CROSS-BORDER TRANSFER ADVISORY MEMORANDUM (the “Memorandum”)
Please carefully read this Memorandum and ensure that you understand the same. If you wish to use the Services, please indicate your Explicit Consent to the cross-border transfer of your Personal Data to Third Countries (as defined below) and indicate your agreement to the Cross-Border-Transfer Consent form by ticking the box presented to you when logging on to the Bimmatch platform.
If you have any questions regarding this Memorandum, please contact us at the following email address firstname.lastname@example.org and we will reply to you as promptly as possible.
DATA PROTECTION LAW AND CROSS-BORDER TRANSFERS.
Data Protection Laws, and in particular the new GDPR (Articles 44-49), stipulate that cross-border transfer of Personal Data outside the EU/EEA may only take place in certain circumstances including where:
Personal Data is transferred to an Adequate Jurisdiction i.e. a list of designated countries in respect of which a finding of adequacy has been made by the EU Commission (Article 45). The current list of adequate jurisdictions is: Andorra, Argentina, Canada (for organizations that are subject to Canada’s PIPEDA law), the Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. (This list of countries together with the EU and EEA are collectively referred to as the “Designated Countries”)*; or
Appropriate safeguards are in place such as EU Standard Contractual Clauses or if the recipient is a US company same is registered under the EU – US Privacy Shield (Article 46); or
The Data subject has explicitly consented to the transfer of Personal Data (having been informed of the risks) under Article 49 (1) (a) or one of the other derogations under Article 49 apply.
*) The basis for this principle is that the Designated Countries provide sufficient protection for the rights and freedoms of data subjects and their Personal Data without the need for further safeguards.
A country that is not a Designated Country is referred to as a Third Country. Transfers of Personal Data to Third Countries require that either safeguards must be in place or alternatively the data subject must explicitly consent to the transfer of their Personal Data to said Third Country.
HOW IS YOUR PERSONAL DATA SHARED CROSS-BORDER WHEN USING THE BIMMATCH PLATFORM AND THE SERVICES?
We particularly draw your attention to the fact that when you access and use the Services your Personal Data may be visible and accessible to Users, Customers and/or Manufacturers some of whom are based in Third Countries. This can happen in the following ways:
when you download a BIM item from a Manufacturer in a Third Country; and/or
when you are invited or given access to Customer Services on the Bimmatch platform by a Manufacturer and/or Customer located in a Third Country; and/or
your Personal Data may on occasion also be visible to other Users of the Bimmatch platform as is the case with any other Bimmatch platform Services Customers when you are invited or given access to its Customer Services on the Bimmatch platform;
possibly where the representative, employee or otherwise of a Customer/Manufacturer based in a Designated Country accesses the Services from a Third Country;
when being designated the role as a ‘sales representative’ by a Manufacturer by whom you have been invited, your Personal Data will be visible on the Bimmatch platform to other Users in a designated geographical area and in relation to the relevant Manufacturer´s BIM Objects.
THE PURPOSE OF THE TRANSFER OF PERSONAL DATA CROSS-BORDER WHEN USING THE SERVICES UNDER THE Bimmatch platform.
Bimmatch’s services which connect our Users and Manufacturers across the globe, require by their very nature for data to flow from the European Union (EU) to other countries globally. Users and Customers located all over the world both within and outside the EU access and use the Bimmatch platform and the Services.
We aim to offer our Users access to a wide range of BIM Objects uploaded by Manufacturers located all over the world and to make connections with other Users and Customers/Manufacturers. In addition, our Manufacturers can connect with and contact Users globally. Also, our Users can connect with and contact Manufacturers globally.
This global movement of personal data is a necessary and intrinsic part of providing the Services. Without the global element, we simply cannot offer our Users and Manufacturers the Services as intended.
WHAT TYPES OF PERSONAL DATA ARE TO BE PROCESSED
We do not collect Sensitive Personal Data for cross-border transfer.
CATEGORIES OF RECIPIENTS:
Other Users Manufacturers or Customers.
RISKS OF CROSS-BORDER TRANSFER OF PERSONAL DATA.
The Data Protection Laws and in particular the new GDPR provide rigorously high standards regarding the protection of Personal Data.
The cross-border transfer of your Personal Data to Third Countries may result in lower standards of protection and certain risks including (but not limited to) the following:
Certain Third Countries either do not have national or local data protection laws or if they do, such laws do not respect your right to privacy and the protection of your Personal Data to the same high standards as in the Designated Countries. This may therefore put your Personal Data at risk of loss, misuse or compromise;
Certain Third Countries may through explicit national laws or through the lack of a prohibitive policy allow for State or other monitoring of personal data to varying degrees;
Certain Third Countries may not provide sufficient or adequate regulatory fines or sanctions in the event of a Personal Data breach or a breach of privacy;
Certain Third Countries may not provide sufficient recourse for the data subject in the event of a Personal Data breach where damages or other compensation in the event of any such breach may not be available.
OUR APPROACH-YOUR DECISION
WHAT DO WE DO?
Where we transfer your Personal Data within our group or to our subcontractors, data processors or sub-processors we take steps to ensure that mechanisms are in place including where necessary the use of EU Standard Contractual Clauses.
As regards the cross-border transfer of your Personal Data to our Manufacturers and other Customers, we are communicating with Manufacturers and other Customers located in Third Countries informing them of the applicable provisions of the Data Protection Laws and the safeguards or measures which they may need to implement if they access EU Personal Data on the Bimmatch platform.
Notwithstanding the above, as it is your Personal Data we want to feel that you ultimately make the choices in respect of the use of same. Therefore as we (i) cannot guarantee that your Personal Data will not be transferred cross-border on occasion; and (ii) we cannot guarantee or know for certain if the Customers or others who access your Personal Data have implemented appropriate safeguards at given time; and (iii) as other Users on the Bimmatch platform located in Third Countries may on occasion access your Personal Data, we think it appropriate that in accordance with Article 49 (1) (a) of the GDPR that you specifically consent to the cross-border transfer of your Personal Data prior to accessing or using the Services by ticking the box attached to the Cross-Border Transfer Consent form where presented to you on the Bimmatch platform.
Please also note that:
It is your Personal Data and you are of course free to give OR REFUSE to give your explicit consent. Please do not access or use the Services if you do not wish to consent.
Please be further advised that you are free at any time to WITHDRAW your consent to the cross-border transfer of your Personal Data. You may do so by sending us an email to the following address email@example.com. In such circumstances, you will then not be able to continue to use the Services.