BCRs are a legally binding mechanism allowing any CGI entity to transfer personal data of European Union residents to any other CGI entities outside the European Economic Area. 

CGI has 2 types of BCRs:

  • Controller BCR when CGI acting as a Data Controller and
  • Processor BCRs when acting as a Data Processor according to the instructions of an EU client.

The Controller Binding Corporate Rules (BCR-C) applies when CGI acts as a Data Controller and when CGI acts as a Data Processor on behalf of CGI further referred to as Internal Data Processor.  

Download BCR-C

1 – Definitions

For the purposes of this Controller Binding Corporate Rules (BCR-C), the following definitions apply:

Applicable Data Protection Legislation” refers to (i) the European Data Protection Regulation 2016/679 relating to the Processing of Personal Data as of its date of application and (ii) any implementing laws of the EU Data Protection Regulation.

CGI” refers, as the case may be, to one, several or all of the participating legal entities controlled or owned by CGI Inc., as well as to the strategic business units and business units acting on their behalf, that Process Personal Data and whose adherence to this BCR-C is not in violation of, or inconsistent with, any local laws, regulations, statutes, court orders, mandatory standards or binding commitments. The participating CGI entities are listed in Appendix A. This list may be updated from time to time.

Data Controller” refers to any legal entity that, alone or jointly with other Data Controllers, determines the purposes and means for the Processing of Personal Data.

Data Processor” refers to any legal entity acting on behalf of a Data Controller.

Data Subject” refers to an identified or identifiable natural person whose Personal Data is Processed by CGI, including any CGI Member, external consultant to CGI, or employees or end users of a CGI client.

European Economic Area” or “EEA” refers to the EU member states (Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden), as well as Norway, Liechtenstein and Iceland hereinafter also refered to as “Member States”.

GDPR” means European Regulation 2016/679 titled General Data Protection Regulation.

Internal Data Processor” refers to any CGI entity listed in Annex A acting as a Data Processor on behalf of another CGI entity listed in Annex A acting as the Data Controller.

Local Legislation” has the meaning ascribed to such expression in Section 13.5 herein.

Member”, “Members” refers to a CGI Employee(s).

Personal Data” refers to any information relating to a Data Subject who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data includes Sensitive Personal Data.

Process”, “Processing” or “Processed” refers to any operation or set of operations performed on Personal Data, whether or not by automated means, such as collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting (including remote access), using, disclosing by transmitting, disseminating or otherwise making available, aligning or combining, restricting, erasing, or destroying.

Sensitive Personal Data” refers to specific categories of Personal Data that reveal racial or ethnic origin, political opinion, religious or philosophical beliefs, or trade union membership, as well as the Processing of genetic or biometric data for the purpose of uniquely identifying a natural person, health data, and data concerning a natural person’s sex life or sexual orientation.

Third Parties” or “Third Party” refer to CGI’s supplier(s) and subcontractor(s), as well as any other entity or public body to which Personal Data may be disclosed.

Transfer of Personal Data” refers to the transfer of Personal Data located in the European Economic Area (EEA) to a country located outside of the EEA.

2 – Scope

2.1 Activities covered

This Controller Binding Corporate Rules (BCR-C) applies when CGI acts as a Data Controller and when CGI acts as a Data Processor on behalf of CGI further referred to as Internal Data Processor.

The categories of Processing, Data Subjects and Personal Data covered by this BCR-C are set forth in Appendix B.

2.2 Territories covered

The principles referred to herein apply to the Transfer of Personal Data in the following cases:

  • From CGI in the EEA to CGI outside of the EEA
  • From CGI outside of the EEA to CGI in or outside of the EEA but only to the extent Personal Data of Data Subjects who are in the EEA are Processed
  • From CGI in the EEA to Third Parties outside of the EEA
  • From Third Parties outside of the EEA to CGI in the EEA but only to the extent Personal Data of Data Subjects who are in the EEA are Processed
3 – Compliance and accountability with the Data Privacy Policy

3.1 Accountability of CGI

This BCR-C is binding on CGI, including all participating CGI legal entities listed in Appendix A.

Each CGI entity listed in Appendix A, acting as Data Controller or as Internal Data Processor, will be responsible for demonstrating its compliance with this BCR-C.

3.2 Compliance of Members

All CGI Members (employees) are bound by this BCR-C through the obligation, in all employment contracts, to comply with applicable confidentiality and privacy obligations and CGI policies, processes and standards, as covered by CGI’s Code of Ethics. CGI Members will, if applicable, annually acknowledge this BCR-C together with the Code of Ethics.

As further detailed in Sections 13.1 and 14 of the BCR-C, CGI Members are made aware of the BCR through internal communication and training. CGI Members are also made aware of the fact that non-compliance with the Code of Ethics and in this specific instance the BCR-C may lead to sanctions according to applicable local laws.

3.3 Compliance related to CGI suppliers and subcontractors and other Third Parties

Any Third Party that Processes Personal Data on CGI’s behalf is required to implement appropriate organizational measures to ensure compliance with the principles and requirements of this BCR-C.

A CGI entity acting as Data Controller or as an Internal Data Processor will only permit other CGI entities or Third Parties to Process Personal Data on its behalf if a contract between them comprising the requirements set out in Article 28-3 of the GDPR is in place.

4 – CGI basic principles of Processing Personal Data

Complying with the following principles not only meets or exceeds Applicable Data Protection Legislation but also meets the highest market standards and practices for Processing Personal Data.

4.1 Applicable principles when CGI acts as a Data Controller

(i) Transparency, fairness and lawfulness

CGI will Process Personal Data lawfully, fairly and in a transparent manner in relation to the Data Subject, in accordance with the requirements of this BCR-C and in particular Sections 4.1 and 13.

(ii) Defining a purpose

Any Processing of Personal Data by CGI, particularly the collection thereof, will be preceded by the identification of the specific purpose for such Processing. Such purpose must be explicit and legitimate. Personal Data cannot be further Processed in a manner that is incompatible with such purpose.

(iii) Data minimization

Once the purpose for the Processing of Personal Data has been established, CGI will only collect Personal Data to the extent required for accomplishing such purpose. Each Processing detail is reviewed as part of the early solution design phases and included in the data privacy checklist review process or otherwise in order to ensure that the personal data is adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed.

(iv) Quality of personal data

Throughout the life cycle of any Processing, CGI will ensure that the collected Personal Data remains accurate and up to date. Every reasonable step will be taken to ensure that personal data that are inaccurate are erased or rectified without delay including but not limited to self-service options for Data Subjects. In particular, CGI will provide adequate means to Data Subjects to inform CGI in case of any change in their Personal Data.

CGI will implement unscheduled audits as further defined under Section 15.

(v) Data retention limitation

CGI will ensure that it does not retain Personal Data for a longer period than strictly necessary to achieve the purpose for which the Personal Data is collected. Consequently, CGI will determine an appropriate retention period before commencing the Processing. In doing so, CGI will consider the time during which the Personal Data is necessary to achieve the purpose of the Processing, while taking into account the following factors:

  • Period after which maintenance of such Personal Data may have an impact on Data Subject rights to be forgotten;
  • Any legal obligations imposing a minimum data retention period, as may be defined in the CGI Records Retention Policy and Records Retention Schedule or otherwise.
(vi) Security measures

CGI will implement appropriate operational and technical measures, at least equivalent to those prescribed in CGI’s security policies and standards, to guard against unlawful access, loss, destruction, alteration and/or Processing of Personal Data.

In particular, CGI will grant Members access to Personal Data only when it is necessary to accomplish assigned tasks consistent with the purpose for which the Personal Data is Processed.

In the event of unlawful access and / or Processing, CGI will comply with its Information Security Policy and related procedures.

(vii) Defining a legal basis

In addition to the above principles, Processing may only be performed if:

  • It is necessary to comply with a legal obligation applicable to CGI (e.g., report data to tax authorities); or
  • It is necessary in the context of a contract with a Data Subject (e.g., employment contract); or
  • In the absence of a contract with a Data Subject, it is necessary for the legitimate interest of CGI, which will be assessed against the interests of the Data Subject. A legitimate interest exists if:
    1. The Processing is necessary to achieve the legitimate interest pursued by CGI without adversely impacting the Data Subject’s interest,
    2. CGI’s interest is not overridden by the fundamental rights or interests of the Data Subjects, and
    3. CGI is in compliance with any applicable legislation and is meeting its obligations in a transparent manner.

Such legitimate interest will therefore be determined in light of CGI’s core business and applicable law, as well as any negative impact on the Data Subjects’ privacy.

  • Where Processing does not fall under any of the above, CGI will obtain the Data Subject‘s prior consent before Processing his/her Personal Data. Consent is valid when:

    • It is freely given by a clear affirmative act; and
    • It represents a specific, informed and unambiguous indication of the Data Subject's agreement to the Processing of his/her Personal Data.

The Processing of Personal Data by CGI may be deemed lawful when the Processing is necessary to the vital interest of the Data Subject or when the Processing is necessary for the performance of a task carried out in the public interest, following Applicable Data Protection Legislation.

5 – Processing of Sensitive Personal Data

The Processing of Sensitive Personal Data requires that reinforced guarantees, as described below, are implemented.

CGI will Process Sensitive Personal Data only when strictly necessary. When Processing Sensitive Personal Data on its own behalf, CGI will ensure that at least one of the following conditions is met:

  • The Data Subject has given his/her prior consent;
  • The Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the Controller or of the Data Subject in the field of employment and social security and social protection law;
  • If the Data Subject is not in a position to give his/her consent (e.g., for medical reasons), the Processing is necessary to protect the vital interests of the Data Subject or of another person;
  • The Processing is required in the context of preventive medicine or medical diagnosis by a health professional under national law;
  • The Data Subject has already manifestly placed the relevant Sensitive Personal Data in the public domain;
  • The Processing is essential for the purpose of establishing, exercising or defending legal claims, provided that there are no grounds for assuming the Data Subject has an overriding legitimate interest in ensuring that such Sensitive Personal Data is not Processed; or
  • The Processing is explicitly permitted by EEA/Member State laws (e.g., registration/protection of minority groups).

In any case CGI will Process Sensitive Personal Data in accordance with Applicable Data Protection Legislation. Where such law requires specific hosting and Processing conditions, CGI will either obtain the required certification or qualification or will use a third party already certified or qualified for such purpose.

6 – Transfer of Personal Data to third countries

A Transfer of Personal Data occurs when an entity located outside of the EEA is involved in Processing performed by an entity located in the EEA.

A Transfer of Personal Data may require additional guarantees or conditions, as further described below.

6.1 Transfer of Personal Data within CGI

This BCR-C provides appropriate safeguards with respect to any Transfer of Personal Data:

  • from CGI in the EEA acting as a Data Controller to CGI located outside of the EEA acting as a Data Controller or as an Internal Data Processor;
  • from CGI located outside of the EEA acting as a Data Controller and Processing Personal Data falling within the scope of this BCR-C, to CGI acting either as a Data Controller or as an Internal Data Processor, wherever it is located.

The expected purposes of such Transfer of Personal Data are defined in Section 2.1 above.

6.2 Transfer of Personal Data outside of CGI

Where a Transfer of Personal Data occurs between CGI in the EEA and a Third Party located outside of the EEA, the Transfer of Personal Data will include one of the following appropriate safeguards, as applicable:

  • The adoption by the parties of the EU model clauses resulting from the EU Commission implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
  • Any other appropriate safeguards recognized by the Applicable Data Protection Legislation that require the same or a higher level of protection for Personal Data than is contemplated in the European Data Protection Regulation 2016/679 such as an adequacy decision, an approved code of conduct or an appropriate certification mechanism.

Any other personal information flows that are not Personal Data and do not originate from an EEA entity are not considered a Transfer of Personal Data under this BCR-C. Consequently, such transfer is not subject to the requirements contained herein. However, the CGI entity involved in such transfers will implement all necessary and reasonable appropriate technical and organizational measures commensurate with the risks associated with such Processing, in accordance with this BCR-C and applicable CGI security policies.

7 – Third Party beneficiary rights

7.1 Where CGI acts as a Data Controller

In case of a breach of this BCR-C by CGI, Data Subjects have the right to enforce the following provisions of this BCR-C as third party beneficiaries:

  • Section 4: CGI BASIC PRINCIPLES WHEN PROCESSING PERSONAL DATA
  • Section 5: PROCESSING OF SENSITIVE PERSONAL DATA
  • Section 6: TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
  • Section 7: THIRD PARTY BENEFICIARY RIGHTS
  • Section 8: CGI LIABILITY IN CASE OF BREACH OF THE DATA PRIVACY POLICY
  • Section 9: DATA SUBJECT REQUEST & COMPLAINT HANDLING PROCEDURE
  • Section 10: DATA SUBJECT RIGHTS
  • Section 11 : PRIVACY BY DESIGN / PRIVACY BY DEFAULT
  • Section 13.1: (TRANSPARENCY) REGARDING THE DATA PRIVACY POLICY
  • Section 13.4 : COOPERATION WITH DATA PROTECTION AUTHORITIES
  • Section 13.5 : WHERE LOCAL LAW HAS PRECEDENCE OVER THIS BCR-C

In case of breach of any rights guaranteed under this BCR-C, Data Subjects and CGI may seek an amicable solution under a settlement entered into in accordance with Section 9 of this BCR-C (“Data Subject request & complaint handling process”).

Data Subjects also have the right to lodge a claim directly with the competent Data Protection Authority of the Member State of his/her habitual residence, place of work or place of the alleged infringement or to seek directly judicial remedies in the Member State Court against CGI France SAS where CGI has an establishment or where the data subject has his/her habitual residence for any breach of the rights guaranteed under this BCR-C and, as appropriate, shall be entitled to receive compensation for any material or non-material damage resulting from such breach. However, CGI encourages Data Subjects to use this dedicated complaint handling procedure while they remain free not to rely on it.

7.2 Jurisdiction

Where a Data Subject intends to lodge a complaint according to Section 7.1 above for a breach of any of the rights granted under this BCR-C related to Processing falling within the scope of this BCR-C, the following authorities or courts shall have jurisdiction:

  • Where the breach originates from Processing performed by CGI located in the EEA, the Data Subject has the right to lodge a complaint against CGI with one of the following authorities:

    • With a supervisory Data Protection Authority in the Member State of his or her habitual residence, place of work or place of the alleged infringement;
    • With the Courts of of the Member State where the Data Subject has his or her habitual residence;
    • With the Courts of the Member State where CGI, as data exporter, has an establishment.
  • Where the breach originates from Processing performed by CGI located outside of the EEA, the Data Subject has the right to file a complaint against CGI France SAS directly with the competent Data Protection Authority in the EU of his/her place of residence, place of work or place of the alleged infringement or before the Court of the Member State where the Data Subject has his/her place of residence or where CGI has an establishment.
8 – liability in case of breach of the Data Privacy Policy

In case of violation of this BCR-C by CGI located outside of the EEA, CGI France SAS is responsible for such violation and will deploy the necessary actions to remedy the breach and to pay compensation for demonstrated damages resulting therefrom. CGI France SAS also bears the burden of proof in demonstrating that CGI is not liable for any alleged violation of the BCR-C.

In case of violation of this BCR-C by CGI located in the EEA, CGI France SAS is responsible for such violation and will take the necessary actions to remedy the breach and to pay compensation for demonstrated damages resulting therefrom. Any such compensation to be paid by CGI France SAS shall be buttressed by CGI Inc., the controlling entity of all CGI operating subsidiaries, thereby confirming that CGI France SAS has accepted liability for the acts of CGI operating subsidiaries bound by this Policy outside of the EU and has sufficient assets to pay compensation for damages resulting from the breach of this Policy. CGI France SAS also bears the burden of proof in demonstrating that CGI is not liable for any alleged violation of the BCR-C.

In each of the above situations, Data Subjects have the right to file a complaint in accordance with the conditions defined in Section 7.1 above.

9 – Data Subject request & complaint handling process

The procedure set out under this Section applies to a Data Subject’s complaint or where a Data Subject exercises his/her right to access, update or delete his/her Personal Data.

Data Subjects may file a complaint or a request concerning the Processing of Personal Data if they consider that CGI is in breach of this BCR-C. The complaint or request may be made against the CGI entity they believe is in breach or, where the breach is likely to result from an act of a CGI entity outside the EEA, the Data Subject is entitled to lodge the complaint or file a request directly against CGI France SAS.

Such complaint or request must be lodged with Enterprise Data Privacy by using the contact details made available on CGI’s intranet and website. The complaint or request will be handled by Enterprise Data Privacy with the assistance of the relevant functions, without any undue delay and at the latest within one month after receiving the complaint or request.

10 – Data Subject rights

When CGI acts as a Data Controller, Data Subjects may also at any time:

  • Access Personal Data relating to them and processed by CGI;
  • Request the rectification or deletion of any inaccurate or incomplete Personal Data relating to them, or which is no longer Processed for a valid or appropriate purpose;
  • Object to the Processing of their Personal Data at any time, unless such Processing is required by applicable EEA/Member State law, provided that the Data Subject demonstrates that he/she has a reason to object as it pertains to his/her particular situation (e.g. a Data Subject objects on grounds that the processing is causing them substantial damage or distress such as financial loss; a CGI member asks CGI to remove his/her photograph from an org chart because it misrepresents his/her appearance).
  • Have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her.
  • Request restriction of the Processing when the Personal Data is no longer accurate or necessary, the Processing is unlawful, or the Data Subject has objected to the Processing while the Data Controller verifies the legal basis for the Processing; or
  • Receive his/her Personal Data in a structured, commonly used and machine-readable format, when the Personal Data has been collected with the Data Subject’s consent or as part of a contract with the latter.

CGI will ensure that it handles such requests without undue delay and in accordance with the complaint handling process.

11 – Privacy by design / privacy by default

In line with the principles contained in this BCR-C, CGI will provide the appropriate level of protection to the Personal Data it Processes.

To ensure that such principles are effectively taken into account when CGI Processes Personal Data, CGI will identify and implement data protection constraints during the development and delivery lifecycles of any project or service that involves Processing of Personal Data.

12 – Privacy impact assessment

CGI is responsible for monitoring Processing compliance with Applicable Data Protection Legislation. Consequently, CGI has implemented a privacy impact assessment procedure that enables it to:

(i) Identify which Processing presents any specific risk for the protection of Personal Data;
(ii) Assess the level of compliance with Applicable Data Protection Legislation Processing principles;
(iii) Assess the level of severity or likelihood of risk associated with the Processing; and
(iv) Determine the corrective measures to be implemented to ensure that Personal Data is Processed in compliance with Applicable Data Protection Legislation and risks are mitigated.

If, after mitigation, the risks to the Data Subjects remain significant, the competent Data Protection Authority will be consulted prior to the start of the intended processing.

13 – Transparency

13.1 Regarding the Data Privacy Policy

CGI will raise awareness of this BCR-C to encourage compliance with it. CGI will communicate to Data Subjects whose Personal Data is Processed by CGI the information as required by Articles 13 and 14 GDPR (listed in Section 13.2 below), information on their third party beneficiary rights with regards to the processing of their Personal Data and on the means to exercises those rights, the clause relating to the liability as well as the clauses relating to the data protection principles(i.e. the key requirements of this BCR-C referenced under Sections 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13.4, 13.5) and will make such information accessible, in full, through publication on CGI’s corporate intranet and public facing website for other Data Subjects, as the case may be.

13.2 Regarding Data Processing

When acting as a Data Controller, CGI will provide Data Subjects with relevant information about the Processing of their Personal Data as required by Applicable Data Protection Legislation, including the following:

  • Identity and contact details of the Data Controller;
  • Contact details of the Chief Privacy Officer and related team;
  • Purposes of the Processing as well as the legal basis for the Processing;
  • Entities to which the Personal Data is disclosed and/or made accessible;
  • Where applicable, the existence of Transfer of Personal Data out of the EEA, the countries to which the Personal Data is transferred, and the measures implemented to ensure an adequate level of protection;
  • Data retention period;
  • Rights of the Data Subjects, as defined under Section 10 above;
  • Right to lodge a complaint before the Data Protection Authority; and
  • If the Processing is based on a legitimate interest of CGI, explanations regarding the said legitimate interest;
  • If the Processing is based on consent the existence of the right to withdraw consent at any time;
  • Whether the provision of Personal Data is a statutory or contractual requirement, or a requirement to enter into a contract, as well as whether the Data Subject is obliged to provide the Personal Data and of the possible consequences of failure to provide such data;
  • Where CGI intends to further Process the Personal Data for a purpose other than that for which the Personal Data were collected, CGI will provide the Data Subjects prior to that Processing with information on that other purpose and with any relevant further information as detailed earlier in this article.

In addition to the above the following applies if the information is not collected directly from the Data Subject

  • the categories of Personal Data Processed;
  • the source from which the personal data originate, and if applicable, if it comes from a publicly accessible source;
  • Within a reasonable period after obtaining the Personal Data, but at least within one month, having regard to the specific circumstances in which the Personal Data are processed;
  • If the Personal Data are to be used for communication with the Data Subject, at the latest at the time of the first communication to that Data Subject; or
  • If a disclosure to another recipient is envisage, at the latest when the personal data are first disclosed.

CGI will provide such information in an easily understandable and accessible form in general upon collection of the personal data in a short description with a link to the privacy notice on the CGI’s corporate intranet and on its public facing website for other Data Subjects, as the case may be. For some of the IT systems a short description is provided on access with a link to the detailed privacy notice for that IT system.

13.3 Notification of Personal Data breach

In accordance with CGI’s security policies and standards if CGI identifies a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed, CGI will, without undue delay and, where feasible, no later than 72 hours after having become aware of the breach; provide security incident notification and status updates to the relevant Data Protection Authority and to Data Subjects and/or to the Data Controller as required by Applicable Data Protection legislation and/or as agreed upon in the relevant agreement. Similarly and for greater clarity, in the event a Personal Data breach occurs outside of the EEA involving Personal Data transferred from the EEA, CGI France SAS will be notified and Data Subjects, where the Personal Data breach is likely to result in a high risk to their rights and freedoms. All Personal Data breaches shall be documented and made available to the supervisory authorities on request.

13.4 Cooperation with Data Protection Authorities

CGI seeks to maintain strong relationships with Data Protection Authorities. CGI will cooperate with competent Data Protection Authorities in relation to any of their requests sent in accordance with Applicable Data Protection Legislation, including any audit requests. CGI also will comply with recommendations issued by competent Data Protection Authorities in relation to Personal Data Processing carried out by CGI as a Data Controller.

13.5 Where Local Legislation has precedence over this BCR-C

Prior to a Data Transfer taking place, the data exporting entity with help of the data importing entity will, taking into account the circumstances of the transfer, evaluate, if local legislation, regulations, statutes, court orders or mandatory standards (hereinafter “Local Legislation”) will prevent CGI from fulfilling its obligations under the BCR-C and determine any required supplementary measures to be taken.

Before any updated Local Legislation comes into force and where the transfer already takes place, the data exporting entity with help of the data importing entity will evaluate, if the updated Local Legislation will prevent CGI from fulfilling its obligations under the BCR-C and determine any required supplementary measures to be taken.

The Chief Privacy Officer, Chief Legal Officer and CGI France SAS, will review and approve the documented investigation and any proposed supplementary measures.

Where Local Legislation requires a higher level of protection than is contemplated under this BCR-C, such Local Legislation will take precedence over this BCR-C, and the Processing will be made in accordance with the Local Legislation.

Where the outcome of the evaluation of Local Legislation demonstrates the need to implement supplementary measures, CGI will implement those. However if no supplementary measures can be put in place CGI must suspend the transfer.

The outcome of the evaluation and proposed supplementary measures will be properly documented and kept at the disposal of the Data Protection Authority(ies).

Where a CGI entity has reasons to believe that any legal requirement CGI is or may become subject to in a third country prevents or may prevent CGI from fulfilling its obligations under the BCR-C or has or may have substantial effect on the guarantees provided by the Applicable Data Protection Legislation, including any legally binding request for disclosure of Personal Data by a law enforcement authority or state security body, the Chief Privacy Officer and CGI France SAS will be promptly informed (except where prohibited by a law enforcement authority, such as prohibition under criminal law to preserve the confidentiality of a law enforcement investigation). In specific cases where the abovementioned notification is prohibited, the relevant CGI entity will use best efforts for such prohibition to be waived. If, despite its efforts, the requested CGI entity is not in a position to notify the competent Data Protection Authority(ies), it will annually provide general information on the requests it received to the competent Data Protection Authority(ies).

In any case, transfers of Personal Data by a CGI entity subject to this BCR-C to any public authority cannot be massive, disproportionate and indiscriminate in a manner that would go beyond what is necessary in a democratic society.

Transfers or disclosures not authorised by Union law

For CGI entities located in the EEA, any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a Controller or Processor to transfer or disclose Personal Data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to Chapter V of GDPR.

14 – Training

CGI will adopt and deploy a privacy training program so that its members are aware of the principles and procedures contained in this BCR-C.

The training program will provide CGI members with the following:

  • Common core knowledge regarding the applicable principles when Processing Personal Data
  • Good understanding of the existing procedures and their application
  • Specific training adapted to the different functions within the organization

This training program aims at ensuring that proper training is provided to members whose functions require the Processing of Personal Data.

In addition to deploying appropriate data protection training, CGI will continue to promote a data protection culture within its organization. For this purpose, CGI will conduct specific communication actions, including awareness campaigns, privacy-related materials, webinars, and forums, to provide guidance and respond to queries on any matter related to this BCR-C.

Privacy training is mandatory for members whose functions require the Processing of Personal Data.

15 – Audit

CGI will integrate into its internal audit program a review of CGI’s compliance with all aspects of this BCR-C.

The internal audit process will define the following:

  • Schedule under which audits shall be carried out;
  • Expected scope of the audit;
  • Team responsible for the audit.

The internal audit process may be revised on a regular basis. However, CGI will perform internal audits on a regular basis through a qualified audit team. Such program will be initiated by CGI’s internal audit department.

The results of the audit will be communicated to CGI headquarters, as well as to the data privacy organization, and resulting actions will be defined and prioritized, enabling the data privacy organization to determine a schedule for the implementation of corrective and preventive measures.

Competent Data Protection Authorities may request access to the audit results.

16 – Privacy organization

The implementation of the Data Privacy Policy requires all participating CGI entities listed in Appendix A to fully participate in its application. They remain in any case fully responsible for their own compliance with this BCR-C.

CGI will set up an internal data privacy organization responsible for defining appropriate policies, processes and standards covering all participating CGI entities, and for monitoring compliance with this BCR-C.

In particular, CGI will designate a Chief Privacy Officer (CPO) and a network of Data Protection Officers and regional Privacy Business Partners, in accordance with Applicable Data Protection Legislation.

The CPO reports directly to the Chief Legal Officer who reports directly to the Chief Executive Officer. As regards this Policy, the CPO has mainly the following tasks:

  • Define the Group’s strategy in terms of implementation of this Policy and procedures to be implemented throughout the organisation to ensure that each Strategic Business Unit (SBU) and Business Unit (BU) comply with this Policy;
  • Define the training program;
  • Define the audit strategy to monitor the effective application of this Policy;
  • Provide advice to the SBU where required.

For each Strategic Business Unit of each Region of the Group, we have appointed a Regional Privacy Business Partner who can rely on a network of Privacy Business Partners appointed at local and/or Business Unit level. The SBU Privacy Business Partners shall ensure that this Policy is duly implemented at the SBU level and that any complaint raised at this level, including data subjects’ complaints, is handled appropriately and in particular in accordance with the process described under this Policy. They shall also monitor together with the local Privacy Business Partners that the data transfers and commitment are actually implemented.

In any case, Data Subjects will be provided a key contact with relevant expertise in case of they have questions and/or complaints.

17 – Record of Processing activities

CGI will maintain a record of Processing activities carried out as a Data Controller (the “Data Processing Inventory”) that contains all of the following information:

  • the name and contact details of the Data Controller and, where applicable, the joint Data Controller, the Controller's representative and the data protection officer;
  • the purposes of the processing;
  • a description of the categories of Data Subjects and of the categories of Personal Data;
  • the categories of recipients to whom the Personal Data have been or will be disclosed including recipients in third countries or international organisations;
  • where applicable, Transfers of Personal Data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards;
  • where possible, the envisaged time limits for erasure of the different categories of data;
  • where possible, a general description of the technical and organisational security measures.

CGI will make sure that any new Processing of Personal Data is recorded in the Data Processing Inventory with relevant information regarding the context of each Processing of Personal Data. CGI shall make the record(s) of processing available to the supervisory authorities on request.

18 – Update to the Data Privacy Policy

This BCR-C may be amended from time to time, as necessary and according to a specific procedure. When amendments significantly affect the BCR or the level of protection offered, CGI will, promptly inform the competent Data Protection Authority and all the CGI entities listed in Appendix A. For any other changes to the BCR-C, CGI will, at least once a year, communicate with all of the following groups:

  • Each participating CGI entity listed in Appendix A;
  • CGI members;
  • Data Subjects for whom CGI acts as a Data Controller; and
  • Relevant Data Protection Authorities, via the competent Data Protection Authority along with a brief explanation of the reasons justifying the update.

CGI will keep an up-to-date list of the entities bound by this BCR-C and the data privacy organization will keep track of and record any updates to the rules, ensure that information is communicated in due course to the above-mentioned stakeholders and provide the necessary information to the data subjects or Relevant Data Protection Authorities upon request.

CGI commits not to transfer Personal Data to a new CGI entity that is not effectively bound by this BCR-C according to the procedure defined in Section 3.

Where a non-EEA CGI entity listed in Appendix A ceases to be part of the group of CGI Entities bound by the BCR-C in the future, it needs to be ensured that it will continue to apply the BCR-C requirements to the processing of those personal data transferred to it by means of the BCR’s unless, at the time of leaving this group, the former member will delete or return the entire amount of these data to entities to which the BCR-C still apply.

19 – Communication

For CGI members: any question, request or guidance in relation to this BCR-C should be sent to the following address: enterprisedataprivacy@cgi.com

For Data Subjects other than CGI members: any question, request or guidance in relation to this BCR-C should be sent to the following address: privacy@cgi.com

 

The categories of Processing, Data Subjects and Personal Data covered by this BCR-C are set forth in Appendix B.

 

The Processor Binding Corporate Rules (BCR-P) applies when CGI acts as a Data Processor according to the instructions of a non-CGI Data Controller established in the EU. 

Download BCR-P

1 – Definitions

For the purposes of this Processor Binding Corporate rules (BCR-P), the following definitions apply:

Applicable Data Protection Legislation” refers to (i) the European Data Protection Regulation 2016/679 relating to the Processing of Personal Data as of its date of application and (ii) any implementing laws of the EU Data Protection Regulation.

CGI” refers, as the case may be, to one, several or all of the participating legal entities controlled or owned by CGI Inc., as well as to the strategic business units and business units acting on their behalf, that Process Personal Data and whose adherence to this BCR-P is not in violation of, or inconsistent with, any local laws, regulations, statutes, court orders, mandatory standards or binding commitments. The participating CGI entities are listed in Appendix A. This list may be updated from time to time.

Data Controller” refers to any legal entity that, alone or jointly with other Data Controllers, determines the purposes and means for the Processing of Personal Data.

Data Processor” refers to any legal entity acting on behalf of a Data Controller.

Data Subject” refers to an identified or identifiable natural person whose Personal Data is Processed by CGI, including any CGI member, external consultant to CGI, or employees or end users of a CGI client.

European Economic Area” or “EEA” refers to the EU member states (Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden), as well as Norway, Liechtenstein and Iceland, hereinafter also referred to as “Member States”.

GDPR” means European Regulation 2016/679 titled General Data Protection Regulation.

Local Legislation” has the meaning ascribed to such expression in Section 12.5 herein.

Member” or “Members” refer to CGI Employee(s)

Personal Data” refers to any information relating to a Data Subject who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data includes Sensitive Personal Data.

Process”, “Processing” or “Processed” refers to any operation or set of operations performed on Personal Data, whether or not by automated means, such as collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting (including remote access), using, disclosing by transmitting, disseminating or otherwise making available, aligning or combining, restricting, erasing, or destroying.

Sensitive Personal Data” refers to specific categories of Personal Data that reveal racial or ethnic origin, political opinion, religious or philosophical beliefs, or trade union membership, as well as the Processing of genetic or biometric data for the purpose of uniquely identifying a natural person, health data, and data concerning a natural person’s sex life or sexual orientation.

Third Parties” or “Third Party” refers to CGI’s supplier(s) and subcontractor(s), as well as any other entity or public body to which Personal Data may be disclosed.

Transfer of Personal Data” refers to the transfer of Personal Data located in the European Economic Area (EEA) to a country located outside of the EEA.

2 – Scope

2.1 Activities covered

This BCR-P applies when CGI acts as a Data Processor according to the instructions of a non-CGI Data Controller established in the EU.

The categories of Processing, Data Subjects and Personal Data covered by this BCR-P are set forth in Appendix B.

2.2 Territories covered

The principles referred to herein apply to the Transfer of Personal Data in the following cases:

  • From CGI in the EEA to CGI outside of the EEA;
  • From CGI outside of the EEA to CGI in or outside of the EEA but only to the extent Personal Data of Data Subjects who are in the EEA are Processed;
  • From CGI in the EEA to Third Parties outside of the EEA;
  • From Third Parties outside of the EEA to CGI in the EEA but only to the extent Personal Data of Data Subjects who are in the EEA are Processed.
3 – Compliance and accountability with the Data Privacy Policy

3.1 Accountability of CGI

This BCR-P is binding on CGI, including all participating CGI legal entities listed in Appendix A.

Any CGI entity acting as Data Processor will make available to the Data Controller all reasonable information necessary to demonstrate the Data Processor’s compliance with its obligations under this BCR-P.

3.2 Compliance of Members

All CGI Members (employees) are bound by this BCR-P through the obligation, in all employment contracts, to comply with applicable confidentiality and privacy obligations and CGI policies, processes and standards, as covered by CGI’s Code of Ethics. CGI Members will, if applicable, annually acknowledge this BCR-P together with the Code of Ethics.

As further detailed in Sections 13.1 and 14 of the BCR-P, CGI Members are made aware of the BCR through internal communication and training. CGI Members are also made aware of the fact that non-compliance with the Code of Ethics and in this specific instance the BCR-P may lead to sanctions according to applicable local laws.

3.3 Compliance related to CGI clients and other Data Controllers

CGI, acting as Data Processor, makes a commitment to clients as well as to other Data Controllers, to comply with this BCR-P.

CGI including their employees commits to Process the Data Controllers’ Personal Data solely in accordance with their instructions, and, in particular, with respect to the nature, method, purpose and duration of the Processing, as well as to the operational and technical measures required to prevent unlawful access to the Personal Data. Following Art 28 GDPR, such commitment must be expressly reflected in agreements entered into between CGI and the Data Controllers.

3.4 Compliance related to CGI suppliers and subcontractors and other Third Parties

Any Third Party that Processes Personal Data on CGI’s behalf is required to implement appropriate organizational measures to ensure compliance with the principles and requirements of this BCR-P along with any and all other required elements to be contained in the contract under art 28.3 GDPR.

4 – CGI basic principles of Processing Personal Data

Complying with the following principles not only meets or exceeds Applicable Data Protection Legislation but also meets the highest market standards and practices for Processing Personal Data.

When acting as a Data Processor, CGI will ensure that it Processes Personal Data solely in accordance with the instructions of the Data Controller, which in most cases will be a CGI client.

In particular, such Processing must meet each of the following conditions:

  • Performed pursuant to the Data Controller’s sole expressed purposes;
  • Performed under the conditions agreed to between CGI and the Data Controller; and
  • Performed only for such period as is expressly prescribed by the Data Controller.

In particular, as a Data Processor, CGI will Process Personal Data according to Applicable Data Protection Legislation and the Data Controller’s instructions as set out in the agreement entered into between CGI and the Data Controller. Such Processing will be performed by CGI according to the Data Controller’s instructions and not for any further incompatible purposes, unless expressly authorized by the Data Controller and subject to Applicable Data Protection Legislation. CGI will immediately inform the Data Controller if, in its opinion, an instruction of the latter infringes the Applicable Data Protection Legislation.

The Data Controller shall be responsible for defining the retention period necessary to achieve the purposes of the Processing and CGI undertakes in this respect to only Process the Data Controller Personal Data pursuant to the instructions of the latter.

CGI will Process the Data Controller Personal Data with transparency in accordance with Section 12 of this BCR-P and will only sub-contract such Processing to Third Parties according to a general or specific prior authorization from the Data Controller and in accordance with Section 6 below. CGI will help and provide reasonable assistance to the Data Controller to comply with its obligations under the Applicable Data Protection Legislation.

In addition, upon a Data Controller’s request and as per its instructions, CGI will update, correct, anonymize or delete any Personal Data, and, as applicable, will instruct its Third Parties to comply with any such request.

CGI will, upon request by the Data Controller, implement appropriate technical and organizational measures for the fulfilment of the Data Controller’s obligations to respond to requests for exercising the data subjects rights accordance with the relevant CGI procedure.

When acting as a Data Processor, and unless otherwise instructed by the Data Controller, CGI will apply the same security baseline as it applies when it is acting as a Data Controller. Subject to the nature of processing and the information available to CGI will provide reasonable assistance to the Data Controller in ensuring compliance with its obligations under Article 32 to 36 of the GDPR.

Upon termination of the relevant Data Controller agreement, CGI and any Third Parties will either destroy or return all Data Controller Personal Data to the latter according to its instructions and Applicable Data Protection Legislation. In such a case, CGI will certify to the Data Controller that such deletion and/or return took place. In case of a return, CGI will ensure the confidentiality of the Personal Data transferred to the Data Controller.

The assistance to be provided by CGI to Data Controller for compliance purposes in accordance with this Section will be subject to the financial, technical and organizational conditions agreed between CGI and Data Controller in the relevant services agreement.

For the avoidance of doubt, nothing in this BCR-P limits CGI’s right to keep Personal Data for the purpose of existing litigation or to bring or defend future claims, in accordance with applicable legal statutes of limitation applicable to CGI.

The Data Controller remains solely responsible for ensuring that the required Processing complies with Applicable Data Protection Legislation.

5 – Processing of Sensitive Personal Data

The Processing of Sensitive Personal Data requires that reinforced guarantees, as described below, are implemented.

When CGI is required by a Data Controller to Process Sensitive Personal Data regulated as such under Applicable Data Protection Legislation, such Data Controller remains solely responsible for defining the security measures it considers appropriate for addressing the underlying risks, in accordance with the Applicable Data Protection Legislation. However, unless instructed to the contrary by the Data Controller, CGI will Process the Personal Data in accordance with the best practices it normally applies under similar circumstances. CGI will, in any case, follow the Data Controller’s instructions and apply the measures agreed to between the parties.

When CGI performs the Processing of Sensitive Personal Data as a Data Processor, CGI will not be required to ensure that the Processing relies on one of the legal basis defined in art 9 GDPR.

In any case, CGI will Process Sensitive Personal Data in accordance with applicable law. Where such law requires specific hosting and Processing conditions, CGI will either obtain the required certification or qualification or will use a third party already certified or qualified for such purpose.

6 – Transfer of Personal Data to third countries

A Transfer of Personal Data occurs when an entity located outside of the EEA is involved in Processing performed by an entity located in the EEA.

A Transfer of Personal Data may require additional guarantees or conditions, as further described below.

6.1 Transfer of Personal Data within CGI

This BCR-P provides appropriate safeguards with respect to any Transfer of Personal Data:

  • from CGI in the EEA acting as a Data Processor to CGI located outside of the EEA acting as a Data Processor;
  • from CGI located outside of the EEA acting as a Data Processor and Processing Personal Data falling within the scope of this BCR-P, to CGI as a Data Processor, wherever it is located.

The expected purposes of such Transfer of Personal Data are defined in Section 2.1 above.

When acting as a Data Processor, CGI will ensure that it obtains specific or general written authorization of the Data Controller prior to any Transfer of Personal Data. If a general authorization is given, CGI will inform the Data Controller of any intended changes concerning the addition or replacement of a Sub-Processor in such a timely fashion that the Data Controller has the possibility to object to the change or to terminate the contract before any transfer of Personal Data to the new sub-processor.

6.2 Transfer of Personal Data outside of CGI

When CGI acts as a Data Processor on behalf of a Data Controller located in the EEA, and when the Data Controller’s Personal Data is further transferred to a Third Party located outside of the EEA, CGI will ensure that:

(i) the Data Controller gives prior specific or general written authorization to such transfer and
(ii) that the Data Controller in the EEA and the Third Party located outside of the EEA frame the Transfer of Personal Data with one of the appropriate safeguards referred to below:

  • The adoption by the parties of the EU model clauses resulting from the EU Commission implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
  • Any other appropriate safeguards recognized by the Applicable Data Protection Legislation that require the same or a higher level of protection for Personal Data than is contemplated in the European Data Protection Regulation 2016/679 such as an adequacy decision, an approved code of conduct or an appropriate certification mechanism.

If a general authorization is given, CGI will inform the Data Controller of any intended changes concerning the addition or replacement of an external Sub-Processor in such a timely fashion that the Data Controller has the possibility to object to the change or to terminate the contract before any transfer of Personal Data to the new external sub-processor.

Any other personal information flows that are not Personal Data and do not originate from an EEA entity are not considered a Transfer of Personal Data under this BCR-P. Consequently, such transfer is not subject to the requirements contained herein. However, the CGI entity involved in such transfers will implement all necessary and reasonable appropriate technical and organizational measures commensurate with the risks associated with such Processing, in accordance with this BCR-P and applicable CGI security policies.

7 – Third Party beneficiary rights

7.1 Where CGI acts as a Data Processor

Where CGI acts as Data Processor, Data Subjects are entitled to enforce the following provisions of this BCR-P as third party beneficiaries directly against CGI where the requirements at stake are specifically directed to Data Processors in accordance with the European Regulation 2016/679 relating to the Processing of Personal Data:

  • Section 3.3: COMPLIANCE RELATED CGI CLIENTS AND OTHER DATA CONTOLLERS
  • Section 4: CGI BASIC PRINCIPLES WHEN PROCESSING PERSONAL DATA
  • Section 5: PROCESSING OF SENSITIVE PERSONAL DATA
  • Section 6: TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
  • Section 7: THIRD PARTY BENEFICIARY RIGHTS
  • Section 8: CGI LIABILITY IN CASE OF BREACH OF THE DATA PRIVACY POLICY
  • Section 9: DATA SUBJECT REQUEST & COMPLAINT HANDLING PROCEDURE
  • Section 12.1: (TRANSPARENCY) REGARDING THE DATA PRIVACY POLICY
  • Section 12.2: (TRANSPARENCY) REGARDING DATA PROCESSING
  • Section 12.3: NOTIFICATION OF PERSONAL DATA BREACH
  • Section 12.4 : COOPERATION WITH DATA PROTECTION AUTHORITIES
  • Section 12.5 : WHERE LOCAL LAW HAS PRECEDENCE OVER THIS BCR-P

In the event that the Data Controller has factually disappeared or no longer exists in law as a legal entity or has become insolvent and that no other entity has assumed the legal obligations of the Data Controller, Data Subjects will be entitled to bring a claim directly against CGI to exercise the rights contained in the BCR-P as third party beneficiaries.

In such an instance, Data Subjects and CGI may seek an amicable solution under a settlement entered into in accordance with Section 9 of this BCR-P (“Data Subject request & complaint handling process”).

Where CGI acting as Data Processor and the Data Controller involved in a same given Processing are found responsible for any damage caused by the said Processing, then Data Subjects will be entitled to receive compensation for the entire damage directly from CGI acting as Data Processor or from the Data Controller.

While CGI encourages Data Subjects to use this dedicated complaint handling procedure, they also have the right to lodge a claim directly with the competent Data Protection Authority in the EU of his/her habitual residence, place of work or place of the alleged infringement or to seek judicial remedies in the Member State Court against CGI France SAS where CGI has an establishment or where the data subject has his/her habitual residence for any breach of the rights guaranteed under this BCR-P and, as appropriate, shall be entitled to receive compensation for any material or non-material damage resulting from such breach.

7.2 Jurisdiction

Where a Data Subject intends to lodge a complaint according to Section 7.1 above for a breach of any of the rights granted under this BCR-P related to Processing falling within the scope of this BCR-P, the following authorities or courts shall have jurisdiction:

  • Where the breach originates from Processing performed by CGI located in the EEA, the Data Subject has the right to lodge a complaint against CGI with one of the following authorities:

    • With a supervisory Data Protection Authority in the Member State of his or her habitual residence, place of work or place of the alleged infringement;
    • With the Courts of the Member State where the Data Subject has his or her habitual residence;
    • With the Courts of the Member State where CGI, as data exporter, or the Data Controller has an establishment.
  • Where the breach originates from Processing performed by CGI located outside of the EEA, the Data Subject has the right to file a complaint against CGI France SAS directly with the competent Data Protection Authority in the EU of his/her place of residence, place of work or place of the alleged infringement or before the Court of the Member State where the Data Subject has his/her place of residence or where CGI or the Data Controller has an establishment
8 – CGI liability in case of breach of the Data Privacy Policy

When CGI or an external sub-processor engaged by CGI Processes Personal Data on behalf of a Data Controller, it can be held liable for any damage caused by the Processing only where it has not complied with its obligations or where it has acted outside or contrary to lawful instructions of the Data Controller. In the event the Data Controller and CGI France SAS are involved in the same processing and where they are responsible for any damage caused by processing, each of the Data Controller and CGI France SAS may be held liable for the entire damage in order to ensure effective compensation of the data subject.

When CGI Processes Personal Data on behalf of a Data Controller that has factually disappeared or ceased to exist in law as a legal entity, or has become insolvent and no successor entity has assumed the entire obligation of such Data Controller by contract or by operation of law, the Data Subject can either enforce its rights against the successor entity, if applicable, or otherwise against CGI France SAS. In such case, the Data Subject will have the right to file a complaint before any Court or competent Data Protection Authority that would have had jurisdiction over such Data Controller or that has jurisdiction over CGI France SAS. In all cases Data Subjects will have the right to lodge a claim directly with the competent Data Protection Authority of the Member State of his/her habitual residence, place of work or place of the alleged infringement or to seek judicial remedies in Court against CGI in the Member State where it has an establishment or where the data subject has his/her habitual residence for any breach of the rights guaranteed under this BCR-P and, as appropriate, shall be entitled to receive compensation for any material or non-material damage resulting from such breach.

CGI France SAS also bears the burden of proof in demonstrating that CGI or Third Party located outside of the EEA is not liable for any alleged violation of the Policy However, in the event of a demonstrated violation under such circumstances, CGI France SAS will take the necessary actions to remedy the breach and to pay compensation for demonstrated damages resulting therefrom. Any such compensation to be paid by CGI France SAS shall be buttressed by CGI Inc., the controlling entity of all CGI operating subsidiaries, thereby confirming that CGI France SAS has accepted liability for the acts of CGI operating subsidiaries bound by this Policy outside of the EU and has sufficient assets to pay compensation for damages resulting from the breach of this Policy.

In addition, the relevant Data Controller has the right to enforce this BCR-P against any CGI entity that Processes Personal Data on its behalf and that breaches this BCR-P. In case such breach involves a CGI entity or an external sub-processor engaged by CGI outside of the EU, the Data Controller has the right to enforce this BCR-P against CGI France SAS accepting liability in the EU/EEA, as descripted earlier in this article. The Data Controller is entitled to receive compensation and judicial remedies under the conditions set out in the relevant agreement entered into between CGI and such Data Controller.

9 – Data Subject request & complaint handling process

The procedure set out in this Section also applies to a Data Subject’s exercise of his or her right to access, update or delete his/her Personal Data.

Where a Data Subject makes a complaint or a request directly to CGI acting as a Data Processor, CGI will inform the Data Controller, about the complaint or request, and CGI is not legally responsible for handling it. CGI will be responsible only for handling those requests according to the Data Controller’s instructions. Where the Data Controller has disappeared factually, has ceased to exist or has become insolvent, CGI will then handle such requests directly, to the extent possible, in accordance with the relevant CGI procedure.

Any such complaint or request will be managed by CGI in due course in accordance with relevant CGI Procedure.

Unless a specific request or complaint form or contact has been made available by CGI as part of the services delivered to the Data Controller at stake, Data Subjects can send their requests or file their complaints as indicated in the Communication Section of this BCR-P.

CGI will ensure it communicates all relevant information that it receives from the Data Subject to the Data Controller and will expressly indicate to the latter that it is the Data Controller’s responsibility to handle such complaint or request.

10 – Privacy by design / privacy by default

In line with the principles contained in this BCR-P, CGI will provide the appropriate level of protection to the Personal Data it Processes.

To ensure that such principles are effectively taken into account when CGI Processes Personal Data, CGI will identify and implement data protection constraints during the development and delivery lifecycles of any project or service that involves Processing of Personal Data.

11 – Privacy impact assessment

When acting as a Data Processor, CGI may be required by the Data Controller to cooperate and provide relevant information to enable the Data Controller to conduct a privacy impact assessment. CGI will provide the Data Controller with all of the relevant information it has while ensuring that it does not provide any legal advice in the performance of such impact assessment.

12 – Transparency

12.1 Regarding the Data Privacy Policy

CGI will raise awareness of this BCR-P to encourage compliance with it.

CGI will ensure that the Data Controller can easily access this BCR-P, notably by making a publc version accessible on its website and by including it by reference in the agreement entered into with the Data Controller.

12.2 Regarding Data Processing

When acting as a Data Processor, CGI will provide Data Controllers, upon request, with relevant information enabling them to comply with their own obligations to Data Subjects. Unless otherwise indicated in any contractual agreement, CGI will not be required to inform Data Subjects directly thereof, as such obligations remain the responsibility of the Data Controllers.

12.3 Notification of Personal Data breach

In accordance with CGI’s security policies and standards, if CGI or any external Sub-Processor engaged by CGI identifies a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed, CGI will, without undue delay, provide security incident notification and status updates to the Data Controller and when agreed upon in the relevant agreement also to the relevant Data Protection Authority and/or Data Subjects where the Personal Data breach is likely to result in a high risk to their rights and freedoms. Similarly and for greater clarity, in the event a Personal Data breach is identified by an external Sub-Processor engaged by CGI, the Sub-Processor will inform CGI as agreed upon in the relevant agreement and in the event the Personal Data breach occurs outside of the EEA involving Personal Data transferred from the EEA, CGI France SAS will be notified. All Personal Data breaches shall be documented and made available to the supervisory authorities on request.

12.4 Cooperation with Data Protection Authorities

CGI seeks to maintain strong relationships with Data Protection Authorities. CGI will cooperate with competent Data Protection Authorities, including Data Protection Authorities competent for the relevant Data Controller in relation to any of their requests sent in accordance with Applicable Data Protection Legislation, including any audit requests. CGI also will comply with recommendations issued by competent Data Protection Authorities in relation to Personal Data Processing carried out by CGI as a Data Processor.

12.5 Where Local Legislation has precedence over this BCR-P

Prior to a Data Transfer taking place, the data exporting entity with help of the data importing entity will, taking into account the circumstances of the transfers, evaluate if local legislation, regulations, statutes, court orders or mandatory standards (hereinafter “Local Legislation”) will prevent CGI from fulfilling its obligations under the BCR-P and determine any required supplementary measures to be taken.

Before any updated legislation comes into force where the transfer already takes place, the data exporting entity with help of the data importing entity will evaluate if the Local Legislation will prevent CGI from fulfilling its obligations under the BCR-P and determine any required supplementary measures to be taken.

The Chief Privacy Officer, Chief Legal Officer and CGI France SAS, will review and approve the documented investigation and any proposed supplementary measures and present those to the Data Controller for validation.

Where Local Legislation requires a higher level of protection than is contemplated under this BCR-P, such Local Legislation will take precedence over this BCR-P, and the Processing will be made in accordance with the Local Legislation.

Where the outcome of the evaluation of Local Legislation demonstrates the need to implement supplementary measures, CGI will implement those after consultation with the Data Controller. However if no supplementary measures can be put in place CGI will promptly notify the relevant Data Controller, to allow the Data Controller the possibility to suspend the transfer and/or terminate the contract.

The outcome of the evaluation and proposed supplementary measures will be properly documented and kept at the disposal of the Data Protection Authority(ies).

When a CGI entity has reasons to believe that Local Legislation prevents or may prevent CGI from complying with the instructions of a Data Controller or its obligations as set out in their agreement or under the BCR-P, including any legally binding request for disclosure of Personal Data by a law enforcement authority or state security body, the Chief Privacy Officer and CGI France SAS will be promptly informed (except where prohibited by a law enforcement authority, such as prohibition under criminal law to preserve the confidentiality of a law enforcement investigation).

When CGI receives a request under which a competent law enforcement authority requires it to disclose Personal Data, and to the extent permitted by applicable law, CGI will inform the Data Controller of such request. To the extent permitted by law, CGI will defer the request until the competent Data Protection Authority(ies) is duly informed about it. In specific cases where the abovementioned notification is prohibited, the relevant CGI entity will use best efforts for such prohibition to be waived. If, despite its efforts, the requested CGI entity is not in a position to notify the competent Data Protection Authority(ies), it will annually provide general information on the requests it received to the competent Data Protection Authority(ies).

In any case, transfers of Personal Data by a CGI entity subjet to this BCR-P to any public authority cannot be massive, disproportionate and indiscriminate in a manner that would go beyond what is necessary in a democratic society.

Transfers or disclosures not authorised by Union law

For CGI entities located in the EEA, any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a Controller or Processor to transfer or disclose Personal Data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to Chapter V of GDPR.

13 – Training

CGI will adopt and deploy a privacy training program so that its members are aware of the principles and procedures contained in this BCR-P.

The training program will provide CGI members with the following:

  • Common core knowledge regarding the applicable principles when Processing Personal Data
  • Good understanding of the existing procedures and their application
  • Specific training adapted to the different functions within the organization

This training program aims at ensuring that proper training is provided to members whose functions require the Processing of Personal Data.

In addition to deploying appropriate data protection training, CGI will continue to promote a data protection culture within its organization. For this purpose, CGI will conduct specific communication actions, including awareness campaigns, privacy-related materials, webinars, and forums, to provide guidance and respond to queries on any matter related to this BCR-P.

Privacy training is mandatory for members whose functions require the Processing of Personal Data.

14 – Audit

CGI will integrate into its internal audit program a review of CGI’s compliance with all aspects of this BCR-P.

The internal audit process will define the following:

  • Schedule under which audits shall be carried out;
  • Expected scope of the audit;
  • Team responsible for the audit.

The internal audit process may be revised on a regular basis. However, CGI will perform internal audits on a regular basis through a qualified audit team. Such program will be initiated by CGI’s internal audit department.

The results of the audit will be communicated to CGI headquarters, as well as to the data privacy organization, and resulting actions will be defined and prioritized, enabling the data privacy organization to determine a schedule for the implementation of corrective and preventive measures.

Competent Data Protection Authorities, as well as Data Controllers when CGI is acting as a Data Processor, may request access to the audit results.

In addition, when CGI is acting as a Data Processor, a Data Controller may request, that CGI conducts audits to assess the compliance of CGI or its sub-processors with the relevant contractual obligations and with this BCR-P. These audits will be conducted by the Data Controller or an inspection body composed of independent members.

15 – Privacy organization

The implementation of the Data Privacy Policy requires all participating CGI entities listed in Appendix A to fully participate in its application. They remain in any case fully responsible for their own compliance with this BCR-P.

CGI will set up an internal data privacy organization responsible for defining appropriate policies, processes and standards covering all participating CGI entities, and for monitoring compliance with this BCR-P.

In particular, CGI will designate a Chief Privacy Officer (CPO) and a network of Data Protection Officers and regional Privacy Business Partners, in accordance with Applicable Data Protection Legislation.

The CPO reports directly to the Chief Legal Officer who reports directly to the Chief Executive Officer. As regards this Policy, the CPO has mainly the following tasks:

  • Define the Group’s strategy in terms of implementation of this Policy and procedures to be implemented throughout the organisation to ensure that each Strategic Business Unit (SBU) and Business Unit (BU) comply with this Policy;
  • Define the training program;
  • Define the audit strategy to monitor the effective application of this Policy;
  • Provide advice to the SBU where required.

For each Strategic Business Unit of each Region of the Group, we have appointed a Regional Privacy Business Partner who can rely on a network of Privacy Business Partners appointed at local and/or Business Unit level. The SBU Privacy Business Partners shall ensure that this Policy is duly implemented at the SBU level and that any complaint raised at this level, including data subjects’ complaints, is handled appropriately and in particular in accordance with the process described under this Policy. They shall also monitor together with the local Privacy Business Partners that the data transfers and commitment are actually implemented.

In any case, Data Subjects and Data Controllers (when CGI is acting as a Data Processor) will be provided a key contact with relevant expertise in case of they have questions and/or complaints.

16 – Record of Processing activities

CGI will maintain a record of Processing activities carried out as a Data Processor (the “Data Processing Inventory”) on behalf of a Data Controller, that contains all of the following information:

  • the name and contact details of the Data Processor or Data Processors and of each Data Controller on behalf of which the Data Processor is acting, and, where applicable, of the Data Controller's or the Data Processor's representative, and the data protection officer;
  • the categories of Processing carried out on behalf of each Controller;
  • where applicable, Transfers of Personal Data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards;
  • where possible, a general description of the technical and organisational security measures.

CGI will make sure that any new Processing of Personal Data is recorded in the Data Processing Inventory with relevant information regarding the context of each Processing of Personal Data. CGI shall make the record(s) of processing available to the supervisory authorities on request.

17 – Update to the Data Privacy Policy

This BCR-P may be amended from time to time, as necessary and according to a specific procedure. When amendments significantly affect the BCR or the level of protection offered, CGI will, promptly inform the competent Data Protection Authority and all the CGI entities listed in Appendix A. For any other changes to the Data Privacy Policy, CGI will, at least once a year, communicate with all of the following groups:

  • Each participating CGI entity listed in Appendix A;
  • CGI members; and
  • Relevant Data Protection Authorities, via the competent Data Protection Authority along with a brief explanation of the reasons justifying the update.

When CGI is acting as a Data Processor, any changes to this BCR-P will be communicated in a timely manner to Data Controllers, to allow the Data Controller the possibility to object to the change or to terminate the contract before the modification is made.

CGI will keep an up-to-date list of the entities bound by this BCR-P and the data privacy organization will keep track of and record any updates to the rules, ensure that information is communicated in due course to the above-mentioned stakeholders and provide the necessary information to the Data Controllers or Relevant Data Protection Authorities upon request.

CGI commits not to transfer Personal Data to a new CGI entity that is not effectively bound by this BCR-P according to the procedure defined in Section 3.

Where a non-EEA CGI entity listed in Appendix A ceases to be part of the group of CGI Entities bound by the BCR-P in the future, it needs to be ensured that it will continue to apply the BCR-P requirements to the processing of those personal data transferred to it by means of the BCR’s unless, at the time of leaving this group, the former member will delete or return the entire amount of these data to entities to which the BCR-P still apply.

18 – Communication

For CGI members: any question, request or guidance in relation to this BCR-P should be sent to the following address: enterprisedataprivacy@cgi.com.

For Data Subjects other than CGI members: any question, request or guidance in relation to this BCR-P should be sent to the following address: privacy@cgi.com.

 

The categories of Processing, Data Subjects and Personal Data covered by this BCR-P are set forth in Appendix B.