Binding Corporate Rules for Intra-group Transfers of Personal Data
1. Introduction
CHRISTIAN LOUBOUTIN is committed to ensuring a high level of protection of Personal Data throughout the Group and to complying with applicable laws and regulations regarding the Processing of the Personal Data of its Employees, customers, suppliers and other business partners.
The adoption and implementation of Binding Corporate Rules (BCRs) within the CHRISTIAN LOUBOUTIN Group aims at regulating intra-group transfers of Personal Data outside the EEA, in accordance with the provisions of Regulation (EU) 2016/679 (the General Data Protection Regulation or "GDPR") and the 2002/58/EC Directive (together with any other European regulations applicable to the processing and protection of Personal Data, the "European Data Protection Regulations").
Under the provisions of this legal framework, any transfer of Personal Data outside the EEA shall be framed by specific safeguards in order to ensure that the use of Personal Data made by the group is compliant with European data protection principles. We perceive our BCRs as an essential tool to effectively promote our culture on data privacy within the CHRISTIAN LOUBOUTIN Group. These BCRs will also foster data protection compliance and ease the management of Personal Data within the whole Group. CHRISTIAN LOUBOUTIN and its Employees are responsible for protecting and respecting Personal Data that they process and to which they have access.
With regard to the scope of our BCRs, the Companies of CHRISTIAN LOUBOUTIN Group which adhere to the BCRs and their Employees shall comply with the following provisions as well as with applicable local laws and regulations. Consistent with this aim, CHRISTIAN LOUBOUTIN Group has set up an effective governance structure to manage its data protection and privacy obligations.
Without prejudice to Article 4 of the BCRs, the present BCRs will apply to the transfer of Personal Data between the CHRISTIAN LOUBOUTIN Companies in accordance with Article 49 and 50 of the GDPR and/or any other applicable law and to any subsequent onward transfer that is not otherwise permitted by applicable law.
At local level, each Local data controller will either sign the present BCRs or subsequently sign a BCRs intra-group agreement (Appendix 4). In any case, the respective CHRISTIAN LOUBOUTIN Companies shall take all necessary steps to ensure compliance with the provisions of the BCRs. Compliance with these provisions and procedures will rely in particular on data privacy training programs for CHRISTIAN LOUBOUTIN’s personnel and on auditing activities.
Should a violation of the BCRs be established, any corrective measures (legal, technical or organizational) as well as any appropriate sanction (against the Local data controller and/or a local Employee, if allowed under the respective local law) may be imposed on the recommendation of the Head Controller and the Global Data Protection Officer.
2. Definitions and data protection principles
2.1 Definitions
The terms and expressions used in the BCRs and its appendices, which are written with a capital letter, shall have the meaning set out below, provided that these terms and expressions shall be interpreted in accordance with the European Data Protection Regulations.
"Applicable Data Protection Law" shall mean the data protection legislation of the country in which the Data Controller is established.
"Automated individual decision-making" shall mean a decision based solely on automated Processing of Personal Data, including Profiling, which produces legal effects concerning the Data Subject or similarly significantly affects him or her.
"CHRISTIAN LOUBOUTIN Group" shall mean CHRISTIAN LOUBOUTIN SAS, a French Société par Actions Simplifiée, having its principal offices at 19, rue Jean-Jacques Rousseau 75001 Paris, registered on the Commercial Registry of Paris under the number 380742650, and any other company controlled by CHRISTIAN LOUBOUTIN SAS, with a company being considered as controlling another: (a) when it holds directly or indirectly a portion of the capital which provides the majority of the voting rights in general meetings of shareholders of this company; (b) when it holds solely the majority of the voting rights in this company by virtue of an agreement concluded with other partners or shareholders and which is not contrary to the interest of the company; (c) when it determines de facto, by voting rights which it holds, the decisions in the general meetings of shareholders of this company; (d) when it is a partner or shareholder of this company and holds the power to nominate or to revoke the majority of members of the administrative, management or supervisory bodies or (e) in any event, when it holds, directly or indirectly, a portion of voting rights greater than 40% and when no other partner or shareholder holds directly or indirectly a portion which is greater than its own.
"CHRISTIAN LOUBOUTIN Companies" or "Company" shall mean all companies of the CHRISTIAN LOUBOUTIN Group which have signed the present BCRs or the BCRs intra-group agreement (Appendix 4) and are thereby bound by the BCRs, either as Local Data Exporters or as Local Data Importers.
"CHRISTIAN LOUBOUTIN Data Privacy Office" shall mean the team located within the Head Controller which is in charge, within the CHRISTIAN LOUBOUTIN Group at worldwide level, of managing business awareness of and compliance with applicable data protection law and with the applicable privacy policies, procedures and guidelines implemented within the CHRISTIAN LOUBOUTIN Group, in particular the BCRs.
"Consent" of a Data Subject means any freely given, specific, informed and unambiguous indication, through a statement or clear affirmative action, of the Data Subject’s agreement to the Processing of his or her Personal Data.
"Controller" shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the Processing of Personal Data.
"Data Protection Authority" shall mean an independent body which is in charge of: (i) monitoring the Processing of Personal Data within its jurisdiction (country, region or international organization), (ii) providing advice to the competent bodies with regard to legislative and administrative measures relating to the Processing of Personal Data, and (iii) hearing complaints lodged by Data subjects with regard to the protection of their data protection rights.
"Data Subject" shall mean an identified or identifiable natural person to whom specific Personal Data relates. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Data Transfer" shall mean any transfer of Personal Data from a Company to another Company. A transfer can be carried out via any communication, copy, transfer or disclosure of Personal Data through a network, including remote access to a database or transfer from one medium to another, whatever the type of medium (for instance from a computer hard disk to a server).
"EEA or European Economic Area" shall mean the countries of the European Union and countries members of EFTA (European Free Trade Association).
"Employees" are all people who perform, or have performed in the past, duties for the CHRISTIAN LOUBOUTIN Group in exchange for wages or a salary, under an employment contract (where applicable or required by law) or any other assimilated agreement (such as an internship agreement) and under a subordination relationship. This also includes directors, trainees, apprentices, contingent workers and assimilated statuses.
"General Data Protection Regulation" (or "GDPR") shall mean Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/EC.
"Global Data Protection Officer" shall mean the senior level manager who is responsible, within the CHRISTIAN LOUBOUTIN Group at a global level, for managing business awareness and compliance with Applicable Data Protection Law and CHRISTIAN LOUBOUTIN privacy policies, procedures and guidelines, especially the BCRs. CHRISTIAN LOUBOUTIN’s Global Data Protection Officer reports directly to or is part of the Management Board.
"Head Controller" or "CHRISTIAN LOUBOUTIN SAS" shall mean CHRISTIAN LOUBOUTIN SAS, a French Société par Actions Simplifiée, having its principal offices at 19, rue Jean-Jacques Rousseau 75001 Paris, registered on the Commercial Registry of Paris under the number 380742650. The Head Controller, CHRISTIAN LOUBOUTIN SAS, is the ultimate parent of all companies of the CHRISTIAN LOUBOUTIN Group. The Head Controller shall have delegated data protection responsibilities and be in charge of the application for formal BCRs and of the relationships with the coordinating Data Protection Authorities.
"Joint-Controller" shall mean two or more Controllers which jointly determine the purpose(s) and the means of the Processing.
"Leading Supervisory Authority" shall mean the Commission Nationale de l’Informatique et des Libertés or the "CNIL".
"Local data controller" shall mean the Company of the CHRISTIAN LOUBOUTIN Group which alone or jointly with others determines the purposes and means of the Processing of Personal Data; where the purposes and means of Processing are determined by national or EU laws or regulations, the Controller or the specific criteria for the Controller’s nomination may be designated by national or Community law.
"Local Data Exporter" shall mean the Company of the CHRISTIAN LOUBOUTIN Group which transfers the Personal Data outside of its country of origin to the Local Data Importer.
"Local Data Importer" shall mean the Company of the CHRISTIAN LOUBOUTIN Group which agrees to receive Personal Data from the Local Data Exporter for further Processing.
"Personal Data" shall mean any information relating to an identified or identifiable natural person ("Data Subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Personal Data Concerning Health" shall mean Personal Data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
"Personal Data Breach" shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data that has been transmitted, stored or otherwise processed.
"Processing of Personal Data" shall mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, restriction, erasure or destruction.
"Processor" shall mean a natural or legal person, public authority, agency or any other body which processes Personal Data on behalf of a Controller.
"Profiling" shall mean any form of automated Processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
"Pseudonymisation" shall mean the Processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person.
"Recipient" shall mean a natural or legal person, public authority, agency or another body to which the Personal Data are disclosed, whether a Third Party or not. However public authorities which may receive Personal Data in the framework of a particular inquiry shall not be regarded as Recipients.
"Records of Processing Activities" shall mean the records of all the information set forth in Article 30 of the GDPR which each Controller or his representative and each Processor shall maintain with regard to all processing activities under his responsibility.
"Special Categories of Personal Data" shall mean Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, Personal Data Concerning Health or a natural person’s sex life or sexual orientation.
"Supervisory Authority" or "Authorities" shall mean an independent body which is in charge of: (i) monitoring the Processing of Personal Data within its jurisdiction (country, region or international organization), (ii) providing advice to the competent bodies with regard to legislative and administrative measures relating to the Processing of Personal Data, and (iii) hearing complaints lodged by Data Subjects with regard to the protection of their data protection rights.
"Supplier" is the term used by CHRISTIAN LOUBOUTIN to refer to the majority of its Processors. A Supplier is an entity which, under a contract, may process Personal Data as instructed by a CHRISTIAN LOUBOUTIN Company, such as a payroll provider.
"Third Party" shall mean a natural or legal person, public authority, agency or any other body other than the Data Subject, the Controller, the Processor and the persons who, under the direct authority of the Controller or the Processor, are authorized to process the data.
"Technical and Organizational Security Measures" shall mean measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing, in accordance with article 5.5 of the BCRs.
"2002/58/EC Directive" shall mean Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the Processing of Personal Data and the protection of privacy in the electronic communications sector (as amended).
2.2 Data protection principles
Within the scope of these BCRs (see paragraph 4), any transfer of Personal Data to a third country which does not ensure an adequate level of protection as defined by European Data Protection Regulations shall always comply with the following data protection principles, defined in specific paragraphs of the BCRs and/or in Appendix 1.
- Fairness and transparency of the Processing
- Lawfulness of Processing
- Purpose limitation
- Data minimization
- Limited storage periods
- Data quality
- Data protection by design
- Data protection by default
- Lawful basis for Processing Personal Data and Processing Special Categories of Personal Data
- Security of Personal Data
- Onward transfers to organizations not bound by the BCRs
- Accountability
N.B.: Each Local data controller shall be responsible for, and be able to demonstrate, compliance with the present data protection principles (accountability).
3. Purpose of the BCRs
The purpose of these BCRs is to ensure an adequate level of protection for transfers of Personal Data within the CHRISTIAN LOUBOUTIN Group.
4. Scope of the BCRs
4.1 Geographical scope
The present BCRs shall apply to the transfers of Personal Data between Companies of the CHRISTIAN LOUBOUTIN Group established throughout the world and which have signed the present BCRs, or a BCRs intra-group agreement (Appendix 4). Appendix 2 includes a list of CHRISTIAN LOUBOUTIN Companies that are bound by the BCRs.
4.2 Material scope
The nature and purposes of the Personal Data being transferred within the scope of the BCRs are detailed in Appendix 3.
4.3 Scope of companies covered
The purpose of these BCRs is to frame intra-group transfers of Personal Data between the CHRISTIAN LOUBOUTIN Companies listed in Appendix 2, which act either as Local Data Exporters or as Local Data Importers.
CHRISTIAN LOUBOUTIN Companies listed in Appendix 2 undertake to abide by these BCRs upon signature of the present BCRs as of the date hereof or upon the signature of a BCRs intra-group agreement (Appendix 4).
5. Effectiveness of the BCRs
5.1 Transparency and right of information
To make the data Processing fair, Personal Data shall always be collected and further processed in a transparent manner. Thus:
- A Data Subject has the right to be provided with easy access to the BCRs and to information relating to his/her Personal Data. Therefore, a Data Subject shall always be able to obtain, upon request, a copy of the BCRs from the CHRISTIAN LOUBOUTIN Global Data Protection Officer. Information on access to the BCRs will be provided on CHRISTIAN LOUBOUTIN’s Internet website.
- Furthermore, awareness programs shall be made available to the Data Subjects, with a view to shedding light on the BCRs or any related matter, such as submitting an access request to their Personal Data (see paragraph 5.2) or submitting a claim (see paragraph 5.4).
- Data Subjects are entitled to be informed of the Processing of their Personal Data. Consistent with this aim, the Global Data Protection Officer shall provide, when appropriate, templates of information notices to every Local data controller within the CHRISTIAN LOUBOUTIN Group.
- Where, with regard to an existing Processing, Personal Data is processed for a new purpose or transferred to a new category of Recipients, the appropriate information notice shall be modified accordingly and the relevant Data Subjects informed of such modification.
- The CHRISTIAN LOUBOUTIN Group will provide a Data Subject with at least the following information, except where the Data Subject already has such information:
- the identity and contact details of the Local data controller or of his representative, if any, and, when appropriate, the place in which the Local Data Importer is based outside the EEA;
- the contact details of the Global Data Protection Officer;
- the purposes of the Processing for which the Personal Data are processed as well as the legal basis for the Processing;
- the legitimate interests pursued by the Local data controller or by a Third Party (when the Processing is based on this ground);
- the Recipients or categories of Recipients of the Personal Data, if any;
- where applicable, the fact that the Local data controller intends to transfer Personal Data to a third country, the existence or absence of an adequacy decision by the European Commission or the appropriate or suitable safeguards, and the means by which to obtain a copy of them or where they have been made available;
- the period for which the Personal Data will be stored (or the criteria used to determine that period);
- the existence of the right, to be exercised with the Local data controller, to obtain access to and request rectification or erasure of Personal Data or a restriction of the Processing or to object to Processing, as well as the right to data portability where such right is applicable;
- where the Processing is based on the Data Subject’s Consent (either as lawful basis for the Processing or for Processing of Special Categories of Personal Data), the existence of the right to withdraw Consent at any time, without affecting the lawfulness of Processing based on Consent before withdrawal;
- the right to lodge a complaint with a Supervisory Authority;
- whether the provision of Personal Data is statutory or contractual, whether the Data Subject is obliged to provide the Personal Data and the possible consequences of failure to provide such data;
- the existence of Automated Decision, including profiling, meaningful information about the logic therefor, as well as the significance and the envisaged consequences of such Processing for the Data Subject;
- the intention to further process the Personal Data for a purpose other than that for which it was collected;
- the source of the Personal Data and, if applicable, whether it came from a publicly accessible source (where Personal Data has not been obtained directly from the Data Subject).
Where the data has not been directly obtained from the Data Subjects, CHRISTIAN LOUBOUTIN will provide such information to the relevant Data Subjects within a reasonable period after obtaining the Personal Data, but at the latest within one month, taking into consideration the specific circumstances under which the Personal Data are processed; if the Personal Data are to be used for communication with the Data Subject, such information will be provided at the latest at the time of the first communication to that Data Subject; or if a disclosure to a Third Party is envisaged, no later than the time when the data is first disclosed.
Pursuant to Article 14(5) of the GDPR, which applies where the Personal Data have not been directly obtained from the Data Subjects and notwithstanding any specific provision set out in national legislations, this disclosure of information to the Data Subject will exceptionally not apply (i) where the Data Subject already has the information, (ii) where the provision of such information proves impossible or would involve a disproportionate effort, (iii) if obtaining or disclosure is expressly required by law to which the Data Controller is subject and which provides appropriate measures to protect the Data Subject’s legitimate interests or (iv) where the Personal Data must remain confidential subject to an obligation of professional secrecy regulated by law (including a statutory obligation of secrecy).
- Information must be complete and not only summarized.
5.2 Rights of access, rectification, erasure, restriction of processing, objection to the processing and data portability
- Every Data Subject has the right (after having established his/her identity and made a specific request to CHRISTIAN LOUBOUTIN) to:
(a) obtain without constraint, at reasonable intervals and without excessive delay or expense:
- confirmation as to whether Personal Data relating to the Data Subject is being processed;
- if so, at least: information as to the purposes of the Processing, the categories of Personal Data concerned, the Recipients to whom the Personal Data are disclosed, where possible the envisaged period for which the Personal Data will be stored, the existence of the right to request from CHRISTIAN LOUBOUTIN rectification or erasure of Personal Data or restriction of Processing of Personal Data concerning the Data Subject or to object to such Processing, the right to lodge a complaint with a Supervisory Authority, any available information as to the source of the Personal Data (where Personal Data are not collected directly from the Data Subject), and the existence of Automated individual decision-making, including Profiling, with at least meaningful information about the logic involved as well as the significance and the envisaged consequences of such Processing for the Data Subject;
- where Personal Data are transferred to a third country, information about the appropriate safeguards used for the Data Transfer;
- communication to the Data Subject, in an intelligible form, of the Personal Data undergoing Processing;
(b) obtain, without undue delay, the rectification of any inaccurate Personal Data. Taking into account the purposes of the Processing, the Data Subject has the right to have incomplete Personal Data completed, including by means of providing a supplementary statement;
(c) obtain, without undue delay, the erasure of any Personal Data where one of the following grounds applies: i) where the Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; ii) where the Data Subject withdraws the Consent on which the Processing is based and there are no other legal grounds or overriding legitimate grounds for the Processing; iii) the Data Subject objects to the Processing in accordance with point (g) below and there are no overriding legitimate grounds for the Processing, or the Data Subject objects to the Processing for the purposes of direct marketing in accordance with point (h) below; iv) the Personal Data has been unlawfully processed; v) the Personal Data has to be erased for compliance with a legal obligation to which CHRISTIAN LOUBOUTIN is subject; vi) the Personal Data has been collected in relation to the offer of information society services, which cover any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing and storage of data. Where CHRISTIAN LOUBOUTIN has made the Personal Data public and is obliged to erase it, CHRISTIAN LOUBOUTIN will take reasonable steps, including technical measures, to inform any Controllers processing the Personal Data concerned that the Data Subject has requested the erasure of any links to, or copy or replication of, such Personal Data (taking account of available technology and the cost of implementation) and request that such Controllers comply with the request.
Exceptions to this right to erasure apply i) when the Processing is necessary for exercising the right of freedom of expression and information; ii) for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller; iii) for reasons of public interest in the area of public health; iv) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; v) for the establishment, exercise or defense of legal claims;
(d) obtain restriction of Processing where one of the following grounds applies: i) when the accuracy of the Personal Data is contested (for the period necessary to verify the accuracy of the data), ii) when the Processing is unlawful and the Data Subject requests the restriction of use of his/her Personal Data, iii) when CHRISTIAN LOUBOUTIN no longer needs the Personal Data for the Processing but they are required by the Data Subject for the establishment, exercise or defense of legal claims, and iv) when the Data Subject has objected to a Processing that CHRISTIAN LOUBOUTIN has based on its legitimate interest (for the period necessary to verify whether the legitimate grounds of CHRISTIAN LOUBOUTIN override those of the Data Subject, if applicable);
(e) have CHRISTIAN LOUBOUTIN communicate to each Recipient to whom the Personal Data have been disclosed any rectification, erasure or restriction carried out in compliance with (b), (c) or (d), unless this proves impossible or involves a disproportionate effort. The Controller shall inform the Data Subject about the Recipients if the Data Subject requests such information;
(f) exercise his/her right to data portability, i.e. receive from CHRISTIAN LOUBOUTIN the Personal Data which he/she has provided to CHRISTIAN LOUBOUTIN in a structured, commonly used and machine-readable format, and transmit those data to another Controller without hindrance from CHRISTIAN LOUBOUTIN, when the Processing is based on Consent or on a contract and is carried out by automated means;
(g) object at any time, on compelling legitimate grounds relating to the Data Subject’s particular situation, to the Processing of Personal Data based on the legitimate interest of CHRISTIAN LOUBOUTIN;
(h) object at any time, free of charge and without having to state legitimate grounds, to the Processing of Personal Data for the purposes of direct marketing (including Profiling to the extent that it is related to such direct marketing).
- In order to enable Data Subjects to exercise their rights efficiently, specific guidelines and procedures shall be in place within the CHRISTIAN LOUBOUTIN Group, at local level, to ensure the exercise of the rights specified above. In particular, CHRISTIAN LOUBOUTIN’s Employees who collect, process or have access to Personal Data shall be trained to recognize a Data Subject’s request for access, rectification, erasure, restriction, objection or portability. Each request shall be acknowledged and handled according to the local procedure in place. A specific answer shall be given to the Data Subject within a reasonable period of time (i.e., no later than one month; that period may be extended by two further months where necessary, taking into account the complexity and number of the requests, in which case CHRISTIAN LOUBOUTIN shall inform the Data Subject of the extension within one month of receipt of the request, together with the reasons for the delay). If the request is found legitimate, CHRISTIAN LOUBOUTIN shall take the necessary steps to handle the matter in due time. If the request is denied, the Data Subject shall be informed in writing or by email of the reason for the denial and of the fact that the Data Subject may follow the internal complaint mechanism specified in paragraph 5.4.
- The Global Data Protection Officer shall be available to both Local data controllers and Data Subjects to assist them in relation to Data Subjects’ requests when necessary.
5.3 Automated individual decision-making, including profiling
- Subject to Applicable Data Protection Law, every Data Subject has the right not to be subject to a decision based solely on automated Processing, including Profiling, which produces legal effects with regard to such Data Subject or significantly affects him/her.
The above does not apply if the decision:
- is necessary for the entering into, or performance of, a contract between the Data Subject and CHRISTIAN LOUBOUTIN;
- is authorized by any Applicable Data Protection Law to which CHRISTIAN LOUBOUTIN is subject and which also lays down suitable measures to safeguard the Data Subject's rights and freedoms and legitimate interests;
- or is based on the Data Subject's explicit Consent.
5.4 Internal complaint mechanism
- If a Data Subject reasonably believes that there has been a violation of these BCRs or that the Data Subject’s Personal Data is processed in a way that is incompatible with these BCRs, the Data Subject may lodge, in accordance with the Christian Louboutin Complaint Management Procedure, a complaint to obtain adequate correction measures and, where appropriate, adequate compensation (see paragraph 6.3). Therefore:
- Specific guidelines and procedures shall be in place within the CHRISTIAN LOUBOUTIN Group, at local level, to ensure the consistency of the complaint mechanism and to ensure sufficient information is provided to the Data Subjects about these procedures. The complaints shall be dealt with by the Global Data Protection Officer. When a complaint is registered, it must be acknowledged and handled within a reasonable period of time, i.e., closed out no later than one month from receipt of the request. That period may be extended by one further month where necessary, taking into account the complexity and number of the requests; CHRISTIAN LOUBOUTIN shall inform the Data Subject of any extension within one month of receipt of the request, together with the reasons for the delay.
- All CHRISTIAN LOUBOUTIN’s representatives and Employees shall, at local level, use their best efforts to help the Local data controller to settle a complaint (see paragraph 6.3).
- All data protection complaints received by any Employee shall be communicated to the Global Data Protection Officer without any delay.
- Each CHRISTIAN LOUBOUTIN Company shall make available on an online environment, especially on www.christianlouboutin.com, practical tools or procedures allowing Data Subjects to lodge their complaints, including at least one of the below:
- Web link to complaint form
- Email address
- Telephone number
- Postal address.
For the avoidance of doubt, it is understood that if the Data Subject is not satisfied by the replies of the Global Data Protection Officer, or if the Data Subject prefers to bypass the available internal complaint mechanism, where GDPR is applicable the Data Subject has the right to lodge a complaint i) before the competent Supervisory Authority in the EU Member State of the habitual residence of the Data Subject, of his place of work or of the place of the alleged infringement, and/or ii) before the competent court of the Member State where the Local data controller or Processor has an establishment or where the Data Subject has his habitual residence (see article 6.3 below).
Prior to referring a case to the relevant Supervisory Authority or competent jurisdiction, the Data Subject shall be informed of the possibility to resolve a claim through the internal complaint mechanism described above.
5.5 Security and confidentiality / Relationships with processors that are members of the group
5.5.1 General security and confidentiality principles
It is a CHRISTIAN LOUBOUTIN priority to ensure that:
- Each Local data controller shall implement appropriate technical and organizational measures to protect Personal Data against Personal Data Breaches, taking into consideration state-of-the-art technology and the cost of implementation, the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects. Furthermore, the implemented measures shall ensure (i) a level of security appropriate to the risks represented by the Processing and the nature of the Personal Data to be protected, including, where appropriate, the Pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing. Consequently, appropriate information security policies and procedures shall be designed and implemented within the CHRISTIAN LOUBOUTIN Group to set up all appropriate physical and logistical measures. These policies and procedures shall be regularly audited (see paragraph 5.8).
- Special Categories of Personal Data shall be processed with enhanced and specific security measures.
- Access to Personal Data is limited to Recipients for the sole purpose of performing their professional duties. Disciplinary sanctions may occur if a CHRISTIAN LOUBOUTIN Employee fails to comply with the appropriate information security policies and procedures.
- In case of a Personal Data Breach (see Christian Louboutin Internal notification of a breach of Personal Data):
- Notify any Personal Data breach to the Global Data Protection Officer without undue delay;
- Document any Personal Data breach (comprising the facts relating to the Personal Data breach, its effect and the remedial actions taken) and make available the documentation to the Supervisory Authorities on request;
- Notify the Personal Data breach to the competent Supervisory Authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the Personal Data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
- Notify the Data Subjects where the Personal Data Breach is likely to result in a high risk to their rights and freedoms.
5.5.2 Relationships with Processors that are members of the CHRISTIAN LOUBOUTIN Group
Where a Local data controller requests that another CHRISTIAN LOUBOUTIN Company (the Appointed Processor) undertakes Processing of Personal Data on its behalf (for a short-term or a long-term period, depending on the case), the following safeguards shall be followed:
- Where the data Processing is carried out, the Local data controller shall i) choose an Appointed Processor providing sufficient guarantees in respect of the Technical and Organizational Security Measures governing the Processing to be carried out, and ii) ensure compliance with those measures. Any CHRISTIAN LOUBOUTIN Company which is bound by the BCRs, by signing the present BCRs as of the date hereof or the BCRs intra-group agreement in Appendix 4, undertakes to provide those sufficient guarantees and to comply with all safeguards contained herein when acting as an Appointed Processor on behalf of a Local data controller.
- The Local data controller may decide to use CHRISTIAN LOUBOUTIN Companies as an Appointed Processor and/or sub-processor for the purpose of Processing the types of Personal Data and categories of Data Subjects described in Appendix 3 of the BCRs, but strictly for the subject matters and durations specified by the Local data controller and in compliance with the provisions listed below.
- The Appointed Processor must process the Personal Data only on documented instructions from the Local Data Controller, unless the Appointed Processor is required to do the Processing by law, in which case the Processor shall promptly notify the Local Data Controller (unless such notification is explicitly prohibited by law or important grounds of public interest).
- The Appointed Processor (and/or sub-processor) undertakes:
- To ensure that persons authorized to process the Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality;
- To implement Technical and Organizational Security Measures to sufficiently protect the Personal Data against a Personal Data Breach;
- To make all information necessary to demonstrate compliance with these obligations available to the Data Controller and to allow and contribute to audits of its Processing activities, including inspections conducted by the Local data controller or by another auditor mandated by the Local data controller;
- To respect the conditions for engaging another Processor (see below);
- Not to disclose Personal Data to other Companies within the CHRISTIAN LOUBOUTIN Group for sub-Processing without informing the Local data controller, and not to disclose Personal Data to any Third Party outside the CHRISTIAN LOUBOUTIN Group without the prior explicit consent of the Local data controller (see also paragraph 5.6 below regarding transfers of data outside of the CHRISTIAN LOUBOUTIN Group). Where the Appointed Processor engages a Third Party, it shall impose on that Third Party all of the same data protection obligations as set out herein by way of a contract. Where that Third Party fails to fulfil its data protection obligations under such contract, the Appointed Processor shall remain fully liable to the Local data controller for the performance of the Third Party's obligations;
- To comply with the Local data controller’s security and confidentiality instructions;
- To use Personal Data only as necessary to carry out the obligations in connection with the performance of the services entrusted by the Local data controller;
- Not to sell, assign, rent and more generally transfer the Personal Data of the Local data controller for any reason without prior written approval of the Local data controller;
- To inform the Local data controller if, in its opinion, an instruction infringes Applicable Data Protection Laws;
- To implement procedures for managing Personal Data Breaches and to notify the Local data controller without undue delay after becoming aware of a Personal Data Breach;
- To assist the Local data controller, taking into account the nature of the Processing, by putting in place the appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Local data controller's obligation to respond to requests for exercising the Data Subject's rights as indicated in paragraph 5.2 above;
- To assist the Local data controller in ensuring compliance with its obligations as regards the security of Personal Data, the notification of a Personal Data Breach, the data protection impact assessment and the prior consultation of the Global Data Protection Officer (where necessary);
- To erase, upon completion of the work to be done, all the Personal Data transferred (including any existing copies) or, if any legal data retention requirement is applicable, to keep it recorded, provided that appropriate Technical and Organizational Security Measures are taken to protect Personal Data against any unlawful form of Processing.
- The Local data controller agrees that a CHRISTIAN LOUBOUTIN Company acting as Processor may use another CHRISTIAN LOUBOUTIN Company for sub-Processing. In this case, the initial Processor undertakes to inform the Local data controller of any intended changes concerning the Processors, giving the Local data controller the opportunity to object to such change.
- If a Processor determines the purposes and means of Processing, such Processor shall be considered to be the Controller in respect of that Processing.
- The Appointed Processor must maintain a Record of Processing Activities carried out on behalf of the Local data controller.
- The Appointed Processor will be held liable for any damage caused by Processing where it has not complied with the obligations of the BCRs specifically applicable to Processors, or where it has acted outside or contrary to the lawful instructions of the Local data controller (except if it proves that it is not in any way responsible for the event giving rise to the damage).
- Where both a Controller and a Processor (or more than one Controller or Processor) are involved in the same Processing and where they are responsible for any damage caused by Processing, each of the Controller and Processor shall be liable for the entire damage in order to ensure effective compensation of Data Subjects. Where a Controller or Processor has paid full compensation for the damage suffered, that Controller or Processor shall be entitled to claim back from the other Controllers or Processors involved in the same Processing that part of the compensation corresponding to their part of responsibility for the damage.
- The Appointed Processor shall indemnify the Local data controller for any loss, damage or claim arising as a result of a Processor’s failure to meet its obligations under this section, particularly with regard to the Processing of the Personal Data or the implementation of the Technical and Organizational Security Measures, subject to contrary provisions included in specific BCRs intra-group agreements concluded by the CHRISTIAN LOUBOUTIN Companies.
5.5.3. Relationships between joint controllers that are members of the CHRISTIAN LOUBOUTIN Group
Where two or more Controllers within the CHRISTIAN LOUBOUTIN Group jointly determine the purposes and means of Processing, they shall be Joint Controllers and they undertake the following:
- To clearly describe and document the Processing operation carried out by each Joint-Controller concerning the Personal Data Processing concerned;
- To implement the Personal Data Processing in compliance with the GDPR requirements and as reflected in the Records of Processing Activities and other documentation related to the Personal Data Processing (such as the data protection impact assessment);
- To agree to inform each other before implementing any changes on the Personal Data Processing in order to analyze the impact of such change on the compliance of the Personal Data Processing and agree on the measures and conditions of implementation of said modification (e.g. modification of information notice), where so required;
- To communicate to the Data Subjects upon request the essence of this arrangement and shall agree on the means used for this communication;
- To decide which Joint-Controller will be in charge of providing the information notice to the Data Subjects and of collecting their Consent (when required). On that matter, the Joint Controllers agree that the Joint Controller who collects the Personal Data will be in charge of these requirements;
- That in case of a request or claim from a Data Subject, the Joint-Controller who has received the claim undertakes to inform the other Joint-Controller, to handle the request on behalf of the other Joint-Controller in compliance with paragraph 5.4 (Internal complaint mechanism) and to keep the other Joint-Controller informed of the answers provided to the Data Subjects. The other Joint-Controller undertakes to provide reasonable assistance and cooperation, to allow the Joint-Controller to respond to requests or claims presented by Data Subjects;
- That the Joint-Controller who is in charge of the collection of the Personal Data is in charge of establishing and updating (if needed) the Records of Processing Activities on behalf of all Joint-Controllers and of communicating these Records to the other Joint-Controller upon request. The other Joint-Controller undertakes to provide reasonable assistance and cooperation, to allow the establishment of the Records;
- That the Joint-Controller who is in charge of the collection of the Personal Data is in charge of determining whether a data protection impact assessment is required and, if so, to:
- Inform the other Joint-Controller of this fact and complete a data protection impact assessment;
- Inform the other Joint-Controller of i) the result of the evaluation of the data protection impact assessment, ii) the proposed allocation of responsibilities of each Joint Controller with regard to the actions to be implemented and iii) whether or not prior consultation with the Supervisory Authority is necessary;
- The other Joint-Controller undertakes to provide reasonable assistance and cooperation concerning the performance and completion of the data protection impact assessment and to explicitly validate the decision/results of the data protection impact assessment, including an agreement by the Joint-Controllers to consult a Supervisory Authority;
- That the Joint-Controller who is in charge of the collection of the Personal Data is in charge of conducting a data protection compliance assessment of the Personal Data Processing (where a data protection impact assessment is not necessary) and of informing the other Joint-Controller of i) the result of the compliance assessment and ii) the proposed allocation of responsibilities of each Joint Controller with regard to the actions to be implemented. The other Joint-Controller undertakes to provide reasonable assistance and cooperation concerning the performance and completion of the compliance assessment and to explicitly validate the decision/results in relation to the data protection compliance assessment, including concerning the data retention periods to be implemented;
- To preserve the security of the Personal Data Processing and to prevent Personal Data Breaches as provided by paragraph 5.5.2;
- That the Joint Controller whose information system has been the victim of the Personal Data Breach ("the Affected Party") will have to inform the other Joint-Controller and undertakes to comply with paragraph 5.5.1 (e.g., notification to the appointed data protection officer, etc.). The Joint-Controllers commit to agree on the content of the notification to be sent to the Supervisory Authority and to the Data Subjects in a timeframe compatible with the GDPR requirements. In case the Personal Data Breach occurs in the Information System of a Processor (within or outside of the CHRISTIAN LOUBOUTIN Group), the Parties agree that the Joint-Controller who has initiated the involvement of this Processor will be in charge of the Personal Data Breach management;
- To comply with article 5.5.2 in case of sub-contracting within the CHRISTIAN LOUBOUTIN Group. In that case the Joint-Controller would have also to inform the other Joint-Controller;
- To comply with article 5.6 in case of Transfers to Processor and Controller outside the CHRISTIAN LOUBOUTIN Group. In that case the Joint-Controller would have to obtain the prior written consent of the other Party. In addition, in case of sub-contracting outside the CHRISTIAN LOUBOUTIN Group, the Joint-Controller who initiates the involvement of the Processor will be in charge of the negotiation of the written agreement with the Processor or Controller which will be concluded on behalf of all the Joint Controllers (see also for more detail paragraph 5.5.2);
- To document its respective obligations in relation to the Personal Data Processing as described in this paragraph and to make available upon request to the other Joint Controller, within a reasonable time, all the information and other documents requested as necessary to demonstrate compliance with its obligations;
- To be audited by the other Joint-Controller in order to verify whether it complies with its obligations;
- The Joint-Controllers are jointly responsible for any damage caused by Processing and each Joint-Controller shall be held liable for the entire damage in order to ensure effective compensation of the Data Subject. Where one Joint-Controller has paid full compensation for the damage suffered, that Joint-Controller shall be entitled to claim back from the other Joint-Controller involved in the same Processing that part of the compensation corresponding to their part of responsibility for the damage.
5.6 Restrictions on transfers and onward transfers to external processors and controllers
Where a Local data controller requests that a Third Party other than a CHRISTIAN LOUBOUTIN Company undertake Processing of Personal Data as a Processor or a Controller (an External Processor or an External Controller), the following safeguards shall be followed:
- External Processors located inside the EEA or in a country recognized by the EU Commission as ensuring an adequate level of protection shall be bound by a written agreement stipulating that the Processor shall act only on instructions from the Local data controller and shall be responsible for the implementation of the adequate security and confidentiality measures (see paragraph 5.4). The Global Data Protection Officer shall be able to provide templates of the appropriate clauses to a Local data controller within the CHRISTIAN LOUBOUTIN Group.
- All transfers of Personal Data from the EEA to External Controllers located outside of the EEA in a country not recognized by the EU Commission as ensuring an adequate level of protection must respect the European rules on cross-border data flows (Articles 46 and 49 of the GDPR), for instance by making use of the EU Standard Contractual Clauses approved by the EU Commission, standard data protection clauses adopted by a Supervisory Authority and approved by the EU Commission, an approved code of conduct, an approved certification mechanism, contractual clauses between a CHRISTIAN LOUBOUTIN Company and the External Controller subject to authorization from the competent Supervisory Authority, or derogations for specific situations. In addition, for Joint-Controller relationships, a written agreement has to be concluded with any External Joint-Controllers (located within or outside of the EEA) stipulating that they shall, in a transparent manner, determine their respective responsibilities for compliance with the obligations under the GDPR, in particular as regards the exercising of the rights of the Data Subject (see paragraph 5.2) and their respective duties to provide the information to said Data Subject, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the Controllers are determined by the European Union or Member State law to which the Controllers are subject. The Global Data Protection Officer shall be able to provide templates of the appropriate clauses to a Local data controller within the CHRISTIAN LOUBOUTIN Group.
- All transfers of Personal Data from the EEA to External Processors located outside of the EEA in a country not recognized by the EU Commission as ensuring an adequate level of protection must respect the rules relating to the Processors (Articles 28 and 49 of the GDPR) in addition to the rules on cross-border data flows (Articles 46 and 49 of the GDPR).
5.7. Training programs
Any CHRISTIAN LOUBOUTIN Employee, and in particular any new Employee, who collects, processes or has access to Personal Data, or who is involved in the development of tools used to process Personal Data, shall be provided with training programs in order to improve their practical skills and knowledge relating to data protection and data protection issues. In particular:
- BCRs and all related guidelines, procedures or policies shall be made available to every Employee.
- Access to the BCRs and all related guidelines, procedures or policies shall be granted to every new Employee of CHRISTIAN LOUBOUTIN. Internal notices shall also be transmitted within the CHRISTIAN LOUBOUTIN Group to raise awareness of the BCRs.
- New Employees who collect, process, or have access to Personal Data shall follow a Data Privacy training program. These trainings shall be organized in accordance with the Data Privacy training program.
- At local level, the Global Data Protection Officer shall enhance the data privacy training programs described above by adding any relevant local data protection requirement.
5.8. Audit program
- Data protection audits shall be carried out on a regular basis (subject to more stringent local laws, at least one audit every 3 years) by internal or external accredited audit teams to ensure that the BCRs and all related policies, procedures or guidelines are updated and applied.
- In order to select appropriately the relevant CHRISTIAN LOUBOUTIN Companies to audit, the Global Data Protection Officer will provide each Local data controller with a questionnaire addressing privacy matters in order for them to carry out an internal control process. Based on the results, CHRISTIAN LOUBOUTIN shall decide whether or not to perform an audit.
- Data protection audits shall cover all aspects of the BCRs and all related policies, procedures or guidelines, including methods of ensuring that corrective measures will take place. However, the scope of each audit can be narrowed to limited aspects of the BCRs and/or the related policies, procedures or guidelines, including methods of ensuring that corrective measures will take place.
- Data protection audits shall be decided directly by the Global Data Protection Officer, either upon his/her own initiative or upon specific request of the Head Controller, a Local data controller or the Global Data Protection Officer. The results of all audits shall be communicated to the Head Controller’s board of directors, the Local data controller and the Global Data Protection Officer.
- The relevant Supervisory Authority shall have access to the results of the audit upon request. Each Local data controller shall accept to be audited by a competent Supervisory Authority if required under applicable law.
- Based on the audit results and the reports mentioned in section 6.2 below, the Head Controller and/or the Global Data Privacy Officer shall decide any appropriate legal, Technical or Organizational Security Measures in order to improve data protection management within the CHRISTIAN LOUBOUTIN Group, both at global and local levels.
6. Bindingness of the BCRs
6.1. Internal binding nature
The present BCRs bind all CHRISTIAN LOUBOUTIN Companies which have signed the present BCRs or the BCRs intra-group agreement (Appendix 4) setting out and expressing their acceptance of the BCRs.
Each CHRISTIAN LOUBOUTIN Company that signs the present BCRs or the BCRs intra-group agreement is responsible for administering and overseeing the implementation of these BCRs, including making these BCRs binding upon the Employees.
Pursuant to applicable local labor law, the BCRs are made binding towards the Employees either through work employment contracts or through collective agreements or through compliance with relevant company policies in which the BCRs have been incorporated.
6.2. Compliance and supervision of compliance
CHRISTIAN LOUBOUTIN has established a data protection network with responsibility to monitor compliance with the BCRs, composed of the Global Data Protection Officer at the level of the Head Controller, appointed in compliance with Article 37 of the GDPR. The Global Data Protection Officer shall directly report to the highest management level, according to Article 38-3 of the GDPR.
At local level, the Global Data Protection Officer shall be responsible for the implementation of the BCRs. Thus:
- Global Data Protection Officers shall inform and advise the Local data controllers and the Employees who carry out Processing of their obligations;
- Global Data Protection Officers shall take all reasonable steps to make sure that Local data controllers comply with the provisions of the BCRs. To this end, a "BCR compliance check list" shall be used at local levels to make compliance checks. Data Protection audits ultimately decided by the Global Data Protection Officer may focus on how these compliance checks are made at the local level.
- Global Data Protection Officer shall be at the disposal of Local data controllers, Processors that are members of the CHRISTIAN LOUBOUTIN Group and Data Subjects to provide any help with regard to data protection issues, especially the BCRs, when necessary.
- Global Data Protection Officer or Contact must provide advice where requested as regards the conduct of any data protection impact assessment and monitor its performance where required (see Data Protection Impact Assessment methodology).
- Global Data Protection Officer shall report every year to the Head Controller about all the actions and measures taken with regard to data protection issues (data privacy training programs, Record of Processing Activities implemented, management of complaints, etc.), especially the implementation of the BCRs.
- Global Data Protection Officer shall provide, when appropriate, any appropriate templates (e.g., information notices, clauses, etc.) to each Local data controller within the CHRISTIAN LOUBOUTIN Group for any purpose related to a data protection issue.
- Global Data Protection Officer shall provide advice, where requested, with regard to the conduct of any data protection impact assessment and the monitoring of its performance where required;
- Global Data Protection Officer shall cooperate with the Supervisory Authorities and act as the contact point for the Supervisory Authorities on issues relating to Processing.
Furthermore, in terms of supervision of compliance, specific measures shall be taken to ensure the right implementation of the BCRs:
- The Global Data Protection Officer shall regularly report to the Head Controller about the implementation of the BCRs within each Local data controller and within each Processor that is a member of the CHRISTIAN LOUBOUTIN Group.
- The results of all reports made by the Global Data Protection Officer shall be communicated to the Head Controller (especially to the Head Controller’s management), and the Local data controller.
- Based on the audit results (see section 5.8 above) and the reports mentioned above, the Head Controller (especially the Head Controller’s executive board), the Global Data Protection Officer and the relevant Local data controller(s) shall decide on any appropriate measure in order to improve data protection management within the CHRISTIAN LOUBOUTIN Group, both at global and/or local levels. Any measure decided by one of the relevant stakeholders shall be taken in cooperation with the others, who shall be duly informed about such decision, when appropriate.
- The Global Data Protection Officer will liaise with the Lead Supervisory Authority pursuant to Article 56 of the GDPR.
6.3. Third party beneficiary rights
1. A Data Subject who claims to have suffered damage as a direct result of a violation of the provisions of the BCRs listed below and/or Appendix 1 of these BCRs, and who either is not satisfied with the resolution of their complaint, as described in paragraph 5.4, or desires to bypass the internal complaint mechanism and bring their complaint directly to the competent Supervisory Authority, may seek to enforce their third party beneficiary rights before the competent Supervisory Authority or before the competent courts according to the principles and terms as set out below. The BCRs complaint handling procedure shall support Data Subjects’ ability to address any data protection complaint internally. Data Subjects are however free to lodge a complaint directly with the competent Supervisory Authority or the competent courts as provided by Applicable Data Protection Laws.
2. A Data Subject shall have the right to enforce, as a third-party beneficiary, the provisions of the BCRs related to:
- Data protection principles, in particular
- Purpose limitation, data quality, and data minimization (see paragraph 2.2 and Appendix 1)
- Lawfulness of processing of Personal Data (including as to the processing of Special Categories of Personal Data (see paragraph 2.2 and Appendix 1)
- Fairness and transparency principle, and right to information and easy access to BCRs (see paragraphs 2.2 and 5.1 and Appendix 1)
- Limited storage (see paragraph 2.2 and Appendix 1)
- Data protection by design and by default (see paragraph 2.2 and Appendix 1)
- Security and confidentiality principles (see paragraph 5.5)
- Rights of access, rectification, erasure, restriction of Processing, objection to Processing and right to data portability (see paragraph 2.2 and Appendix 1)
- Rights in case of Automated individual decision-making (see paragraph 2.2 and Appendix 1)
- Restrictions on onward transfers outside of the CHRISTIAN LOUBOUTIN Group of companies (see paragraph 5.6)
- National legislation preventing respect of BCRs (see paragraph 7.2)
- Right to complain through the internal complaint mechanism (see paragraph 5.4)
- Cooperation duties with Supervisory Authorities (see paragraph 6.6)
- Liability and jurisdiction provisions (see paragraphs 6.3 and 6.4)
- Data protection principles, in particular
As a rule, regarding jurisdiction for any claim, each Data Subject shall have the right to take its case, at its best convenience
-
- - with the competent Supervisory Authority. Where GDPR is applicable, it is up to the Data Subject to choose between the Supervisory Authority in the Member State of his habitual residence, place of work or place of the alleged infringement,
- - or before the competent court. Where the GDPR is applicable, it will be the choice for the Data Subject to act before the courts of the EU Member State where the Local data controller or Processor has an establishment or where the Data Subject has his or her habitual residence.
- In accordance with the above, each Data Subject who has suffered damage shall be entitled to obtain redress and, where appropriate, receive compensation as may be ordered by the appropriate court or competent Supervisory Authority (e.g., judicial remedies) or as decided according to the internal complaint mechanism, if used.
- The BCRs shall always be readily available to every Data Subject, in the conditions described in paragraph 5.1.
- CHRISTIAN LOUBOUTIN Companies bound by the BCRs shall abide by a decision of a competent court or a competent Supervisory Authority which is final and against which no further appeal is possible.
6.4. Liability
Each CHRISTIAN LOUBOUTIN Company located within the EU which violates the BCRs and causes damages to Data Subjects shall be liable and shall take the necessary remedial actions, unless the CHRISTIAN LOUBOUTIN Company concerned can demonstrate that such damages cannot be attributed to it or to its providers for any breach of the BCRs.
CHRISTIAN LOUBOUTIN SAS accepts responsibility for and agrees to take the necessary actions to remedy the acts of other CHRISTIAN LOUBOUTIN Companies located outside the EU and to pay compensation for any material and non-material damages resulting from the violation of the BCR by such CHRISTIAN LOUBOUTIN Companies, unless CHRISTIAN LOUBOUTIN SAS can demonstrate that such damages cannot be attributed to a CHRISTIAN LOUBOUTIN Company located outside the EU or to its providers.
Where the GDPR is applicable, if a CHRISTIAN LOUBOUTIN Company located outside of the EU violates the BCRs, the courts and other competent authorities in the EU will have jurisdiction and the Data Subjects will have the rights and remedies against CHRISTIAN LOUBOUTIN SAS as if the violation had been caused by CHRISTIAN LOUBOUTIN SAS.
CHRISTIAN LOUBOUTIN SAS reserves the right to pursue remedies against the CHRISTIAN LOUBOUTIN Companies located outside the EU which violated the BCRs.
All CHRISTIAN LOUBOUTIN Companies shall have sufficient financial resources at their disposal to cover the payment of compensation for breach of the BCR. Liability as between the parties shall be limited to actual damage suffered. Indirect (i.e., consequential damages such as reputational damages) or punitive damages (i.e., damages intended to punish a party for its outrageous conduct) shall be explicitly excluded.
The above liabilities shall not be affected by any action CHRISTIAN LOUBOUTIN may take against its providers or other third parties potentially involved in the Processing of information.
6.5. Sanctions
Should a violation of the BCRs, either by Local data controller representatives or Employees, be identified, any appropriate disciplinary sanction or judicial action may be imposed, in accordance with local law, on the initiative of the Head Controller, the Global Data Protection Officer and the Local data controller.
Thus, the Global Data Protection Officer and each Local data controller shall pay specific attention to any audit results (see paragraph 5.8) establishing non-compliance by representatives or Employees, especially in case of non-compliance with the data protection principles or any of the applicable guidelines, procedures and policies related to the implementation of the BCRs.
6.6. Mutual assistance and cooperation with supervisory authorities
CHRISTIAN LOUBOUTIN Companies bound by the BCRs commit to full cooperation with the EEA Supervisory Authorities, particularly by responding within a reasonable time frame to their requests concerning the interpretation and application of the BCRs and by following their advice and recommendations in this respect, provided they are consistent with applicable law.
CHRISTIAN LOUBOUTIN Companies bound by the BCRs commit to accept audits from the competent EEA Supervisory Authorities and provide the results upon request.
Furthermore, members of CHRISTIAN LOUBOUTIN Companies bound by the BCRs shall cooperate and assist each other to handle a request or complaint from a Data Subject (see paragraph 5.3) or an inquiry by a Supervisory Authority, under supervision of the Global Data Protection Officer.
Each competent Supervisory Authority has the power to supervise the implementation of the BCRs.
7. Final provisions
7.1. Relationships between national laws and the BCRs
CHRISTIAN LOUBOUTIN SAS undertakes that the CHRISTIAN LOUBOUTIN Companies and Employees of the CHRISTIAN LOUBOUTIN Group shall comply with the provisions of the BCRs, as well as with the provisions of the Applicable Data Protection Laws.
Where the local Applicable Data Protection Laws require a higher level of protection for Personal Data, they will take precedence over the BCRs. When in doubt, the concerned CHRISTIAN LOUBOUTIN Company may consult the competent Supervisory Authorities and/or the Lead Supervisory Authority.
7.2. Actions in case of national legislation preventing respect of BCRs
If a Local data controller has reason to believe that legislation applicable to it prevents it from fulfilling its obligations under the BCRs and that this has a substantial effect on the guarantees provided by the BCRs, the Local data controller will promptly inform the Global Data Protection Officer (except where prohibited by a law enforcement authority, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation). The Global Data Protection Officer shall take a reasoned decision on the appropriate actions to be undertaken in case of conflict between the local Applicable Data Protection Law and the commitments in the BCRs.
In case of doubt and where a major conflict exists between local applicable Data Protection Law and the BCRs, the Global Data Protection Officer and President of CHRISTIAN LOUBOUTIN SAS shall consult the competent Supervisory Authorities, and are responsible for making a decision regarding the conflict.
More particularly, where any legal requirement a Local data controller is subject to in a third country is likely to have a substantial adverse effect on the guarantees provided by the BCRs, the problem should be reported to the competent Supervisory Authorities. This includes any legally binding request for disclosure of Personal Data by a law enforcement authority or state security body. In such a case, the competent Supervisory Authorities should be clearly informed about the request, including information about the Personal Data requested, the requesting body, and the legal basis for the disclosure (unless otherwise prohibited, such as by a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation).
If in specific cases the suspension and/or notification are prohibited, the requested Local data controller will use its best efforts to obtain the right to waive this prohibition in order to communicate as much information as it can and as soon as possible, and be able to demonstrate that it did so.
If, in the above cases, despite having used its best efforts, the requested Local data controller is not in a position to notify the competent Supervisory Authorities, this Local data controller commits to annually providing general information on the requests it received to the competent Supervisory Authorities (e.g. number of applications for disclosure, type of Personal Data requested, requester if possible, etc.).
In any case, Transfers of Personal Data by a Local data controller to any public authority cannot be massive, disproportionate and indiscriminate in a manner that would go beyond what is necessary in a democratic society.
7.3. Updates of the BCRs
In case of changes in laws, in CHRISTIAN LOUBOUTIN procedures or in the scope of the BCRs, the terms of the BCRs may be updated on the initiative of the Head Controller, in coordination with the Global Data Protection Officer.
Any update of the BCRs shall be recorded and kept by the Global Data Protection Officer. The Global Data Protection Officer keeps an updated list of the members of the CHRISTIAN LOUBOUTIN Group. These changes shall also be communicated to CHRISTIAN LOUBOUTIN BCRs Companies.
No transfer based on the BCRs shall be made to a new CHRISTIAN LOUBOUTIN Company until this new Company is effectively bound by the BCRs and can deliver compliance to the same.
CHRISTIAN LOUBOUTIN undertakes that any update of the BCRs or of the list of BCR members will be provided to the competent Supervisory Authorities through the Leading Supervisory Authority, with a brief explanation of the reasons justifying the update. In particular:
- any changes which would affect the level of protection offered by the BCRs or would significantly affect the BCRs will be provided promptly to the Leading Supervisory Authority, which will consider whether this affects the approval previously issued for the BCRs;
- other modifications will be provided to the Leading Supervisory Authority once a year, if applicable.
In addition, CHRISTIAN LOUBOUTIN undertakes to provide the necessary information about any updates to the BCRs to the Data Subjects upon request.
7.4. Entry into effect and termination
The BCRs shall take effect upon the date of their signature by CHRISTIAN LOUBOUTIN SAS and the CHRISTIAN LOUBOUTIN Companies signing the present BCRs as of the date hereof, which are, as a consequence, legally bound from that date. As regards the CHRISTIAN LOUBOUTIN Companies which have not signed the present BCRs as of the date hereof and which later decide to abide by the present BCRs, the BCRs shall take effect and be binding upon the date of signature of the BCRs intra-group agreement by the respective CHRISTIAN LOUBOUTIN Company.
Each Company of CHRISTIAN LOUBOUTIN recognizes that it is bound by the BCRs, from the date of signature of the present BCRs or, as the case may be, from the signature of Appendix 4 of the BCRs intra-group agreement and without any other formalities, with respect to the other CHRISTIAN LOUBOUTIN Companies already bound or about to be bound from the date of their signature, notwithstanding the date and place of signature of a BCRs intra-group agreement by each other Company of CHRISTIAN LOUBOUTIN involved, and provided that the terms of the BCRs are strictly identical between them. Unless a Company of CHRISTIAN LOUBOUTIN is able to prove that its signed BCRs intra-group agreement is not strictly identical to the ones signed by other entities, it expressly and irrevocably waives any challenge to the evidence that it is bound by the terms of the BCRs.
In the event that a Local Data Exporter or a Local Data Importer is found in substantial or persistent breach of the terms of the BCRs, the Head Controller may temporarily suspend the transfer of Personal Data until the breach is remedied. Should the breach not be remedied in due time, the Head Controller shall take the initiative to terminate the BCRs intra-group agreement with respect to that specific Local Data Exporter or Local Data Importer. In such a case, the Local Data Exporter or Local Data Importer shall take every necessary step in order to comply with the European rules on cross-border data flows (Article 46 of the GDPR), for instance by using the EU Standard Contractual Clauses approved by the EU Commission.
7.5. Applicable law / jurisdiction
The provisions of the BCRs shall be governed by the Applicable Data Protection Laws.
In accordance with paragraph 6.4, jurisdiction shall be attributed to the courts of the Local Data Importer or Local Data Exporter.
7.6. Interpretation of terms
In case of discrepancies between the BCRs and the Appendices, the main body of the BCRs shall prevail. In case of discrepancies between the BCRs including its Appendices and other global or local CHRISTIAN LOUBOUTIN policies, CHRISTIAN LOUBOUTIN procedures or CHRISTIAN LOUBOUTIN guidelines, the BCRs shall prevail. In case of discrepancies or inconsistency, the terms of the BCRs shall always be interpreted and governed by the provisions of the GDPR and 2002/58/EC Directive, as amended, if applicable.
Appendices
- Appendix 1 – Data Protection Principles
- Appendix 2 – List of the countries where CHRISTIAN LOUBOUTIN Companies are bound by the BCRs
APPENDIX 1: DATA PROTECTION PRINCIPLES
Within the scope of the BCRs, any transfer of Personal Data to a third country which does not ensure an adequate level of protection shall always comply with the following data protection principles, set out by the GDPR.
FAIRNESS & TRANSPARENCY
Fairness requires that the data subject be informed of the existence of the Processing operation and its purposes.
Any information and communication relating to the processing of the Data Subjects’ Personal Data shall be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. That principle concerns, in particular, information to the Data Subjects on the identity of the controller and the purposes of the Processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of Personal Data concerning them which are being processed.
The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the Data Subject, the information may be provided orally, provided that the identity of the Data Subject is proven by other means.
PURPOSE LIMITATION
Personal Data shall be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.
Further Processing of data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered as incompatible, provided that appropriate safeguards for the rights and freedoms of the Data Subjects are implemented, and in particular technical and organizational measures in order to ensure data minimization.
DATA MINIMIZATION, LIMITED STORAGE PERIODS AND DATA QUALITY
Data minimization: Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are collected and/or processed.
Limited storage periods: Personal Data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the data were collected or for which they are processed.
Personal Data may be stored for longer periods insofar as it is processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, and subject to implementation of the appropriate technical and organizational measures in order to safeguard the rights and freedoms of the Data Subject.
Lawfulness, fairness and transparency: Personal Data shall be processed fairly, lawfully and in a transparent manner in relation to the Data Subject.
Accuracy: Personal Data shall be accurate and, where necessary, kept up to date.
DATA PROTECTION BY DESIGN AND BY DEFAULT:
Data protection by design: the Local data controller shall implement, both at the time of the determination of the means for Processing and at the time of the Processing itself, appropriate technical and organizational measures (such as Pseudonymization) designed to implement the data-protection principles (such as data minimization) in an effective manner and to integrate the necessary safeguards into the Processing.
Data protection by default: the Local data controller must implement appropriate technical and organizational measures to ensure that, by default, only Personal Data which is necessary for each specified purpose of the Processing is processed.
LAWFULNESS OF PROCESSING OF PERSONAL DATA
Personal Data shall be processed only if:
- the Data Subject has given its Consent to the Processing for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the Local data controller is subject;
- Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Local data controller;
- Processing is necessary for the purposes of the legitimate interests pursued by the Local data controller or by the Third Party except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data, in particular where the Data Subject is a child.
LAWFULNESS OF PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA
Special Categories of Personal Data, especially Personal Data Concerning Health, shall be processed only if:
- the Data Subject has given its explicit Consent to such Processing, for one or more specified purposes, except where the applicable laws prohibit it;
- the Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the Controller and the Data Subject in the field of employment and social security and social protection law in so far as it is authorized by European Union or national law or a collective agreement providing for adequate safeguards for the fundamental rights and the interests of the Data Subjects;
- the Processing is necessary to protect the vital interests of the Data Subject or of another person where the Data Subject is physically or legally incapable of giving its Consent;
- the Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the Processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the Personal Data is not disclosed outside the body without the Consent of the Data Subjects;
- the Processing relates to Special Categories of Personal Data which is manifestly made public by the Data Subject;
- the Processing of Special Categories of Personal Data is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity;
- the Processing of the Special Categories of Personal Data is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of national law or pursuant to contract with a health professional and subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.
Other Specific Categories of Personal Data may be subject to local data protection requirements provided by national law. In particular, Processing of data relating to criminal convictions and offences or related security measures may be carried out only under the control of official authority, or when the Processing is authorized by national law providing for appropriate safeguards for the rights and freedoms of Data Subjects. In addition, national law may further determine the specific conditions for the Processing of a national identification number or any other identifier of general application. In that case the national identification number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the Data Subject pursuant to the national law.
SECURITY OF PERSONAL DATA
Appropriate technical and organizational measures shall be implemented to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure of or access to and against all other unlawful forms of Processing (see paragraph 5.5).
ONWARD TRANSFERS TO ORGANIZATIONS NOT BOUND BY BCRS
When Personal Data is intended to be transferred to a non-Louboutin Company, adequate safeguards have to be implemented (see paragraph 5.6).
ACCOUNTABILITY
The Local data controller shall be responsible for, and be able to demonstrate compliance with the present data protection principles (accountability).
Where appropriate, the Local data controller must implement appropriate data protection policies.
In order to demonstrate compliance, BCR members need to maintain a record of all categories of processing activities carried out in line with the requirements as set out in Article 30.1. of the GDPR.
In order to enhance compliance and when required, data protection impact assessments should be carried out for processing operations that are likely to result in a high risk to the rights and freedoms of natural persons (GDPR Article 35). Where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the Local data controller to mitigate the risk, the competent Supervisory Authority should be consulted prior to the processing (GDPR Article 36).
APPENDIX 2: LIST OF THE COUNTRIES WHERE CHRISTIAN LOUBOUTIN COMPANIES ARE BOUND BY THE BCRs
Each Company of the CHRISTIAN LOUBOUTIN Group will be bound by the BCRs after signing the present BCRs or after signing the BCRs intra-group agreement in Appendix 4. Currently the BCRs are applicable in all the countries listed below. For the sake of transparency, the CHRISTIAN LOUBOUTIN Group will publish on its website the state of progress of the countries where CHRISTIAN LOUBOUTIN’s Companies are bound by the BCRs.
| Head controller | CHRISTIAN LOUBOUTIN SAS |
|---|---|
| Registered address | 19, rue Jean-Jacques Rousseau 75001 Paris |
| Legal representative | Alexis Mourot |
| CHRISTIAN LOUBOUTIN Global Data Privacy Officer | Xavier Ragot |
1. CHRISTIAN LOUBOUTIN Companies located in the EEA
- Austria
- Belgium
- Denmark
- France
- Germany
- Ireland
- Italy
- Luxembourg
- The Netherlands
- Spain
- United Kingdom
- Czech Republic
2. Local CHRISTIAN LOUBOUTIN Companies located outside the EEA
- Brazil
- Canada
- Mexico
- Monaco
- Switzerland
- United States of America
3. Global Data Protection Officer
The Employee acting as Group General Counsel in CHRISTIAN LOUBOUTIN Group.
Currently, the CHRISTIAN LOUBOUTIN Group Global Data Protection Officer’s contact details are:
Xavier RAGOT
19 rue Jean Jacques Rousseau, 75 001 Paris
dpo.global@christianlouboutin.com