BINDING CORPORATE RULES

EXECUTIVE SUMMARY

INTRODUCTION

Complying with data privacy laws is part of MAGAZINE DIRECTORY’S Business
Ethics. We implement recognized standards or legal
arrangements, such as Binding Corporate Rules (BCR) within our business practices.

We regularly add new content to the BCR and consider relevant legal changes
to assess how they affect our Controller BCR. This will often result in BCR content changes.

SCOPE

This document defines obligations MAGAZINE DIRECTORY has with regard to data processing in
scope of the BCR and explains how we comply with those responsibilities across
Participating Entities through our global data privacy program by addressing ethical
aspects and legal compliance, accountability, opportunities, and risk.

Our BCR apply to all personal data processed by MAGAZINE DIRECTORY Participating Entities as a
Data Controller or Data Processor for our own purposes. It does not apply to MAGAZINE DIRECTORY
entities acting as a Data Processor for services we provide to clients.

The BCR does not override any applicable national data privacy laws and regulations
in countries where we operate.

MAGAZINE DIRECTORY’S BCR COMMITMENTS

MAGAZINE DIRECTORY’s data privacy obligations under the BCR are defined as a set of
Commitments which establish our data privacy responsibilities and safeguards in
relation to key requirements such as fair and lawful processing, data minimization,
security, and retention. The associated Annexes provide information on how we
uphold these Commitments. In particular, Annex 1 explains our compliance measures
including privacy by design and data protection impact assessments and how we
cooperate with the supervisory authorities.

The table in Annex 2 sets out (i) information about the categories of individuals, (ii) the
categories of personal data we may process about them; and (iii) a description of the
purposes for which we process personal information.

A key component of the BCR is the data privacy rights given to individuals in relation
to their personal information. These rights are explained in section Four of the
Commitments. Annex 3 of the BCR sets out the process for individuals to exercise their
rights, the procedure MAGAZINE DIRECTORY follows to facilitate these rights and the process for
individuals to make data privacy complaints as well as how they can contact
MAGAZINE DIRECTORY.

HOW IS THE BCR BINDING?

MAGAZINE DIRECTORY’s BCR is made binding on all Participating Entities using an Intercompany
Agreement called the MAGAZINE DIRECTORY Privacy Agreement (MDPA). All MAGAZINE DIRECTORY Participating Entities and their employees are bound by the BCR, irrespective of geographic
location, and abide by the same internal rules for processing personal data. It also
means that individuals’ rights stay the same no matter where individuals’ personal data
is processed by MAGAZINE DIRECTORY.

MANAGING THE BCR

Annex 1 provides an overview of how MAGAZINE DIRECTORY manages its BCR. Day to day
responsibility for managing the BCR lies with the Global Data Privacy team. Other
MAGAZINE DIRECTORY functions have responsibility for matters such as auditing and security.

If you have any queries about the BCR, please direct them to MAGAZINE DIRECTORY’s Data Privacy
Officer: DataPrivacyOfficer@magazinedirectory.org

Table of Contents

Introduction

Purpose

Legal background

MAGAZINE DIRECTORY’s BCR

Applicability and Scope

Applicability

Scope

MAGAZINE DIRECTORY Entities and Affiliates

Categories of individuals, categories of personal data and processing, purposes, recipients, countries

MAGAZINE DIRECTORY’S BCR Commitments

One – Being ethical: Processing personal data ethically including in a manner consistent with our Code of Business Ethics (COBE)

Two – Being lawful: Defining purposes and limiting use of personal data to those purposes

Three – Being fair and transparent: Providing Notice, Consent and Choice

The information MAGAZINE DIRECTORY provides

Collecting Information Indirectly

Using personal data for new purposes

Exceptions when collecting personal data indirectly

Four – Respecting Individuals’ Rights

The right to be informed

The right to access their personal data processed by MAGAZINE DIRECTORY

The right to rectification

The right to erasure (also known as the ‘right to be forgotten’)

The right to restrict processing

The right to data portability

The right to object

Rights in relation to automated decision making and profiling

Rights in relation to making complaints with supervisory authorities and bringing court actions

Five – Following the rules on processing sensitive data

Six – How we minimize data collection, keep data accurate, up to date and follow retention schedules

Seven – Protecting personal data

General Arrangements

Measures to control access

Personal Data breaches

Arrangements with vendors, suppliers and other third parties

Eight – Ensuring compliance with cross-border transfer requirements

Nine – MAGAZINE DIRECTORY’s compliance with its BCR

Consequences of Non-Compliance

Publication of the BCR

Contact Information

Annex 1: How MAGAZINE DIRECTORY complies with its BCR Commitments

Preamble

Managing Data Privacy and Information Security

Managing the BCR

Cooperating with the Supervisory Authorities

General Cooperation procedures

Reporting matters to the Competent Supervisory Authority

How MAGAZINE DIRECTORY supervises data privacy compliance

Accountability

Training

Record keeping and evidence

Compliance with local laws

Privacy by Design – Building privacy into our projects, tools and applications

Privacy by Default

Data Protection Impact Assessments and privacy reviews

Audits

Liability

Employee violations of these BCR, MAGAZINE DIRECTORY policies or procedures and raising concerns

Annex 2: Categories of individuals, categories of personal data and processing, purposes, recipients, countries

Type

Explanation

Categories of individuals

Annex 3: Individuals Rights Requests and Complaint Handling Procedure

Table of Contents

1. Purpose

2. Who handles IRRs and Complaints?

3. Making a request

4. Submitting a request

4.1. What is a request?

4.2. What do individuals need to know?

5. How MAGAZINE DIRECTORY manages a request

5.1. Assigning Case Owners

5.2. Request management

5.3. Additional Considerations

6. Escalation options

7. How does MAGAZINE DIRECTORY manage complaints?

8. Record Keeping, reports and further action

Annex 4: Definitions

Annex 5: MAGAZINE DIRECTORY Privacy Agreement

Annex 6: Supporting Documentation and Resources

General:

Policies & Standards:

Internal Guidelines and Global Templates

Annex 7: Revision History

Introduction

Purpose

The purpose of this document is to:

• explain MAGAZINE DIRECTORY’s data privacy obligations and commitments;

• define MAGAZINE DIRECTORY employees’ responsibilities and accountability for data privacy;

• describe individuals’ rights under the Binding Corporate Rules (BCR);

• explain how MAGAZINE DIRECTORY handles complaints and/or queries relating to personal data processing;

• provide information on how to contact MAGAZINE DIRECTORY regarding data privacy.

Legal background

Data privacy laws govern how MAGAZINE DIRECTORY handles personal data in many of the countries where we operate. Those laws define our legal status and obligations. Where MAGAZINE DIRECTORY determines the purpose, means and conditions of processing personal data, we are a decision maker, generally referred to as a “data controller.” Where we act as a service provider on behalf of others – typically our clients – we are a “data processor”.

There are strict European Data Privacy Laws on transferring personal data outside the European Economic Area (EEA) to another country. These laws apply to all transfers of personal data outside the EEA, including internal transfers of data within a group of companies. Such transfers are generally only allowed if a substantially equivalent level of protection has been put in place using mechanisms which have been approved by European Regulators unless certain exemptions apply.

MAGAZINE DIRECTORY’s BCR

To comply with these European requirements, MAGAZINE DIRECTORY has implemented a set of data privacy rules known as Binding Corporate Rules (BCR). These are legally binding, and MAGAZINE DIRECTORY must integrate the requirements within our operational practices.

They are made up of:

a) a set of the BCR Commitments and associated Annexes:

  • Annex 1: How MAGAZINE DIRECTORY complies with its BCR;
  • Annex 2: Categories of individuals, categories of personal data, processing, purposes, recipients, countries;
  • Annex 3: Individual rights requests and complaint handling procedure;
  • Annex 4: Definitions;
  • Annex 5: Intercompany Agreement (MAGAZINE DIRECTORY Privacy Agreement), which sets out MAGAZINE DIRECTORY’s data privacy obligations, the safeguards we have established to meet those obligations, how we manage individuals’ rights and complaints under the BCR and how to contact us.

b) they are supported by a set of supplementary documents which are not formally part of the BCR:

  • Annex 6: MAGAZINE DIRECTORY Supporting Documentation;
  • Annex 7: Revision History.

The BCR reflect the standards contained in European Data Privacy Laws and have been approved by most data privacy Regulators in Europe. Having the BCR means that all our group entities which sign up to it must comply with the same internal set of rules – that there are appropriate and uniform data privacy safeguards in place across our organization. It also means that individuals’ rights stay the same no matter where individuals’ personal data is processed by MAGAZINE DIRECTORY.

MAGAZINE DIRECTORY has a global data privacy program to manage these commitments and to address ethical and legal compliance, accountability, opportunities and risk. All MAGAZINE DIRECTORY Participating Entities and employees bound by these BCR, irrespective of geographic location, abide by the same rules for processing personal data.

You can find an explanation of the data privacy terms used in this document in Annex 4, Definitions.

Applicability and Scope

Applicability

MAGAZINE DIRECTORY’s BCR apply to all personal data processed by MAGAZINE DIRECTORY Participating Entities as a Data Controller for our own purposes such as recruitment, employment or marketing. We process personal data about a wide range of individuals including graduates, potential recruits, employees, alumni, prospective and existing clients, contacts, children, and adolescents (see Annex 2 for more information about purposes and categories of individuals).

The BCR Commitments:

(a.) require all MAGAZINE DIRECTORY Participating Entities and employees who collect, use and store personal data to understand the rules and their responsibilities when processing personal data;

(b.) require all MAGAZINE DIRECTORY employees to understand how to respect and manage individuals’ rights in relation to their data; and

(c.) govern the circumstances in which one MAGAZINE DIRECTORY entity processes personal data on behalf of another MAGAZINE DIRECTORY entity.

Scope

Please note that these BCR do not apply to MAGAZINE DIRECTORY as a Data Processor for services we provide to clients. For client-provided personal data, MAGAZINE DIRECTORY has a Client Data Protection (CDP) program with separate policies and procedures to implement data privacy requirements applicable to client-owned data. There is a dedicated CDP team responsible for providing guidance and controls.

This document is without prejudice and does not override any applicable national data privacy laws and regulations in countries where we operate.

MAGAZINE DIRECTORY entities and affiliates

MAGAZINE DIRECTORY has offices and operations throughout the world. Personal data may be transferred or be accessible throughout MAGAZINE DIRECTORY’s global business and between its entities and affiliates. For a full list of our entities which are signed up to the BCR and their locations, click here.

Categories of individuals, categories of personal data and processing, purposes, recipients, countries

The table in Annex 2 sets out information about (i) the categories of individuals, (ii) the categories of personal data we may process about them; and (iii) a description of the purposes for which we process personal information. Our data privacy notices and data privacy statements are where we provide specific information to individuals, for example, our privacy statement on the magazinedirectory.org site.

MAGAZINE DIRECTORY’s BCR Commitments

To protect personal data, MAGAZINE DIRECTORY and our employees comply with these commitments which are appropriately reflected in our core Data Privacy Policy (known as Policy 90), procedures, controls and guidance. MAGAZINE DIRECTORY’s BCR Participating Entities and employees who access, collect, delete, retrieve, store, or otherwise use personal data for any purpose, are “processing” that data and are responsible for understanding how data privacy impacts their role and their use of personal data using the data privacy resources MAGAZINE DIRECTORY provides.

One – Being ethical: Processing personal data ethically including in a manner consistent with our Code of Business Ethics (COBE)

It is our employees’ overarching responsibility to be ethical and comply with data privacy laws by complying with these BCR Commitments and the applicable Data Privacy Policy (and any related policies, procedures and guidance), and by acting with integrity and processing personal data in a way which is consistent with MAGAZINE DIRECTORY’s core values and COBE.

Two – Being lawful: Defining purposes and limiting use of personal data to those purposes

MAGAZINE DIRECTORY processes personal data for specified and lawful purposes which are clearly explained to individuals when we process their data. Lawful Processing means that MAGAZINE DIRECTORY will not process personal data, unless one of the following conditions applies:

(i) the individual concerned has consented to the processing;

(ii) MAGAZINE DIRECTORY processes the data to:

(1) perform, or take steps with a view to enter into, a contract with the individual concerned;

(2) comply with a legal obligation which MAGAZINE DIRECTORY is subject to;

(3) protect the vital interests of individuals in a ‘life or death’ situation; or

(4) perform a task in the public interest or to exercise official authority;

(iii) MAGAZINE DIRECTORY needs to carry out such processing to pursue MAGAZINE DIRECTORY’s Legitimate Interests, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual concerned; or

(iv) in circumstances permitted by applicable data privacy laws.

MAGAZINE DIRECTORY will not use personal data for new purposes without following our internal procedures to verify that such processing can take place lawfully by taking the following into account:

(i) links between the current purposes and the further respective processing purposes;

(ii) the context of the original data collection, with a particular focus on the relationship between MAGAZINE DIRECTORY and individuals;

(iii) the nature of the personal data, in particular, if the data in question is sensitive personal data;

(iv) possible consequences for individuals if their data are processed further; and

(v) appropriate safeguards which may include encryption or pseudonymization.

Three – Being fair and transparent: Providing Notice, Consent and Choice

MAGAZINE DIRECTORY provides individuals with information (for example, in a data privacy notice or privacy statement) to explain how their data will be processed by MAGAZINE DIRECTORY to ensure fair and lawful processing. The information is made easily accessible to individuals and is provided in a clear, transparent manner using plain and intelligible language.

The information MAGAZINE DIRECTORY provides

An individual has the right to know about MAGAZINE DIRECTORY’s processing of their personal data and to verify whether that processing is lawful. The information MAGAZINE DIRECTORY will provide to individuals shall include the following:

a) the name of the relevant Data Controller and their contact details;

b) the contact details of the Data Privacy Officer or designated data privacy contact;

c) the purposes for which we intend to use such data including the legal basis for processing the data (where we have relied on the legal basis, we will explain what that legal basis is);

d) the recipients or categories of recipients of the data;

e) any relevant information about international transfers of the data, in particular the existence or absence of an adequacy decision or safeguards in place, and where to obtain a copy of a relevant decision, if available;

f) the retention period and/or any relevant retention criteria;

g) information about the individuals’ rights (e.g., access, rectification, erasure, restriction, objection and portability);

h) information about any automated decisions/profiling including the logic involved and significance of such processing for the individual;

i) the individual’s right to withdraw consent, if applicable;

j) the right to lodge a complaint with the supervisory authority;

k) the consequences of failing to supply data where the processes relate to a statutory or contractual requirement; and

l) any additional information MAGAZINE DIRECTORY deems necessary to process the data fairly and lawfully.

Where MAGAZINE DIRECTORY has already provided this information, we will not continually provide it as part of each subsequent interaction with the individual, unless failure to do so would infringe these rights.

Collecting Information Indirectly

Where collecting personal data about an individual indirectly (for example, from a publicly available source), MAGAZINE DIRECTORY will inform the individual that MAGAZINE DIRECTORY is holding the data and what it intends to do with the data after obtaining it. MAGAZINE DIRECTORY will also provide individuals with any additional information necessary to process the data fairly, transparently and lawfully. This information will include the categories specified above (Commitment 3 a-l).

MAGAZINE DIRECTORY will provide this information as part of the initial communication with the individual or where a disclosure is being made to another recipient before or when the first disclosure is made, but at the latest within one month of obtaining the data.

Using personal data for new purposes

MAGAZINE DIRECTORY will make sure that information to individuals is also provided where existing personal data is going to be used in a new way, or for incompatible purposes prior to the commencement of such processing.

Exceptions when collecting personal data indirectly

When we collect information indirectly, there are some exceptions. The information referred to in Commitment 3 categories a-l will not be provided to the individual by MAGAZINE DIRECTORY, if:

a) the individual already has the information; or

b) the effort involved would be disproportionate; or

c) there are laws or professional secrecy obligations which MAGAZINE DIRECTORY is subject to which require obtaining or disclosing the data, or which require that the data, and information about the data, remain confidential.

In determining what does or does not constitute a ‘disproportionate effort,’ MAGAZINE DIRECTORY will balance the amount of effort required against the amount, if any, of a prejudicial effect to the individual if such information was not provided to them.

Four – Respecting Individuals’ Rights

Individuals have rights in relation to their personal data processed by MAGAZINE DIRECTORY. We respect these rights and have processes in place to recognize and respond to individuals wishing to exercise these rights. Our employees have guidance to follow when handling individuals’ rights requests. The rights include:

The right to be informed

This right has been covered in detail above [See Three – Being fair and transparent].

The right to access their personal data processed by MAGAZINE DIRECTORY

1. An individual has the right to request access to the personal data we process about them. When MAGAZINE DIRECTORY receives such a request, we will first take reasonable steps to:

a. identify the individual making the request;

b. decide whether MAGAZINE DIRECTORY is processing their personal data; and

c. ask for specific information to help locate that data.

2. MAGAZINE DIRECTORY will provide the individual with the following information:

a. whether data is held and if so, the relevant purpose, together with an indication of the source[s] of the data if known;

b. the categories of personal data;

c. the recipients of the data, including recipients located in other countries and details of the appropriate safeguards in place for the transfer of their data to other countries;

d. any automated decision-making or profiling applied to the personal data and the significance of such processing;

e. how long the data will be retained or the retention criteria.

MAGAZINE DIRECTORY will also make the individuals aware of their rights to request rectification, erasure, restrictions on use of the data by MAGAZINE DIRECTORY or the right to object and their right to lodge a complaint with a supervisory authority.

3. MAGAZINE DIRECTORY will provide a copy of this information within one month of receiving an individual’s request, or within any specific period (if one month or less but no more than one month) that may be required by local law in any country. MEDIA DIRECTORY will generally provide the information in a commonly used electronic format unless there is a compelling reason to provide it in another format.

4. MEDIA DIRECTORY may, however, refuse to provide an individual with information where disclosure of that information would reveal information about another individual (in which case, MEDIA DIRECTORY will provide as much of the information as possible without revealing information about the other individual). MEDIA DIRECTORY may decide that it is reasonable to provide the information without the other individual’s agreement or may decide, given the circumstances, to obtain the consent of the individual to release the information. In addition, in some countries localized guidance may provide other legitimate reasons which we would need to take into consideration, for refusing an individual’s request for access, in accordance with local data protection law.

5. Where MEDIA DIRECTORY refuses to comply with a request, we will explain our reasons for doing so to the individual and inform them of their right to complain to a supervisory authority and/or seek judicial remedy within one month of receiving our refusal to comply with the request.

The right to rectification

An individual may request that MEDIA DIRECTORY rectify their personal data if the data is inaccurate or incomplete.

a) If MEDIA DIRECTORY has disclosed the data to a recipient, we will inform the recipient of the request where feasible to do so. An individual may request information about the recipients from MEDIA DIRECTORY.

b) If MEDIA DIRECTORY agrees that the data is incorrect or incomplete, we will delete, correct or amend the data.

c) If we do not agree that the data is incorrect or incomplete, MEDIA DIRECTORY will inform the individual and explain their right to complain to a supervisory authority and to seek judicial remedy.

d) MEDIA DIRECTORY will keep a record that the individual considers the data to be inaccurate or incomplete.

The right to erasure (also known as the ‘right to be forgotten’)

MEDIA DIRECTORY will abide by a request from an individual to erase their personal data under the following conditions as specified within privacy laws:

a) the personal data is no longer necessary for the purpose for which they were collected or otherwise processed; or

b) an individual withdraws consent and there are no other legal grounds for processing; or

c) an individual objects to the processing and we have no overriding Legitimate Interests for continuing to process their data; or

d) the personal data is being unlawfully processed; or

e) the data must be erased to comply with a legal obligation applicable to MEDIA DIRECTORY as a data controller; or

f) the personal data is processed in relation to the offer of information society services to a child.

There are circumstances when MEDIA DIRECTORY can refuse an erasure request; these include:

a) exercising the right of freedom of expression and information;

b) complying with a legal obligation applicable to MEDIA DIRECTORY as a data controller or for the performance of a public interest task or exercise of official authority;

c) for public health reasons or for purposes in the public interest;

d) for archiving purposes in the public interest, scientific research, historical research or statistical purposes; or

e) for the establishment, exercise or defence of legal claims.

MEDIA DIRECTORY will inform any recipients about the erasure request unless this would require a disproportionate effort. Where MEDIA DIRECTORY has made the data public, it will take reasonable steps (taking into account cost and technology) to inform other recipients of the data to erase links to, copies of or replications of those personal data.

MEDIA DIRECTORY will comply with any legally specified timeframes within data privacy laws for complying with such requests.

The right to restrict processing

MEDIA DIRECTORY will agree to restrict processing of an individual’s data if one of the following applies:

a) When an individual contests the accuracy of the data, MEDIA DIRECTORY will restrict using the data until the accuracy can be verified;

b) The processing is unlawful and the individual requests a restriction of use rather than erasure of their data;

c) MEDIA DIRECTORY no longer needs to process the personal data, but the individual requires the data to establish, exercise or defend a legal claim; or

d) In circumstances where an individual has objected to the processing (which was necessary for purposes in the public interest or MEDIA DIRECTORY’s Legitimate Interests) and MEDIA DIRECTORY is considering whether MEDIA DIRECTORY’s interests override the interests of the individual.

If there is a restriction on processing, MEDIA DIRECTORY has the right to retain the data. We will refrain from processing for unlawful purposes but may continue to use the data for legitimate purposes.

MEDIA DIRECTORY will inform any recipients of the personal data about the restriction unless it is disproportionate to do so. An individual can request information about the identity of the recipients from MEDIA DIRECTORY. If MEDIA DIRECTORY lifts the restriction on processing, the individual will be informed.

The right to data portability

An individual has the right to request portability of personal data which they provided to MEDIA DIRECTORY, if:

a) the processing is based on the individual’s consent or for the performance of a contract, and

b) the processing is automated.

This right only applies to data an individual has provided to MEDIA DIRECTORY.

If the personal data includes data about other individuals, MEDIA DIRECTORY will take steps to ensure providing the information would not affect the rights and freedoms of other individuals.

MEDIA DIRECTORY will:

a) provide the information free of charge and in a structured, commonly used and machine-readable format,

b) transfer the information directly to another data controller at the request of the individual, where technically feasible,

c) respond to the request within one month,

d) notify the individual within one month of receiving the request if we cannot respond within one month, explaining the reasons for the delay,

e) respond within 2 months where a response has been delayed,

f) inform an individual within one month of receiving their request if we cannot respond to such a request and make them aware of their right to make a complaint to the supervisory authority and/or seek judicial review.

The right to object

An individual has the right to object (under certain circumstances) to processing of their data by MEDIA DIRECTORY. MEDIA DIRECTORY will abide by any valid request from an individual who objects to the processing of their data by MEDIA DIRECTORY.

Direct marketing objections – MEDIA DIRECTORY has systems and processes in place to record an individual’s request not to use their data for direct marketing purposes and for profiling as it relates to direct marketing.

Objecting to scientific or historical purposes – MEDIA DIRECTORY has systems and processes in place to manage an individual’s request to object to their data being used for scientific research, historical research or statistical purposes.

Under certain circumstances, there may be grounds for MEDIA DIRECTORY to continue certain types of processing where we can demonstrate that our Legitimate Interests override the rights of an individual or in instances where the processing is necessary for the establishment, exercise or defense of legal claims.

MEDIA DIRECTORY will respond to an individual’s request within the specified timeframe. Where we cannot process an objection, a notification explaining the reasons why will be sent.

Rights in relation to automated decision making and profiling

An automated decision is when a decision is made about an individual using technology specifically designed for decision-making purposes. This includes profiling individuals. Under some data privacy laws, such as the General Data Protection Regulation (GDPR), an individual has the right not to be subjected to solely automated decisions which produce legal effects or otherwise similarly significantly affect them. An individual has the right to ask for a review of the decision, offer their opinion and challenge the decision.

The right does not apply where the decision is:

• made with the explicit consent of an individual;

• for the purposes of a contract; or

• authorized by law.

Where consent or contracts are relied upon, there must be suitable safeguards such as human intervention to review the decision in order to protect the individual. There are restrictions on making automated decisions using sensitive personal data and children’s data.

MEDIA DIRECTORY will comply with the relevant requirements when making automated decisions and will institute any additional safeguards to protect individuals’ rights where required to do so.

Rights in relation to making complaints with supervisory authorities and bringing court actions

Individuals have the right to come directly to MEDIA DIRECTORY for resolution of their complaint or to register a complaint directly with the relevant supervisory authority – this is a choice between the supervisory authority in the EU Member State where the individual habitually resides, their place of work or the place of the alleged infringement. Individuals also have the right to make a claim against MEDIA DIRECTORY before the competent court of the EU Member State where they habitually reside or where MEDIA DIRECTORY has an establishment. We encourage and welcome individuals to come to MEDIA DIRECTORY first to seek resolution of any complaint. For more information on our complaint handling procedure, review Annex 3; to find a full list of Member State supervisory authorities, please click here.

Five – Following the rules on processing sensitive data

Certain categories of personal data referred to as “sensitive” or “special” are subject to additional legal requirements because they carry higher risks for an individual if misused or processed incorrectly. The definition of sensitive data varies by country but can include:

Ethnic or racial origin, political opinions, religious or other similar (philosophical) beliefs, trade union and similar memberships, physical/mental health or disability details (including pregnancy or maternity information), gender identity or expression, sexual orientation, biometrics and genetics data, criminal or civil offenses; geo-location data, communications data, financial data, government, social security and similar IDs.

Where MEDIA DIRECTORY collects these types of data, we will only do so if:

(i) the individual concerned has given their explicit consent that we may do so, based on a full understanding of why the data is being collected, or

(ii) MAGAZINE DIRECTORY needs to do so to meet our obligations or exercise our rights under employment, social security and social protection law, or

(iii) in exceptional circumstances such as where the processing is necessary to protect the vital interests of the individual concerned, or

(iv) the processing relates to personal data which are manifestly made public by the individual, or

(v) the processing is necessary for the establishment, exercise or defence of legal claims, or

(vi) the processing is for reasons of substantial public interest, or

(vii) it is necessary to process the data for the purposes of preventative or occupational medicine, for the assessment of the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment or the management of health/social care systems and services mandated by law or in relation to a contract with a health professional subject to suitable safeguards, or

(viii) in circumstances permitted by applicable data privacy laws.

MAGAZINE DIRECTORY will not use personal data, including sensitive personal data, for new purposes without following our internal procedures to verify that such processing can take place lawfully.

MAGAZINE DIRECTORY will always treat any collection, use or storage of sensitive data with more scrutiny as such data requires additional privacy, legal and security safeguards. MAGAZINE DIRECTORY will not process sensitive data without following our internal procedures to verify that such processing can take place. These procedures include conducting a Privacy Review and Data Protection Impact Assessment (DPIA), when required, and following any recommendations to institute additional protective measures for sensitive data recommended by our internal data privacy and security teams. MAGAZINE DIRECTORY will consult with the Competent Supervisory Authority, where required to do so.

MAGAZINE DIRECTORY may, in exceptional circumstances, rely on consent given on behalf of the individual, for example, by a company employee or on behalf of a family member or dependent where this is permitted by law. In these circumstances and where relevant to do so, MEDIA DIRECTORY will provide sufficient information for the employee to provide to family members.

Six – How we minimize data collection, keep data accurate, up to date and follow retention schedules

MAGAZINE DIRECTORY has procedures in place to only collect personal data that is relevant and reasonably required to achieve a specific purpose. Where feasible and appropriate, we consider using anonymous, pseudonymized or aggregated data instead of personal data.

MAGAZINE DIRECTORY has controls, procedures and systems to verify that personal data is accurate, up to date and relevant to achieve a specific purpose. Relevant guidance is made available to our employees for amending inaccurate data when required.

MAGAZINE DIRECTORY does not retain personal data for longer than necessary. We maintain specific records management and retention policies and procedures, so that personal data are deleted after a reasonable time according to the purposes they were obtained, or in accordance with legal/regulatory specified retention requirements.

When MAGAZINE DIRECTORY no longer needs to retain personal data, there are procedures for its secure disposal.

Seven – Protecting personal data

General arrangements

MAGAZINE DIRECTORY maintains organizational, physical and technical security arrangements for all the personal data it holds. MAGAZINE DIRECTORY has protocols, controls and relevant policies, procedures and guidance to maintain these arrangements, taking into account the risks associated with the categories of personal data and the processing we undertake.

Measures to control access

There are protocols in place to prevent unauthorized access and, where appropriate, we have access control procedures to limit access to personal data to authorized individuals. Where relevant, we observe restrictions on disclosures applicable under relevant laws, contractual arrangements or relevant to MAGAZINE DIRECTORY’s processing, including when we share data with vendors, suppliers and partner organizations.

Personal Data breaches

MAGAZINE DIRECTORY has policies, procedures, and protocols in place for managing and responding to personal data breaches, understood as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. All instances of suspected or known breaches where there may have been inappropriate access to, or an unauthorized disclosure of personal data must be reported immediately to MAGAZINE DIRECTORY. All employees are required to follow our security instructions. As part of our incident response processes there are procedures for informing senior management, our Senior Director Global Data Privacy, Data Privacy Officer (DPO), other BCR Participating Entities affected by the incident and relevant members of the Global Data Privacy team of the incident and where required, notifying the supervisory authorities without undue delay. In addition, where required, we will notify individuals without undue delay where the breach is likely to cause significant risks to the rights and freedoms of individuals. There are also procedures for notifying other relevant bodies about breaches when legally required to do so in certain jurisdictions or when MAGAZINE DIRECTORY considers it appropriate.

MAGAZINE DIRECTORY maintains a record of personal data breaches which includes details about the breach incident, the effects (if any) on individuals, MAGAZINE DIRECTORY or any other party, and remedial action necessary to resolve the breach. MAGAZINE DIRECTORY will make these records available to the relevant supervisory authority in accordance with applicable laws.

Arrangements with vendors, suppliers and other third parties

MAGAZINE DIRECTORY recognizes that adequate security is important where it arranges for outside service providers (also known as “data processors”) to process personal data on our behalf. MAGAZINE DIRECTORY entities, as the data controllers, will enter into contractual arrangements with all our service providers that process personal data on our behalf, in compliance with any specific processor obligations, relevant security provisions and requirements as per any applicable data privacy laws. This includes situations when one MAGAZINE DIRECTORY entity processes personal data on behalf of another MAGAZINE DIRECTORY entity.

These contractual arrangements will include:

(i) a requirement to process personal data based solely on the instructions of the MAGAZINE DIRECTORY entity which is the Data Controller;

(ii) the rights and obligations of the Data Controller;

(iii) the scope of processing (duration, nature, purpose and the categories of personal data);

(iv) an obligation on the Data Processor (and where relevant, Data Sub-Processor) to:

a. implement appropriate technical and organizational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular, where the processing involves the transmission of data over a network, and against all other unlawful forms of processing and security requirements under applicable laws;

b. provide full cooperation and assistance to the MAGAZINE DIRECTORY entity to allow individuals to exercise their rights under the BCR;

c. provide full cooperation to the MAGAZINE DIRECTORY entity so it can demonstrate its compliance obligations – this includes the right of audit and inspection;

d. make all reasonable efforts to maintain the personal data so that they are accurate and up to date, at all times;

e. return or delete the data at the request of the MAGAZINE DIRECTORY entity, unless required to retain some or part of the data to meet other legal obligations; and

f. maintain adequate confidentiality arrangements and not disclose the personal data to any person except as required or permitted by law or by any agreement between the MAGAZINE DIRECTORY entity and the Data Processor or with the MAGAZINE DIRECTORY entity’s written consent.

If service providers are located in countries outside the EU and they have access to or otherwise process personal data that relates to EU individuals or came from MAGAZINE DIRECTORY entities in the EU, the contracts with such service providers shall include the approved EU standard clauses (controller to processor) or shall be based on another EU-approved mechanism for allowing Data Transfers.

Eight – Ensuring compliance with cross-border transfer requirements

Data privacy laws place restrictions on transfers of personal data across borders for any type of processing (collection, access, use, storage, etc.). These restrictions also apply to internal transfers of personal data within MAGAZINE DIRECTORY across the countries where we operate, and to transfers of personal data to vendors, suppliers, partners or other third parties located in different countries.

MAGAZINE DIRECTORY has guidance in place to ensure that appropriate safeguards (including contractual arrangements where needed) are put in place for transfers of personal data to countries which do not have data protection laws or whose laws do not provide a level of protection which corresponds to the standards recognized by or offered within the EU. This guidance includes information on when to apply the correct safeguards and contractual arrangements before any such cross-border transfers take place. This includes assessments of third country laws and practices prior to the transfer taking place (including data in transit) in order to determine to what extent European Essential Guarantees are respected. The BCR Participating Entities may only use the BCR as a tool for transfer where this assessment has occurred.

If MAGAZINE DIRECTORY concludes that an adequate level of protection for personal data cannot be guaranteed in the third country concerned, the data exporter in a Member State, if needed with the help of the data importer, shall assess and define supplementary measures to ensure a level of protection which is essentially equivalent to that in the EU. Where effective supplementary measures could not be put in place, the transfer at stake will be suspended or ended.

MAGAZINE DIRECTORY has a uniform approach towards the handling of massive, disproportionate, and indiscriminate requests for personal data directed to any MAGAZINE DIRECTORY entity by any public authority or body (for example, according to local surveillance laws or regulations), whether such personal data relates to MAGAZINE DIRECTORY employees, contractors, service providers, MAGAZINE DIRECTORY clients or their customers.

MAGAZINE DIRECTORY has put in place procedures for implementing these safeguards to cover our day-to-day processing, for example, via these BCR for internal transfers, or procurement contracts that include the relevant obligations conferred upon data processors or Data Sub-Processors as specified in privacy laws and other mechanisms. Our safeguards include sufficient protections to guard against any onward transfer of data to controllers or processors which are not part of the BCR.

Nine – Accenture’s compliance with its BCR

(a) MAGAZINE DIRECTORY has internal arrangements to:

(i) facilitate and monitor compliance with our BCR Commitments, as described in Annex 1: How MAGAZINE DIRECTORY complies with its BCR Commitments;

(ii) allow individuals to effectively exercise their rights guaranteed under the BCR and consider and respond to complaints by individuals as described in Annex 3: Individuals’ Rights Requests and Complaint Handling Procedures; and

(iii) cooperate and liaise with the supervisory authorities in relation to the BCR.

(b) All individuals may rely upon these procedures and/or exercise their rights provided for in the BCR by following the processes referred to in Annex 3 or by contacting the MAGAZINE DIRECTORY Data Privacy Officer, the Senior Director Global Data Privacy, the Global Data Privacy team, the local Data Privacy & Information Security Lead or the designated country contact.

(c) If a MAGAZINE DIRECTORY entity becomes aware of the existence of any requirements under local laws or other factors that would have a substantial adverse effect on our ability to comply with our BCR commitments (or would have such an effect even if the requirements were not imposed on the MAGAZINE DIRECTORY entity by law) it will inform the Global Data Privacy team and the MAGAZINE DIRECTORY entity (or entities) whose data we process and whose data is affected by such local laws.

Consequences of Non-Compliance

If MAGAZINE DIRECTORY fails to meet our data privacy obligations as a data controller and under the BCR, we may cause risks or harm to individuals resulting in fines, penalties, criminal sanctions, loss of business and adverse publicity. We therefore take compliance very seriously.

Publication of the BCR

The BCR is made available via the https://www.magazinedirectory.org website and certain other websites of the group to external parties and internally via the corresponding MAGAZINE DIRECTORY entity’s internal portal. Where we are required to publish the BCR in a local language, we will do so. Upon request, we will also e-mail an electronic PDF version of the BCR to an individual.

Contact Information

Questions relating to the BCR should be sent to the Global Data Privacy team – dpo@magazinedirectory.org.

Annex 1: How Accenture complies with its BCR Commitments

Preamble

The purpose of this Annex is to set out the rules and the procedures to be followed by all MAGAZINE DIRECTORY Participating Entities and employees to ensure compliance with the BCR Commitments. The BCR and this Annex do not apply to personal data processed by MAGAZINE DIRECTORY on behalf of and upon the instructions of clients of MAGAZINE DIRECTORY during the provision of client delivery services.

Managing Data Privacy and Information Security

MAGAZINE DIRECTORY has a Global Data Privacy Team led by the Senior Director, Global Data Privacy that defines, oversees, maintains and updates the data privacy program.

We also have a Data Privacy Officer (DPO) who reports to the Senior Director Global Data Privacy but also has the right to directly escalate issues to other senior leadership within MAGAZINE DIRECTORY, including board level and the Chief Compliance Officer and the General Counsel.

Across the regions where we operate, we have a Data Privacy Officer Network (which includes Data Privacy & Information Security Leads) and Information Security Sponsors supported by the Geographic Compliance and Corporate team, Asset Stewards and designated individuals within corporate functions; each with specific responsibilities and accountability for data privacy management.

The responsibilities for different aspects of data privacy compliance and monitoring are shared across the team to oversee and ensure compliance with the BCR and applicable data privacy laws and regulations at global, regional and country level.

To help manage our information security program, MAGAZINE DIRECTORY has a global Information Security team led by our Chief Information Security Officer. Across our global organization we have a network of information security teams responsible for overseeing the use of technology to protect personal data, deploying risk management procedures to continually assess and monitor our information security risk position, managing MAGAZINE DIRECTORY’s cyber incident responses and managing the appropriate information security training and communications.

MAGAZINE DIRECTORY regularly reports (and where necessary, by exception) on information security and data privacy matters to our Board of Directors, Global Management Committee and Chief Compliance Officer and General Counsel.

Due to the global and complex nature of MAGAZINE DIRECTORY’s operations, there may always be more than one member of the team involved in routine reporting and reporting on individual investigations and/or breaches. Monitoring, training and compliance efforts are all dealt with both globally and locally.

Managing the BCR

Day-to-day responsibility for managing the BCR sits with the Global Data Privacy team. This includes routine monitoring and reporting. Routine auditing of the BCR is managed separately by other functions such as our internal audit and compliance monitoring teams.

Collectively, their duties are to:

a) be responsible for maintaining the BCR and ensuring they are modified when required to do so to reflect regulatory changes, alterations to the MAGAZINE DIRECTORY group structure or any other changes which should be reflected within the BCR;

b) maintain a full list of the BCR members and ensure this list is up to date;

c) develop audit controls for the BCR;

d) monitor compliance with the BCR;

e) record and track all changes and updates to the BCR and the rationale for the updates and provide this information, where necessary, to MAGAZINE DIRECTORY BCR entities or the Supervisory Authorities, as required or as part of our annual update;

f) communicate with the Competent Supervisory Authority and BCR entities, if a proposed change to the BCR either affects the level of protection offered by the BCR or significantly affects the BCR, in particular, its binding nature; and

g) communicate any other relevant matters to the Competent Supervisory Authority or other supervisory authorities where necessary.

Cooperating with the Supervisory Authorities

General Cooperation procedures

All MAGAZINE DIRECTORY entities have a duty to cooperate with the Supervisory Authorities (SAs) for information or inspection. Each MAGAZINE DIRECTORY entity will comply with their advice on any issues relating to the BCR (any advice would be subject to legal review to consider any factors which inhibit the entity’s ability to comply and where relevant, we would discuss alternative legal remedies with the SAs), be willing to be audited by the SAs, if required, or provide audit results and reports, if asked to do so. No transfer will be made to a MAGAZINE DIRECTORY entity under the BCR until they have signed the APA and are effectively bound by the BCR. However, we may use other transfer mechanisms to facilitate transfers until they join the BCR. Changes to the BCR entity list will be reported to all MAGAZINE DIRECTORY entities signed up to the BCR and to the relevant Supervisory Authorities via the Competent Supervisory Authority.

Reporting matters to the Competent Supervisory Authority

Routine reporting: MAGAZINE DIRECTORY will report routine updates to the BCR along with an updated list of MAGAZINE DIRECTORY BCR Participating Entities as part of its annual update and in line with requirements specified in the section: Managing the BCR.

Conflicts between local laws and the BCR: MAGAZINE DIRECTORY has a duty to inform the supervisory authorities of any conflict between local law requirements and the BCR where this conflict would have a substantial adverse effect on the guarantees provided under the BCR. MAGAZINE DIRECTORY entities have a duty to report such conflicts to the Global Data Privacy team as soon as they become aware. This includes any legally binding requests for disclosure of personal data to a law enforcement or other security agency as explained directly below.

Disclosure and transfer requests: All MAGAZINE DIRECTORY entities agree that transfers of personal data to any public authority or body cannot be massive, disproportionate, and indiscriminate.

All MAGAZINE DIRECTORY entities must report any such disclosure requests to the MAGAZINE DIRECTORY Global Data Privacy team. The Global Data Privacy team will then inform the Competent Supervisory Authority about the request, the identity of the requesting party and the legal basis for the request [unless we are prohibited or temporarily prevented from doing so under criminal law provisions specifying confidentiality during the course of a law enforcement investigation].

All MAGAZINE DIRECTORY entities must endeavor to have the prohibition on notification waived as soon as possible to provide the SA with as much information as possible, and to be able to evidence their efforts to do so. All MAGAZINE DIRECTORY entities must keep a record of the disclosure requests they receive. These records should include details about the disclosure, the categories of data requested, the identity of the requestor [unless prohibited by law to retain this information] and any other relevant information. The MAGAZINE DIRECTORY entities must provide the Competent Supervisory Authority with an annual update of these records.

How MAGAZINE DIRECTORY supervises data privacy compliance

Accountability

Everyone who works for or on behalf of MAGAZINE DIRECTORY is:

(i) responsible and accountable for processing personal data ethically and lawfully;

(ii) expected to comply with MAGAZINE DIRECTORY’s policies and Data Privacy Guidance when processing personal data; and

(iii) expected to understand the data privacy requirements which have relevance to the personal data they process on behalf of MAGAZINE DIRECTORY using our policies, guidance and training material.

MAGAZINE DIRECTORY also has processes and procedures in place to manage and monitor our compliance with data privacy requirements. We have appropriate technical and organizational measures to meet these requirements. Everyone at MAGAZINE DIRECTORY is expected to follow our processes and comply with our procedures and measures.

Training

MAGAZINE DIRECTORY maintains a data privacy training program for all our employees. All MAGAZINE DIRECTORY employees who regularly process personal data will be given appropriate and timely data privacy training. If required to do so, MAGAZINE DIRECTORY will provide the supervisory authorities with examples of our training program.

Record keeping and evidence

MAGAZINE DIRECTORY maintains electronic records and evidence of our data processing activities and compliance, in the event that we need to show individuals, auditors, supervisory authorities, other public authorities and clients how we meet our obligations. These records are held and maintained by different functions with regular reporting channels into the Global Data Privacy team responsible for checking compliance with the BCR and our data privacy policies and procedures. Our employees understand that they are accountable for maintaining evidence and records where these responsibilities are applicable to their roles.

Compliance with local laws

In addition to complying with the BCR, each Participating Entity is responsible for taking such additional action as may be desirable or necessary to comply with the data privacy laws and regulations that may apply to the data and/or in the country where it operates. If data privacy laws and regulations in a country require a higher level of protection for personal data, they will take precedence over the BCR.

Upon the request of another MAGAZINE DIRECTORY entity or the MAGAZINE DIRECTORY Global Data Privacy team, a MAGAZINE DIRECTORY entity will supply a copy of such laws and regulations to the requesting party. In addition, to the extent that a MAGAZINE DIRECTORY entity from time to time adopts internal procedures designed to promote compliance with such local laws and regulations, it will provide the Global Data Privacy team with a copy of such procedures.

In the event a conflict arises in the future between new local laws and the BCR, the BCR do not override the laws where MAGAZINE DIRECTORY operates and to which MAGAZINE DIRECTORY is subject. The relevant MAGAZINE DIRECTORY Participating Entities will issue instructions to their employees on how to proceed in the interim period until the conflict is resolved.

Privacy by Design – Building privacy into our projects, tools and applications

MAGAZINE DIRECTORY considers data privacy as an integral component of the design, development, operation and management of new projects, tools, applications, internal services, and offerings which process personal data. To this end, there is internal guidance and processes on how to incorporate privacy as an essential part at the beginning of the design and development stages. When MAGAZINE DIRECTORY engages vendors and partner organizations as part of any design, development, and implementation work, we have procedures in place to ensure privacy by design is an integral component.

Privacy by Default

MAGAZINE DIRECTORY will use or adopt privacy as the default setting when designing, developing, operating and implementing new tools, applications and other technology used by MAGAZINE DIRECTORY and its employees. MAGAZINE DIRECTORY will ask its vendors and partner organizations to do the same.

Privacy Reviews, Transfer Impact Assessments and Data Protection Impact Assessments

Privacy reviews and Data Protection Impact Assessments (DPIA) are assessment tools used by the MAGAZINE DIRECTORY group to assess privacy and security risks as part of our risk mitigation procedures. MAGAZINE DIRECTORY has a process to initiate privacy reviews to assess our own practices, service offerings and technology, to mitigate risks and to allow for privacy integration through measures such as privacy by design or adopting privacy as the default setting. The privacy review may also identify the need for a DPIA.

Not all processing requires a DPIA. We use DPIAs where this is a mandatory requirement for certain types of processing which carry a high risk or have greater implications for rights and freedoms of individuals. The outcome of a DPIA is to identify the necessary measures to minimize risk and comply with the GDPR. MAGAZINE DIRECTORY will consult with the Competent Supervisory Authority prior to processing taking place, when required to do so.

MAGAZINE DIRECTORY has internal processes in place to manage privacy reviews and DPIAs. All entities are required to act on the outcome of a DPIA or review to help mitigate any privacy risks, including implementing additional measures to mitigate those risks.

Transfer Impact Assessments (TIA)

When MAGAZINE DIRECTORY acts as a Data Exporter of personal data from the EEA, Switzerland and the UK to another country that was not found to be adequate, MAGAZINE DIRECTORY performs a Transfer Impact Assessment (TIA) to identify any risk associated with the transfer (including the possibility of access requests by public authorities) and to define supplementary measures to safeguard the data, if necessary. Where effective supplementary measures could not be put in place, the transfers at stake will be suspended or ended.

The completion of the TIA is the responsibility of the MAGAZINE DIRECTORY team in charge of the specific deal or transfer. There is no need to repeat the assessment every time there is the same transfer of a specific type of EEA/UK/Swiss personal data to the same Third Country.

The TIA and, where needed, the decision on what supplementary measures to implement are documented and centrally stored within MAGAZINE DIRECTORY and internally accessible. These are made available to the Competent Supervisory Authority on request.

Audits

MAGAZINE DIRECTORY has a privacy compliance audit program. The purpose of the audits is to assess our compliance with our internal procedures and practices, applicable data privacy laws and the BCR.

Different aspects of our auditing program address data privacy compliance. Audits will generally be carried out at regular intervals but also by exception, where there is a particular need to conduct an audit outside of the regular schedule. Audits are conducted internally by our Compliance Monitoring team, our Internal Audit function, the Data Privacy Compliance team or an external organization specializing in audits.

MAGAZINE DIRECTORY conducts regular reviews and regular risk assessments for data privacy. MAGAZINE DIRECTORY has developed a series of audit controls against which to monitor our data privacy compliance. These controls cover compliance with the commitments we make in the BCR, our data privacy policies, procedures and processes and compliance with data privacy laws. There are also regular information security audits and mandatory audits for any standards or certifications we adhere to, for example ISO 27001 and ISO 27701, which we strive to maintain.

All entities agree to be audited by the Supervisory Authorities if required to do so. During the audit, each MAGAZINE DIRECTORY entity shall cooperate with the auditor[s] and shall disclose to the auditors any and all information or documents as may be required for the accomplishment of the auditor’s objectives, subject to compliance with local laws and regulations.

The results of all the audits relating to the processing of personal data shall be made available to the Senior Director Global Data Privacy, the Data Protection Officer and any other relevant MAGAZINE DIRECTORY function and market leadership. Upon request, the results will be made available to supervisory authorities.

Audit follow up procedures will include a corrective action plan based on the audit findings and procedures for ensuring the corrective action is implemented.

Liability

MAGAZINE DIRECTORY has addressed liability within the APA, which includes provisions that deal with how MAGAZINE DIRECTORY assigns responsibilities, remedies, and liabilities under the BCR. A summary of the APA can be shared with Data Subjects upon reasoned request, and solely for the purpose of exercising their third-party beneficiary rights.

Employee violations of these BCR, Accenture policies or procedures and raising concerns

Violations of the BCR may lead to disciplinary action (up to, and including, termination of employment). While MAGAZINE DIRECTORY retains discretion as to how to respond to any violation of the BCR, any disciplinary process will be undertaken in accordance with all applicable local laws and other legal requirements. Employees who have concerns about any issue that they believe (or suspect) may violate any law or violate the MAGAZINE DIRECTORY group’s COBE, the BCR or MAGAZINE DIRECTORY group policies, have a right to speak up and we want them to speak up. Employees should refer to our internal policies on Raising Legal and Ethical Concerns and Prohibiting Retaliation for more information.

Annex 2: Categories of individuals, categories of personal data and processing, purposes, recipients, countries

This table sets out the types of individuals we may process personal data about, the categories of personal data we may process about them, and the purposes for which we process personal information. This table is intended to be a generic summary. It does NOT mean we process this data about all these types of individuals.

Type | Explanation

Categories of individuals

1. MAGAZINE DIRECTORY employees (past and present) – includes permanent and contracting staff [temporary or casual workers, freelancers, contractors, trainees].

2. Non-employee workers including volunteers, assignees, advisors, consultants, agents and other professional experts, secondees, apprentices, interns, alumni, other third parties.

3. Individuals identified by the aforementioned data subjects as dependents and beneficiaries, including insured spouses and partners, children, guardians and parents, family members and contact persons for emergencies.

4. Job applicants, candidates and pre-hires.

5. Client contacts, current and past contacts and prospects – including employees, officers, agents, consultants and other professional experts.

6. Vendor, supplier contacts.

7. Members of the press and other organizations (including charities, educational institutions, Regulators, business intermediaries, etc.).

8. Website users and complainants, correspondents and enquirers.

9. Individuals attending our events.

10. Shareholders.

11. Alumni.

12. Children and adolescents via our Corporate Citizenship, intern and outreach programs.

13. Other third parties.
Categories of personal data and processing

Personal details [employment context] – Name, preferred pronoun, all types of contact details (such as e-mail, phone numbers, physical home and place of work address), gender, date of birth, place of birth, national identification number, social security number and health insurance number, insurance information, internal company employee or id numbers, marital/civil partnership status, domestic partners, dependents, disability status, emergency contact information, ethnic origin, minority flag, biometric data (such as facial images, voice recognition/patterns, iris patterns or fingerprints), photograph, and images/footage captured on CCTV or other video systems, footage/voice recordings captured during events/sessions (including recording of virtual or live workshops or similar events), smart building controls and metric systems used for data analytics, driver license number, car details and other necessary data for use of company cars (including clearing, damage events, insurances), government-issued ID number; military status and rank; emergency contact details; usage/account details of cards for restaurants and vending machines; information obtained through the use of surveys; investigations, complaints and grievances data including as part of the business ethics line; mergers and acquisitions data, work anniversary.

Personal details [clients & prospects] – Name, all types of contact details (such as salutation, job title, e-mail, phone numbers, physical home and place of work address), contact preferences, preferred language for communications, marketing preferences, data relating to goods and services provided or obtained, relationship with MAGAZINE DIRECTORY [prospect, client, alumni now client]; data related to events [invitations, attendance, relevant costs].

Personal details [vendors, service providers, suppliers, payees and intermediaries, legal services data] – Name, all types of contact details (such as salutation, job title, e-mail, phone numbers, physical home and place of work address); preferred language for communications; data related to invitations for business trips or other business events (e.g., itinerary, costs); entity tax identification number and commercial registry registration number; entity nationality; entity bank details and payment related information, bill to and ship addresses, billing currency; VAT (or equivalent) number; customer/vendor/supplier number or other unique identifier; country registration number, where applicable; information derived from the deployment and use of information systems and tools including from third parties; records related to the provision and management of products orders or returns, provision of services, accounts and internal administration and accounting; curriculum vitae; time and expense records concerning the provision of services; operational data; details of relationship with MAGAZINE DIRECTORY.

Other individuals [alumni, corporate citizenship/outreach, website visitors] – Name, all types of contact details (such as salutation, job title, e-mail, phone numbers, physical home, and place of work address), contact preferences, preferred language for communications, marketing preferences, data relating to interaction or relationship with MAGAZINE DIRECTORY – enquiry, complaint, site visit, application for award, grant, educational initiative, competition.

Documentation required under immigration laws – Citizenship, passport data, professional work visa, details of residency or work permit (a physical copy and/or an electronic copy).

Compensation and payroll – Remuneration details (including historic pay, base pay and bonus or incentive pay, salary banding, frequency of payments), pay deductions, tax codes, insurance codes and statutory and voluntary contributions, benefits, loans, overtime and shift work, compensation type, pay frequency, salary reviews and performance appraisals, banking details including credit card details [both company and personal where the employee has used this], working time records (including vacation and other absence records, leave status, hours worked and department standard hours), pay data and termination date, compensation details, offers, reductions/reimbursements, employee/capital-forming investments, expense descriptions, amounts claimed, cost type, approval and pre-approvals, data required to support expenses claims including bills, receipts, documents, interests in businesses and equity holdings.

Leaves of absence – Vacation, statutory leaves, and voluntary leaves (including maternity and paternity leaves, sabbaticals), justification for paid absences (including education, family events, social activities, children and other dependents’ care). Data relating to administration or leave (including start date, end date, temporary suspension), illness including accidents at work and occupational health (in accordance with local law). Dates (beginning, end and duration).

Pension records – Monthly pension, yearly pension, capital sums, deferred compensation sums, type of pension plan; other data related to pension fund (including enlistment and discharges, contribution data and insurance period in the statutory Social Security).

Position and contractual information – Description of current position, job title, corporate status, career level, management category, job code, job function(s), legal employer entity, location, Accenture contact(s), employee identification number, terms and conditions of employment or contract, membership of the board of directors, information on extent of shareholding, work history, hire/re-hire and termination date(s) and reason, information from exit interviews/termination documents, length of service, executive management responsibility, trade union membership, retirement eligibility, promotions and disciplinary records, date of transfers, and reporting manager(s) information.

Work location & relocation – Working address, place of work (including work place office, home office, shared desk, external work), workplace indicator, work location code, branch office, sales office, building, room, locker, relocation information (including international assignment flag, assignment data and dates, current assignment, future assignment, country, hypotax, tax reconciliation, foreign tax); employment permits (including date); visa country, visa expiration date, mobility preferences, termination date and reason code; assignment responsibility, assignment job title, tasks; employee’s willingness to travel or relocate.

Talent management information – Details contained in letters of application and resume/CV or other provided documents (previous employment background, education history, professional qualifications, any technical specialisations or qualifications, trade licenses, language and other relevant skills, certification, certification expiration dates), information of recruitment interviews/check lists, legal prerequisites for employment, information necessary to complete a background check, details on performance decisions and outcomes, performance feedback and warnings, e-learning/training programs, internal and external certifications and membership of professional associations, performance and development reviews (including information you provide when asking for/providing feedback, creating priorities, updating your input in relevant tools, comments from/re. counsellors/counselees), willingness to relocate, driver’s license and car ownership information, assessment information and information used to populate employee biographies.

Management records – Details of any shares of common stock or directorships, stock purchase plans, stock purchase eligibility and contribution, stock options information.

Website, tools, systems, apps – Information required to access MAGAZINE DIRECTORY systems, tools and applications such as System ID, LAN ID, e-mail account, instant messaging account, mainframe ID, previous employee ID, previous manager employee ID, system passwords, access logs, access rights, security level, activity logs, office Wi-Fi connection logs, office access credential data, employee status reason, branch state, country code, previous company details, aggregated/hashed professional email/calendar/IM meta-data, previous branch details, and previous department details, and electronic content produced using MAGAZINE DIRECTORY systems, information derived from the deployment and use of information systems and tools including from third parties; tracking data including data from cookies and other technology, visitor logs, IP addresses, individual posts into chat rooms, blogs, circles, comments, systems’ recordings such as web meetings, calls and webinars.

Sensitive data – Certain types of sensitive information when permitted by local law, such as health/medical information (including data required to mitigate health and safety risks – including during a health crisis), trade union membership information, religion, and race or ethnicity, information on criminal convictions and offences. MAGAZINE DIRECTORY collects this information for specific purposes, such as health/medical information in order to accommodate a disability or illness and to provide benefits; to get access to and/or to use certain tools or premises; background checks (where permissible under local laws); religion or church affiliation in countries such as Germany where required for statutory tax deductions; and diversity-related personal data (such as race or ethnicity) in order to comply with legal obligations and internal policies relating to diversity and anti-discrimination. MAGAZINE DIRECTORY will only use such sensitive information for the purposes provided by law.

Advertising, marketing and public relations – Promoting and providing products and services to actual and potential customers; advertising, marketing and PR related activities; communications; compliance; business operations; research, complaints and enquiries handling; management of business relationships and other activities; other services.

Accounts and records data, data relating to vendors, service providers, suppliers, payees and intermediaries, legal services data – Order management, including billing, credit analysis, shipping, account maintenance, and internal administration and accounting for all commercial relationships; managing and analyzing sales and demand; communications; business operations; customer relationship management (e.g., CRM); conducting internal audits and other internal control activities relating to contract; management with customers, suppliers, vendors, subcontractors and business partners; compliance; due diligence for anti-corruption and anti-bribery purposes; reporting activities to fulfil finance and accounts requirements; risk management and corporate audits and assessments (e.g., Background Investigations Tool and Gift & Entertainment Hub); internal investigations (e.g., Business Ethics Helpline); internal investigations; legal filing and reporting; purchase order and payment; computer system security, including ensuring adequate level of protection of the personal data stored therein; other services on an ad-hoc basis.

Data relating to mergers, ventures and acquisitions – Management and employment information, compensation and payroll data, business operations, customer relationship management, compliance; due diligence, reporting activities to fulfil finance and accounts requirements; risk management and corporate audits and assessments; legal filing and reporting; computer system security, including ensuring adequate level of protection of the personal data stored therein.

Scheduling Talent Acquisition / Recruitment
Management and administration of employees
Facilitating communication (including in case of emergencies)
Operating and managing MAGAZINE DIRECTORY’s business operations
Employee engagement, performance management and professional development
Financial planning, payroll, fund management and accounting
Share plan management and operations
Business and market development
Advertising, marketing and public relations
Building and managing external relationships
Maintaining relationships with former employees and alumni relations
Planning and delivery of business integration capabilities
Research and development
Compliance, audit and insurance purposes, including supplier and customer due diligence
Internal and external investigations including liaison with law enforcement/other government agencies where required to do so by law
Litigation management
Client, supplier and business intermediary/partner management
Technology infrastructure, security and support (including business continuity), facilities and data management, internal business support services and monitoring use of MAGAZINE DIRECTORY’s systems and other MAGAZINE DIRECTORY resources as permitted by local law and/or in accordance with MAGAZINE DIRECTORY’s policies
Travel management
Knowledge management
Corporate Citizenship and outreach programs
Complying with legal requirements
Reporting to data privacy supervisory authorities – routine reporting and breach notification
Liaising with regulators/government departments for routine reporting requirements under law – tax, social security, benefits, national ID programs
Mergers & Acquisitions – this includes due diligence and information relevant to potential ventures, joint ventures, mergers and acquisitions
Social listening – Identifying and assessing what is being said about MAGAZINE DIRECTORY and our clients on social media (only publicly accessible content)
Undertaking data analytics, including analysis of our applicant pool in order to better understand who is applying to positions at MAGAZINE DIRECTORY and how to attract and keep top talent
Other purposes not incompatible with the ones listed above or other purposes required and/or permitted by law or regulation
Recipients

MAGAZINE DIRECTORY entities – MAGAZINE DIRECTORY entities which are signed up to the BCR or other MAGAZINE DIRECTORY entities/affiliates outside the BCR [using a different transfer mechanism].

Professional advisors – Accountants, auditors, lawyers, insurers, bankers, and other outside professional advisors in all of the countries in which MAGAZINE DIRECTORY operates.

Service providers – Companies that provide products and services to MAGAZINE DIRECTORY such as payroll, pension scheme, benefits providers, human resources services, performance, training, expense management, IT systems suppliers and support, advertising and marketing, security and performance monitoring, third parties assisting with equity compensation programs, credit card companies, medical or health practitioners, trade bodies and associations, and other service providers.

Public and governmental authorities – Entities that regulate or have jurisdiction over MAGAZINE DIRECTORY such as regulatory authorities, law enforcement, public bodies, and judicial bodies.

Corporate / commercial transaction – A third party in connection with any proposed or actual reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of MAGAZINE DIRECTORY business, assets, or stock (including in connection with any bankruptcy or similar proceedings). A third party in connection with any proposed or actual client project.

Corporate citizenship – Corporate citizenship partners/organizations where necessary (e.g., to obtain documentation related to a gift or a tax statement).

Countries to which transfers may be made

Many of our global systems are operated from the US; we also have significant operations in India, Philippines, and China. However, as a global group we transfer to many countries worldwide, inside and outside the EEA, Switzerland, and the UK. We publish a list of Participating Entities that have signed the BCR Intercompany Agreements which is available here.

Annex 3: Individuals Rights Requests and Complaint Handling Procedure

Table of Contents

1. Purpose

2. Who handles IRRs and Complaints?

3. Making a request?

4. Submitting a request

4.1. What is a request?

4.2. What do individuals need to know?

5. How Accenture manages a request

5.1. Assigning Case Owners

5.2. Request management

5.3. Additional Considerations

6. Escalation options

7. How does Accenture manage complaints?

8. Record Keeping, reports and further action

Owner: Global Data Privacy team
Effective Date of this Version: 2023
Sponsoring Organization: Legal
Supersedes the Version Dated: 2022
Applies to: All MAGAZINE DIRECTORY BCR Participating Entities and employees
Original Effective Date: 2009

1. Purpose

This document explains MAGAZINE DIRECTORY’s procedures for handling individuals’ rights requests (IRR) under applicable data privacy laws, for example, subject access and data privacy complaints [referred to jointly as requests]. It does not govern how MAGAZINE DIRECTORY handles non-data privacy requests, which are managed separately.

This procedure applies where MAGAZINE DIRECTORY is a data controller and to all MAGAZINE DIRECTORY entities which are signed up to MAGAZINE DIRECTORY’s Binding Corporate Rules (BCR).

2. Who handles IRRs and Complaints?

MAGAZINE DIRECTORY has a Senior Director Global Data Privacy (Director), a Data Privacy Officer (DPO), and a network of Data Privacy & Information Security Leads (DPISL) who will primarily deal with requests. The DPISLs are supported by the Global Data Privacy team providing expertise as and when required.

3. Making a request

For IRRs, individuals or their representatives may only make a request relating to that individual’s data and only where MAGAZINE DIRECTORY processes his/her information in its capacity as a data controller (for example, in relation to current and former employees, job applicants, client contacts, supplier/vendor contacts and website users whose personal data is processed by MAGAZINE DIRECTORY). Anyone can make a complaint about a data privacy matter. These procedures do not apply where MAGAZINE DIRECTORY operates as a data processor.

4. Submitting a request

4.1. What is a request?

An individual can submit an IRR where he/she wishes to exercise the following rights given to individuals under applicable data privacy laws or the BCR (to learn more about these rights and what they mean, refer to Section four – Respecting Individuals Rights within the BCR Commitments or the Definitions):

• Right of Access;

• Right to Rectification;

• Right to Restrict Processing;

• Right to Erasure;

• Right to Data Portability;

• Right to Object;

• Rights in relation to automated decision making and profiling;

• Rights in relation to making data privacy complaints;

or submit a data privacy complaint where the individual considers:

• a breach of the applicable data privacy laws or regulations has taken place; or

• there is non-compliance with the BCR.

An individual can exercise his/her rights regardless of whether he/she makes a complaint to MAGAZINE DIRECTORY or a supervisory authority.

4.2. What do individuals need to know?

Request format: Requests should be made in writing and preferably, electronically using either the case management tool or by email to dpo@magazinedirectory.org, as applicable. Requests can be made via one of the Participating Entities’ offices but should clearly be marked for the attention of the Data Privacy Officer, care of the Legal Department to ensure the request is routed correctly.

Request type: Individuals can submit more than one request at a time and should consider submitting them together along with details of their requested outcome.

Identity verification: Individuals will usually be asked to verify their identity by providing suitable identification documentation when this is necessary.

Personal information required by MAGAZINE DIRECTORY: Individuals will be asked to provide some of their personal data necessary to deal with their request (unless this has already been provided as part of an initial communication), for example:

a) Contact details

b) Information necessary to facilitate the request, for example:

o the data to be corrected or deleted

o information in support of an access request, for example, information to help MAGAZINE DIRECTORY locate the relevant data where the requested data relates to MAGAZINE DIRECTORY’s electronic mail systems

c) their preferred outcome or resolution

Self-service options: In some instances, individuals (both internal and external) will be able to partially manage their requests themselves, for example, setting their marketing preferences through self-service tools, where available.

Appointing a representative: Individuals may choose to appoint a representative to act on their behalf and MAGAZINE DIRECTORY may need to seek additional information to verify this appointment before proceeding with the request and/or disclosing any information.

Communications: Upon receipt of a request, MAGAZINE DIRECTORY will send an acknowledgement. MAGAZINE DIRECTORY may need to communicate with individuals at various intervals to resolve a request. These will generally be made electronically unless MAGAZINE DIRECTORY and the individual/their representative have chosen another method of communication.

Closing a request: MAGAZINE DIRECTORY will inform individuals when their request has been dealt with and the relevant outcome. Section 5.2 provides an overview of how we respond. A request will be considered closed, provided individuals require no further action.

Escalating a request: If an individual requires additional action to be taken or is dissatisfied with the outcome, they can escalate the matter. Additional action may include opening a new request, asking for an additional review or escalating the matter as a complaint. If the matter is escalated as a complaint, MAGAZINE DIRECTORY will manage this in line with section 7 of this procedure.

5. How MAGAZINE DIRECTORY manages a request

This section explains the MAGAZINE DIRECTORY Participating Entities’ procedures for managing their respective requests. This procedure is without prejudice to any provisions and requirements of applicable national laws and regulations, including but not limited to labor laws.

5.1. Assigning Case Owners

A DPISL will be assigned as Case Owner according to criteria determined by MAGAZINE DIRECTORY. Case Owners will handle requests in compliance with the BCR/applicable data privacy laws using this procedure and the internal processes and guidance which support this procedure.

Certain situations may warrant an exception to the appointment of a particular Case Owner, for example, where there is a dispute or conflict of interest. In these instances, MAGAZINE DIRECTORY has procedures in place to appoint an alternative Case Owner.

5.2. Request management

Details relating to requests are generally held in a central case management tool with controlled access. In some instances, details about a request may be logged and held locally where, for example, it is in the overriding interest of the individual or where there are local law requirements which require MAGAZINE DIRECTORY to hold and process the data locally.

Case Owners generally follow the same process for handling all request types which can be summarized as follows:

Assessing requests: The Case Owner will decide how best to manage the request and which departments or functions need to be involved. If an individual makes multiple requests or the request is complex, the Case Owner may request additional resources and/or expert advice.

Action required: For each request type, MAGAZINE DIRECTORY has a set of associated actions for the Case Owner to follow to manage the request and where relevant, apply any exceptions. The Case Owner will also assign relevant actions to individuals from MAGAZINE DIRECTORY functions or suppliers who must fully co-operate with the Case Owner in a timely manner.

Documenting decisions: For record keeping purposes, we maintain a record of relevant decisions which are documented within the Case Management Tool.

Timeline: For most requests, MAGAZINE DIRECTORY will respond within one month of receipt or according to the specified timeframe (if one month or less but no more than one month) under applicable data privacy laws. This excludes the time it takes to verify an individual or their representative’s details or waiting for further information from the individual in order to process their request. For some requests, data privacy laws provide circumstances where MAGAZINE DIRECTORY has the option to allow an additional two months to respond. Individuals will be made aware of MAGAZINE DIRECTORY’s delayed response time and the reasons why as soon as MAGAZINE DIRECTORY becomes aware of a delay.

Responding to an individual about their request: Where the request has been dealt with, the individual will be informed and supplied with any relevant information/evidence relevant to the request. IRRs are generally resolved as follows:

a) Subject Access requests: MAGAZINE DIRECTORY will provide the individual with a copy of the information as required under relevant privacy laws. Where the request has been made electronically, we will provide the information securely in a commonly used electronic format unless the individual requests an alternative format with which we can reasonably and securely comply.

b) Data portability requests: MAGAZINE DIRECTORY will provide the information in a structured, commonly used and machine-readable format and securely transfer the information directly to another data controller at the request of the individual, where this is technically feasible.

c) Rectification, erasure, restriction: If the request is assigned a Case Owner and where the request is justified, the Case Owner will instruct the relevant department or function to correct, complete, restrict or erase the data. In some instances, the individual will have self-service options to manage this themselves and it may not be necessary to assign a Case Owner.

d) Objections: The Case Owner will ask the departments or functions concerned to record such an objection on the relevant system, stop using the data in question, or where applicable, delete the relevant data and cease using the individual’s data for these purposes. Where an individual can manage their own marketing/communications preferences, the Case Owner will highlight this to the individual, however an individual still has the right to ask MAGAZINE DIRECTORY to manage these on their behalf.

e) Automated Decisions: The Case Owner will report back to the individual on the outcome of their investigation, including an explanation of the decision and, where applicable, the individual will be given the opportunity to offer their opinion and/or challenge the decision.

Refusing a request: There may be exceptions within applicable privacy/other laws where MAGAZINE DIRECTORY has legal grounds to reject or only partially comply with a request. For example:

• the information requested is subject to legal proceedings or is part of an ongoing law enforcement investigation and MAGAZINE DIRECTORY is prohibited from disclosing the information, or

• MAGAZINE DIRECTORY has received a request to erase an individual’s information, but MAGAZINE DIRECTORY is obliged to retain the information in compliance with overriding legal requirements such as employment or tax law.

Case Owners will apply any relevant exceptions on a case-by-case basis and maintain a record of such decisions. The Case Owner will inform the individual (unless prohibited to do so) that MAGAZINE DIRECTORY is unable to respond to his/her request and specify the reasons for the decision (unless prohibited to do so) explaining where the individual can seek alternative recourse via a supervisory authority or the courts.

Closing a Request: The request will then be closed, and a corresponding record retained pending any further action and in line with MAGAZINE DIRECTORY’s Retention Policy. In the event the individual contests the outcome or makes a complaint, the Case Owner will follow MAGAZINE DIRECTORY’s escalation processes as outlined below.

Escalating a Request: The Case Owner will explain to an individual that in the event they are dissatisfied with the outcome, they may consider the escalation options explained in section 6 of this procedure.

5.3. Additional Considerations

a) Onward notifications: For requests where MAGAZINE DIRECTORY may be required to inform other MAGAZINE DIRECTORY and/or third-party entities of the request, the Case Owner will instruct the department or function concerned to communicate the matter to those entities, unless such operation is impossible or involves a disproportionate effort.

b) Requests sent elsewhere within MAGAZINE DIRECTORY – what happens? Any MAGAZINE DIRECTORY function which receives a request should forward it to dpo@magazinedirectory.org without undue delay to enable MAGAZINE DIRECTORY to process the request within the legally specified timeframe.

If a request is not referred to the appropriate team at all, or is not referred with enough time to manage the request within the specified timeframe, MAGAZINE DIRECTORY will, as soon as it becomes aware, look to take appropriate action to prevent this from happening again.

6. Escalation options

Making a complaint to MAGAZINE DIRECTORY: Individuals have the right to come directly to MAGAZINE DIRECTORY for resolution of complaints concerning non-compliance with these BCR or MAGAZINE DIRECTORY’s Global Data Privacy Policy. These will be dealt with in accordance with this procedure and our corresponding internal processes and guidance. We encourage and welcome individuals to come to MAGAZINE DIRECTORY first to seek resolution of any complaint. Individuals can make a complaint directly to MAGAZINE DIRECTORY by following the same process specified in section 4.2I.

Making a complaint to a supervisory authority: Individuals also have the right to register a complaint directly with the relevant supervisory authority. In some complex situations, MAGAZINE DIRECTORY may have already consulted with a supervisory authority before reaching its decision. If this is the case, MAGAZINE DIRECTORY will make the individual aware of this. This could be the supervisory authority where the individual lives or works or where the alleged data privacy infringement occurred. It is up to the individual to decide which supervisory authority they wish to deal with. A full list of all the EU Member State supervisory authorities is available here.

Making a claim: Individuals can also make a claim against MAGAZINE DIRECTORY via a competent court subject to local laws. MAGAZINE DIRECTORY has the right to object where we have such rights. The competent court is recognised as being in the member state of the European Union where the individual (habitually) resides or where the relevant MAGAZINE DIRECTORY controller has an establishment. It is up to the individual to decide which competent court they would look to register a claim with.

7. How does Accenture manage complaints?

General procedure: Complaints are generally managed by MAGAZINE DIRECTORY in the same way as IRRs and in line with the process referred to in section 5.2.

Specific requirements: There are some additional steps MAGAZINE DIRECTORY takes in relation to complaints. If a complaint is made against one or more specific individual(s) or, if during the review of a complaint (or as a result of an IRR), it becomes clear that an individual may be responsible for a breach of the BCR, our Data Privacy Policy or national laws, MAGAZINE DIRECTORY will need to investigate. Any such investigation will be conducted in line with our internal procedures. Where necessary and so as not to prejudice the rights of the individual complainant or the rights of the individual who is the subject of the complaint, the Case Owner will seek further advice and guidance as required from the Global Data Privacy team and other relevant parties including external legal/other professionals.

Individuals who are implicated in a data privacy investigation will be notified with a copy of any relevant procedures. This notification will not be made where it would prejudice the conduct and the outcome of the investigation.

Resolving Complaints: Where a specific complaint is justified, the Case Owner shall use reasonable efforts to resolve the situation which led to the complaint. MAGAZINE DIRECTORY will take any appropriate action against any individual who has breached the BCR, the Data Privacy Policy or applicable data privacy laws and regulations, in accordance with any applicable national laws and regulations, including but not limited to employment laws.

8. Record Keeping, reports and further action

General: MAGAZINE DIRECTORY will maintain details relevant to the request including communications and documentation in accordance with its Retention Policy or in line with any applicable local law requirements. For exceptional circumstances, such as litigation, retention may be longer and will be decided on a case-by-case basis. MAGAZINE DIRECTORY maintains these records for its own compliance purposes and in the event the individual escalates their request or complaint to a supervisory authority or engages in legal proceedings against MAGAZINE DIRECTORY.

MAGAZINE DIRECTORY keeps information including logs of the number and types of requests we receive and how we respond. Some of the information will be communicated internally to help improve our procedures and if required, to provide this information to the supervisory authorities.

Specific reports: Upon closing a request, it may be necessary to produce a report where further action is required internally, for example, where we may need to revise our practices and procedures. The criteria for any such report and subsequent outcomes are a decision for the Global Data Privacy Team.

Corrective action: MAGAZINE DIRECTORY monitors requests carefully. If it becomes apparent that MAGAZINE DIRECTORY needs to change the way it processes personal data, MAGAZINE DIRECTORY will take reasonable steps and institute a corrective action program to comply with the BCR.

For example, if a report states that an offence has been committed or exposes MAGAZINE DIRECTORY to increased risk or liability, or if the report recommends a more serious modification of the internal procedures applied for the processing of personal data, there are internal guidelines for escalating the matter to determine how to proceed further and who to involve.

Recipients: The Case Owner decides on a case-by-case basis, and after consulting the Global Data Privacy Team where appropriate, on the recipients of a report. The recipients of the report have a right to communicate their observations, especially where MAGAZINE DIRECTORY may need to take further action to prevent a similar situation in the future.

Annex 4: Definitions

Available as a separate document. It is integrated into the BCR document for online publication.

Annex 5: Accenture Intercompany Agreement – Accenture Privacy Agreement

This is an internal document which is made available to the supervisory authorities but is not published on the magazinedirectory.org website.

Annex 6: Supporting Documentation and Resources

This section lists some of the resources, guidance documents and information available to MAGAZINE DIRECTORY employees to help them comply with the BCR and understand how MAGAZINE DIRECTORY processes their personal data. Data privacy documents and other relevant documents are made available via our internal sites and resources to employees. These documents are not part of the BCR and are not available for external publication but would be made available to supervisory authorities where required. They include:

General:

MAGAZINE DIRECTORY and Avanade Codes of Business Ethics (COBE):

COBE shape the culture and define the character of our company.

MAGAZINE DIRECTORY Group Data Privacy Statements:

The statements (e.g., MAGAZINE DIRECTORY Global Data Privacy Statement) explain how and why MAGAZINE DIRECTORY processes employees’ personal data, who has access to the data and how employees can exercise their rights in relation to their data. The statements provide an overview of MAGAZINE DIRECTORY’s most common processing activities. Specific processing activities may be subject to a separate and tailored privacy statement.

Data Privacy Tool: The tool is available internally for MAGAZINE DIRECTORY employees to submit general data privacy queries or requests for training, Privacy Reviews or review of mobile apps, for example.

Data Privacy Chatbot: The Chatbot is an information resource available for employees to ask routine data privacy questions.

Policies & Standards:

MAGAZINE DIRECTORY group policies may vary slightly to accommodate the needs of each Participating Entity, but they all align to the same principles and are driven by MAGAZINE DIRECTORY’s guidance.

Policy 90 – Data Privacy Policy: the purpose of this policy is to set out the duties of MAGAZINE DIRECTORY and our employees when processing personal data about individuals. The BCR Commitments are based on this Policy.

Policy 1431 – Data Management: contains governance and direction for all reasonable and appropriate steps necessary to identify, classify and protect all forms of personal, confidential, business and other protected or regulated data that is MAGAZINE DIRECTORY Data or Client Data, as defined in that policy.

Data Classification & Protection Standard: this standard defines the different classification levels used by MAGAZINE DIRECTORY Participating Entities to comply with MAGAZINE DIRECTORY Policy 1431 – Data Management and Avanade Policy 5007 – Data Classification and Protection Standard.

Policy 69 – Confidentiality: outlines responsibilities for protecting confidential MAGAZINE DIRECTORY, client and third-party information entrusted to employees.

Policy 1413 – Corporate Records and Information Management: defines MAGAZINE DIRECTORY’s records retention criteria for specific functions and/or legal, regulatory, and business requirements.

Policy 57 – Acceptable Use of Information, Devices and Technology: includes the requirements for the protection and use of MAGAZINE DIRECTORY, client, and other third-party information, devices, and technology. Avanade Policy 1005 – “Acceptable Use” is the equivalent of this policy.

Policy 1461 – Social Media: provides guidance to employees on using social media. Avanade Policy 0052 – “Social Media” is the equivalent of this policy.

Internal Guidelines and Global Templates

MAGAZINE DIRECTORY Participating Entities share similar guidelines and standard templates to use when creating contracts or obtaining consent for data processing and in various other circumstances. The templates can be obtained by employees from the MAGAZINE DIRECTORY internal Data Privacy site. Not all employees have access to everything. Access is restricted in some instances to legal and compliance teams. The templates may be reviewed by local counsel and localized as necessary to meet legal requirements of specific jurisdictions. These include, but are not limited to:

General Global Notice: for use when consent is not required.

Consent and Notice Template and Guidance: for use when consent is required.

Additional notice: consent implementation guidance for asset stewards.

Privacy by Design Guidance: Data Protection by Design Checklist for CIO.

Privacy Statements: MAGAZINE DIRECTORY Privacy Statement.

Vendor Templates: Data Privacy Schedules (different schedules have been produced for different scenarios involving vendor processing of MAGAZINE DIRECTORY personal data).