What is HP BCR (Binding Corporate Rules)
HP’s BCR is a corporate privacy compliance framework made up of a binding agreement, business processes and policies, training and guidelines which has been approved by the Data Protection Authorities of most EU Member States. By such approval HP is able to transfer the personal data of its European employees and customers to other members ("HP Personal Data") of the worldwide group of HP companies in compliance with EU data protection law.
1. Data Protection Safeguards
HP Companies processing HP Personal Data must comply with the BCR to ensure that your data is processed fairly and in compliance with applicable law. In particular, HP Companies will;
- Only process your personal data where they have a legal basis for doing so, which may be based on your consent, the performance of a contract you have entered into with HP or is required in connection with the legitimate interests of HP;
- Notify you of the specific purposes for which your data is collected and will not process your data in a way which is incompatible with those purposes; only collect the type and amount of your personal data which is necessary in connection with the purpose for which it is collected;
- Keep your personal data accurate and up to date where necessary and destroy the data once it is no longer needed in line with HP’s Record Retention Policy and applicable law; and
- Put in place security and confidentiality measures to ensure your personal data is protected against unauthorized use or disclosure.
HP Companies may disclose your personal data to third parties, for example, to service providers and suppliers who support the provision of our retail services in the field of customer support and marketing and companies managing employee benefit schemes. HP Companies will not disclose your personal data to third parties unless they have agreed to safeguard your data and conduct the processing of your data in compliance with applicable law. Where the third parties are located in certain countries outside the EU, HP Companies will ensure your personal data is transferred to those countries in compliance with applicable law and protected by BCR, model contracts or any other measure relevant to the specific case.
In limited circumstances you may provide HP Companies with what is defined as sensitive personal data under certain laws. This is data which relates to your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life. HP Companies will only process sensitive personal data in compliance with applicable law, which may require HP Companies to obtain your consent to the processing.
2. Data Subject Rights
If you are a European employee or customer of HP, you have the following rights under EU data protection law:
- The right of access to your personal data processed by HP. HP reserves the right to charge a fee for such access where permitted under applicable law. HP may not be able to disclose certain data to you if it is not permitted to do so by applicable law, for example data which relates to another person.
- The right to have incomplete or inaccurate personal data about you corrected, erased or blocked.
- The right to object to HP processing your personal data and to require HP to stop processing your data where there are legitimate grounds for doing so.
- The right to request that significant decisions about you are not made through the automatic processing of your personal data.
3. Additional Data Subject Rights under HP’s BCR
In addition, if you are a European employee or customer of HP, the BCR give you the following rights, as a third party beneficiary, where you believe your personal data has been transferred to an HP Company located in certain countries outside the EU and processed by that company in breach of the BCR;
- To lodge a complaint with the EU HP Company which transferred your data outside the EU. This can be done by contacting the Privacy Office at "Privacy feedback form" link at end of this text. Any complaint shall be fully investigated by the company with a view to resolving the complaint; and /or
- To lodge a complaint with the Data Protection Authority located in the same country as the European HP Company which transferred your data outside the EU; and/or
- To bring a court action against the EU HP Company which transferred your data outside the EU. In which case the European HP Company shall defend any claim, have the burden of proving that breach of the rules did not take place, and the responsibility to pay any damages awarded to you by the court.
HP’s BCR is part of HP’s continued commitment to the protection of personal data and to be accountable for any mistakes or mishandling of personal data. If you would like any further information on HP’s BCR or wish to exercise any of your rights, please contact the HP Privacy Office at Privacy feedback link below.
Privacy feedback form