Ernst & Young Data Protection Binding Corporate Rules Programme


Table of contents

Introduction to the data protection binding corporate rules programme
Part I: Background and actions
Part II: The rules
Part III: Appendices
Appendix 1
Appendix 2
Appendix 3
Appendix 4
Appendix 5
Appendix 6

Introduction to the data protection binding corporate rules programme

Ernst & Young ("Ernst & Young") has established a foundation for the privacy of all personal data which is processed by Ernst & Young Member Firms[1] ("Member Firms") worldwide in its global personal data privacy programme ("global privacy programme"). The global privacy programme comprises a series of policies and procedures and sets out the principles to be applied to the processing of personal data, including the personal data of Ernst & Young's current, past and prospective partners and employees, clients, suppliers, sub-contractors and any other third parties.

One of the policies forming part of the global privacy programme is this Data Protection Binding Corporate Rules Programme ("BCR"). This BCR has been created to establish Ernst & Young's approach to compliance with European data protection law and specifically to transfers of personal data between the Member Firms.

This BCR applies to all Member Firms and their partners and employees and contains 15 rules ("Rules"). Ernst & Young must comply with and respect this BCR when collecting and using personal data. This BCR applies to all personal data including the personal data of Ernst & Young's current, past and prospective partners and employees, clients, suppliers, sub-contractors and any other third parties wherever it is collected and used as part of the regular business activities of Ernst & Young.

Transfers of personal data take place between the Member Firms during the normal course of business and such data may be stored in centralised databases accessible by Member Firms from anywhere in the world. This BCR will also apply where Member Firms process personal data on behalf of other Member Firms.
This BCR will be published on the website accessible at

[1] Ernst & Young Member Firm means any corporation, partnership or other entity or organisation which is admitted from time to time as members of Ernst & Young Global Limited pursuant to the regulations of Ernst & Young Global Limited.

Part I: Background and actions

What is data protection law?

Data protection law gives people the right to control how their personal data[2] is used. When Ernst & Young collects and uses the personal data of its current, past and prospective partners and employees, clients, suppliers, sub-contractors and any other third parties this is covered and regulated by data protection law.

How does data protection law affect Ernst & Young internationally?

Data protection law does not allow the transfer of personal data to countries outside Europe[3] that do not ensure an adequate level of data protection. Some of the countries in which Ernst & Young operates are not regarded by European data protection authorities as providing an adequate level of protection for individuals' data privacy rights.

What is Ernst & Young doing about it?

To avoid breaking the law Ernst & Young must take proper steps to ensure that its use of personal data on an international basis is safe and, hence, lawful. The purpose of this BCR, therefore, is to develop the framework set out in the global privacy programme to satisfy the standards contained in European data protection law and, as a result, provide an adequate level of protection for all personal data used and collected in Europe and transferred from the Member Firms within Europe to Member Firms outside Europe.

Although the legal obligations under European law apply only to personal data used and collected in Europe, Ernst & Young will apply this BCR globally, and in all cases where Ernst & Young processes personal data both manually and by automatic means and whether the personal data relates to Ernst & Young's current, past and prospective partners and employees, clients, suppliers, subcontractors and any other third parties.[4]

Central to this BCR are 15 Rules based on, and interpreted in accordance with, relevant European data protection standards that must be followed by each partner, employee or contractor when handling personal data.
All Member Firms are bound to comply with this BCR as a result of becoming a member of Ernst & Young Global Ltd ("EYG") by way of signing the joining agreement. By signing the joining agreement Member Firms are required to comply with all common standards, methodologies and policies of Ernst & Young which are set out in the EYG Regulations. The BCR is part of one of the common standards specifically mentioned in the EYG Regulations.

Compliance with the BCR must be confirmed annually by Member Firms to their respective Area Privacy leader. Area Privacy leaders must communicate the results of the Member Firm annual compliance confirmation to the Global Privacy Director.

[2] Personal data means any information relating to an identified or identifiable natural person in line with the definition in Directive 95/46/EC.

[3] For the purpose of this BCR reference to Europe means the EEA and Switzerland.

[4] Processing in European data protection law means any set of operations performed upon personal data whether or not by automatic means. This is interpreted widely to include collecting, storing, organising, destroying, amending, consulting, destroying and disclosure of the personal data.

What does this mean in practice for personal data collected and used in the EEA?

European data protection law states that Ernst & Young's partners and employees, clients, suppliers, sub-contractors and any other third parties whose personal data is used and/or collected in Europe by a Member Firm acting as a data controller and transferred to Member Firms outside Europe must be able to benefit from certain rights to enforce the Rules set out in this BCR and these individuals will have the right to:

- Seek enforcement of compliance with this BCR, including its appendices;
- Lodge a complaint with a European data protection authority of competent jurisdiction and/or to take action against the Member Firm established in Europe and responsible for exporting the personal data in the courts of the jurisdiction in which that Member Firm is established in order to enforce compliance with this BCR, including its appendices;
- Make complaints to a Member Firm established in Europe, seek appropriate redress from the Member Firm established in Europe and responsible for exporting the data, including the remedy of any breach of the BCR by any Member Firm outside Europe and, where appropriate, receive compensation from the Member Firm established in Europe and responsible for exporting the personal data for any damage suffered as a result of a breach of this BCR by Ernst & Young in accordance with the determination of a court or other competent authority; and
- Obtain a copy of this BCR.

In the event of a claim being made in which an individual has suffered damage where that individual can demonstrate that it is likely that the damage has occurred because of a breach of the BCR, Ernst & Young has agreed that the burden of proof to show that a Member Firm outside Europe is not responsible for the breach, or that no such breach took place, will rest with the Member Firm responsible for exporting the personal data to the Member Firm outside Europe.
Data protection roles and responsibilities

Ernst & Young's Global Privacy Director is the person who has overall responsibility for ensuring compliance with the BCR and any other supporting policies and procedures. Area Privacy leaders are responsible for overseeing compliance with this BCR by the Member Firms within their Area on a day to day basis. A description of the roles and responsibilities of the Ernst & Young global privacy team is set out in Appendix 1.

Further information

If you have any questions regarding the provisions of this BCR, your rights under this BCR or any other data privacy issues you may contact Ernst & Young's Global Privacy Director who will either deal with the matter or forward it to the appropriate person or department within Ernst & Young at the following address:

Global Privacy Director
Tel: +44 (0)
Geraldine.henbest@uk.ey.com
Address: Becket House, 1 Lambeth Palace Road, London, SE1 7EU

The Global Privacy Director is responsible for ensuring that changes to this BCR are notified to the Member Firms and to individuals whose personal data is processed by Ernst & Young via the data privacy section of the Ernst & Young website at

Part II: The rules

The Rules are divided into two sections. Section A addresses the basic principles of European data protection law Ernst & Young must observe when Ernst & Young collects and uses personal data. Section B deals with the practical commitments made by Ernst & Young to the European data protection authorities in connection with this BCR.

Section A

Rule 1: Compliance with local law

Rule 1: Ernst & Young will first and foremost comply with local law where it exists.

As an organisation, Ernst & Young will comply with any applicable legislation relating to personal data (e.g. in the United Kingdom, the Data Protection Act 1998) and will ensure that where personal data is collected and used this is done in accordance with applicable local law. Where there is no law or the law does not meet the standards set out by the Rules in this BCR, Ernst & Young's position will be to process personal data adhering to the Rules in this BCR.

Rule 2: Ensuring transparency and using personal data for a known purpose only

Rule 2A: Ernst & Young will explain to individuals, at the time their personal data is collected, how that data will be used.

Ernst & Young will ensure that individuals are told in a clear and comprehensive way (usually by means of a fair processing statement) about the uses and disclosures made of their data (including the secondary uses and disclosures of the data), the recipients or categories of recipients of the personal data and the identity of the data controller when such data is obtained by Ernst & Young from the individual, or, if not practicable to do so at the point of collection, as soon as possible after that. Where Ernst & Young obtains an individual's personal data from a source other than that individual, Ernst & Young will provide this information to the individual when their personal data is first recorded or, if it is to be disclosed to a third party, no later than the time when the data is first disclosed.
Ernst & Young will follow this Rule 2A unless there is a legitimate basis for not doing so, for example, where it is necessary to safeguard national security or defence, for the prevention or detection of crime, taxation purposes, legal proceedings or where otherwise permitted by law.

Rule 2B: Ernst & Young will only obtain and use personal data for those purposes which are known to the individual or which are within their expectations and are relevant to Ernst & Young.

This rule means that Ernst & Young will identify and make known the purposes for which personal data will be used (including the secondary uses and disclosures of the data) when such data is obtained or, if not practicable to do so at the point of collection, as soon as possible after that, unless there is a legitimate basis for not doing so as described in Rule 2A.

Rule 2C: Ernst & Young may only process personal data collected in Europe for a different or new purpose if Ernst & Young has a legitimate basis for doing so, consistent with the applicable law of the European country in which the personal data was collected.

If Ernst & Young collects personal data for a specific purpose (as communicated to the individual via the relevant fair processing statement) and subsequently Ernst & Young wishes to use the data for a different or new purpose, the relevant individuals will be made aware of such a change unless:

- It is within their expectations and they can express their concerns; or
- There is a legitimate basis for not doing so, as described in Rule 2A above.

In certain cases, for example, where the processing is of sensitive personal data, or Ernst & Young is not satisfied that the processing is within the reasonable expectation of an individual, the individual's consent to the new uses or disclosures may be necessary.

Rule 3: Ensuring data quality

Rule 3A: Ernst & Young will keep personal data accurate and up to date.

In order to ensure that the personal data held by Ernst & Young is accurate and up to date, Ernst & Young actively encourages individuals to inform Ernst & Young when their personal data changes.

Rule 3B: Ernst & Young will only keep personal data for as long as is necessary.

Personal data will always be retained and/or deleted to the extent required by law, regulation and professional standards and in line with the applicable Ernst & Young global service line and any local retention policies applying to that Member Firm. The Member Firm will dispose of personal data only in a secure manner in accordance with Ernst & Young's global security policies.

Rule 3C: Ernst & Young will only keep personal data which is relevant to Ernst & Young.

Ernst & Young will identify the minimum amount of personal data that is required in order properly to fulfil its purpose.
Rule 4: Taking appropriate security measures

Rule 4A: Ernst & Young will always adhere to its IT Security Policies.

Ernst & Young will comply with the requirements contained in Ernst & Young's global security policies as revised and updated from time to time together with any other security procedures relevant to a business area or function.

Rule 4B: Ernst & Young will ensure that providers of services to Ernst & Young also adopt appropriate and equivalent security measures.

European law expressly requires that where a provider of a service to any of the Member Firms has access to the personal data of partners and employees, clients, suppliers, sub-contractors and any other third parties (e.g. a payroll provider), strict contractual obligations, evidenced in writing and dealing with the security of that data are imposed to ensure that such service providers act only on Ernst & Young's instructions when using that data and that they have in place proportionate technical and organisational security measures to safeguard the personal data.

Rule 4C: Where a Member Firm processes personal data as a service provider that Member Firm will adhere to Rule 4A and act only on the instructions of the data controller on whose behalf the processing is carried out.

Where a service provider is a Member Firm processing personal data on behalf of a data controller (which could be another Member Firm or a third party) the service provider must act only on the instructions of the data controller on whose behalf the processing is carried out and ensure that it has in place proportionate technical and organisational security measures to safeguard the personal data.

Rule 5: Honouring individuals' rights

Rule 5A: Ernst & Young will adhere to the Subject Access Request Procedure and will be receptive to any queries or requests made by individuals in connection with their personal data.

In accordance with the terms of the Subject Access Request Procedure individuals are entitled (by making a written request to Ernst & Young) to be supplied with a copy of any personal data held about them (including both electronic and paper records). Ernst & Young will follow the steps set out in the Subject Access Request Procedure (see Appendix 2) when dealing with subject access requests.

Rule 5B: Ernst & Young will amend inaccurate personal data and deal with requests to cease processing personal data in accordance with the Subject Access Request Procedure.

In accordance with the terms of the Subject Access Request Procedure individuals are entitled to rectification of personal data which is shown to be inaccurate or incomplete and, in certain circumstances, to object to the processing of their personal data. Ernst & Young will follow the steps set out in the Subject Access Request Procedure (see Appendix 2) in such circumstances.
Rule 6: Ensuring adequate protection for overseas transfers

Rule 6: Ernst & Young will not transfer personal data to third parties outside Ernst & Young without ensuring adequate protection for the data.

In principle, international transfers of personal data to third parties outside the Member Firms are not allowed without appropriate steps being taken, such as contractual clauses, which will protect the personal data being transferred.

Rule 7: Safeguarding the use of sensitive personal data

Rule 7A: Ernst & Young will only use sensitive personal data if it is absolutely necessary to use it.

Sensitive personal data is data relating to an individual's racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, health, sex life, criminal convictions, social security files, government identification numbers or financial account numbers. Sensitive Personal Data needs to be handled with additional care, in order to respect local customs and applicable local laws. In particular, each Member Firm should:

- Avoid collection of sensitive personal data where it is not required for the purposes for which the data is collected or subsequently processed; and

- Limit access to sensitive personal data to appropriate persons (by either masking or making anonymous the data, where appropriate), in accordance with the security standards established in Ernst & Young's Global Information Security Policies.

Rule 7B: Ernst & Young will only use sensitive personal data where the individual's express consent has been obtained unless Ernst & Young has a legitimate basis for doing so consistent with the requirements of applicable data protection laws in accordance with Rule 1.

In principle, individuals must expressly agree to the collection and use of sensitive personal data by Ernst & Young unless Ernst & Young has a legitimate basis for doing so. This permission to use sensitive personal data by Ernst & Young must be genuine and freely given.

Rule 8: Legitimising direct marketing

Rule 8A: Ernst & Young will allow customers to opt out of receiving marketing data.

One of the data protection rights that individuals have is the right to object to the use of their personal data for direct marketing purposes and Ernst & Young will honour all such opt out requests.

Rule 8B: Ernst & Young will suppress from marketing initiatives the personal data of individuals who have opted out of receiving marketing data.

Ernst & Young will take all necessary steps to prevent the sending of marketing materials to individuals who have opted out.

Rule 9: Automated individual decisions

Rule 9: Where decisions are made by automated means, individuals will have the right to know the logic involved in the decision and Ernst & Young will take necessary measures to protect the legitimate interests of individuals.

There are particular requirements in place under European data protection law to ensure that no evaluation of, or decision about, a data subject which significantly affects them can be based solely on the automated processing of personal data unless measures are taken to protect the legitimate interests of individuals.
Section B

Rule 10: Training

Rule 10: Ernst & Young will provide appropriate training to partners and employees who have permanent or regular access to personal data, who are involved in the collection of personal data or in the development of tools used to process personal data.

Member Firms must take reasonable and appropriate steps to communicate with their partners and employees and to provide appropriate training on the requirements of this BCR. The Global Privacy Director will provide foundational training materials in this regard for Member Firms to customize and deliver as appropriate. In addition, partners and employees within a Member Firm should be made aware of their obligations relating to data privacy under the Global Code of Conduct. Communication and training should cover data privacy elements such as:

- Basic principles

- Importance of data privacy
- Definitions Personal and Sensitive Personal Data
- Data privacy considerations with respect to information security
- Consultation and resources

Rule 11: Assessment of compliance

Rule 11: Ernst & Young will comply with the Data Protection Binding Corporate Rules Programme Assessment of Compliance Protocol set out in Appendix 3.

Rule 12: Complaint handling

Rule 12: Ernst & Young will comply with the Data Protection Binding Corporate Rules Programme Complaint Handling Procedure set out in Appendix 4.

Rule 13: Cooperation with data protection authorities

Rule 13: Ernst & Young will comply with the Data Protection Binding Corporate Rules Programme Co-operation Procedure set out in Appendix 5.

Rule 14: Update of the rules

Rule 14: Ernst & Young will comply with the Data Protection Binding Corporate Rules Programme Updating Procedure set out in Appendix 6.

Rule 15: Actions in case of national legislation preventing respect for the BCR programme

Rule 15A: Ernst & Young will ensure that where it has reason to believe that the legislation applicable to it prevents it from fulfilling its obligations under the BCR Programme and which has a substantial effect on its ability to comply with the BCR Programme, Ernst & Young will promptly inform the Global Privacy Director unless otherwise prohibited by a law enforcement authority.

Rule 15B: Ernst & Young will ensure that where there is a conflict between the national law and this BCR Programme the Global Privacy Director will take a responsible decision on the action to take and will consult the data protection authority with competent jurisdiction in case of doubt.

PART III: Appendices

Appendix 1: Data privacy roles and responsibilities

Ernst & Young Global privacy director

The Ernst & Young Global Privacy Director is responsible for:

- Advising the Risk Management Executive Committee and other EYG leaders on data privacy matters;
- Recommending modifications to the global privacy programme, as regulations and the business environment evolve, and to other Ernst & Young policies, practices or agreements relating to data privacy for Risk Management Executive Committee approval;
- Maintaining the compliance of Ernst & Young's global systems with applicable data protection rules including the BCR (analysis of systems, definition of actions, ongoing compliance);
- Co-ordinating a community of Ernst & Young Area Privacy leaders (see below) for the purpose of competency building, collaboration on implementation of and revisions as necessary to the global privacy programme (including the BCR), sharing of leading practices, monitoring of relevant applicable regulations and consistency of communications between Member Firms and their respective local regulators with the global privacy programme;
- Collaborating with Ernst & Young People, Risk Management, General Counsel, and Global IT teams, service lines and other functions on data privacy matters;
- With the assistance of the Area Privacy leaders, overseeing the compliance of Member Firms with the global privacy programme (including the BCR);
- With the assistance of the Area Privacy Leaders, developing and providing communications and uniform training material and support; and
- With the assistance of the Area Privacy Leaders, providing guidance to Member Firms in implementing and modifying local data privacy policies and compliance programs.

Area Privacy leaders

Ernst & Young's Area Privacy leaders work with the Ernst & Young Global Privacy Director to evaluate and develop global policy and processes. The Area Privacy leaders will coordinate the implementation of the BCR locally.
In particular, they are responsible for the following within their respective Areas:

- Providing assistance to Sub-Area Privacy Leaders and Local Privacy Leaders to identify local business, legal and regulatory risks surrounding data privacy issues;
- Providing assistance to Sub-Area Privacy Leaders and Local Privacy Leaders on local privacy matters, including developing local data privacy policies, as necessary;
- Developing and implementing consistent solutions on a Global/Area basis to mitigate data privacy risks;
- Co-ordinating the development and implementation of a data privacy program in their Area that complies with the global privacy programme (including the BCR);
- Advising the Area General Counsel and Area (and if necessary) country management on data privacy issues;

- Escalating to the Area General Counsel and/or the Area (and if necessary) country management any significant compliance issues and plans for their resolution, as well as implications of local data privacy regulations;
- Advising the Ernst & Young Global Privacy Director of any local data privacy regulations in their Area that may have international or cross-border implications which are not adequately addressed by the global privacy programme (which includes the BCR);
- Confirming to the Ernst & Young Global Privacy Director, Member Firm compliance with the global privacy programme and, in particular, the BCR;
- Collaborating with Area People, Risk Management, General Counsel and IT teams, service lines and other functions on data privacy matters; and
- Periodically monitoring the effectiveness of the Area Privacy functions.

Sub Area/local Privacy leaders

Each Area may appoint a Sub-Area or local Privacy leader to assist with the coordination and implementation of Global and Area standards locally. The Sub-Area/local Privacy leader remains knowledgeable about the relevant country, region and/or state laws, governmental regulations, professional practice obligations and regulatory guidance which relate to data privacy compliance and are applicable to the Member Firms of the Sub-Area.

Appendix 2: Subject access request procedure

1. Subject access request procedure

1.1 European Data Protection law gives individuals whose personal data is collected and/or used in Europe[5] the right to be informed whether any personal data about them is being processed by an organisation. This is known as the right of subject access. All individuals whose personal data is collected and/or used in Europe and transferred between Ernst & Young entities will benefit from this right in accordance with the terms of this Subject Access Request Procedure.

1.2 This Subject Access Request Procedure explains how Ernst & Young deals with a subject access request relating to such personal data (referred to as "valid request" in this Procedure).

1.3 Where a subject access request is subject to European data protection law because it is made in respect of personal data collected and/or used in Europe, such a request will be dealt with by Ernst & Young in accordance with this Subject Access Request Procedure. Where the applicable European data protection law differs from any aspect of this Subject Access Request Procedure, the local data protection law will prevail.

1.4 An individual making a valid request to Ernst & Young is entitled to:

- Be informed whether Ernst & Young holds and is processing personal data about that individual
- Be given a description of the personal data, the purposes for which they are being held and processed and the recipients or classes of recipient to whom the personal data is, or may be, disclosed by Ernst & Young
- Communication in intelligible form of the personal data held by Ernst & Young.

1.5 The request must be made in writing, which can include

Under normal circumstances no fee will be applied but this will be left to the discretion of the Ernst & Young entity to which the request is made and in accordance with local applicable law.
1.7 Ernst & Young must respond to a valid request within 40 calendar days (or any shorter period as may be stipulated under local law) of receipt of that request.

1.8 Ernst & Young is not obliged to comply with a subject access request unless Ernst & Young is supplied with such information which it may reasonably require in order to confirm the identity of the individual making the request and to locate the information which that person seeks.

2. Procedure

2.1 Receipt of a Subject Access Request

If any employee, partner or subcontractor of Ernst & Young receives any request from an individual for their personal data, they must pass the communication to the Local Privacy Leader upon receipt indicating the date on which it was received together with any other information which may assist the Local Privacy Leader to deal with the request.

The request does not have to be official or mention data protection law to qualify as a subject access request.

2.2 Initial Steps

[5] In this Procedure Europe means the EEA plus Switzerland.

2.2.1 The Local Privacy Leader will make an initial assessment of the request to decide whether it is a valid request and whether confirmation of identity, or any further information, is required.

The Local Privacy Leader will then contact the individual in writing to confirm receipt of the subject access request, seek confirmation of identity or further information, if required, or decline the request if one of the exemptions to subject access applies.

2.3 Exemptions to subject access

A valid request may be refused on the following grounds:

(a) Where the subject access request is made to a European Ernst & Young Member Firm and relates to the use or collection of personal data by that Member Firm, if the refusal to provide the information is consistent with the data protection law within that jurisdiction; or

(b) Where the subject access request does not fall within 2.3.1(a) because it is made to a non-European Member Firm and:

(i) If, in the opinion of Ernst & Young compliance with a subject access request would (a) prejudice the essential business interests of Ernst & Young (which includes management planning, management forecasting, corporate finance or negotiations with a data subject), (b) it is necessary to do so to safeguard national or public security, defence, the prevention, investigation, detection and prosecution of criminal offences, or (c) for the protection of the data subject or of the rights and freedoms of others; or

(ii) If the personal data is held by Ernst & Young in non-automated form and is not or will not become part of a filing system; or

(iii) Where the personal data does not originate from Europe and the provision of the personal data requires Ernst & Young to use disproportionate effort.
2.4 The Search and the Response

The Local Privacy Leader will arrange a search of all relevant electronic and paper filing systems.

The Local Privacy Leader may refer any complex cases to the Area Privacy Leader or ultimately to the Global Privacy Director for advice, particularly where the request includes information relating to third parties or where the release of personal data may prejudice commercial confidentiality or legal proceedings.

The information requested will be collated by the Local Privacy Leader into a readily understandable format (internal codes or identification numbers used at Ernst & Young that correspond to personal data shall be translated before being disclosed). A covering letter will be prepared by the Local Privacy Leader which includes information required to be provided in response to a subject access request.

Where the provision of the information in permanent form is not possible or would involve disproportionate effort there is no obligation to provide a permanent copy of the information. The other information referred to in 1.4 above must still be provided. In such circumstances the individual may be offered the opportunity to have access to the information by inspection or to receive the information in another form.

2.5 Requests for erasure, amendment or cessation of processing of information

If a request is received for the deletion of that individual's personal data, such a request must be considered and dealt with as appropriate by the Local Privacy Leader. If a request is received advising of a change in that individual's personal data, such information must be rectified or updated accordingly if Ernst & Young is satisfied that there is a legitimate basis for doing so.

2.5.2 If the request is to cease processing that individual's personal data because the rights and freedoms of the individual are prejudiced by virtue of such processing by Ernst & Young, or on the basis of other compelling legitimate grounds, the matter will be referred by the Local Privacy Leader to the Area Privacy Leader and ultimately to the Global Privacy Director to assess. Where the processing undertaken by Ernst & Young is required by law, the request will not be regarded as valid.

2.6 All queries relating to this procedure are to be addressed to the Local Privacy Leader.

Appendix 3

Data protection binding corporate rules programme assessment of compliance protocol

1. Background

The purpose of the Data Protection Binding Corporate Rules Programme ("BCR") is to safeguard personal data transferred between the Member Firms. The BCR requires approval from the data protection authorities in the European member states from which the personal data is transferred. One of the requirements of the data protection authorities is that Ernst & Young assesses compliance with the BCR and satisfies certain conditions in so doing and this document describes how Ernst & Young deals with such requirements.

One of the roles of the Ernst & Young Global Privacy Director and also the Area Privacy Leaders is to provide guidance about the collection and use of personal data subject to the BCR and to assess the collection and use of personal data by the Member Firms for potential privacy-related risks. The collection and use of personal data with the potential for a significant privacy impact is, therefore, subject to detailed review and evaluation on an on-going basis. Accordingly, although this document describes the formal assessment process adopted by Ernst & Young to ensure compliance with the BCR as required by the data protection authorities, this is only one way in which Ernst & Young ensures that the provisions of the BCR are observed and corrective actions taken as required.

2. Approach

2.1 Scope of assessment

Ernst & Young's Global Risk Management function ("RM") will be responsible for carrying out assessments of compliance with the BCR and will ensure that such assessments address all aspects of the BCR. The assessments will comprise a review of the performance of particular functions within the business and also an assessment of the Member Firm adopting a risk based approach.

RM will be responsible for ensuring that the results of the assessment are brought to the attention of Ernst & Young's Global Privacy Director who will ensure that any actions identified to implement the BCR correctly take place. The Global Privacy Director will ensure that any reports indicating unsatisfactory compliance in relation to the BCR will be brought to the attention of the RM Executive Committee.

2.2 Timing

Review of compliance with the BCR will take place on a regular basis at the instigation of RM. The scope of the compliance assessment will be decided by RM Global Internal Audit in consultation with the Global Privacy Director.

2.3 Auditors

Review of compliance with the BCR will be undertaken by RM and responsibility for compliance with the BCR on a day to day basis will be undertaken by Ernst & Young's Global Privacy Director and the Area Privacy Leaders.

2.4 Report

Ernst & Young has agreed to provide copies of the results of any assessment of compliance with the BCR to a European data protection authority of competent jurisdiction upon request subject to applicable law and respect for the confidentiality and trade secrets of the information provided. The Global Privacy Director will be responsible for liaising with the European data protection authorities for this purpose.

In addition, Ernst & Young has agreed that in accordance with the provisions of clause 5 of the Co-operation Procedure [6] data protection authorities may assess compliance by Ernst & Young with the BCR. Ernst & Young's Global Privacy Director will also be responsible for liaising with the European data protection authorities for this purpose.

[6] Clause 5 states: Where any Member Firm is located within the jurisdiction of a data protection authority based in Europe, Ernst & Young agrees that that data protection authority may audit that Member Firm for the purpose of reviewing compliance with the BCR, in accordance with the applicable law of the country in which the Member Firm is located, or, in the case of a Member Firm located outside Europe, in accordance with the applicable law of the European country from which the personal data is transferred under the BCR, on giving reasonable prior notice and during business hours, with full respect to the confidentiality of the information obtained and to the trade secrets of Ernst & Young.

Appendix 4

Data protection binding corporate rules programme complaint handling procedure

Background

The Data Protection Binding Corporate Rules Programme ("BCR") safeguards personal data transferred between Member Firms. The content of the BCR is determined by the data protection authorities in the European member states from which the personal data is transferred and one of their requirements is that Ernst & Young must have a complaint handling procedure in place. The purpose of this procedure is to explain how complaints brought by an individual whose personal data is processed by Ernst & Young under the BCR are dealt with.

How individuals can bring complaints:

Individuals can bring complaints in writing by contacting the Risk Management function ("RM"), details of which are available via the Ernst & Young intranet, and/or the Global Privacy Director at Becket House, 1 Lambeth Palace Road, London, SE1 7EU or via e-mail at geraldine.henbest@uk.ey.com

Who handles complaints?

The local RM contact will handle all complaints arising under the BCR in conjunction with the Area RM Leader and ultimately the Global Privacy Director and will liaise with colleagues from relevant business and support units as appropriate to deal with complaints.

What is the response time?

Unless exceptional circumstances apply, the local RM contact will acknowledge receipt of a complaint to the individual concerned within 5 working days, investigating and making a substantive response within one month. If, due to the complexity of the complaint, a substantive response cannot be given within this period, the local RM contact will advise the complainant accordingly and provide a reasonable estimate for the timescale within which a response will be provided which will not exceed six months from the date the complaint was brought.
When a complainant disputes a finding

If the complainant disputes the response of the local RM contact or any aspect of a finding and notifies the local RM contact accordingly, the matter will be referred to the Sub Area or Area RM contact or ultimately to the Global Privacy Director as appropriate who will review the case and advise the complainant of his or her decision either to accept the original finding or to substitute a new finding. The Sub Area, Area RM contact or Global Privacy Director will respond to the complainant within six months of the referral. As part of the review the Sub Area, Area RM contact or Global Privacy Director may arrange to meet the parties in an attempt to resolve the complaint.

If the complaint is upheld, the Ernst & Young Sub Area, Area RM contact or Global Privacy Director will arrange for any necessary steps to be taken as a consequence.

Individuals whose personal data is collected and/or used and in accordance with European data protection law have the right to complain to a European data protection authority and/or to lodge an application with a court of competent jurisdiction and this includes where they are not satisfied with the way in which the complaint relating to the BCR has been resolved. Individuals entitled to such rights will be notified accordingly as part of the complaints handling procedure.

Appendix 5

Data protection binding corporate rules programme co-operation procedure

1. This Data Protection Binding Corporate Rules Programme Co-operation Procedure sets out the way in which Ernst & Young will co-operate with the European [7] data protection authorities in relation to the Data Protection Binding Corporate Rules Programme ("BCR").

2. Where required, Ernst & Young will make the necessary personnel available for dialogue with a European data protection authority in relation to the BCR.

3. Ernst & Young will actively review and consider:

- Any decisions made by relevant European data protection authorities on any data protection law issues that may affect the BCR; and
- The views of the Article 29 Working Party as outlined in its published guidance on Binding Corporate Rules.

4. Ernst & Young will provide upon request copies of the results of any assessment of compliance of the BCR to a European data protection authority of competent jurisdiction subject to applicable law and respect for the confidentiality and trade secrets of the information provided.

5. Where any Member Firm is located within the jurisdiction of a data protection authority based in Europe, Ernst & Young agrees that that data protection authority may audit that Member Firm for the purpose of reviewing compliance with the BCR, in accordance with the applicable law of the country in which the Member Firm is located, or, in the case of a Member Firm located outside Europe, in accordance with the applicable law of the European country from which the personal data is transferred under the BCR, on giving reasonable prior notice and during business hours, with full respect to the confidentiality of the information obtained and to the trade secrets of Ernst & Young.

6. Ernst & Young agrees to abide by a formal decision of the applicable data protection authority where a right to appeal is not exercised on any issues related to the interpretation and application of the BCR.

[7] References to Europe for the purposes of this document include the EEA and Switzerland.

Appendix 6

Data protection binding corporate rules programme updating procedure

1. This Data Protection Authority Updating Procedure sets out the way in which Ernst & Young will communicate changes to the Data Protection Binding Corporate Rules Programme ("BCR") to the European [8] data protection authorities, data subjects and to the Member Firms bound by the BCR.

2. Ernst & Young will communicate any material changes to the BCR to the Information Commissioner ("ICO") and any other relevant European data protection authorities as soon as reasonably practicable. Ernst & Young will communicate changes to the BCR which are administrative in nature or which have occurred as a result of a change of applicable data protection law in any European country, through any legislative, court or supervisory authority measure at least once a year. Ernst & Young will also provide a brief explanation of the reasons for any notified changes to the BCR.

3. Ernst & Young will communicate any changes to the BCR to the Ernst & Young entities bound by the BCR and to the data subjects who benefit from the BCR. Communication internally will be via the Ernst & Young internal communications process which comes from the RM community via the RM Global Managing Partner, cascading down to the Area Privacy Leaders and Area General Counsel's Offices, sub Area Privacy Leaders and sub Area General Counsel's Offices, and Local Privacy Leaders and Local General Counsel's Offices. Such communication includes publication on Ernst & Young's intranet and on Ernst & Young's external site: The BCR contains a change log which sets out the date the BCR is revised and the details of any revisions made.

4. The Global Privacy Director will maintain an up to date list of the Member Firms and will ensure that all new Member Firms are bound by the BCR before a transfer of personal data to them takes place. Ernst & Young will communicate any substantial changes to the list of Ernst & Young entities once a year. Otherwise, Ernst & Young will communicate an up to date list of entities to the ICO and any other relevant European data protection authorities when required.

[8] References to Europe for the purposes of this document include the EEA and Switzerland.

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization and may refer to one or more of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com

YYYY EYGM Limited. All Rights Reserved

ey.com


Privacy Policy. To invest significant resources in order to respect your rights in connection with Personal Data about you:

Privacy Policy. To invest significant resources in order to respect your rights in connection with Personal Data about you: Privacy Policy Last updated: May 17, 2018 This is the privacy policy (the Policy ) of the website www.experitest.com (the "Website") operated by Experitest Ltd., of 10 HaGavish St, 4250708 Poleg, Israel

More information

GDPR Annotated Privacy Statement

GDPR Annotated Privacy Statement GDPR Annotated Privacy Statement Granicus September 6, 2018 granicus.com info@granicus.com page 1 Introduction: Granicus LLC. and GovDelivery Europe, Ltd. ( Granicus or Company ) is committed to maintaining

More information

Network Rail internal privacy notice

Network Rail internal privacy notice Network Rail internal privacy notice Introduction This privacy notice describes in detail how Network Rail Infrastructure Limited (NR) and its subsidiaries use your personal information when you become

More information

Privacy and Data Protection Policy

Privacy and Data Protection Policy Privacy and Data Protection Policy I. INTRODUCTION This Privacy and Data Protection Policy ( Policy ) outlines the standards that the companies within the GuestTek organization ("GuestTek") adhere to when

More information

UK SCHOOL TRIPS PRIVACY POLICY

UK SCHOOL TRIPS PRIVACY POLICY UK SCHOOL TRIPS PRIVACY POLICY Introduction Welcome to the UK School Trips privacy notice. UK School Trips respects your privacy and is committed to protecting your personal data. This privacy notice will

More information

LEICESTER HIGH SCHOOL DATA PROTECTION POLICY

LEICESTER HIGH SCHOOL DATA PROTECTION POLICY LEICESTER HIGH SCHOOL DATA PROTECTION POLICY 1. Background Data protection is an important legal compliance issue for Leicester High School. During the course of the School's activities it collects, stores

More information

Julia Woodhouse Privacy Notice (including for use on the company website)

Julia Woodhouse Privacy Notice (including for use on the company website) Company Name: Active Apparel Recruitment Ltd ( the Company ) Company details: Document: Topic: Contact Julia Woodhouse 01422 845 945 Privacy Notice (including for use on the company website) Data protection

More information

Page 1 of 7 Recommendation CM/Rec(2010)13 of the Committee of Ministers to member states on the protection of individuals with regard to automatic processing of personal data in the context of profiling

More information

2.1.2 Gender, age, date of birth, marital status and nationality;

2.1.2 Gender, age, date of birth, marital status and nationality; PRIVACY STATEMENT FOR THE ROMAN CATHOLIC ARCHDIOCESE OF SOUTHWARK 1 INTRODUCTION 1.1 The Roman Catholic Archdiocese of Southwark (the "Diocese") is a charity registered with the Charity Commission in England

More information

Data Protection Policy

Data Protection Policy Data Protection Policy General Data Protection Regulations (GDPR) Document control Version control / history Note: This policy requires to be reviewed at least annually from the publication of the last

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY In Zagreb, 25 May 2018 Contents: 1. DEFINITIONS 2. GENERAL PROVISIONS 3. DATA PROTECTION CONTROLLER 4. PRINCIPLES OF DATA PROCESSING 5. LAWFULNESS OF DATA PROCESSING 6. DATA THAT

More information

Nissa Consultancy Ltd Data Protection Policy

Nissa Consultancy Ltd Data Protection Policy Nissa Consultancy Ltd Data Protection Policy CONTENTS Section Title 1 Introduction 2 Why this Policy Exists 3 Data Protection Law 4 Responsibilities 5 6 7 8 9 10 Data Protection Impact Assessments (DPIA)

More information

Humber Information Sharing Charter

Humber Information Sharing Charter External Ref: HIG 01 Review date November 2016 Version No. V07 Internal Ref: NELC 16.60.01 Humber Information Sharing Charter This Charter may be an uncontrolled copy, please check the source of this document

More information

James Frost Data Compliance Manager. Privacy Notice (including for use on the company website)

James Frost Data Compliance Manager. Privacy Notice (including for use on the company website) Company Name: Company Contact details: Document DP5 Topic: Jago Consultants Limited ( the Company ) James Frost Data Compliance Manager Privacy Notice (including for use on the company website) Data protection

More information

Tourettes Action Data Protection Policy

Tourettes Action Data Protection Policy Tourettes Action Data Protection Policy Effective date: 01/01/2018 Review date: 01/01/2020 Approved: Suzanne Dobson, CEO Tourettes Action Author: Pippa McClounan, Office Manager Tourettes Action Version

More information

Search Consultancy Limited Privacy Notice

Search Consultancy Limited Privacy Notice Search Consultancy Limited Privacy Notice Search Consultancy Limited and Search Consultancy Group Limited (hereinafter the Company ) is a recruitment business which provides work-finding services to its

More information

Privacy Policy 2018 VERSION 1.0

Privacy Policy 2018 VERSION 1.0 Introduction 1.1 We are committed to safeguarding the privacy of our website visitors and service users. 1.2 This policy applies where we are acting as a data controller with respect to the personal data

More information

Xerox Privacy Notice: Rights of data subjects pursuant to the General Data Protection Regulation

Xerox Privacy Notice: Rights of data subjects pursuant to the General Data Protection Regulation Xerox Privacy Notice: Rights of data subjects pursuant to the General Data Protection Regulation EU Regulation 2016/679 (known as the General Data Protection Regulation, hereinafter referred to as GDPR

More information

THINK LEGAL RECRUITMENT PRIVACY POLICY ONLINE AND GENERAL USE

THINK LEGAL RECRUITMENT PRIVACY POLICY ONLINE AND GENERAL USE THINK LEGAL RECRUITMENT PRIVACY POLICY ONLINE AND GENERAL USE As a business, we are committed to ensuring privacy to all those that use our website as well as to those that provide personal data to us

More information

Data protection (GDPR) policy

Data protection (GDPR) policy Data protection (GDPR) policy January 2018 Version: 1.0 NHS fraud. Spot it. Report it. Together we stop it. Version control Version Name Date Comment 1.0 Trevor Duplessis 22/01/18 Review due Dec 2018 OFFICIAL

More information

Trinity is committed to protecting the privacy and security of personal data.

Trinity is committed to protecting the privacy and security of personal data. This privacy notice applies data processing activities undertaken by Trinity College for security and monitoring relating to staff, students and visitors to Trinity premises including CCTV, other security

More information

Foundation trust membership and GDPR

Foundation trust membership and GDPR 05 April 2018 Foundation trust membership and GDPR In the last few weeks, we have received a number of enquiries from foundation trusts concerned about the implications of the new General Data Protection

More information

Privacy Statement About this privacy policy Who are we and how to contact us

Privacy Statement About this privacy policy Who are we and how to contact us Privacy Statement We take your privacy seriously and will only use your personal information to administer your account and to provide the products and services you have requested from us. We will never

More information

LIFE STYLE CARE PLC. Privacy Statement for Employees. August 2018

LIFE STYLE CARE PLC. Privacy Statement for Employees. August 2018 LIFE STYLE CARE PLC Privacy Statement for Employees August 2018 Key points Why we use your personal data: We typically use your personal information for purposes related to your employment relationship

More information

CHANNING SCHOOL DATA PROTECTION POLICY

CHANNING SCHOOL DATA PROTECTION POLICY CHANNING SCHOOL DATA PROTECTION POLICY The School may amend/change/update this Policy from time to time. 1. Background Data protection is an important legal compliance issue for Channing School. During

More information

Contents. NRTT Proprietary and Confidential - Reproduction and distribution without prior consent is prohibited. 2

Contents. NRTT Proprietary and Confidential - Reproduction and distribution without prior consent is prohibited. 2 Privacy Policy Contents INTRODUCTION... 4 PROCESSING PRINCIPALS... 5 FAIRNESS AND LAWFULNESS... 5 RESTRICTION TO A SPECIFIC PURPOSE... 5 DELETION... 5 CONFIDENTIALITY AND DATA SECURITY... 5 RELIABILITY

More information

DATA PROTECTION POLICY 2018

DATA PROTECTION POLICY 2018 DATA PROTECTION POLICY 2018 Amesbury Baptist Church is committed to protecting all information that we handle about people we support and work with, and to respecting people s rights around how their information

More information

DELL BANK INTERNATIONAL D.A.C DATA PROTECTION STATEMENT - USE OF PERSONAL DATA 1

DELL BANK INTERNATIONAL D.A.C DATA PROTECTION STATEMENT - USE OF PERSONAL DATA 1 DELL BANK INTERNATIONAL D.A.C DATA PROTECTION STATEMENT - USE OF PERSONAL DATA 1 1. Introduction & Scope This Data Protection Statement ( Statement ) sets out how we, Dell Bank International d.a.c., trading

More information

Data Protection. Document Detail Type of Document (Stat Policy/Policy/Procedure) Category of Document (Trust HR-Fin-FM-Gen/Academy) General

Data Protection. Document Detail Type of Document (Stat Policy/Policy/Procedure) Category of Document (Trust HR-Fin-FM-Gen/Academy) General Data Protection Document Detail Type of Document (Stat Policy/Policy/Procedure) Policy Category of Document (Trust HR-Fin-FM-Gen/Academy) General Index reference number Approved 26/04/18 Approved by Trust

More information

INTERNATIONAL WHAT GDPR MEANS FOR RECORDS MANAGEMENT

INTERNATIONAL WHAT GDPR MEANS FOR RECORDS MANAGEMENT WHAT GDPR MEANS FOR RECORDS MANAGEMENT Presented by: Sabrina Guenther Frigo Overview Background Basic Principles Scope Lawful Processing Data Subjects Rights Accountability & Governance Data Transfers

More information

POLICY ON INFORMATION, SECURITY & DATA PROTECTION

POLICY ON INFORMATION, SECURITY & DATA PROTECTION POLICY ON INFORMATION, SECURITY & DATA PROTECTION As a recruitment company, First Recruitment is a data controller. This means it processes personal data about its work seekers, individual client contacts

More information

PRIVACY NOTICE FOR JOB APPLICANTS

PRIVACY NOTICE FOR JOB APPLICANTS PRIVACY NOTICE FOR JOB APPLICANTS 1. General Information 1.1 Derby County Football Club are committed to protecting the privacy and security of your personal information. 1.2 Under data protection law,

More information

Data Protection Policy

Data Protection Policy THE CIPPENHAM SCHOOLS TRUST Data Protection Policy *Date for revision: Summer Term 2018 Responsibility for policy: Responsibility for operational: Trustees Trustees Reviewed by Directors: *subject to any

More information

ARTICLE 29 DATA PROTECTION WORKING PARTY

ARTICLE 29 DATA PROTECTION WORKING PARTY ARTICLE 29 DATA PROTECTION WORKING PARTY 17/EN WP265 Recommendation on the Standard Application form for Approval of Processor Binding Corporate Rules for the Transfer of Personal Data Adopted on 11 April

More information

Broad Run Investment Management, LLC

Broad Run Investment Management, LLC Broad Run Investment Management, LLC GDPR Disclosure The General Data Protection Regulation ( GDPR ) applies to the collection, processing and storage of personal data undertaken by organizations within

More information

CHECKLIST FOR TASKS NEEDED IN ORDER TO COMPLY WITH GDPR. Legal02# v1[RXD02]

CHECKLIST FOR TASKS NEEDED IN ORDER TO COMPLY WITH GDPR. Legal02# v1[RXD02] CHECKLIST FOR TASKS NEEDED IN ORDER TO COMPLY WITH GDPR Legal02#67236978v1[RXD02] CHECKLIST FOR TASKS NEEDED IN ORDER TO COMPLY WITH GDPR Notes: We recommend that any business looking to comply with the

More information

GOLDMAN SACHS FAIR PROCESSING NOTICE EFFECTIVE DATE: 25 MAY 2018

GOLDMAN SACHS FAIR PROCESSING NOTICE EFFECTIVE DATE: 25 MAY 2018 GOLDMAN SACHS FAIR PROCESSING NOTICE EFFECTIVE DATE: 25 MAY 2018 PURPOSE AND APPLICATION OF THIS NOTICE The Goldman Sachs Group, Inc. and its subsidiaries ( Goldman Sachs entities ) routinely collect and

More information