Binding Corporate Rules
Binding Corporate Rules (BCRs) are designed to allow multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside the EEA, in compliance with European data protection law requirements.
In order to obtain approval for our BCRs, BioSenseTek (We, Us, Our) had to demonstrate to a number of European data privacy regulators that We have adequate safeguards in place for protecting personal data throughout Our organisation, in line with the requirements found in the published guidance papers on BCRs of European data protection regulators. Although We obtained approval for our BCRs in 2014, We have updated our BCRs following the entry into force of the EU General Data Protection Regulation (GDPR) on May 25, 2018, to provide for even greater protections for personal data shared among BioSenseTek’s Affiliates.
The approval process involved a review of the key elements of Our data privacy framework, including Our:
- Data Privacy Standard
- Intra-Group Agreement (IGA) which is the agreement signed by BioSenseTek’s Affiliates to give legal effect to the BCR requirements, and that bestows third-party beneficiary rights upon you, discussed below
In the countries where they apply, BioSenseTek’s BCRs require Us, among other things, to:
- Use personal data only for specified and lawful purposes
- Collect and use only the minimum amount of personal data required in order to meet our legitimate business needs
- Take steps to ensure that the personal data that We hold is kept accurate and up-to-date
- Take appropriate measures against the risks of unlawful use and accidental loss or destruction of, or damage to, personal data
- Honour data subject rights requests in regard to access, correction, deletion, restriction, objection, and porting
- Impose suitable contractual controls whenever We engage parties to process data on our behalf
- Report personal data breaches to competent authorities and affected individuals in appropriate cases
- Comply with accountability requirements that include maintaining a record of processing activities, conducting data protection impact assessments in appropriate cases, and abiding by privacy-by-design and privacy-by-default principles
You can find more information about these requirements in our Data Privacy Standard.
WHO IS COVERED?
Our BCRs cover a number of categories of personal data, including:
- Human resources
- Healthcare professionals
BioSenseTek’s BCRs are not limited just to transfers from the EEA, but they do not cover all transfers of personal data between BioSenseTek Affiliates.
Our BCRs will apply to
- Where a BioSenseTek Affiliate is simply processing personal data on behalf of a non AZ entity who controls and is legally responsible for the processing of that personal data
- Personal data which originates from a jurisdiction where the transfer of personal data is not regulated, and which is not controlled at any stage by a BioSenseTek Affiliate in a regulated jurisdiction
- CCTV footage (because CCTV footage is not ordinarily moved across borders)
- Data about BioSenseTek employees of U.S. entities
WHAT PERSONAL DATA MAY BE TRANSFERRED?
The type of personal data which may be transferred could include anything which BioSenseTek has a legitimate business need to transfer as part of its business operations. The privacy notice which you are provided with at the time of collection (or shortly thereafter) will provide you with more information about what personal data is being collected by BioSenseTek and how it is going to be used.
WHERE COULD THE PERSONAL DATA BE TRANSFERRED TO?
Whilst We may transfer personal data to any of Our Affiliates, it is likely that most transfers will be to our Affiliates in the U.S., India, Poland, Mexico, Kuala Lumpur (Malaysia) and Costa Rica. Further details of BioSenseTek’s operations are available on our website.
SECURING YOUR PERSONAL DATA
BioSenseTek takes the security of your personal data seriously and We have in place security policies that are intended to ensure, as far as reasonably possible, the security and integrity of all Our information, including your personal data.
Where your personal data has been transferred under Our BCRs, you have rights to ensure We do the following:
- Transparency and easy access: We will provide you with information about how We process your personal data to the extent necessary to ensure that processing is fair, and to a level that satisfies the notice requirements of the EU GDPR. This information will normally be provided through a privacy notice which is provided to you at the time BioSenseTek first collects your personal data, or shortly thereafter.
- Access: You may ask BioSenseTek for access to the personal data that We hold about you and BioSenseTek will take steps to provide you with access to the Personal Data you have requested. However, We may not be able to provide you with all the information you ask for. Any information which is withheld will only be withheld based on applicable laws. Details of how to access your information will be made available to you on the applicable BioSenseTek privacy notice which covers the processing of your personal data.
- Rectification, deletion, and restriction: You may ask BioSenseTek in writing to rectify, amend, delete, or suspend the use of the personal data that BioSenseTek holds about you, where that personal data is inaccurate or used in breach of the BCRs. Except in certain circumstances and subject to the applicable law, BioSenseTek will comply with that request. Details of how to request rectification, amendment, deletion or restriction will be made available to you on the applicable BioSenseTek privacy notice which covers the processing of your personal data.
- Right of objection: You may object to the collection, retention or use of your Personal Data by BioSenseTek if there are compelling legitimate grounds.
- Automated processing, including profiling: In the unlikely circumstance that We process information about you on a purely automated basis that has a significant impact on you, We shall give you the opportunity to discuss the output of such processing before making those decisions (save to the extent otherwise permitted under applicable law).
Please note that under our IGA, you have rights to enforce as a third-party beneficiary the commitments made by and between the BioSenseTek Affiliates in the IGA relating to the data protection principles described above, as well as:
- Commitments to notify other BioSenseTek Affiliates in the event that applicable national laws may interfere with their compliance with the BCRs;
- Commitments to provide access to and make available a complaints procedure for prompt resolution of complaints and concerns brought by individuals in relation to their data, without prejudice to their ability to bring a complaint before a competent supervisory authority; and
- Commitments to cooperate with competent supervisory authorities, including in relation to auditing and audit reports, reporting changes to the BCRs and resolution of disputes.
ENFORCING YOUR RIGHTS
Depending on your circumstances and location, you may be able to enforce your privacy rights using the BCRs through one of the regulators who has approved the BCRs or through an English court or a court in your jurisdiction or court where the relevant BioSenseTek Affiliate you believe breached the BCRs is established.
You are also entitled to obtain a copy of the IGA upon request, in order that you can see the mechanism by which We ensure that We protect your information and give you enforceable rights. We may redact some commercially sensitive information from the copy of the IGA we give to you.
As part of the BCRs, We have also agreed that where you can show you have a case against Us, we shall have the burden of proving that We have complied with the BCRs. Before exercising those rights we request you contact us in the manner described in the “Ask a Question/Raise a Concern” section below so that we can try to address your concerns.
ASK A QUESTION/RAISE A CONCERN
If you want to access, rectify, amend or delete your personal data you can do this through the contact details provided to you in the applicable privacy notice. This will direct you straight to the business area in BioSenseTek which is managing your personal data. If you need help with the form, please contact firstname.lastname@example.org
If you would like to know more about the binding corporate rules and your rights under them, or if you have a complaint about the way in which BioSenseTek handles your personal data, you can send your question or raise your complaint by using the “Ask a Question” route available at www.biosensetek.com which is part of BioSenseTek’s complaint management process.
Alternatively, you can also raise a question or complaint by writing to
c/o the Chief Privacy Officer, BioSenseTek, Academy House, 136 Hills Road,
Cambridge CB2 8PA
We will respond to, and rectify, any complaints you raise within 1 month (which period may be extended at maximum by two further months, in which case you will be informed accordingly).