Piano's Binding Corporate Rules
Piano has adopted the Binding Corporate Rules (“BCR”) to comply with EU rules on international personal data transfers. BCR help both Piano’s clients and Piano affiliated companies to transfer personal data outside the EU/EEA in strict compliance with EU General Data Protection Regulation (the “GDPR”). This website contains any information related to BCR, including:
Introduction to BCR and answers to frequently asked questions about BCR;
The text of the approved BCR;
List of Piano BCR members relying on BCR and list of 3rd countries where BCR members are established;
Complaint form of data subjects whose personal data is processed by Piano.
In case you have any questions about BCR, you can also contact our Group Data Protection Officer directly via privacy@piano.io.
1. Introduction to BCR (FAQ)
What are BCR?
BCR is a set of binding internal rules that form part of a single document sometimes called as “BCR policy”. In principle, BCR explain how Piano handles personal data when it leaves the EU/EEA. The purpose of BCR is to ensure that when personal data leaves EU/EEA, Piano will maintain the same level of personal data protection as would apply to it in the EU. In other words, even if some of Piano affiliated companies are not directly subject to GDPR and EU law, they must comply with BCR. Therefore, BCR serve as a “long arm” of the EU data protection principles and standards.
What are international data transfers?
Flow of personal data within EU/EEA is not restricted and cannot be restricted due to the internal market rules. However, any exporting of personal data outside EU/EEA is. This is based on the premise, that not all countries have legislation and respect for basic human rights like does the EU/EEA. The global presence of Piano affiliated companies and our technological vendors means we must comply with strict rules every time we process personal data originating from EU/EEA jurisdictions. These rules are governed by Article 45 – 49 GDPR, case-law of CJEU and EU courts (see mainly “Schrems II” ruling) as well as relevant guidelines. In essence, these rules provide that personal data cannot be transferred outside EU/EEA unless certain transfer guarantees are in place (such as BCR) and even then the exporter must adopt additional / supplementary measures on a case-by-case basis.
Why Piano adopted BCR?
Before using BCR, Piano has been using so-called EU standard contractual clauses. However, BCR are widely regarded as the highest commitment in terms of international data protection transfers, mainly due to regulatory approval process and mandatory parts of BCR. As part of our global commitment to privacy and data protection, BCR make using of Piano products easier for our clients from regulatory perspective. In addition, relying on the same standard, BCR make everyday compliance with different data protection laws easier also for us internally.
Who reviewed our BCR?
Our BCR have been reviewed by the European Data Protection Board and by number of EU data protection supervisory authorities including French, Polish, Latvian and Romanian supervisory authorities. Only after several rounds of reviews, our BCR were finally approved by the lead supervisory authority on {date} 2022. BCR approval proceedings took more than 2 years. During the process, it has been established that Piano Group’s lead supervisory authority is the Office for Personal Data Protection of the Slovak Republic. You can find the final decision approving our BCR here.
How are BCR enforceable?
BCR contain so-called 3rd party beneficiary clause (see clause 4 of BCR) that can be relied upon by: (i) our clients using Piano products; and (ii) any individual whose personal data is subject to Piano’s personal data transfers. This clause allows to enforce key obligations of Piano under BCR against any BCR member in any applicable jurisdiction. Therefore, although BCR are effectively internal rules (or policy) that we follow, they can also be enforced against us externally. If you would like to enforce BCR or related rights, feel free to use the complaint form below.
Why we have two sets of BCR?
Piano has adopted two types of BCR.
Type of BCR | Scope | Referred to as |
---|---|---|
Processor type BCR for client / publisher purposes | When our clients (publishers) use Piano products, we process personal data on their behalf as their processors under Article 28 GDPR. This processing concerns mainly visitors and users of publishers’ websites. | “BCR – P” |
Controller type BCR for internal purposes | When we process personal data for our own organizational needs we act as joint controllers under Article 26 GDPR. This processing concerns mainly Piano employees and personnel. | “BCR – C” |
What is the lead supervisory authority?
The lead supervisory authority is the data protection office that approves BCR for the whole group. This is usually the data protection office in the EU member state, where the group has its main establishment. Groups with main establishment located outside of EU can delegate such responsibilities to its other EU establishments. In case of Piano, Piano Slovakia, s.r.o. has been appointed as the EU establishment with delegated data protection responsibilities. Therefore, the lead supervisory authority of the Piano Group is Office for Personal Data Protection of the Slovak Republic. This means that Piano Slovakia accepted:
the liability for any breaches of BCRs by any BCR Member not established in the EU (including the liability to pay compensation for any material or non-material damages resulting from the violation of the BCRs by such BCR Members) - Piano Slovakia shall be exempt from that liability only if it proves that that BCR Member is not responsible for the event giving rise to the damage;
that in case BCR Member not established in the EU violates BCRs, the courts or other competent supervisory authority in the EU will have jurisdiction over the dispute and the data subject will have the rights and remedies against Piano Slovakia as if the violation had been caused by Piano Slovakia instead of the BCR Member outside the EU;
that the burden of proof to demonstrate that the BCR Member outside the EU is not liable for any violation of BCRs which has resulted in the data subject claiming damages will lie on Piano Slovakia, not on the data subject; and
to take the necessary action to remedy the acts of other BCR Members outside of the EU.
What specific safeguards do BCRs provide (legal)?
Piano has implemented the following measures within the BCRs:
Data Protection Officer (“DPO”) responsible for Piano Group
You may contact our DPO at privacy@piano.io.
Training program
Employees, directors and staff of Piano Group who have permanent or regular access to personal data or are involved in the collection of data or in the development of tools used to process personal data regularly attend appropriate training on the BCRs, data protection and security. DPO develops and oversees a suitable training program at Piano Group.
Audit program
Piano Group conduct regular data protection audits to ensure verification of compliance with BCRs, including audit of all relevant IT systems, databases, security policies and, if applicable, the physical record systems of Piano Group. Such audits may cover wider overall data protection compliance of Piano Group where verification of compliance with BCRs is only part of the audit, or such audits can be focused solely on BCRs. Such audits shall be:
conducted on annual basis;
conducted by either internal or external data protection auditors;
covering all aspects of BCRs including methods of ensuring that corrective actions will take place.
Moreover, the Slovak Supervisory Authority is authorized to conduct audit or inspection of any BCR Member.
Internal network
BCR provide a framework for the internal network of selected roles (CEO, DPO, DPEs and other Piano personnel) that is further defined and described in the Group Policy. Such internal network is group-wide and is independent from any other organizational structure in place. At Piano Group, a team of DPEs reports to the DPO while the DPO can issue a binding instructing to DPEs in any data protection compliance aspect. CEO remains the ultimate decision-maker while the DPO retains its independent status by being afforded to record and store his differing opinions.
Monitoring of local law
Each BCR Member continuously monitors the existing and future local law of the country where such BCR Member is established to analyze whether the local law is not contrary to the GDPR or whether any local law would not have a substantial adverse effect on the guarantees provided by BCRs. Any legally binding request from public authorities to access or actual access to personal data processed by Piano Group must be immediately notified to Piano Slovakia and the DPO. If Piano Group provides personal data to a public authority, such provision will not involve a massive and disproportionate volume of personal data and will not be discriminatory in such a way as to go beyond what is necessary in a democratic society.
Reporting to Slovak Supervisory Authority (“SA”)
If a legal requirement to a BCR Member established in a third country is likely to have a substantial adverse effect on the guarantees provided by BCRs, the problem should be reported to the Slovak SA by the DPO. If in specific cases the suspension and/or notification are prohibited, the BCR Member will use its best efforts to obtain the right to waive this prohibition in order to communicate as much information as it can and as soon as possible and be able to demonstrate that it did so. If, in the above cases, despite having used its best efforts, the Piano Group is not in a position to notify the Slovak SA, the Piano Group commits to annually provide general information on the requests it received to the Slovak SA (e.g. number of applications for disclosure, type of data requested or requester if possible).
Proportionality
Without regard to the above, in any case, transfers of personal data by the Piano Group to any public authority cannot be massive, disproportionate, and indiscriminate in a manner that would go beyond what is necessary in a democratic society.
Records of processing activities
Each BCR Member maintains records of processing activities pursuant to the Article 30 (1) of the GDPR in writing (including electronic form) which shall be made available to the Slovak SA or SA concerned upon request.
DPIA and prior consultation
Where feasible, Piano Group shall conduct DPIA covering / on behalf of all BCR Members and/or taking into the account the cross-border processing pursuant to the Article 35 of the GDPR. Where the DPIA indicates that the processing would result in a high risk in the absence of measures taken by Piano to mitigate the risk, the Slovak SA, prior to processing, should be consulted in line with Article 36 of the GDPR.
Data protection by design
BCR Members shall implement appropriate technical and organizational measures designed to implement data protection principles and to facilitate compliance with the requirements set up by BCRs in practice.
Data protection by default
BCR Members shall implement appropriate technical and organizational measures designed to data protection by default to only process personal data in an extent that is necessary for the given purpose of processing. This obligation applies to the amount of personal data collected, the extent of their processing, the duration of their storage and their availability.
Data protection principles
BCR Members observe the basic data protection principles stated in Article 5 of the GDPR.
Legal basis
BCR Members shall only process personal data based on one or more legal bases under Article 6 GDPR. Where special categories of personal data are processed, conditions under Article 9 GDPR must be complied with in addition to Article 6 GDPR.
Processors and transfers
Piano Software, Inc., USA is the only BCR Member authorized to conclude data processing agreement pursuant to the Articles 28 or 26 of the GDPR with third parties (and hence transfer personal data outside the Piano Group) also on behalf and for the benefit of the whole Piano Group. Other BCR Member needs an explicit prior consent from Piano Software, Inc. if they wish to use other processors, sub-processor or joint controllers for processing of personal data covered by the Group Data Processing Agreement.
Security
Each BCR Member is under obligation to maintain adequate level of security pursuant to the Article 32 GDPR.
Breaches
Any personal data breach pursuant to the Article 4 (12) of the GDPR must be immediately (without undue delay) notified by any BCR Member or any Piano Group personnel to the DPO. Any personal data breaches at Piano Group are evaluated, documented and further reported by the DPO in line with the Group Policy. Any personal data breach documentation shall be made available to the competent SA upon request in line with Article 33 and 34 of the GDPR. In line with the Group Policy, the DPO is responsible for notification of the SA and data subjects when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
2. The text of BCR
You can find the approved text of both BCR here:
EDPB decision links:
The above version of BCR corresponds to the first approved version of BCR from 31. December 2022. Any other update or changes to these BCR must be prior approved by the regulator except for design, appearance, formatting or grammatical changes or updates of BCR which do not require any regulatory approval. Historical versions of the BCR: None as of yet.
3. List of BCR Members and 3rd countries
The following entities belonging to Piano Group have contractually acceded to BCR as the BCR Members. By doing so, these BCR Members accepted the obligation to comply with the BCR including with the Group Data Processing Agreement that forms inseparable part both BCR (see Annex C).
BCR Member | Country |
---|---|
Piano Software, Inc., 111 S Independence Mall East, Suite 950, Philadelphia, PA 19106, United States, ID No.: 4151404 | United States (third country) |
Piano Software, s. r. o., Štefánikova 14, 811 05 Bratislava, Slovak Republic, Company ID No.: 46 103 406 | Slovakia (EU) |
Newzmate Sp. z o.o., ul. Mazowiecka 11 lokal 49, 00-052, Warsaw, Mazowieckie, Poland, ID No.: 360486660 | Poland (EU) |
Piano Software B.V., Keizersgracht 555, 1017 Amsterdam, The Netherlands, ID No.: 75524171 | The Netherlands (EU) |
Piano Software Norway NUF, Drammensveien 165, 0277, Norway, ID No.: 923 967 850 | Norway (EEA) |
Piano Co. Ltd, 2F Harajuku Jingu-no-mori Building, 1-14-34, Shibuya-ku, Tokyo, Japan, ID No. 1011001071838 | Japan (third country) |
Piano Software Singapore PTE. Ltd., 16 Raffles quay #33-03 Hong Leong building Singapore (048581), ID No. 202031085R | Singapore (third country) |
Applied Technologies Internet SAS, 85 avenue J F Kennedy 33700 Mérignac, France Trade and Companies Register of Bordeaux as number 403 261 258 | France (EU) |
Applied Technologies Internet GmbH, Leonrodstrasse 52-58, 80636 Munich, Germany Trade and Companies Register of Munich as number HRB 194384 | Germany (EU) |
AT Internet holding SAS, 4 Rue de Marivaux 75002 Paris, France Trade and Companies Register of Paris B 893 718 106 | France (EU) |
AT Internet LTD, 23 Copenhagen Street, London, N1 0JB, United Kingdom, ID No. 06740401 | UK (third country) |
This list of BCR Member can be updated from time to time due to organizational changes and well as because further Piano entities may accede as BCR Members. See Section 2.2 and 2.3 of BCR which regulate the update process. You can find list of competent EU supervisory authorities here.
4. Complaint form
About this compliant form
This complaint form can be used by any individual / person that believes his or her personal data are processed by any BCR Member under BCR. BCRs require Piano to adopt a specific complaint handling mechanism as a means of additional safeguard for privacy and data protection principles. Data subjects are free to use this complaint form, but they are also free to draft the complaint and deliver it to Piano Software as they see fit. This complaint form is therefore not mandatory.
When to use complaint?
You can use the complaint whenever you like. For example:
when you feel that Piano Software’s BCR Members do not comply with text of the BCRs or applicable data protection laws when processing your personal data;
if you would like to enforce any 3rd party beneficiary clauses against any BCR Member as per Section 4 of BCR; or also
if you would like to enforce any data subject right pursuant to Articles 15 to 22 GDPR.
The more you explain the above in your complaint, the more effectively will be your complaint dealt with by us. Therefore, in your complaint, please explain in detail why you are lodging the complaint, on what grounds and what specific rights are you enforcing, if any.
Where to complain?
You can fill out and submit below form. You are also free to draft your own complaint and deliver it to Piano Software’s group Data Protection Officer by email at privacy@piano.io or in writing by post to Piano Software, Group DPO, Piano Software, s.r.o., Štefánikova 14, 811 05 Bratislava, Slovak Republic.
How will your complaint be handled by us?
Your complaint will be handled internally by our group Data Protection Officer typically within 1-month period. In limited circumstances this period can be prolonged by another 2-months considering the complexity and overall number of the requests. In any case, you will receive a final response, prolongation notification or request for additional information within the original 1-month period, by email or post, depending on your selected preferences. Please note that when we receive data subject request in relation to operations we conduct as processors (on behalf of our clients), we are normally obliged to forward such request to our clients, and we do not respond directly. Each complaint is dealt with individually by our privacy and data protection professionals in light of your specific circumstances. Complaints are handled by our group Data Protection Officer with relevant regional data protection officers and relevant data protection executives. We do not use software or automated tools to handle similar requests or complaints. Before we provide a final response to your complaint, we might need to verify your identity or request additional information from you that is needed for handling the complaint. Until this additional information is provided to us, we cannot provide the final response. In this light, please provide as much detail to your compliant as necessary.
What are the consequences in case of rejection of compliant?
If we reject your complaint, this practically means we will not change the way how your personal data is handled or generally how we operated before the complaint. If we unduly rejected your complaint, you would still have legal options to enforce your compliant against us.
What are the consequences in case the complaint is considered as justified?
If we consider your complaint justified, we will adopt measures to comply with these BCRs or the Applicable Data Protection Law, as requested. We will also confirm in a response to you, what measures have been adopted to comply with your complaint.
What are the consequences if you are not satisfied by our reply?
If you are not satisfied with our reply or with how we handled your complaint (or generally at any time), you have right to:
lodge a claim before any competent court;
lodge a complaint before any competent supervisory authority.
The fact that Piano Software Group has its lead supervisory authority in Slovakia (Office for Personal Data Protection of the Slovak Republic, web: https://dataprotection.gov.sk/uoou/en) does not prevent data subjects to lodge complaints before other supervisory authorities. As per Article 77 GDPR, every data subject has the right to lodge a complaint with a supervisory authority, in particular in:
the Member State of his or her habitual residence;
place of work or;
place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.
The list of competent supervisory authorities in the EU/EEA can be found at the website of EU Commission (https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm) or here (https://edpb.europa.eu/about-edpb/about-edpb/members_en). As per Article 79 GDPR, every data subject has the right to an effective judicial remedy where he or she considers that his or her rights under the GDPR have been infringed. Such court claim can be brought before the courts of the Member State where:
Piano Software Group has an establishment (see the list of BCR Members); or where
the data subject has his or her habitual residence.
What rights do you have under GDPR?
If you use this complaint mechanism to enforce your data subject rights under GDPR, we list below a basic overview of these rights. Please note, that most of these rights are not absolute and certain conditions must be met in most cases for such rights to apply. Two of the most automatic rights where no additional conditions need to be met are:
right to withdraw your consent with processing personal data under Article 7 or 8 GDPR;
right to object against direct marketing including the profiling under Article 21 (2) GDPR.
In both cases, we must automatically stop the relevant processing of your personal data based on such requests without further conditions. In addition, you have following rights under GDPR:
Right to access to your personal data under Article 15 GDPR, including (i) confirmation as to whether we process your personal together with all relevant information under Article 15 (1) GDPR; (ii) right to be informed about transfers of personal data and appropriate safeguards under Article 15 (2) GDPR; and (iii) right to receive copy of personal data undergoing processing under Article 15 (3) GDPR;
Right to rectification of incorrect personal data under Article 16 GDPR;
Right to erasure (right to be forgotten) under Article 17 GDPR;
Right to restriction of processing under Article 18 GDPR;
Notification obligation regarding rectification or erasure of personal data or restriction of processing under Article 19 GDPR;
Right to portability of personal data in a structured, commonly used and machine-readable format under Article 20 GDPR;
Right to object against legitimate interests, public interest, direct marketing and profiling under Article 21 GDPR;
Right not to be subject to an automated individual decision making under Article 22 GDPR.
In addition, you have right to be notified about certain data protection breaches under Article 37 GDPR and we shall seek your views within certain data protection impact assessments under Article 35 GDPR. However, these provisions are drafted as our direct obligation, not data subject rights.
* Country refers to location where establishment of the BCR Member is located. One BCR Member might have more than one establishment. Although usually the establishment is where the registered seat of the company is located, the term establishment might also cover location of the corporate presence, office, store, branch or desk of a company other than its registered seat.
Notifications should be sent to the following:
Piano Software, Inc.
111 S Independence Mall East, Suite 950
Philadelphia, PA 19106
Email: security@piano.io