Binding corporate rules (BCR)

The Controller Binding Corporate Rules (BCR-C) applies when CGI acts as a Data Controller and when CGI acts as a Data Processor on behalf of CGI further referred to as Internal Data Processor.  

Download BCR-C

1 – Definitions

For the purposes of this Controller Binding Corporate Rules (BCR-C), the following definitions apply:

“Applicable Data Protection Legislation” refers to (i) the European Data Protection Regulation 2016/679 relating to the Processing of Personal Data as of its date of application and (ii) any implementing laws of the EU Data Protection Regulation.

“CGI” refers, as the case may be, to one, several or all of the participating legal entities controlled or owned by CGI Inc., as well as to the strategic business units and business units acting on their behalf, that Process Personal Data and whose adherence to this BCR-C is not in violation of, or inconsistent with, any local laws, regulations, statutes, court orders, mandatory standards or binding commitments. The participating CGI entities are listed in Appendix A. This list may be updated from time to time.

“Data Controller” refers to any legal entity that, alone or jointly with other Data Controllers, determines the purposes and means for the Processing of Personal Data.

“Data Processor” refers to any legal entity acting on behalf of a Data Controller.

“Data Subject” refers to an identified or identifiable natural person whose Personal Data is Processed by CGI, including any CGI Member, external consultant to CGI, or employees or end users of a CGI client.

“European Economic Area” or “EEA” refers to the EU member states (Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden), as well as Norway, Liechtenstein and Iceland hereinafter also refered to as “Member States”.

“GDPR” means European Regulation 2016/679 titled General Data Protection Regulation.

“Internal Data Processor” refers to any CGI entity listed in Annex A acting as a Data Processor on behalf of another CGI entity listed in Annex A acting as the Data Controller.

“Local Legislation” has the meaning ascribed to such expression in Section 13.5 herein.

“Member”, “Members” refers to a CGI Employee(s).

“Personal Data” refers to any information relating to a Data Subject who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data includes Sensitive Personal Data.

“Process”, “Processing” or “Processed” refers to any operation or set of operations performed on Personal Data, whether or not by automated means, such as collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting (including remote access), using, disclosing by transmitting, disseminating or otherwise making available, aligning or combining, restricting, erasing, or destroying.

“Sensitive Personal Data” refers to specific categories of Personal Data that reveal racial or ethnic origin, political opinion, religious or philosophical beliefs, or trade union membership, as well as the Processing of genetic or biometric data for the purpose of uniquely identifying a natural person, health data, and data concerning a natural person’s sex life or sexual orientation.

“Third Parties” or “Third Party” refer to CGI’s supplier(s) and subcontractor(s), as well as any other entity or public body to which Personal Data may be disclosed.

“Transfer of Personal Data” refers to the transfer of Personal Data located in the European Economic Area (EEA) to a country located outside of the EEA.

2 – Scope

2.1 Activities covered

This Controller Binding Corporate Rules (BCR-C) applies when CGI acts as a Data Controller and when CGI acts as a Data Processor on behalf of CGI further referred to as Internal Data Processor.

The categories of Processing, Data Subjects and Personal Data covered by this BCR-C are set forth in Appendix B.

2.2 Territories covered

The principles referred to herein apply to the Transfer of Personal Data in the following cases:

• From CGI in the EEA to CGI outside of the EEA
• From CGI outside of the EEA to CGI in or outside of the EEA but only to the extent Personal Data of Data Subjects who are in the EEA are Processed
• From CGI in the EEA to Third Parties outside of the EEA
• From Third Parties outside of the EEA to CGI in the EEA but only to the extent Personal Data of Data Subjects who are in the EEA are Processed

3 – Compliance and accountability with the Data Privacy Policy

3.1 Accountability of CGI

This BCR-C is binding on CGI, including all participating CGI legal entities listed in Appendix A.

Each CGI entity listed in Appendix A, acting as Data Controller or as Internal Data Processor, will be responsible for demonstrating its compliance with this BCR-C.

3.2 Compliance of Members

All CGI Members (employees) are bound by this BCR-C through the obligation, in all employment contracts, to comply with applicable confidentiality and privacy obligations and CGI policies, processes and standards, as covered by CGI’s Code of Ethics. CGI Members will, if applicable, annually acknowledge this BCR-C together with the Code of Ethics.

As further detailed in Sections 13.1 and 14 of the BCR-C, CGI Members are made aware of the BCR through internal communication and training. CGI Members are also made aware of the fact that non-compliance with the Code of Ethics and in this specific instance the BCR-C may lead to sanctions according to applicable local laws.

3.3 Compliance related to CGI suppliers and subcontractors and other Third Parties

Any Third Party that Processes Personal Data on CGI’s behalf is required to implement appropriate organizational measures to ensure compliance with the principles and requirements of this BCR-C.

A CGI entity acting as Data Controller or as an Internal Data Processor will only permit other CGI entities or Third Parties to Process Personal Data on its behalf if a contract between them comprising the requirements set out in Article 28-3 of the GDPR is in place.

4 – CGI basic principles of Processing Personal Data

Complying with the following principles not only meets or exceeds Applicable Data Protection Legislation but also meets the highest market standards and practices for Processing Personal Data.

4.1 Applicable principles when CGI acts as a Data Controller

(i) Transparency, fairness and lawfulness

CGI will Process Personal Data lawfully, fairly and in a transparent manner in relation to the Data Subject, in accordance with the requirements of this BCR-C and in particular Sections 4.1 and 13.

(ii) Defining a purpose

Any Processing of Personal Data by CGI, particularly the collection thereof, will be preceded by the identification of the specific purpose for such Processing. Such purpose must be explicit and legitimate. Personal Data cannot be further Processed in a manner that is incompatible with such purpose.

(iii) Data minimization

Once the purpose for the Processing of Personal Data has been established, CGI will only collect Personal Data to the extent required for accomplishing such purpose. Each Processing detail is reviewed as part of the early solution design phases and included in the data privacy checklist review process or otherwise in order to ensure that the personal data is adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed.

(iv) Quality of personal data

Throughout the life cycle of any Processing, CGI will ensure that the collected Personal Data remains accurate and up to date. Every reasonable step will be taken to ensure that personal data that are inaccurate are erased or rectified without delay including but not limited to self-service options for Data Subjects. In particular, CGI will provide adequate means to Data Subjects to inform CGI in case of any change in their Personal Data.

CGI will implement unscheduled audits as further defined under Section 15.

(v) Data retention limitation

CGI will ensure that it does not retain Personal Data for a longer period than strictly necessary to achieve the purpose for which the Personal Data is collected. Consequently, CGI will determine an appropriate retention period before commencing the Processing. In doing so, CGI will consider the time during which the Personal Data is necessary to achieve the purpose of the Processing, while taking into account the following factors:

• Period after which maintenance of such Personal Data may have an impact on Data Subject rights to be forgotten;
• Any legal obligations imposing a minimum data retention period, as may be defined in the CGI Records Retention Policy and Records Retention Schedule or otherwise.

(vi) Security measures

CGI will implement appropriate operational and technical measures, at least equivalent to those prescribed in CGI’s security policies and standards, to guard against unlawful access, loss, destruction, alteration and/or Processing of Personal Data.

In particular, CGI will grant Members access to Personal Data only when it is necessary to accomplish assigned tasks consistent with the purpose for which the Personal Data is Processed.

In the event of unlawful access and / or Processing, CGI will comply with its Information Security Policy and related procedures.

(vii) Defining a legal basis

In addition to the above principles, Processing may only be performed if:

• It is necessary to comply with a legal obligation applicable to CGI (e.g., report data to tax authorities); or
• It is necessary in the context of a contract with a Data Subject (e.g., employment contract); or
• In the absence of a contract with a Data Subject, it is necessary for the legitimate interest of CGI, which will be assessed against the interests of the Data Subject. A legitimate interest exists if:
  1. The Processing is necessary to achieve the legitimate interest pursued by CGI without adversely impacting the Data Subject’s interest,
  2. CGI’s interest is not overridden by the fundamental rights or interests of the Data Subjects, and
  3. CGI is in compliance with any applicable legislation and is meeting its obligations in a transparent manner.

Such legitimate interest will therefore be determined in light of CGI’s core business and applicable law, as well as any negative impact on the Data Subjects’ privacy.

• Where Processing does not fall under any of the above, CGI will obtain the Data Subject‘s prior consent before Processing his/her Personal Data. Consent is valid when:
  • It is freely given by a clear affirmative act; and
  • It represents a specific, informed and unambiguous indication of the Data Subject's agreement to the Processing of his/her Personal Data.

The Processing of Personal Data by CGI may be deemed lawful when the Processing is necessary to the vital interest of the Data Subject or when the Processing is necessary for the performance of a task carried out in the public interest, following Applicable Data Protection Legislation.

5 – Processing of Sensitive Personal Data

The Processing of Sensitive Personal Data requires that reinforced guarantees, as described below, are implemented.

CGI will Process Sensitive Personal Data only when strictly necessary. When Processing Sensitive Personal Data on its own behalf, CGI will ensure that at least one of the following conditions is met:

• The Data Subject has given his/her prior consent;
• The Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the Controller or of the Data Subject in the field of employment and social security and social protection law;
• If the Data Subject is not in a position to give his/her consent (e.g., for medical reasons), the Processing is necessary to protect the vital interests of the Data Subject or of another person;
• The Processing is required in the context of preventive medicine or medical diagnosis by a health professional under national law;
• The Data Subject has already manifestly placed the relevant Sensitive Personal Data in the public domain;
• The Processing is essential for the purpose of establishing, exercising or defending legal claims, provided that there are no grounds for assuming the Data Subject has an overriding legitimate interest in ensuring that such Sensitive Personal Data is not Processed; or
• The Processing is explicitly permitted by EEA/Member State laws (e.g., registration/protection of minority groups).

In any case CGI will Process Sensitive Personal Data in accordance with Applicable Data Protection Legislation. Where such law requires specific hosting and Processing conditions, CGI will either obtain the required certification or qualification or will use a third party already certified or qualified for such purpose.

6 – Transfer of Personal Data to third countries

A Transfer of Personal Data occurs when an entity located outside of the EEA is involved in Processing performed by an entity located in the EEA.

A Transfer of Personal Data may require additional guarantees or conditions, as further described below.

6.1 Transfer of Personal Data within CGI

This BCR-C provides appropriate safeguards with respect to any Transfer of Personal Data:

• from CGI in the EEA acting as a Data Controller to CGI located outside of the EEA acting as a Data Controller or as an Internal Data Processor;
• from CGI located outside of the EEA acting as a Data Controller and Processing Personal Data falling within the scope of this BCR-C, to CGI acting either as a Data Controller or as an Internal Data Processor, wherever it is located.

The expected purposes of such Transfer of Personal Data are defined in Section 2.1 above.

6.2 Transfer of Personal Data outside of CGI

Where a Transfer of Personal Data occurs between CGI in the EEA and a Third Party located outside of the EEA, the Transfer of Personal Data will include one of the following appropriate safeguards, as applicable:

• The adoption by the parties of the EU model clauses resulting from the EU Commission implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
• Any other appropriate safeguards recognized by the Applicable Data Protection Legislation that require the same or a higher level of protection for Personal Data than is contemplated in the European Data Protection Regulation 2016/679 such as an adequacy decision, an approved code of conduct or an appropriate certification mechanism.

Any other personal information flows that are not Personal Data and do not originate from an EEA entity are not considered a Transfer of Personal Data under this BCR-C. Consequently, such transfer is not subject to the requirements contained herein. However, the CGI entity involved in such transfers will implement all necessary and reasonable appropriate technical and organizational measures commensurate with the risks associated with such Processing, in accordance with this BCR-C and applicable CGI security policies.

7 – Third Party beneficiary rights

7.1 Where CGI acts as a Data Controller

In case of a breach of this BCR-C by CGI, Data Subjects have the right to enforce the following provisions of this BCR-C as third party beneficiaries:

• Section 4: CGI BASIC PRINCIPLES WHEN PROCESSING PERSONAL DATA
• Section 5: PROCESSING OF SENSITIVE PERSONAL DATA
• Section 6: TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
• Section 7: THIRD PARTY BENEFICIARY RIGHTS
• Section 8: CGI LIABILITY IN CASE OF BREACH OF THE DATA PRIVACY POLICY
• Section 9: DATA SUBJECT REQUEST & COMPLAINT HANDLING PROCEDURE
• Section 10: DATA SUBJECT RIGHTS
• Section 11 : PRIVACY BY DESIGN / PRIVACY BY DEFAULT
• Section 13.1: (TRANSPARENCY) REGARDING THE DATA PRIVACY POLICY
• Section 13.4 : COOPERATION WITH DATA PROTECTION AUTHORITIES
• Section 13.5 : WHERE LOCAL LAW HAS PRECEDENCE OVER THIS BCR-C

In case of breach of any rights guaranteed under this BCR-C, Data Subjects and CGI may seek an amicable solution under a settlement entered into in accordance with Section 9 of this BCR-C (“Data Subject request & complaint handling process”).

Data Subjects also have the right to lodge a claim directly with the competent Data Protection Authority of the Member State of his/her habitual residence, place of work or place of the alleged infringement or to seek directly judicial remedies in the Member State Court against CGI France SAS where CGI has an establishment or where the data subject has his/her habitual residence for any breach of the rights guaranteed under this BCR-C and, as appropriate, shall be entitled to receive compensation for any material or non-material damage resulting from such breach. However, CGI encourages Data Subjects to use this dedicated complaint handling procedure while they remain free not to rely on it.

7.2 Jurisdiction

Where a Data Subject intends to lodge a complaint according to Section 7.1 above for a breach of any of the rights granted under this BCR-C related to Processing falling within the scope of this BCR-C, the following authorities or courts shall have jurisdiction:

• Where the breach originates from Processing performed by CGI located in the EEA, the Data Subject has the right to lodge a complaint against CGI with one of the following authorities:
  • With a supervisory Data Protection Authority in the Member State of his or her habitual residence, place of work or place of the alleged infringement;
  • With the Courts of of the Member State where the Data Subject has his or her habitual residence;
  • With the Courts of the Member State where CGI, as data exporter, has an establishment.
• Where the breach originates from Processing performed by CGI located outside of the EEA, the Data Subject has the right to file a complaint against CGI France SAS directly with the competent Data Protection Authority in the EU of his/her place of residence, place of work or place of the alleged infringement or before the Court of the Member State where the Data Subject has his/her place of residence or where CGI has an establishment.

8 – liability in case of breach of the Data Privacy Policy

In case of violation of this BCR-C by CGI located outside of the EEA, CGI France SAS is responsible for such violation and will deploy the necessary actions to remedy the breach and to pay compensation for demonstrated damages resulting therefrom. CGI France SAS also bears the burden of proof in demonstrating that CGI is not liable for any alleged violation of the BCR-C.

In case of violation of this BCR-C by CGI located in the EEA, CGI France SAS is responsible for such violation and will take the necessary actions to remedy the breach and to pay compensation for demonstrated damages resulting therefrom. Any such compensation to be paid by CGI France SAS shall be buttressed by CGI Inc., the controlling entity of all CGI operating subsidiaries, thereby confirming that CGI France SAS has accepted liability for the acts of CGI operating subsidiaries bound by this Policy outside of the EU and has sufficient assets to pay compensation for damages resulting from the breach of this Policy. CGI France SAS also bears the burden of proof in demonstrating that CGI is not liable for any alleged violation of the BCR-C.

In each of the above situations, Data Subjects have the right to file a complaint in accordance with the conditions defined in Section 7.1 above.

9 – Data Subject request & complaint handling process

The procedure set out under this Section applies to a Data Subject’s complaint or where a Data Subject exercises his/her right to access, update or delete his/her Personal Data.

Data Subjects may file a complaint or a request concerning the Processing of Personal Data if they consider that CGI is in breach of this BCR-C. The complaint or request may be made against the CGI entity they believe is in breach or, where the breach is likely to result from an act of a CGI entity outside the EEA, the Data Subject is entitled to lodge the complaint or file a request directly against CGI France SAS.

Such complaint or request must be lodged with Enterprise Data Privacy by using the contact details made available on CGI’s intranet and website. The complaint or request will be handled by Enterprise Data Privacy with the assistance of the relevant functions, without any undue delay and at the latest within one month after receiving the complaint or request.

10 – Data Subject rights

When CGI acts as a Data Controller, Data Subjects may also at any time:

• Access Personal Data relating to them and processed by CGI;
• Request the rectification or deletion of any inaccurate or incomplete Personal Data relating to them, or which is no longer Processed for a valid or appropriate purpose;
• Object to the Processing of their Personal Data at any time, unless such Processing is required by applicable EEA/Member State law, provided that the Data Subject demonstrates that he/she has a reason to object as it pertains to his/her particular situation (e.g. a Data Subject objects on grounds that the processing is causing them substantial damage or distress such as financial loss; a CGI member asks CGI to remove his/her photograph from an org chart because it misrepresents his/her appearance).
• Have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her.
• Request restriction of the Processing when the Personal Data is no longer accurate or necessary, the Processing is unlawful, or the Data Subject has objected to the Processing while the Data Controller verifies the legal basis for the Processing; or
• Receive his/her Personal Data in a structured, commonly used and machine-readable format, when the Personal Data has been collected with the Data Subject’s consent or as part of a contract with the latter.

CGI will ensure that it handles such requests without undue delay and in accordance with the complaint handling process.

11 – Privacy by design / privacy by default

In line with the principles contained in this BCR-C, CGI will provide the appropriate level of protection to the Personal Data it Processes.

To ensure that such principles are effectively taken into account when CGI Processes Personal Data, CGI will identify and implement data protection constraints during the development and delivery lifecycles of any project or service that involves Processing of Personal Data.

12 – Privacy impact assessment

CGI is responsible for monitoring Processing compliance with Applicable Data Protection Legislation. Consequently, CGI has implemented a privacy impact assessment procedure that enables it to:

(i) Identify which Processing presents any specific risk for the protection of Personal Data;
(ii) Assess the level of compliance with Applicable Data Protection Legislation Processing principles;
(iii) Assess the level of severity or likelihood of risk associated with the Processing; and
(iv) Determine the corrective measures to be implemented to ensure that Personal Data is Processed in compliance with Applicable Data Protection Legislation and risks are mitigated.

If, after mitigation, the risks to the Data Subjects remain significant, the competent Data Protection Authority will be consulted prior to the start of the intended processing.

13 – Transparency

13.1 Regarding the Data Privacy Policy

CGI will raise awareness of this BCR-C to encourage compliance with it. CGI will communicate to Data Subjects whose Personal Data is Processed by CGI the information as required by Articles 13 and 14 GDPR (listed in Section 13.2 below), information on their third party beneficiary rights with regards to the processing of their Personal Data and on the means to exercises those rights, the clause relating to the liability as well as the clauses relating to the data protection principles(i.e. the key requirements of this BCR-C referenced under Sections 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13.4, 13.5) and will make such information accessible, in full, through publication on CGI’s corporate intranet and public facing website for other Data Subjects, as the case may be.

13.2 Regarding Data Processing

When acting as a Data Controller, CGI will provide Data Subjects with relevant information about the Processing of their Personal Data as required by Applicable Data Protection Legislation, including the following:

• Identity and contact details of the Data Controller;
• Contact details of the Chief Privacy Officer and related team;
• Purposes of the Processing as well as the legal basis for the Processing;
• Entities to which the Personal Data is disclosed and/or made accessible;
• Where applicable, the existence of Transfer of Personal Data out of the EEA, the countries to which the Personal Data is transferred, and the measures implemented to ensure an adequate level of protection;
• Data retention period;
• Rights of the Data Subjects, as defined under Section 10 above;
• Right to lodge a complaint before the Data Protection Authority; and
• If the Processing is based on a legitimate interest of CGI, explanations regarding the said legitimate interest;
• If the Processing is based on consent the existence of the right to withdraw consent at any time;
• Whether the provision of Personal Data is a statutory or contractual requirement, or a requirement to enter into a contract, as well as whether the Data Subject is obliged to provide the Personal Data and of the possible consequences of failure to provide such data;
• Where CGI intends to further Process the Personal Data for a purpose other than that for which the Personal Data were collected, CGI will provide the Data Subjects prior to that Processing with information on that other purpose and with any relevant further information as detailed earlier in this article.

In addition to the above the following applies if the information is not collected directly from the Data Subject

• the categories of Personal Data Processed;
• the source from which the personal data originate, and if applicable, if it comes from a publicly accessible source;
• Within a reasonable period after obtaining the Personal Data, but at least within one month, having regard to the specific circumstances in which the Personal Data are processed;
• If the Personal Data are to be used for communication with the Data Subject, at the latest at the time of the first communication to that Data Subject; or
• If a disclosure to another recipient is envisage, at the latest when the personal data are first disclosed.

CGI will provide such information in an easily understandable and accessible form in general upon collection of the personal data in a short description with a link to the privacy notice on the CGI’s corporate intranet and on its public facing website for other Data Subjects, as the case may be. For some of the IT systems a short description is provided on access with a link to the detailed privacy notice for that IT system.

13.3 Notification of Personal Data breach

In accordance with CGI’s security policies and standards if CGI identifies a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed, CGI will, without undue delay and, where feasible, no later than 72 hours after having become aware of the breach; provide security incident notification and status updates to the relevant Data Protection Authority and to Data Subjects and/or to the Data Controller as required by Applicable Data Protection legislation and/or as agreed upon in the relevant agreement. Similarly and for greater clarity, in the event a Personal Data breach occurs outside of the EEA involving Personal Data transferred from the EEA, CGI France SAS will be notified and Data Subjects, where the Personal Data breach is likely to result in a high risk to their rights and freedoms. All Personal Data breaches shall be documented and made available to the supervisory authorities on request.

13.4 Cooperation with Data Protection Authorities

CGI seeks to maintain strong relationships with Data Protection Authorities. CGI will cooperate with competent Data Protection Authorities in relation to any of their requests sent in accordance with Applicable Data Protection Legislation, including any audit requests. CGI also will comply with recommendations issued by competent Data Protection Authorities in relation to Personal Data Processing carried out by CGI as a Data Controller.

13.5 Where Local Legislation has precedence over this BCR-C

Prior to a Data Transfer taking place, the data exporting entity with help of the data importing entity will, taking into account the circumstances of the transfer, evaluate, if local legislation, regulations, statutes, court orders or mandatory standards (hereinafter “Local Legislation”) will prevent CGI from fulfilling its obligations under the BCR-C and determine any required supplementary measures to be taken.

Before any updated Local Legislation comes into force and where the transfer already takes place, the data exporting entity with help of the data importing entity will evaluate, if the updated Local Legislation will prevent CGI from fulfilling its obligations under the BCR-C and determine any required supplementary measures to be taken.

The Chief Privacy Officer, Chief Legal Officer and CGI France SAS, will review and approve the documented investigation and any proposed supplementary measures.

Where Local Legislation requires a higher level of protection than is contemplated under this BCR-C, such Local Legislation will take precedence over this BCR-C, and the Processing will be made in accordance with the Local Legislation.

Where the outcome of the evaluation of Local Legislation demonstrates the need to implement supplementary measures, CGI will implement those. However if no supplementary measures can be put in place CGI must suspend the transfer.

The outcome of the evaluation and proposed supplementary measures will be properly documented and kept at the disposal of the Data Protection Authority(ies).

Where a CGI entity has reasons to believe that any legal requirement CGI is or may become subject to in a third country prevents or may prevent CGI from fulfilling its obligations under the BCR-C or has or may have substantial effect on the guarantees provided by the Applicable Data Protection Legislation, including any legally binding request for disclosure of Personal Data by a law enforcement authority or state security body, the Chief Privacy Officer and CGI France SAS will be promptly informed (except where prohibited by a law enforcement authority, such as prohibition under criminal law to preserve the confidentiality of a law enforcement investigation). In specific cases where the abovementioned notification is prohibited, the relevant CGI entity will use best efforts for such prohibition to be waived. If, despite its efforts, the requested CGI entity is not in a position to notify the competent Data Protection Authority(ies), it will annually provide general information on the requests it received to the competent Data Protection Authority(ies).

In any case, transfers of Personal Data by a CGI entity subject to this BCR-C to any public authority cannot be massive, disproportionate and indiscriminate in a manner that would go beyond what is necessary in a democratic society.

Transfers or disclosures not authorised by Union law

For CGI entities located in the EEA, any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a Controller or Processor to transfer or disclose Personal Data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to Chapter V of GDPR.

14 – Training

CGI will adopt and deploy a privacy training program so that its members are aware of the principles and procedures contained in this BCR-C.

The training program will provide CGI members with the following:

• Common core knowledge regarding the applicable principles when Processing Personal Data
• Good understanding of the existing procedures and their application
• Specific training adapted to the different functions within the organization

This training program aims at ensuring that proper training is provided to members whose functions require the Processing of Personal Data.

In addition to deploying appropriate data protection training, CGI will continue to promote a data protection culture within its organization. For this purpose, CGI will conduct specific communication actions, including awareness campaigns, privacy-related materials, webinars, and forums, to provide guidance and respond to queries on any matter related to this BCR-C.

Privacy training is mandatory for members whose functions require the Processing of Personal Data.

15 – Audit

CGI will integrate into its internal audit program a review of CGI’s compliance with all aspects of this BCR-C.

The internal audit process will define the following:

• Schedule under which audits shall be carried out;
• Expected scope of the audit;
• Team responsible for the audit.

The internal audit process may be revised on a regular basis. However, CGI will perform internal audits on a regular basis through a qualified audit team. Such program will be initiated by CGI’s internal audit department.

The results of the audit will be communicated to CGI headquarters, as well as to the data privacy organization, and resulting actions will be defined and prioritized, enabling the data privacy organization to determine a schedule for the implementation of corrective and preventive measures.

Competent Data Protection Authorities may request access to the audit results.

16 – Privacy organization

The implementation of the Data Privacy Policy requires all participating CGI entities listed in Appendix A to fully participate in its application. They remain in any case fully responsible for their own compliance with this BCR-C.

CGI will set up an internal data privacy organization responsible for defining appropriate policies, processes and standards covering all participating CGI entities, and for monitoring compliance with this BCR-C.

In particular, CGI will designate a Chief Privacy Officer (CPO) and a network of Data Protection Officers and regional Privacy Business Partners, in accordance with Applicable Data Protection Legislation.

The CPO reports directly to the Chief Legal Officer who reports directly to the Chief Executive Officer. As regards this Policy, the CPO has mainly the following tasks:

• Define the Group’s strategy in terms of implementation of this Policy and procedures to be implemented throughout the organisation to ensure that each Strategic Business Unit (SBU) and Business Unit (BU) comply with this Policy;
• Define the training program;
• Define the audit strategy to monitor the effective application of this Policy;
• Provide advice to the SBU where required.

For each Strategic Business Unit of each Region of the Group, we have appointed a Regional Privacy Business Partner who can rely on a network of Privacy Business Partners appointed at local and/or Business Unit level. The SBU Privacy Business Partners shall ensure that this Policy is duly implemented at the SBU level and that any complaint raised at this level, including data subjects’ complaints, is handled appropriately and in particular in accordance with the process described under this Policy. They shall also monitor together with the local Privacy Business Partners that the data transfers and commitment are actually implemented.

In any case, Data Subjects will be provided a key contact with relevant expertise in case of they have questions and/or complaints.

17 – Record of Processing activities

CGI will maintain a record of Processing activities carried out as a Data Controller (the “Data Processing Inventory”) that contains all of the following information:

• the name and contact details of the Data Controller and, where applicable, the joint Data Controller, the Controller's representative and the data protection officer;
• the purposes of the processing;
• a description of the categories of Data Subjects and of the categories of Personal Data;
• the categories of recipients to whom the Personal Data have been or will be disclosed including recipients in third countries or international organisations;
• where applicable, Transfers of Personal Data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards;
• where possible, the envisaged time limits for erasure of the different categories of data;
• where possible, a general description of the technical and organisational security measures.

CGI will make sure that any new Processing of Personal Data is recorded in the Data Processing Inventory with relevant information regarding the context of each Processing of Personal Data. CGI shall make the record(s) of processing available to the supervisory authorities on request.

18 – Update to the Data Privacy Policy

This BCR-C may be amended from time to time, as necessary and according to a specific procedure. When amendments significantly affect the BCR or the level of protection offered, CGI will, promptly inform the competent Data Protection Authority and all the CGI entities listed in Appendix A. For any other changes to the BCR-C, CGI will, at least once a year, communicate with all of the following groups:

• Each participating CGI entity listed in Appendix A;
• CGI members;
• Data Subjects for whom CGI acts as a Data Controller; and
• Relevant Data Protection Authorities, via the competent Data Protection Authority along with a brief explanation of the reasons justifying the update.

CGI will keep an up-to-date list of the entities bound by this BCR-C and the data privacy organization will keep track of and record any updates to the rules, ensure that information is communicated in due course to the above-mentioned stakeholders and provide the necessary information to the data subjects or Relevant Data Protection Authorities upon request.

CGI commits not to transfer Personal Data to a new CGI entity that is not effectively bound by this BCR-C according to the procedure defined in Section 3.

Where a non-EEA CGI entity listed in Appendix A ceases to be part of the group of CGI Entities bound by the BCR-C in the future, it needs to be ensured that it will continue to apply the BCR-C requirements to the processing of those personal data transferred to it by means of the BCR’s unless, at the time of leaving this group, the former member will delete or return the entire amount of these data to entities to which the BCR-C still apply.

19 – Communication

For CGI members: any question, request or guidance in relation to this BCR-C should be sent to the following address: enterprisedataprivacy@cgi.com

For Data Subjects other than CGI members: any question, request or guidance in relation to this BCR-C should be sent to the following address: privacy@cgi.com

The categories of Processing, Data Subjects and Personal Data covered by this BCR-C are set forth in Appendix B.

• Appendix A - CGI entities bound by the BCR controller
• Appendix B - Activities covered by the BCR controller