Maailmanlaajuisena tietotekniikka- ja liiketoimintakonsultointipalveluiden tarjoajana CGI on sitoutunut ylläpitämään alan parhaiden käytäntöjen mukaista henkilötietojen suojan tasoa, joka on vähintään sovellettavan tietosuojalainsäädännön vaatimusten ja CGI:n sopimusvelvoitteiden mukainen.
Osana tätä sitoumusta CGI edellyttää, että sen työntekijät ja kaikki kolmannet osapuolet, jotka ovat CGI:n palveluksessa tai jotka toimittavat tavaroita ja/tai palveluja CGI:lle (mukaan lukien kolmansien osapuolten toimittajat/myyjät, alihankkijat ja freelancerit), ryhtyvät asianmukaisiin toimenpiteisiin henkilötietojen suojaamiseksi suorittaessaan tehtäviään.
Koska CGI on läpinäkyvä käyttämiensä tietojen suhteen, se on julkaissut tämän Tietosuojapolitiikan (“politiikka"), jonka tarkoituksena on kertoa sinulle, miten ja miksi keräämme ja käsittelemme henkilötietojasi, CGI:n tietosuojakäytännöistä ja oikeuksistasi rekisteröitynä henkilötietojesi käsittelyyn liittyen.
Tässä politiikassa esitetään yleiset standardit, jota CGI noudattaa käsitellessään henkilötietoja. Tätä politiikkaa sovelletaan, kun CGI toimii rekisterinpitäjänä tai henkilötietojen käsittelijänä. Sitä sovelletaan kaikkeen henkilötietojen käsittelyyn riippumatta henkilötietojen luonteesta tai kategoriasta ja siitä, millä välineellä tiedot on tallennettu.
Tarkemmat tiedot yksittäisistä käsittelytoimista ovat saatavilla asianomaisissa tietosuojaselosteissa (Privacy Information Notice).
CGI on sitoutunut käsittelemään henkilötietoja samalla suojelun tasolla riippumatta siitä, käsitteleekö se henkilötietoja omiin tarpeisiinsa vai asiakkaidensa tai kolmannen osapuolen tarpeisiin. Tämän tietosuojapolitiikan täytäntöönpano edellyttää, että kaikki CGI:n oikeushenkilöiden (legal entity) työntekijät ja kaikki CGI:n käyttämät kolmannet osapuolet osallistuvat sen soveltamiseen täysimääräisesti ja poikkeuksetta.
CGI Suomi Oy:n julkinen Tietosuojapolitiikka
- 1 – Definitions
For the purposes of this Policy, the following definitions apply:
“Applicable Data Protection Legislation” refers to (i) the European Data Protection Regulation 2016/679 relating to the Processing of Personal Data and (ii) any implementing laws of the EU Data Protection Regulation and (iii) any applicable local laws relating to the Processing of Personal Data.
“CGI Legal Entities” refers to all legal entities controlled directly or indirectly by CGI Inc. that handle Personal Data, excluding any legal entities that are within the operational scope of CGI Federal.
“Data Controller” refers to any entity (i.e. natural or legal person, public authority, agency or other body) that, alone or jointly with other Data Controllers, determines the purposes and means of the Processing of Personal Data.
“Data Processor” refers to any entity (i.e. natural or legal person, public authority, agency or other body) acting on behalf of and under instructions from a Data Controller or another Data Processor to Process Personal Data.
“Data Subject” refers to an identified or identifiable natural person whose Personal Data is Processed, which could include e.g. a CGI member or an external consultant in a CGI internal context, or the employees or end users of a client in a business context.
“EEA” refers to European Economic Area, which consists of the European Union (EU) member countries, as well as Iceland, Liechtenstein and Norway, hereinafter also referred to as “Member States”.
“Employee” - for the purpose of this Policy only, this means an employee, staff member, worker, individual consultant, agent, officer or director, and “employment” shall be construed accordingly. CGI employees are referred to as “Member” or “Members”.
“Local Legislation” means local regulations, statutes, court orders or mandatory standards.
“Personal Data” refers to any information relating to an identified or identifiable natural person, where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to identifiers such as the natural person’s name, identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data includes Sensitive Personal Data.
“Process”, “Processing” or “Processed” refers to any operation or set of operations performed on Personal Data, whether or not by automated means, such as collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting (including remote access), using, disclosing by transmitting, disseminating or otherwise making available, aligning or combining, restricting, erasing, or destroying.
“Sensitive Personal Data” refers to specific categories of Personal Data that reveal racial or ethnic origin, political opinion, religious or philosophical beliefs, or trade union membership, as well as the Processing of genetic or biometric data for the purpose of uniquely identifying a natural person, health data, and data concerning a natural person’s sex life or sexual orientation or is confidential according to the Finnish legislation e.g. candidate security screening data.
- 2 – Scope
This Policy sets out the general standard that CGI has implemented when Processing Personal Data. This Policy applies when CGI acts as a Data Controller or as a Data Processor. It applies to the Processing of all Personal Data, irrespective of the nature or category of the Personal Data, regardless of the media on which that data is stored.
Further details for specific Processing activities are made available in the relevant privacy information notices. Such information may cover i.a. specific data subjects’ rights, Personal Data shared, data retention periods or specific legal basis.
- 3 – Categories of Data Subjects
As part of its operations, CGI shall collect and Process Personal Data relating to:
- Employment candidates,
- Employees and former Employees,
- Public and private clients and prospects,
- Public and private clients and prospects customers,
- Service providers, professional advisors, suppliers, contractors and subcontractors,
- Any other third parties.
- 4 – Which Personal Data do we use about you?
Subject to Applicable Data Protection Legislation, some or all of the following Personal Data categories may be Processed by CGI and any third party engaged by CGI or providing goods and/or services to CGI:
- identity and contact information (e.g. first name, last name, title, username or similar identifier)
- professional life/business information (e.g. email address, employer, department, job title, telephone numbers, billing or delivery address),
- personal information (e.g. date of birth, personal contact details, biographies, memberships, declared conflicts of interests, health data, diversity information),
- economic and financial data,
- data related to location, logging, traffic and tracking and demographic data.
4.1 Personal Data of our Members or former employees
When Processing Personal Data relating to our Members or former employees, acting as Data Controller, we will comply with Applicable Data Protection Laws (including the Act on the Protection of Privacy in Working Life (759/2004)). In addition to this Policy, CGI's standard employment contracts, applicable policies and Member communications may specify the precise and detailed purposes for which CGI may, from time to time, collect and Process Personal Data.
The main purposes for Processing Personal Data (including Sensitive Personal Data) relating to Members may include the following:
Payroll, Pension, Finance and Shares - CGI may share relevant Personal Data with pensions and share scheme administrators, scheme providers, insurance companies, tax authorities and other similar service providers in relation to employment obligations and Member benefits. CGI will also Process Personal Data for the purpose of identifying and paying Members as well as Sensitive Personal Data, if and where required by applicable local laws (e.g. health data).
Commercial Administration and Management - CGI may use Personal Data for managing its commercial activities such as paying invoices, communicating with its business partners and potential business partners, arranging meetings, business travel, visa applications, asset management, and complying with and managing business partner contractual obligations (including Member placement/assignment with clients).
Employee Administration and Management - CGI may process Personal Data (including where appropriate, and subject to this Policy and the Applicable Data Protection Legislation, Sensitive Personal Data) about Members and (where relevant) their dependents and next of kin, for purposes related to their employment with CGI. This may include recruitment, general management, performance management, career development, health and safety compliance, provision of health insurance, life insurance, sickness monitoring/compliance, diversity monitoring, disciplinary procedures, security checks (if and where required), visa applications and other immigration requirements, communications to and from Members, Member contact directories, sensitive/secure area access controls, IT system administration and management, payment of taxes, expense processing and Member benefits. From time to time, and subject to local requirements, CGI may offer its Members a range of benefits and discounts that it has negotiated with other companies and may supply relevant Personal Data to carefully screened third-party organizations to offer and provide such benefits.
Enterprise Security and Quality Control - CGI provides its Members computers, laptops and (mobile) phones enabling access to the Internet, e-mail and social media, CGI Intranet and various software applications and tools. Besides these digital equipment, CGI may also provide cars and physical workspaces (all being company property). CGI trusts that each Member acts responsibly and lawfully when using company property and strictly abides by all applicable codes of conduct that are issued in that respect like, but not limited to, the Code of Ethics and Business Conduct, Security and Acceptable Use Policy and the policy governing the use of third-party software. For security reasons only and subject to local law, CGI may monitor its premises with cameras. CGI may have good and legally justifiable reasons to monitor the use of digital equipment/devices and digital traffic through the equipment and devices used by Members taking into consideration the necessity for monitoring and the Member’s privacy and always subject to local law. Incidental investigations will only be conducted for substantial reasons in targeted situations and CGI Global Security will always be involved in such investigations, taking into account the security incident investigation and reporting processes. CGI organization-wide monitoring and recording of Internet usage history and e-mail correspondence will only be implemented following a collective consultation process.
Corporate Finance, Mergers and Acquisitions – From time to time, CGI buys, sells and/or transfers group companies, business assets, financial instruments/arrangements, and contracts. In relation to such opportunities, operations and arrangements, CGI may share relevant Personal Data with potential buyers, sellers, professional advisors and regulatory authorities (incl. make regulatory filings with relevant governmental authorities), subject to obligations of confidentiality and local legal restrictions.
Regulatory, Professional and Membership Requirements – CGI may process Personal Data about Members, and transfer Personal Data to relevant regulatory bodies, governmental authorities and professional/trade/industry organizations in relation to membership applications and renewals, regulatory requirements (including security, regulatory/legal reporting requirements), professional standards, membership fees etc.
Health, Safety, Law and Insurance – CGI may Process and transfer Personal Data to appropriate third parties (including CGI facilities’ managers, event organizers, insurers, advisors and business partners) to comply with health, safety, legal, insurance, travel and emergency requirements.
Compliance with local legal requirements and agreed practices – CGI may process and transfer Personal Data to other entities within the CGI Group and/or appropriate third parties, as and when local laws require or permit it or where local practices have been agreed upon with Members, employee representatives, data protection officers, and/or data protection authorities/regulators.
4.2 Personal Data of our clients
When Processing Personal Data of our clients, we will act as a Data Processor, following duly documented instructions of the relevant clients for their defined purposes, such as:
Management of client projects and services cross-industries such as banking, utilities, manufacturing, insurance, government, retail, consumer and services, health and life sciences, transportation and logistics, oil and gas or communications and media, including Personal Data entry, correction and consolidation, storage, record-keeping and back-up, data management and analysis, individual enquiry management, application and infrastructure management, development and testing, correspondence, delegated/consolidated/outsourced IT system administration, hosting and management including access control and audit, asset management, expense Processing, marketing and research analysis.
When acting as Data Controller, we will Process Personal Data of our clients for following purposes:
Management of governance, delivery and closing for client projects and services including recruitment operations, training, suppliers and subcontractor management, billing, invoicing, reporting and audit activities;
Press releases or marketing information as part of our corporate communication and the creation and maintenance of related mailing lists, require the Processing of the following Personal Data: name, e-mail-address, address and potentially additional information such as telephone numbers. This Processing is based on Art. 6 (1) lit. a) and f) GDPR, i.e. your consent and/or CGI’s legitimate interest regarding an efficient and appropriate corporate communication. Personal Data will be stored for as long as it is necessary for the purposes of corporate communication or will be deleted prior to that should you have informed us that you do not wish to receive information from CGI any longer.
4.3 Personal Data relating to other Data Subjects
CGI may also Process Personal Data relating to other Data Subjects (e.g. enquirers, website visitors, marketing/business contacts, prospective candidates, CGI offices’ visitors) for the purposes described below:
- Planning and administration,
- Human Resources and recruitment,
- Business engineering and operations
CGI will usually act as a Data Controller in relation to such Processing operations and any third party engaged by CGI or providing goods and/or services to CGI will usually act as Processor.
- 5 – Why do we use your Personal Data?
CGI will Process Personal Data only when strictly necessary and apply further principles on the basis of whether CGI acts as a Data Controller or as a Data Processor.
5.1 Principles when CGI acts as a Data Controller
Transparency, fairness and lawfulness: CGI will Process Personal Data lawfully, fairly and in a transparent manner in relation to the Data Subject, in accordance with the requirements of this Policy through the use of data privacy notices clearly setting out information necessary for compliance with the Applicable Data Protection Legislation.
Defining a purpose: any Processing of Personal Data by CGI, particularly the collection thereof, will be preceded by the identification of the specific purpose for such Processing. Such purpose must be explicit and legitimate. Personal Data cannot be further Processed in a manner that is incompatible with such purpose.
Data minimization: once the purpose for Processing Personal Data has been established, CGI will only collect Personal Data to the extent required for accomplishing such purpose. Each instance of Data Processing detail is to be reviewed as part of the early solution design phases and included in the Data Privacy and Security review and approval process or otherwise in order to ensure that the Personal Data is adequate, relevant and limited to what is necessary in relation to the purpose for which it is Processed.
Quality of Personal Data: throughout the life cycle of any Personal Data Processing, CGI will ensure that the collected Personal Data remains accurate and up to date. Every reasonable step will be taken to ensure that Personal Data that is inaccurate is erased or rectified without delay including but not limited to self-service options for Data Subjects. In particular, CGI will provide adequate means for Data Subjects to inform CGI in case of any change in their Personal Data.
Data retention limitation: CGI will ensure that it does not keep your Personal Data for a longer period than strictly necessary to achieve the purpose for which your Personal Data is collected. Consequently, CGI will determine before the performance of the Processing an appropriate retention period. In doing so, CGI will consider the time during which the Personal Data is necessary to achieve the purpose of the Processing while taking into account the following factors:
- Period after which maintenance of such Personal Data may have an impact on Data Subjects’ rights to be forgotten; and
- Any legal obligations imposing a minimum data retention period, as may be defined in the CGI Records Retention Policy and Records Retention Schedule or otherwise.
- It is necessary to comply with a legal obligation applicable to CGI (e.g., report data to tax authorities) (Art. 6 para. 1 lit. c) GDPR); or
- It is necessary for the execution of a contract (e.g. employment contract, services agreement with a client) (Art. 6 para. 1 lit. b) and Art. 88 para. 1 GDPR); or
- It is necessary for the legitimate interest of CGI, being understood that this legitimate interest of CGI must be assessed against the interests of the Data Subjects (Art. 6 para. 1 lit. f) GDPR):
- The Processing is necessary to achieve the interest pursued by CGI without adversely impacting the Data Subject’s interest and/or privacy;
- CGI’s interest is not overridden by the fundamental rights or interests of the Data Subjects; and
- CGI’s interest shall be determined in light of CGI’s core business but shall comply with any Applicable Data Protection Legislation in a transparent manner;
- It is necessary to the vital interest of the Data Subject (Art. 6 para. 1 lit. d) GDPR), or
- It is necessary for the performance of a task carried out in the public interest (Art. 6 para. 1 lit. e) GDPR).
If none of the above legal basis apply, CGI will seek and retain the Data Subjects’ prior consent (Art. 6 para. 1 lit. a) GDPR) before Processing its Personal Data, being understood that Data Subject’s consent is valid when (i) it is freely given by a clear affirmative act; and (ii) it represents a specific, informed and unambiguous indication of the Data Subject's agreement to the Processing of his/her/their Personal Data.
Technical and Organizational Measures: CGI will implement appropriate technical and organizational measures, to guard against unlawful access and/or Processing of Personal Data, including accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed. In particular, CGI will grant access to Personal Data only when it is necessary to accomplish assigned tasks consistent with the purpose for which the Personal Data is Processed. Where CGI uses a third party to undertake Processing on its behalf it will ensure that equivalent measures are put in place by that third party through contractual agreements. In the event of unlawful access and/or Processing, CGI will comply with its Information Security Policy and related procedures.
Data Protection Impact Assessment (DPIA): CGI shall be responsible for monitoring Data Processing compliance with Applicable Data Protection Legislation. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purpose of the processing, is likely to result in a high risk to the protection of your data, CGI shall implement a data protection impact assessment procedure that shall enable CGI to:
- identify which Processing presents any specific risk for the protection of Personal Data;
- assess the level of compliance with the Applicable Data Protection Legislation Processing principles;
- assess the level of severity or likelihood of risk associated with the Processing; and
- determine the corrective measures to be implemented to ensure that Personal Data is Processed with risks that are mitigated and performed in compliance with the Applicable Data Protection Legislation. If, after mitigation, the risks to the Data Subjects remain significant and when required by Applicable Data Protection Legislation, the competent Data Protection Authority will be consulted prior to the start of the intended Processing.
To comply with our accountability obligation according to Art. 5 para. 2 GDPR, any Data Privacy Impact assessment documents will be retained for at least the duration of Data Processing to which they apply.
5.2 Principles when CGI acts as a Data Processor
CGI will ensure that it Processes Personal Data solely in accordance with the documented instructions of the Data Controller.
In particular, such Processing shall be:
- For the Data Controller’s sole expressed purposes;
- Made under the conditions agreed to between CGI and the Data Controller;
- For no longer than is expressly prescribed by the Data Controller; and
- According to the Data Controller’s written instructions as set out in the Data Processing Agreement entered into between CGI and the Data Controller.
The Data Controller remains solely responsible for ensuring a valid legal basis for the Processing performed by CGI and that the required Processing complies with Applicable Data Protection Legislation including the retention period to be applied. Nonetheless, CGI will promptly inform the Data Controller if, in its opinion, an instruction of the latter infringes the Applicable Data Protection Legislation.
Unless otherwise instructed by the Data Controller, CGI will apply (as a minimum) the same security baseline as it applies when it is acting as a Data Controller.
CGI will provide reasonable assistance to the Data Controller to support it in undertaking its obligations under Applicable Data Protection Legislation. The assistance to be provided by CGI to Data Controller for compliance purposes in accordance with this section will be subject to the financial, technical and organizational conditions agreed between CGI and Data Controller in the relevant agreement. Upon termination of the relevant Data Processing agreement, CGI and any third party engaged by CGI will either destroy or return all Personal Data to the client according to its instructions and Applicable Data Protection Legislation. In case of destruction, CGI will certify to the Data Controller that such deletion took place. In case of a return, CGI will ensure the confidentiality of the Personal Data transferred to the Data Controller by adhering to client’s instructions.
For the avoidance of doubt, nothing in this Policy limits CGI’s right to keep Personal Data for the purpose of existing litigation or to bring or defend future claims, in accordance with applicable legal statutes of limitation applicable to CGI.
5.3 Principles when CGI Processes Sensitive Personal Data
CGI, when acting as a Data Controller, will Process Sensitive Personal Data if and only if it is strictly required.
In such case, CGI shall ensure that at least one of the following conditions is met:
- The Data Subject has given his/her/their prior consent (Art. 9 para. 2 lit. a) GDPR);
- The Processing is required for the purposes of carrying out the obligations and exercising specific rights of the Data Controller or of the Data Subject in the field of employment and social security and social protection law (Art. 9 para. 2 lit. b) GDPR);
- If the Data Subject is not in a position to give his/her/their consent (e.g., for medical reasons), the Processing is necessary to protect the vital interests of the Data Subject or of another person (Art. 9 para. 2 lit. c) GDPR);
- The Processing is required in the context of preventive medicine or medical diagnosis by a health professional under Local Legislation (Art. 9 para. 2 lit. h) GDPR);
- The Data Subject has already manifestly placed the relevant Sensitive Personal Data in the public domain (Art. 9 para. 2 lit. e) GDPR);
- The Processing is essential for the purpose of establishing, exercising or defending legal claims, provided that there are no grounds for assuming the Data Subject has an overriding legitimate interest in ensuring that such Sensitive Personal Data is not Processed (Art. 9 para. 2 lit. f) GDPR); or
- The Processing is explicitly permitted by Local Legislation (Art. 9 para. 4 GDPR in conjunction with the respective Local Legislation) (e.g., registration/protection of minority groups).
Where CGI, as a Data Processor, is required to Process Sensitive Personal Data, CGI will follow the Data Controller’s written instructions and apply the measures agreed to between parties, which shall be at least equivalent to the CGI Security Baseline.
The Data Controller shall ensure a valid legal basis for the Processing performed by CGI.
In any case CGI will Process Sensitive Personal Data in accordance with Applicable Data Protection Legislation and comply with any mandatory specific hosting and Processing conditions.
5.4 Privacy by design/Privacy by default
As demonstrated by the commitments made under this Policy, CGI is committed to providing the appropriate level of protection for the Personal Data it Processes. To ensure that the principles defined in this Policy are effectively considered when CGI processes Personal Data, CGI will identify and address any data protection constraints at the beginning of a new project so that the principles contained herein are reflected in the design of the project and appropriately implemented.
Where CGI acts as Data Processor, the Data Privacy organization, shall review and approve the Privacy aspects of the proposal and/or services developed for a client. Where CGI acts as Data Controller, the Data Privacy organization will have to provide approval of any new CGI internal project prior to the commencement of its development and subsequently implemented.
- 6 – Management of Data Incidents and Breaches
6.1 Incident Management
CGI has a mature, standards-based security incident response and management process designed to handle all phases of a security incident. Members’ responsibilities are clearly defined at all levels. Incident assessment and prioritization standards are followed to ensure appropriate engagement levels and timely resolution. Incident records are maintained and reported to senior management as required. High-priority incidents are managed through CGI’s 24x7 Global Security Operations Centre (SOC), where highly trained, full-time incident response professionals coordinate response efforts. CGI’s Data Privacy team is immediately engaged in the incident management process whenever Personal Data is suspected to be involved.
6.2 Notification of Personal Data Breach
Whether acting as a Data Controller or as a Data Processor, if CGI reasonably believes that a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed has occurred, CGI will provide security incident notification and status updates to the relevant Data Protection Authority, to Data Subjects and/or to the Data Controller, in accordance with Applicable Data Protection Legislation or any other local applicable laws.
Similarly, and for the sake of clarity, in the event a Personal Data breach is identified by a third party engaged by CGI, the third party will have to inform CGI as agreed upon in the relevant agreement. All other third parties may reach out to email@example.com to report a potential or suspected breach.
- 7 – Who do we share your Personal Data with?
As part of CGI operations, we may collect your Personal Data and disclose them to:
- CGI Legal Entities if and where you can benefit from our full range of solutions and services as part of our global delivery model;
- third parties engaged by CGI and providing goods to CGI or performing services on our behalf (e.g. suppliers, subcontractors and freelancers);
- certain regulated professionals (e.g. banks, lawyers, notaries and auditors)
CGI will disclose your Personal Data if the disclosure is reasonably necessary to protect CGI’s rights and pursue available remedies, enforce CGI’s terms and conditions, investigate fraud, or protect CGI’s operations or users.
CGI may also disclose your Personal Data to administrative, judicial or governmental authorities, state agencies or public bodies, strictly in accordance with Applicable Data Protection Legislation and Local Legislation, and after careful review, the legality of any order to disclose data. CGI will challenge the order if there are grounds under the law of the country of destination to do so and inform you about a possible order in accordance with Local Legislation.
- 8 – Transfer of Personal Data
Transfer of EU Personal Data shall refer to Personal Data of EU residents or Data Subjects located within the EU being Processed (e.g. accessed, sent, used, viewed, copied, deleted) in a third country outside the EEA.
8.1 Within CGI
CGI acting as a Data Controller or Data Processor will Transfer EU Personal Data in accordance with the Applicable Data Protection Legislation and in accordance with CGIs’ Binding Corporate Rules (“BCR”), approved under GDPR by the French Supervisory Authority on July 22nd, 2021. This means that your rights as Data Subject remain the same no matter where your Personal Data is Processed.
Should you require any information on CGI’s BCRs, please consult https://www.cgi.com/en/privacy/binding-corporate-rules or the Register of the European Data Protection Board.
When CGI acts as Data Processor, prior specific or general consent regarding the respective transfer (Artt. 44 et seq. GDPR) agreed upon is required in writing from the Data Controller before such transfer may be initiated.
Transfers of non-EU Personal Data shall take place in accordance with the Applicable Data Protection Legislation.
8.2 To third parties
Whenever CGI relies on third parties to Process Personal Data, CGI ensures that such third parties provide an adequate level of protection to the Personal Data they Process as per Applicable Data Protection Legislation.On a regular basis, CGI conducts due diligence and third party privacy and security risks assessments with all third parties engaged by CGI, to establish their corporate capabilities and maturity with respect to security and data protection, before entering into a data processing agreement according to Art. 28 para. 3 GDPR or Art. 26 GDPR, where necessary. Whenever such Processing involves countries outside the EU or EEA, agreements regarding the respective transfer mechanism (Artt. 44 et seq. GDPR) will be reached.
- 9 – What are your rights and how can you exercise them?
Data subjects have several rights under the Applicable Data Protection Legislation to request access to their Personal Data held by CGI and/or information about how CGI Processes their Personal Data. If you have any questions regarding the Processing of your Personal Data, please send your formal request to firstname.lastname@example.org.
When acting as a Data Processor, upon request, CGI will provide its clients with relevant information enabling such clients to comply with their own obligations toward Data Subjects. Unless otherwise indicated in any contractual agreement, CGI shall not be required to inform Data Subjects directly thereof, as this remains the responsibility of the Data Controller.
As per Applicable Data Protection Legislation, where CGI acts as the Data Controller, you generally have the following rights:
- to access to and obtain a copy of your Personal Data;
- to rectify or delete any of your inaccurate or incomplete Personal Data;
- to object on legitimate grounds to the Processing of your Personal Data at any time, unless such Processing is required by Applicable Data Protection Legislation or any Local Legislation;
- to restrict the Processing of your Personal Data that is no longer accurate or necessary;
- to receive your Personal Data in a structured, commonly used and machine-readable format;
- to withdraw your consent given for the Processing of your Personal Data
- to lodge a complaint with a competent supervisory authority: for CGI Suomi Oy the primary competent supervisory authority is: Tietosuojavaltuutetun toimisto, PL 800, 00531 Helsinki.
CGI will generally not subject your Personal Data to profiling according to Art. 22 GDPR.
CGI will act in accordance with the Applicable Data Protection Legislation and other relevant legal and contractual obligations in the search for and provision of relevant Personal Data. CGI will require Data Processors that Process Personal Data to do the same. CGI may need to ask you further questions in relation to your Personal Data or to verify your identity.
Upon termination of employment contracts for whatever reason, CGI shall maintain the Personal Data of former employees for such time as shall be permissible in accordance with applicable laws and regulations and necessary for the provision of appropriate ongoing benefits and services (for example, Member share schemes and pension administration).
- 10 – Compliance with the Policy
10.1 Compliance by Members
Members acknowledge the requirements and annually confirm acceptance of this Policy. In addition to this Policy, Members must also comply with other applicable confidentiality and privacy obligations, including those set out in any Applicable Data Protection Legislation, their employment agreements and CGI policies, processes and standards or client’s instructions.
Members must follow any mandatory CGI’s privacy training and awareness programs. These include, among other topics, mandatory web-based data privacy, information security, anti-corruption, and records management training, communication campaigns and specific trainings adapted to the different functions within the organization.
These trainings and awareness programs are regularly updated to reflect changes to the Applicable Data Protection Legislation.
10.2 Compliance by any third party engaged by CGI
In the event that any third party Processes Personal Data on behalf of CGI, such third party shall:
- ensure that its personnel accessing CGI confidential information and Processing Personal Data on behalf of CGI, complete all CGI compliance mandatory trainings (including Security and Data Privacy awareness e-learnings) in the 30 days following the effective date of the agreement signed between CGI and the third party;
- comply with this Policy and CGI’s security policies and standards in addition to any other security controls included within contractual agreements between CGI and its clients and/or partners.
- process Personal Data in accordance with CGI's documented instructions and for no other purpose than the one expressly defined in writing by CGI, unless it is required to do so under any mandatory law. In such case, the third party shall inform immediately CGI of this legal obligation prior to processing.
- implement and maintain appropriate technical, organizational and contractual measures to ensure appropriate level of protection of Personal Data and to prevent any unauthorized or unlawful processing of Personal Data and any accidental loss, destruction or damage to Personal Data. These measures shall (i) take into account the highest standards and the risks posed by the Processing activities, (ii) be designed to implement the data protection principles in an effective manner and provide the Processing activities with the necessary safeguards in order to meet the requirements of the Applicable Data Protection Legislation.
- notify, to the extent permitted by law, CGI of any request for disclosure of CGI Personal Data that it receives from a third party, public authority or court, as well as of any action and/or measure regarding the processing of CGI Personal Data that is under investigation by the authorities; comply with any request from CGI for access, rectification, blocking, restoration, deletion and objection of CGI Personal Data and ensure portability and the right to be forgotten of CGI Personal Data;
- notify CGI immediately of any changes that may affect the Processing of CGI Personal Data;
- actively cooperate with CGI to assess and document the compliance of CGI's Personal Data Processing, including providing CGI with any information that CGI may need or require to comply with Applicable Data Protection Legislation (including any information required for the Transfer Impact Assessment (TIA));
- immediately inform CGI in writing if, in its opinion, any instruction from CGI regarding the Processing of CGI's Personal Data constitutes a violation of the Applicable Data Protection Legislation.
- 11 – Record of Processing activities
CGI maintains records of Processing activities carried out as a Data Controller or as Data Processor. CGI will make sure that any new Processing of Personal Data is recorded in the Data Processing Inventory with relevant information regarding the context of each Processing of Personal Data. CGI shall make a record(s) of Processing available to the supervisory authority on request.
- 12 –Changes to this Policy
This Policy may be amended from time to time to comply with Applicable Data Protection Legislation and Local Legislation. CGI will ensure that Data Subjects are notified of any material changes to the Policy promptly, through an “update” on CGI.com, by email or other appropriate method of communication. Should you require a status update, you may raise a request by sending an email to email@example.com.
- 13 – Data Privacy Organization - Questions
CGI has designated a Chief Privacy Officer overseeing CGI’s global data protection strategy, enterprise-wide data protection policies and procedures, and data protection regulatory compliance, and a network of Privacy Business Partners.
CGI Suomi Oy has also appointed a Data Protection Officer, following Applicable Data Protection Legislation.
In case of questions or concerns related to the interpretation or operation of this Policy, please send an email to firstname.lastname@example.org or contact the Data Protection Officer at CGI Suomi Oy, Tietosuojavastaava, PL 38, 00381 Helsinki.