Ready Computing Affiliates” means Ready Computing Iberia SLU’s affiliates outside the EEA
- “Ready Computing Companies” means Ready Computing Iberia SLU and Ready Computing Affiliates collectively (individually, “Ready Computing Company”)
- “Special Categories of Personal Data” has the meaning set out in the GDPR and in general includes: Personal Data relating to an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health and sex life or sexual orientation
- “Transferred Data” means Personal Data that is transferred from Ready Computing Iberia SLU, which is within the EEA, to Ready Computing Affiliates, which are outside of the EEA.
- Additionally, the terms “Personal Data”, “Processing”, “Data Controller”, “Data Processor,” “Data Subject,” and “Supervisory Authority” have the meanings set out in the GDPR.
- FAIR, LAWFUL, AND TRANSPARENT PROCESSING
Ready Computing Iberia SLU will process all Personal Data and Ready Computing Affiliates will process Transferred Data fairly and lawfully and in a transparent manner in compliance with the obligations under the GDPR. Ready Computing Iberia SLU will only Process Personal Data and Ready Computing Affiliates will only process Transferred Data for purposes that they identify and make the Data Subject aware of through Ready Computing Iberia SLU’s Privacy Policy. Ready Computing Iberia SLU will provide such information when the Personal Data is obtained and Ready Computing Affiliates will provide such information when the Transferred Data is obtained, if not practicable to do so at the time of collection of the data, as soon as possible thereafter, unless there is a legitimate reason for not doing so (for example, where it is necessary to safeguard national security, the prevention or detection of crime, legal proceedings, tax purposes or where otherwise permitted by law).
Ready Computing Iberia SLU’s Privacy Policy explains the types of Personal Data and Special Categories of Personal Data that they process, how Personal Data and Special Categories of Personal Data will be Processed, the purposes for which Personal Data and Special Categories of Personal Data is intended to be Processed, the legal grounds for Processing that data, which companies within Ready Computing Companies are responsible for that Processing and the contact details of the Data Protection Officer. Ready Computing Companies will also explain who they share a Data Subject’s Personal Data and Special Categories of Data with, as well as what countries outside of the EEA a Data Subject’s Personal Data may be transferred to and the safeguards in place to protect it. A copy of Ready Computing Iberia SLU’s Privacy Policy will be made available on this webpage. A Data Subject may also request a copy of the Privacy Policy from Ready Computing Iberia SLU whose contact details are set out in a section below, or from the local Ready Computing Company in a Data Subject’s country.
2.1 Purpose Limitation
If Ready Computing Iberia SLU wants to Process a Data Subject’s Personal Data or Ready Computing Affiliates wants to Process a Data Subject’s Transferred Data for a purpose other than the purpose for which it was originally collected, then the Ready Computing Company will make Data Subjects aware of such a change unless there is a legitimate reason for not doing so (as described above). In certain instances, a Ready Computing Company will need to obtain the Data Subject’s consent to any such new purposes.
2.2 Accuracy
Ready Computing Iberia SLU will keep Personal Data accurate and Ready Computing Affiliates will keep Transferred Data accurate, and where necessary, up to date. Ready Computing Companies will keep will actively encourage Data Subjects to inform Ready Computing Companies when such data changes. Ready Computing Companies will take reasonable steps to ensure inaccuracies in such data are erased or rectified without delay.
2.3 Data Minimisation
Ready Computing Iberia SLU will only keep Personal Data and Ready Computing Affiliates will only keep Transferred Data that are adequate, relevant, and limited to what is necessary to properly fulfill the purpose for which that data is Processed.
2.4 Limited Storage Periods
Ready Computing Iberia SLU will only keep a Data Subject’s Personal Data and Ready Computing Affiliates will only keep a Data Subject’s Transferred Data for as long as is necessary for the purpose or purposes for which that data is Processed.
2.5 Processing of Special Categories of Personal Data
Ready Computing Iberia SLU will only Process a Data Subject’s Special Categories of Personal Data, and Ready Computing Affiliates will only Process a Data Subject’s Special Categories of Personal Data that are Transferred Data, if it is absolutely necessary and where Ready Computing Companies have obtained the Data Subject’s express consent which must be genuine and freely given (unless there is another legitimate basis for Processing without a Data Subject’s consent). Further information about how Ready Computing Companies Process Special Categories of Personal Data will be set out in Ready Computing Iberia SLU’s Privacy Policy.
2.6 Availability
These Rules will be made available on this webpage. A Data Subject may also request a copy of these Rules from Ready Computing Iberia SLU at the address set out in the section below, or from the local Ready Computing Company in a Data Subject’s country.
- DATA SUBJECT’S RIGHTS
3.1 Access Request
A Data Subject is entitled to make a Data Subject access request to:
- Be informed of whether Ready Computing Iberia SLU hold and Process Personal Data or Ready Computing Affiliates hold and Process Transferred Data about the Data Subject
- Be provided with a description of any Personal Data that Ready Computing Iberia SLU holds or Transferred Data that Ready Computing Affiliates hold about a Data Subject, the purposes for which any such data are being held, the recipients or classes or recipients to whom the information is, or maybe, disclosed (including any recipients in countries outside of the EEA), and either how long the data will be retained or the criteria used to determine how long the data will be stored
- Be provided with any available information as to the source of a Data Subject’s data where the data was not collected directly from the Data Subject
- If Ready Computing Iberia SLU transfers Personal Data to a country outside of the EEA, Ready Computing Iberia SLU will inform the Data Subjects of the safeguards Ready Computing Iberia SLU has in place to protect a Data Subject’s Personal Data
- A copy of the Personal Data held by Ready Computing Iberia SLU or Transferred Data held by Ready Computing Affiliates, in an intelligible form. Ready Computing Companies may ask a Data Subject for any information that the companies reasonably require to confirm the identity of the person making the request and for the Ready Computing Companies to locate the relevant information to which the Data Subject access request relates
3.2 Processing
In regards to Personal Data held by Ready Computing Iberia SLU or Transferred Data held by Ready Computing Affiliates, a Data Subject has the right to request correction or erasure, and the right to restrict or object to certain types of Processing. A Data Subject also has a right to data portability.
3.3 Transferred Data
Ready Computing Iberia SLU will correct or restrict Personal Data and Ready Computing Affiliates will correct or restrict Transferred Data without undue delay. Ready Computing Iberia SLU will erase Personal Data and Ready Computing Affiliates will erase Transferred Data without undue delay (unless an exception applies which allows Ready Computing Companies to continue Processing such data).
3.4 No Charge
A Data Subject can exercise these rights free of charge and at any time.
3.5 Use of Data Subject’s Personal Data
A Data Subject also has the right to object (opt-out), free of charge and on request, to the use of the Data Subject’s Personal Data that Ready Computing Iberia SLU holds or Transferred Data that Ready Computing Affiliates hold for direct marketing purposes and Ready Computing Companies will honor all such requests. In addition, Ready Computing Companies will take all necessary steps to prevent marketing materials being sent to Data Subjects that have opted out of receiving such messages.
3.6 Contact Information
Any requests under this section should be sent to:
- The Data Protection Officer of your local Ready Computing Company is Francisco Martinez Rojas. For any inquiries, please contact lopd@edorteam.com (attn: Francisco Martinez Rojas) and Carbon Copy (CC) security@readycomputing.com
- AUTOMATED INDIVIDUAL’S DECISION-MAKING AND PROFILING
4.1 Decision-Making
Ready Computing Companies will not make any decision that would significantly affect the Data Subjects based solely on Processing by automated means, including profiling unless permitted by law and where Ready Computing Companies have taken measures to protect a Data Subject’s legitimate interests.
4.2 Automated Decision-Making
If decisions are made by automated means, a Data Subject has the right to know the logic involved in that decision making, as well as the significance and envisaged consequences of that Processing.
- SECURITY
Ready Computing Iberia SLU will take appropriate technical and organizational measures to protect Personal Data and Ready Computing Affiliates will take appropriate technical and organizational measures to protect Transferred Data against accidental loss, destruction, damage, or unauthorized or unlawful Processing (including taking reasonable steps to ensure the reliability of employees who have access to such data). Ready Computing Companies’ employees may only process data in accordance with these Rules, and any employees who breach these Rules may be subject to disciplinary action, up to and including dismissal.
5.1 Data Processors That Are Members of Ready Computing Companies
If a Ready Computing Company Processes Personal Data on behalf of another, the Ready Computing Company carrying out the Processing must:
- Act in compliance with contractual commitments to act only on the written instructions of the Ready Computing Company on whose behalf the Processing is being conducted
- Ensure that the Ready Computing Company carrying out the Processing has in place appropriate technical and organizational security measures to safeguard the data
- Notify any Personal Data breaches to the Ready Computing Company on whose behalf the Processing is being conducted, the Data Protection and Privacy Officer, and Data Subjects (if appropriate), without undue delay
5.2 Third-Party Data Processors and International Transfer
5.2.1 Third-Party Data Processors
If Ready Computing Iberia SLU uses a third-party Data Processor to Process Personal Data on its behalf or a Ready Computing Affiliate uses a third-party Data Processor to Process Transferred Data on its behalf, the Ready Computing Company will obtain contractual commitments to safeguard the security of the data to ensure that the third party only acts on the Ready Computing Company’s instructions when using that data and that the third party has in place appropriate technical and organizational security measures to safeguard the data.
5.2.2 International Transfer
Ready Computing Iberia SLU will not transfer Personal Data and Ready Computing Affiliates will not transfer Transferred Data to third parties outside of the Ready Computing Companies without ensuring an adequate level of protection for the data, for example, ensuring that contractual clauses (such as the EU standard contractual clauses) are in place with any third-party Data Processor and/or Data Controller to ensure an adequate level of protection of the data transferred.
5.3 Training
Ready Computing Companies will provide appropriate training to its employees who have permanent or regular access to Personal Data, who are involved in the collection of Personal Data or in the development of tools used to Process Personal Data to ensure they are aware of their obligations under these Rules.
- AUDIT
6.1 Conducting an Audit
Our internal audit function (or an external auditor appointed by us) shall conduct an audit at least annually (or within a shorter timescale as specifically requested by the Data Protection and Privacy Officer to evaluate and report on all aspects of Ready Computing Companies’ compliance with these Rules.
6.2 Results of an Audit
The results of the audit will be reported by our internal audit function, or an external auditor (as appropriate), to the Data Protection and Privacy Officer and Ready Computing Companies’ management team, which will ensure that any corrective action takes place as soon as reasonably practicable. If requested by a Supervisory Authority, our internal audit function will also provide a copy of the results of the audit to the Supervisory Authority (subject to applicable laws and respect for any confidential, privileged or commercially sensitive information provided).
6.3 Who Conducts an Audit
We agree that relevant Supervisory Authorities may conduct audits of the relevant Ready Computing Companies for the purposes of demonstrating the Ready Computing Company’s compliance with these Rules and the relevant Ready Computing Company shall comply with any directions issued by the relevant Supervisory Authority.
- COMPLIANCE
Ready Computing Companies have a Security Team which is chaired by the Data Protection and Privacy Officer/Privacy and Security Officer and is composed of the Data Protection and Privacy Officer/Privacy and Security Officer, Deputy Privacy and Security Officer, and Vice President of Finance and Administration/In-House Counsel. The Data Protection and Privacy Officer reports to the CEO. The Data Protection and Privacy Officer is responsible for overseeing all privacy and data protection issues, including ensuring compliance with all aspects of these Rules and reporting compliance to senior management. The Data Protection and Privacy Officer is supported by the Security Team and any of its delegates responsible for overseeing and ensuring compliance with these Rules on a day-to-day basis at a local level, including monitoring training and compliance at a local level. The Security Team reports any substantial or major privacy issues to the Data Protection and Privacy Officer.
7.1 Actions in Case of National Legislation Preventing Compliance with the Rules
7.1.1 Notification
Where a Ready Computing Company has reason to believe that legislation applicable to the Ready Computing Company prevents it from fulfilling its obligations under these Rules or has a substantial effect on the guarantees provided by these Rules, the Ready Computing Company will promptly inform Ready Computing Iberia SLU and the Data Protection and Privacy Officer (unless otherwise prohibited by a law enforcement authority).
7.1.2 Decision-Making
Ready Computing Companies will ensure that where there is a conflict between national law and these Rules, the Data Protection and Privacy Officer will make a responsible decision regarding what action to take and will consult with the relevant Supervisory Authority in case of doubt.
7.2 Complaint Handling
Ready Computing Companies shall follow RC PROC-0011_GDPR Complaint Handling Procedure in relation to any complaints received from Data Subjects regarding its compliance with these Rules or if the Data Subject claims to have suffered any loss because of an alleged breach of these Rules.
- THIRD-PARTY BENEFICIARY RIGHTS AND ENFORCEMENT
8.1 Rights and Enforcement
All Ready Computing Companies must comply with these Rules. Any Data Subjects whose Personal Data are used or collected in Europe and transferred to Ready Computing Affiliates outside of the EEA shall have the right to enforce these Rules as a third-party beneficiary and shall have the right to seek compensation for damage suffered as a result of breach of the Rules, including, but not limited to, a judicial award of compensation for damage suffered by the Data Subject as a result of a breach of these Rules. Any such claims can be brought by the Data Subject before a Supervisory Authority in his or her home country, country of work, or where the alleged infringement took place. Data Subjects may also bring a claim before a competent court in the EEA jurisdiction in which the Ready Computing Company exported the Personal Data outside of the EEA and has an establishment or in the Data Subject’s country of habitual residence.
8.2 Burden of Proof
In the event of a claim by a Data Subject that he/she has suffered damage and has established that such damage occurred because of a breach of these Rules, the burden of proof to show that the damages suffered by the Data Subject due to a breach of the Rules are not attributable to relevant Ready Computing Company will rest with Ready Computing Iberia SLU.
8.3 Cooperation with Supervisory Authorities
8.3.1 Abiding by Final Decisions
Ready Computing Companies will abide by any formal decision of a competent Supervisory Authority on any issues regarding the interpretation of these Rules, provided that such decision is final and no further appeal is possible.
8.3.2 Providing Copies of Audit Results
Ready Computing Companies will provide copies of the results of any audit carried out in relation to these Rules to a Supervisory Authority with competent jurisdiction upon request, subject to applicable laws, and respect for any confidential, privileged, or commercially sensitive information provided.
8.3.3 Responding to Requests for Information
Where any Ready Computing Company is located in a jurisdiction of a Supervisory Authority, the Ready Computing Company shall (subject to applicable law and respect for any confidential, privileged, or commercially sensitive information provided) respond to all requests for information from the relevant Supervisory Authority provided that such requests relate to compliance with these Rules in the relevant jurisdiction or in relation to Personal Data transferred out of the EEA from the relevant jurisdiction by the local Ready Computing Company
- UPDATES OF THE RULE
9.1 Notification of Rule Changes
Ready Computing Iberia SLU will notify the competent Supervisory Authority at least once a year if any material changes are made to these Rules and will provide a brief explanation of the reasons for any such change.
9.2 Communicating and Recording Updates
Ready Computing Iberia SLU will communicate any substantive changes to these Rules to the affected Ready Computing Company and to the Data Subjects who benefit from these Rules. The Data Protection and Privacy Officer (or another officer appointed by him or her with delegated responsibility) will maintain an up-to-date list of Ready Computing Companies bound by these Rules, maintain a record of any updates to these Rules, and ensure that all new Ready Computing Companies are bound by these Rules before any Personal Data is transferred to them. Ready Computing Iberia SLU will report any changes to the list of Ready Computing Companies bound by the Rules to the competent Supervisory Authority or Data Subjects upon request.
9.3 Notification of Possible Effects on Level of Protection
Ready Computing Iberia SLU will promptly notify the competent Supervisory Authority of any substantive changes which could affect the level of protection offered by these Rules.
Effective Date: 01 June 2020
Last Updated: 01 June 2020