AXA Group is committed to maintaining the privacy of data obtained in the course of its business activities and complying with applicable laws and regulations regarding the processing of Personal Data and Special categories of Data.
AXA Group has a global Data Privacy Organization/Governance with (i) a Data Privacy governance model approved by Management Committee, (ii) a Group Data Privacy Officer, (iii) a Group Data Privacy Steering Committee, (iv) a worldwide network of Data Privacy Officers coordinated by the Group Data Privacy Officer and (v) a Group Data Privacy Standard.
AXA Group decided to adopt a set of Binding Corporate Rules (“BCR”) in order to set up adequate safeguards to ensure that Personal Data is protected while transferred within the AXA Group from an AXA Company based in a Regulated Jurisdiction (as defined in Article I below) to an AXA Company located in another jurisdiction where that transfer is not otherwise permitted by applicable law, and any subsequent onward transfer of that data that is not otherwise permitted by applicable law.
As used in the BCR, in its appendices and the Intra Group Agreement, the following terms and expressions, when written with a capital letter, shall have the following meanings set out below:
“AXA BCR Steering Committee” is a committee specifically dedicated to BCR consisting of AXA Group senior management representatives and Data Privacy Officers of selected BCR AXA Companies.
“AXA Companies” means AXA, Société Anonyme with a Board of Directors having its principal offices at 25, avenue Matignon, 75008 Paris, registered on the Commercial Registry of Paris under the number 572 093 920; and (i) any other company controlled by, or controlling AXA, with a company being considered as controlling another: (a) when it holds directly or indirectly a portion of the capital according to it the majority of the voting rights in general meetings of shareholders of this company; (b) when it holds solely the majority of the voting rights in this company by virtue of an agreement concluded with other partners or shareholders and which is not contrary to the interest of the company; (c) when it determines de facto, by voting rights which it holds, the decisions in the general meetings of shareholders of this company; (d) in any event, when it holds, directly or indirectly, a portion of voting rights greater than 40% and when no other partner or shareholder holds directly or indirectly a portion which is greater than its own; (ii) any economic interest group in which AXA and/or one or more other Companies of the AXA Group participates for at least 50% in operating costs; (iii) in the cases where the law applicable to a company limits voting rights or control (such as defined hereinabove), this company will be deemed to be a company of the AXA Group, if the voting rights in general shareholders’ meetings or the control held by a Company of the AXA Group reaches the maximum amount fixed by said applicable law; and (iv) all AXA Companies constitute the “AXA Group”.
“AXA Employees” are all the employees of the AXA Companies including directors, trainees, apprentices and assimilated status.
“AXA Group” means, together, AXA SA and all AXA Companies.
“BCR AXA Companies” are all AXA Companies which have signed the Intra-Group Agreement in their capacity either as Data Exporters or as Data Importers.
“BCR AXA Hubs” means the main transversal and/or local AXA Companies or other AXA organizations which participate in the implementation of the BCR in collaboration with the GDPO in order to protect Personal Data within AXA Group and for the transfer of Personal Data from member states of the European Economic Area (“EEA”) within EEA and outside EEA.
“Binding Corporate Rules” or “BCR” means the present Binding Corporate Rules entered into by and between AXA SA and all other BCR AXA Companies.
“Controller” means a BCR AXA Company which, alone or jointly with others, determines the purpose(s), conditions and means of the Processing of Personal Data.
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
“Data Exporter” means any Controller located in a Regulated Jurisdiction or Processor located in a Regulated Jurisdiction processing Personal Data on behalf of a Controller which transfers Personal Data outside the Regulated Jurisdiction in which it is located (whether via a Processor or third party processor or not) and has signed the Intra Group Agreement.
“Data Importer” means any Controller or Processor processing Personal Data on behalf of a Controller who receives Personal Data from the Data Exporter under a Relevant Transfer or Onward Transfer and who has signed the Intra Group Agreement.
“Data Privacy Officer” or “DPO” means the person in AXA Companies responsible for coordinating with the GDPO and for ensuring the AXA Companies’ compliance with the Binding Corporate Rules and applicable local legal / regulatory requirements.
“Data Subject” means any natural person, who can be identified, directly or indirectly, by means reasonably likely to be used by any natural or legal person, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
“European Data Protection Board” means the body of the Union composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor.
“EEA” or “European Economic Area” means the European Economic Area that combines the countries of the European Union and member countries of EFTA (European Free Trade Association). As of 2012, EEA includes Austria, Belgium, Bulgaria, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom.
“EEA Data Exporter” means any Controller located in EEA or Processor located in EEA processing Personal Data on behalf of a Controller which transfers Personal Data outside the EEA (whether via a Processor or third party Processor or not) and has signed the Intra Group Agreement.
“EEA Data Subject” means any Data Subject who was a resident of an EEA member state at the time when his/her Personal Data was collected.
“EU Model Clauses” are the standard contractual clauses issued by European Commission which offer sufficient safeguards as required by European Regulation for the transfer of personal data to third countries which do not ensure an adequate level of data protection according to European Commission.
“European Regulation” means the current and future applicable rules and regulations related to data privacy applicable in the EEA countries.
“Group Data Privacy Officer” or “GDPO” means the person in charge of the overall supervision of these Binding Corporate Rules through a network of Data Privacy Officers.
“Intra Group Agreement” or “IGA” means the BCR agreement as attached in Appendix 1 and any BCR Acceptation agreement (referred to in Schedule 2 of Appendix 1) of the AXA Group Binding Corporate Rules to be signed or signed by BCR AXA Companies.
“Onward Transfer” means the onward transfer of Personal Data previously exported pursuant either to a Relevant Transfer or to a transfer into the EU-U.S. Privacy Shield, in each case:
“Personal Data” means any data relating to an individual (natural person) who is or can be identified either from the data or from the data in conjunction with other information.
“Processing” means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, separating, crossing, merging, modification, provisioning, usage, disclosure, dissemination, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means a BCR AXA Company which processes Personal Data on behalf of a Controller.
“Regulated Jurisdiction” means any jurisdiction in the EEA and Andorra, Switzerland, Faeroe Islands, Guernsey, Isle of Man and Jersey.
“Regulated Jurisdiction Data Subject” means any Data Subject who was a resident of a Regulated Jurisdiction at the time when his/her Personal Data was collected.
“Relevant Transfer” means a transfer of Personal Data (to the extent such Personal Data has not previously been the subject of a Relevant Transfer or Onward Transfer):
“Special categories of Data” means such data as described in Article IV section 2.
“Supervisory Authority” or “Data Protection Authority” or “DPA” means the administrative authority officially in charge of Personal Data protection in each Regulated Jurisdiction in which AXA Group is present (for example in France, this authority is the Commission Nationale de l’Informatique et des Libertés; in Spain, it is the Agencia Española de Protección de Datos, etc.). For the avoidance of doubt, the term “Supervisory Authority” includes any replacement or successor of a Data Protection Authority.
“Third Party” shall mean any natural or legal person (including AXA Companies/BCR AXA Companies), public authority, agency or any other body other than the Data Subject, the Controller, the Processor and the persons who, under the direct authority of the Controller or the Processor, are authorized to process the Personal Data of a Data Subject.
The purpose of the BCR is to ensure an adequate level of protection to the Personal Data subject to a Relevant Transfer or Onward Transfer from an AXA Company based in a Regulated Jurisdiction to an AXA Company based in another jurisdiction.
AXA Group is present in more than 50 countries and more than 150 000 AXA Employees and distributors of AXA are committed to serving millions of clients.
The present BCR exclusively apply to Relevant Transfers from Data Exporters located in a Regulated Jurisdiction to Data Importers located in another jurisdiction, as well as to Onward Transfers, and the recourse against breaches under the Third Party Beneficiary Rights, Complaint and Liability provisions of these BCR (as set out in Articles VII, VIII and IX of these BCR) are limited to Regulated Jurisdiction Data Subjects.
Although BCR AXA Companies may have processes required for BCR implemented everywhere, BCR AXA Companies do not provide BCR guarantees for Personal Data that is not subject to a data privacy law in a Regulated Jurisdiction, i.e. which is not transferred from a Regulated Jurisdiction e.g.:
The present BCR binds all AXA Companies which have signed an Intra-Group Agreement setting out and expressing their acceptance of the BCR as listed in Schedule 1 to Appendix 1 or accessing to the Intra-Group Agreement. Each AXA Company signing an IGA becomes a BCR AXA Company as of the date of signature or (if later) any effective date set out in the applicable IGA.
In accordance with applicable labour law, the present BCR are made binding and enforceable upon the AXA Employees of all of the BCR AXA Companies through any of the following at each BCR AXA Company:
In accordance with applicable labour law, its own internal rules and employment contracts, each of the BCR AXA Companies may take disciplinary actions towards any of its own AXA Employees, in particular in the event of:
The purpose(s) of the Personal Data transfers and the Processing carried out after the transfers are servicing and facilitating AXA's business activities.
AXA’s areas of expertise are reflected in a range of products and services adapted to the needs of each client in three major business lines: property-casualty insurance, life & savings, and asset management:
Servicing AXA's business activities includes:
All types and categories of Personal Data processed by the BCR AXA Companies in the course of their business activities shall fall within the scope of these BCR. Such types and categories shall include: Personal Data collected from customers, prospective customers, claimants, AXA Employees, job applicants, agents, suppliers and other third parties.
The categories of Personal Data processed by the BCR AXA companies required or capable of locally collecting them in accordance with the applicable legislation include:
The BCR cover both automated and manual types of Processing.
For any Processing of Personal Data within the scope defined in ARTICLE III - SCOPE, the Processing principles set out hereinafter shall be respected.
Each of the BCR AXA Companies warrants and covenants that it complies with the obligations required by applicable law and the competent local Data Protection Authority for the original Processing of Personal Data, which is subsequently transferred under a Relevant Transfer or Onward Transfer under the BCR.
Each of the BCR AXA Companies undertakes that the Processing of Personal Data carried out under their control, including data transfers, will continue to be carried out in accordance with the provisions of these BCR and in particular with the following minimum general data protection principles:
Personal Data should only be processed if such Processing is based on a legal basis, including, for example, if:
If the Personal Data Processing is based solely on automated processing of data, including profiling, and produces legal effects concerning him or her or significantly affects him or her, the Data Subjects have the right not to be subject to such a decision, unless such Processing:
provided there are suitable measures to safeguard his or her legitimate interests, such as arrangements allowing him or her to obtain human intervention, to express his or her point of view and to contest the decision.
Each Controller will maintain a record of all categories of processing activities carried out on Personal Data of EEA Data Subjects and will make the record available to the coordinating Data Protection Authority and any other relevant Data Protection Authorities upon request.
Each Controller will conduct Data Protection Impact Assessments when required for processing operations likely to result in a high risk to the rights and freedoms of EEA Data Subjects. Where a Data Protection Impact Assessment indicates that the processing would result in a high risk in the absence of measures taken by the BCR AXA Company to mitigate the risk, the coordinating Data Protection Authority or any other relevant Data Protection Authority should be consulted.
For the purposes of these BCR, Special categories of Data shall include any Personal Data relating to:
- The racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the Data Subject;
- Whether the Data Subject is a member of a trade union;
- The physical or mental health or condition or sex life or sexual orientation of the Data Subject, genetic data, biometric data for the purpose of uniquely identifying a natural person;
- Specific data deemed within Special categories of Data under applicable law and regulation (e.g. medical data);
- The commission or alleged commission of any criminal conviction and offence by the Data Subject; or
- Any proceedings for an offence committed or alleged to have been committed by the Data Subject, the disposal of such proceedings or the sentence of any courts in such proceedings.
The list above shall in no event be regarded as setting out exhaustively Special categories of Data as local legislation may include additional categories which shall, in such cases and where applicable, be regarded as Special categories of Data by the Data Exporter and the Data Importer.
Processing of Special categories of Data is prohibited unless:
Where Processing is carried out by a subcontractor on a Data Importer’s behalf, the latter shall obtain the prior written authorization of the Data Exporter, choose a subcontractor providing sufficient guarantees to implement appropriate technical security measures and organizational measures to ensure the Processing will be carried out in accordance with the BCR, and the Data Importer must ensure that the subcontractor will comply with those measures. The Data Importer who chooses the subcontractor shall ensure that the subcontractor will agree to such technical security measures and organizational measures in writing by executing a contract in line with European Regulation stipulating in particular that the subcontractor shall act only on instructions from the Data Importer.
No Personal Data may be transferred to a Data Importer based in a country outside the EEA (or in the case of exports from another Regulated Jurisdiction, that Regulated Jurisdiction), until the Data Exporter has determined that the Data Importer is bound:
- by these BCR, or
- by other measures which allow the transfer of Personal Data according to applicable law (e.g., EU Model Clauses).
As reflected in the concepts of “Relevant Transfer” and “Onward Transfer” the BCR apply only to transfers that are not already covered by other measures which allow the transfers unless otherwise agreed in writing between the Data Exporter and the Data Importer.
For all transfers to a third party company outside of the EEA (in the case of exports from the EEA, and otherwise outside of the relevant Regulated Jurisdiction) not bound by this BCR, each Data Importer must undertake to:
- when transferring to a processor, sign a data processing agreement with the third party processor to provide adequate protection of processed data according to European standards, for instance by using the applicable EU Model Clauses proposed by the European Commission or by any agreement which takes up at least an equivalent obligation; or
- undertake all other necessary safeguards required for the transfer of Personal Data in accordance with applicable law (e.g., EU Model Clauses).
In the event of a Data Breach of Personal Data of Regulated Jurisdiction Data Subjects, the concerned BCR AXA Companies shall notify without undue delay the Data Breach to the DPO(s) of affected BCR AXA Companies, and when more than 1 000 Regulated Jurisdiction Data Subjects are concerned also to the GDPO.
The BCR AXA Companies that are Controllers involved in a Data Breach likely to result in a high risk to the rights and freedoms of the Regulated Jurisdiction Data Subjects shall also directly notify Regulated Jurisdiction Data Subjects.
Any notification of a Data Breach shall be documented and must comprise at least:
- the facts relating to the Data Breach,
- the likely consequences of the Data Breach,
- the remedial action taken to address the Data Breach including, where appropriate, measures to mitigate its possible adverse effects.
Such documentation shall be made available to the coordinating Data Protection Authority and any other relevant Data Protection Authorities upon request.
In the event of a Processing of Personal Data by Data Importer, Regulated Jurisdiction Data Subjects are entitled, upon written request, to:
in each case save to the extent permitted by the data privacy law in the Regulated Jurisdiction in which the Regulated Jurisdiction Data Subject was resident at the time his/her personal data was collected.
BCR AXA Companies undertake to implement training programs on the protection of Personal Data for AXA Employees involved in the Processing of Personal Data and development of tools used to process Personal Data with regard to the principles contained in this BCR.
The general principles for training and awareness will be elaborated centrally and practical examples will be shared, while the final development and implementation of the training and awareness sessions (e-learning, face-to-face…) will be performed by each BCR AXA Company in line with applicable laws and processes.
Each BCR AXA Company shall define how it carries out the control of the level of training successfully completed. In addition, each BCR AXA Company will determine the periodicity of training refreshers, the training on the protection of Personal Data of newly hired AXA Employees as part of their induction session upon joining a BCR AXA Company, as well as the training especially devoted to AXA Employees who are more intimately involved with critical aspects of Personal Data.
The informing of Regulated Jurisdiction Data Subjects which do not have access to AXA’s Intranet website such as clients, assimilated individuals (claimants, victims of accidents, and other beneficiaries of an insurance policy who did not subscribe to it), job applicants and suppliers about the BCR is effected by publishing the public facing BCR version on AXA’s public Internet website.
The informing of Regulated Jurisdiction Data Subjects which have access to AXA’s Intranet website such as AXA Employees and assimilated individuals (agents, representatives…) about the BCR is effected by publishing the public facing BCR version on AXA’s Intranet website.
Additional optional ways of informing clients, providers and AXA Employees at each BCR AXA Company may include: providing information to clients within a letter/notice about several subjects, providing information to clients through an agency – e.g. through agent access to intranet, and providing information to AXA Employees through works councils or other competent employee representative bodies. It is not possible (as excessively difficult and costly) to send a dedicated letter to all clients in many cases, such as claimants, victims of accidents, or beneficiaries of policy who are not insured or subscribing to it.
It is the intent of all the Data Exporters to grant Regulated Jurisdiction Data Subjects third party beneficiary rights under these BCR in respect of Relevant Transfers and Onward Transfers. Accordingly, it is expressly acknowledged and accepted by each Data Exporter that Regulated Jurisdiction Data Subjects shall be entitled to exercise their rights in respect of Relevant Transfers and Onward Transfers pursuant to the provisions of Articles IV.1, IV.2, IV.4, IV.5, V, VII, VIII, IX, X, XII.3 and XIII of these BCR and that failure by any Data Exporter to comply with its obligations under these Articles in these circumstances shall potentially give rise to remedy and, where appropriate and to the extent provided by applicable law, compensation rights (as the case may be in consideration of the breach committed and the damage suffered) for the Regulated Jurisdiction Data Subject affected.
It is expressly specified that the rights granted to Third Parties as set out above are strictly limited to Regulated Jurisdiction Data Subjects in respect of Relevant Transfers and Onward Transfers and shall in no event be extended or be interpreted as extending to non-Regulated Jurisdiction Data Subjects or other transfers of personal data.
Each BCR AXA Company is responsible for having an internal complaint handling process. In the event of a dispute, Regulated Jurisdiction Data Subjects may lodge, in accordance with the relevant local procedure, a complaint about any unlawful or inappropriate Processing of their Personal Data that is incompatible with these BCR in any fashion, to:
For avoidance of doubt, it is understood that if the Regulated Jurisdiction Data Subject is not satisfied by the replies of the Data Privacy Officer, it has the right to lodge a complaint before the relevant Data Protection Authority and/or the competent jurisdictions of the country as per above paragraph.
Each BCR AXA Company will have on its internet website practical tools allowing Regulated Jurisdiction Data Subjects to lodge their complaints, including at least one of below:
Unless it proves particularly difficult to find the necessary information to conduct the investigation, complaints must be investigated within one (1) month of the date on which the complaint is lodged. In case of particular difficulty and taking into account the complexity and number of the requests, that one (1) month period may be extended at maximum by two (2) further months, in which case, Regulated Jurisdiction Data Subjects will be informed accordingly.
Each BCR AXA Company shall bear the sole responsibility for the breaches of the BCR which fall under its responsibility towards, as the case may be, other BCR AXA Companies, competent Regulated Jurisdiction Data Protection Authorities and Regulated Jurisdiction Data Subjects in each case, to the extent provided under applicable law and regulation.
To the extent provided under applicable law and regulation and subject to Articles IX(2) and IX(3), each Data Exporter is individually liable for any harm a Regulated Jurisdiction Data Subject may suffer due to any breach of the BCR committed by itself or by a Data Importer having received the Personal Data transferred from a Regulated Jurisdiction pursuant to a Relevant Transfer or Onward Transfer originating from the related Data Exporter.
To the extent provided under applicable law and regulation and subject to Articles IX(2) and IX(3), where EEA Data Subject Personal Data originates from an EEA Data Exporter, each EEA Data Exporter is individually liable for any harm an EEA Data Subject may suffer due to any breach of the BCR committed by itself or by a Data Importer having received the Personal Data transferred from the EEA pursuant to a Relevant Transfer or Onward Transfer originating from the related EEA Data Exporter.
Subject to Articles IX(2) and (3), each BCR AXA Company shall be responsible for the loss or damage as a result of its own breach of the BCR to the extent provided under applicable law and regulation. No BCR AXA Company shall be liable for the breach committed by any other BCR AXA Company, except in the case of a breach by Data Importer where the Data Exporter may compensate the Regulated Jurisdiction Data Subject first (subject to Articles IX(2) and (3)), and then seek reimbursement from the Data Importer; e.g. if a Data Importer is in breach with BCR and the Data Exporter pays damages to the Regulated Jurisdiction Data Subject with regards to such breach, then the Data Importer shall be bound to reimburse the Data Exporter. Similarly, if a Data Exporter is in breach with BCR and the Data Importer pays damages to the Regulated Jurisdiction Data Subject with regards to such breach, then the Data Exporter shall be bound to reimburse the Data Importer.
The Data Exporter whose liability is incurred as a result of a breach by a Data Importer may take the necessary actions to remedy these acts by the Data Importers and, in consideration of the breach and of the damage suffered by the Regulated Jurisdiction Data Subject, to pay compensation to the Regulated Jurisdiction Data Subject in accordance with the applicable law and local standards. Thereafter, Data Exporter may seek recourse against the Data Importer for the breach of the BCR. The Data Exporter may be either partially or fully exonerated if it can prove that it is not responsible for the cause of such harm.
A Regulated Jurisdiction Data Subject is entitled to appropriate compensation for damages caused by a Data Importer relating to Personal Data transferred by the Data Exporter in consideration of the breach in accordance with the applicable law and local standards and in accordance with the (proven) damage suffered. To the extent permitted by applicable jurisdiction, a Regulated Jurisdiction Data Subject is entitled to bring the claim before the Data Protection Authority or the competent jurisdictions of the country in which the Data Exporter is based. Where the latter is not based in the EEA but processes EEA Data Subject Personal Data in the EEA, the competent jurisdiction shall be in the country where such processing takes place. Where EEA Data Subject Personal Data originates from an EEA Data Exporter, the competent jurisdiction shall be the place of establishment of the first EEA Data Exporter.
The following provisions apply only in circumstances where a Data Importer is acting as a Controller and set out the only circumstances when a claim may be brought by a Regulated Jurisdiction Data Subject against such a Data Importer.
In situations where complaints are lodged alleging that the Data Importer has failed in its obligations of the BCR, the Regulated Jurisdiction Data Subject must first request that the relevant Data Exporter take reasonable steps in order to investigate the case and (if there is a breach) remedy the damage resulting from the alleged breach and suffered by the Regulated Jurisdiction Data Subject and to assert its rights against the Data Importer breaching the BCR. Should the Data Exporter fail to take such steps within a reasonable time (normally 1 month), the Regulated Jurisdiction Data Subject shall then be entitled to assert its rights against the Data Importer directly. A Regulated Jurisdiction Data Subject is also entitled to take action directly against a Data Exporter who has failed to make reasonable efforts to determine whether the Data Importer is capable of satisfying its obligations under these BCR to the extent provided for and in accordance with applicable law.
The following provisions apply only in circumstances where a Data Importer is acting as a Processor and set out the only circumstances when a claim may be brought by a Regulated Jurisdiction Data Subject against such a Data Importer or its sub-processor.
If a Regulated Jurisdiction Data Subject is not able to bring a claim for compensation against the Data Exporter, arising out of a breach by the Data Importer or his sub-processor of any of their obligations under this BCR, because the Data Exporter has factually disappeared or ceased to exist in law or has become insolvent, the Data Importer agrees that the Regulated Jurisdiction Data Subject may issue a claim against the Data Importer as if it were the Data Exporter, unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law, in which case the Regulated Jurisdiction Data Subject can enforce its rights against such entity. The Data Importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
If a Regulated Jurisdiction Data Subject is not able to bring a claim against the Data Exporter or the Data Importer, arising out of a breach by a sub-processor BCR AXA Company of any of their obligations under this BCR because both the Data Exporter and the Data Importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor BCR AXA Company agrees that the Regulated Jurisdiction Data Subject may issue a claim against the data sub-processor BCR AXA Company with regard to its own processing operations as if it were the Data Exporter or the Data Importer, unless any successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law, in which case the Regulated Jurisdiction Data Subject can enforce its rights against such entity. The liability of the sub-processor BCR AXA Company shall be limited to its own Personal Data Processing operation.
The BCR AXA Companies will cooperate with their competent Data Protection Authority on any issues regarding the interpretation of the BCR, to the extent consistent with applicable law, regulations and without waiving any defences and/or rights of appeal available to the Controller:
- by making the necessary personnel available for dialogue with the Data Protection Authorities,
- by actively reviewing, considering any decisions made by the Data Protection Authorities and the views of the European Data Protection Board in respect of the BCR,
- by communicating any material changes to the BCR to their respective Data Protection Authorities,
- by answering requests for information or complaints from the Data Protection Authorities,
- by applying relevant recommendations or advice from their competent Data Protection Authorities relating to compliance by the BCR AXA Companies to the BCR.
BCR AXA Companies agree to abide by a formal decision of the competent Data Protection Authority regarding the interpretation and application of these BCR, to the extent consistent with applicable law, or regulations and without waiving any defences and/or rights of appeal available to the Controller.
BCR AXA Companies must always comply with applicable local laws. Where there is no data protection law, Personal Data will be processed according to the BCR. Where local law provides for a higher level of protection for Personal Data than the BCR, then local law will be followed. Where local law provides for a lower level of protection for Personal Data than the BCR, the BCR will be followed.
In the event a BCR AXA Company has reason to believe that the applicable legal/regulatory requirements prevent the BCR AXA Company from complying with the BCR, the BCR AXA Company shall promptly inform its DPO, and the DPO shall inform the Data Exporter DPO and the GDPO.
To the extent certain parts of these BCRs conflict with applicable legal/regulatory requirements, the applicable legal/regulatory requirements shall prevail until the respective conflicts have been resolved in a manner appropriately consistent with all applicable legal requirements. GDPO and/or DPO may contact the competent Data Protection Authority to discuss potential solutions.
When a BCR AXA Company receives a legally binding request for disclosure of Personal Data by a law enforcement authority or state security body, likely to have adverse effect on the guarantees provided by the BCR, the competent Data Protection Authority shall be informed by the DPO or the GDPO, unless otherwise prohibited under applicable local laws. The information to the DPA must comprise information about the data requested, the requesting body and the legal basis for the disclosure.
Where notification of requests for disclosure is prohibited under applicable local laws, the requested BCR AXA Company will use its best efforts to waive this prohibition. If, despite its best efforts the prohibition cannot be waived, the requested BCR AXA Company must provide annual general information to the competent Data Protection Authority on the requests it received.
In any case, disclosure of Personal Data by a BCR AXA Company to any public authority must comply with the processing principles detailed in article IV and cannot be massive, disproportionate and indiscriminate in a manner that would go beyond what is necessary in a democratic society.
The BCR shall come into force on the 15th of January 2014 for an unlimited period of time.
The BCR shall become enforceable upon each BCR AXA Company on the effective date of the IGA it enters into with regard to these BCR. The BCR shall cease to be enforceable upon a designated BCR AXA Company as soon as either (i) the BCR are terminated by written notice by GDPO to the coordinating DPA (the CNIL) and each BCR AXA Company; or (ii) the IGA it has entered into has been terminated under the conditions defined in the IGA.
This BCR (including any BCR Agreements) shall be governed by and construed in accordance with French law.
Any dispute arising between the Data Importer and the Data Exporter under this BCR Agreement shall be settled by the competent jurisdiction of the country of the Data Exporter unless otherwise provided by local laws.
Any other dispute arising between the BCR AXA Companies under the BCR (including any BCR Agreements) shall be settled by the courts of Paris of competent jurisdiction unless otherwise provided by a mandatory requirement of applicable laws.
To the extent permitted by applicable jurisdiction and the third party rights provisions of this BCR, a Regulated Jurisdiction Data Subject is entitled to bring a claim against a BCR AXA Company either
The GDPO shall ensure regular review and update of the BCR, for example as a consequence of major changes in the corporate structure and in the regulatory environment.
All BCR AXA Companies expressly acknowledge and agree that:
- Substantial modifications to these BCRs, which significantly increase the obligations of the BCR AXA Companies, may be adopted in a decision by the AXA BCR Steering Committee after one (1) month consultation by email of the BCR AXA Companies through the DPOs' emails known by the GDPO; and
- Non-substantial modifications to these BCR, which are all other modifications, may be adopted in a decision by the AXA BCR Steering Committee without the need to consult with any of the BCR AXA Companies.
The GDPO will be in charge of listing the BCR AXA Companies and of keeping track of and recording any updates to the BCR and the BCR AXA Companies. The GDPO shall communicate such updated BCR AXA Companies and any material changes to the BCR to the coordinating Data Protection Authority every year and, in addition, any other relevant Data Protection Authorities upon request. The GDPO shall promptly communicate any changes which would materially affect the level of protection offered by the BCR or significantly affect the BCR to the coordinating Data Protection Authority. The DPO shall communicate such updated public facing version of the BCR to Regulated Jurisdiction Data Subject upon request.