The lead supervisory authority is the data protection authority that approves the BCRs for the whole group. This is usually the data protection authority of the EU member state in which the group has its main establishment. Groups whose main establishment is located outside the EU may delegate these responsibilities to one of their EU establishments. In the case of Piano, Piano Slovakia, s.r.o. has been appointed as the EU establishment with delegated data protection responsibilities. The lead supervisory authority of the Piano Group is therefore the Office for Personal Data Protection of the Slovak Republic. This means that Piano Slovakia has accepted:
the liability for any breaches of BCRs by any BCR Member not established in the EU (including the liability to pay compensation for any material or non-material damages resulting from the violation of the BCRs by such BCR Members) - Piano Slovakia shall be exempt from that liability only if it proves that that BCR Member is not responsible for the event giving rise to the damage;
that where a BCR Member not established in the EU violates the BCRs, the courts or other competent supervisory authority in the EU will have jurisdiction over the dispute, and the data subject will have the same rights and remedies against Piano Slovakia as if the violation had been caused by Piano Slovakia rather than by the BCR Member outside the EU;
that the burden of proof to demonstrate that the BCR Member outside the EU is not liable for a violation of the BCRs which has resulted in the data subject claiming damages will lie with Piano Slovakia, not with the data subject; and
to take the necessary action to remedy the acts of other BCR Members outside of the EU.
What specific safeguards do BCRs provide (legal)?
Piano has implemented the following measures within the BCRs:
Data Protection Officer (“DPO”) responsible for Piano Group
You may contact our DPO at privacy@piano.io.
Training program
Employees, directors and staff of the Piano Group who have permanent or regular access to personal data, are involved in the collection of personal data, or develop tools used to process personal data regularly attend appropriate training on the BCRs, data protection and security. The DPO develops and oversees a suitable training program for the Piano Group.
Audit program
The Piano Group conducts regular data protection audits to verify compliance with the BCRs, including audits of all relevant IT systems, databases, security policies and, if applicable, the physical record systems of the Piano Group. Such audits may cover the wider data protection compliance of the Piano Group, with verification of compliance with the BCRs forming only part of the audit, or they may focus solely on the BCRs. Such audits shall be:
conducted on an annual basis;
conducted by either internal or external data protection auditors;
covering all aspects of BCRs including methods of ensuring that corrective actions will take place.
Moreover, the Slovak Supervisory Authority is authorized to conduct an audit or inspection of any BCR Member.
Internal network
The BCRs provide a framework for an internal network of selected roles (CEO, DPO, DPEs and other Piano personnel) that is further defined and described in the Group Policy. This internal network is group-wide and is independent of any other organizational structure in place. At the Piano Group, a team of DPEs reports to the DPO, and the DPO can issue binding instructions to the DPEs on any aspect of data protection compliance. The CEO remains the ultimate decision-maker, while the DPO retains an independent status by being entitled to record and retain any differing opinion.
Monitoring of local law
Each BCR Member continuously monitors the existing and future local law of the country in which it is established to assess whether that law conflicts with the GDPR or would have a substantial adverse effect on the guarantees provided by the BCRs. Any legally binding request from a public authority for access to personal data processed by the Piano Group, and any actual access, must be notified immediately to Piano Slovakia and the DPO. If the Piano Group provides personal data to a public authority, such provision will not involve a massive and disproportionate volume of personal data and will not be discriminatory in a way that goes beyond what is necessary in a democratic society.
Reporting to Slovak Supervisory Authority (“SA”)
If a legal requirement applicable to a BCR Member established in a third country is likely to have a substantial adverse effect on the guarantees provided by the BCRs, the problem shall be reported to the Slovak SA by the DPO. If in specific cases the suspension and/or notification are prohibited, the BCR Member will use its best efforts to obtain a waiver of this prohibition in order to communicate as much information as it can, as soon as possible, and to be able to demonstrate that it did so. If, in the above cases, despite having used its best efforts, the Piano Group is not in a position to notify the Slovak SA, the Piano Group commits to providing the Slovak SA annually with general information on the requests it has received (e.g. the number of requests for disclosure, the type of data requested and, where possible, the requester).
Proportionality
Regardless of the above, transfers of personal data by the Piano Group to any public authority must never be massive, disproportionate or indiscriminate in a manner that would go beyond what is necessary in a democratic society.
Records of processing activities
Each BCR Member maintains records of processing activities pursuant to Article 30(1) of the GDPR in writing (including in electronic form), which shall be made available to the Slovak SA or the SA concerned upon request.
DPIA and prior consultation
Where feasible, the Piano Group shall conduct a DPIA covering, or on behalf of, all BCR Members, taking into account cross-border processing, pursuant to Article 35 of the GDPR. Where the DPIA indicates that the processing would result in a high risk in the absence of measures taken by Piano to mitigate that risk, the Slovak SA shall be consulted prior to the processing in line with Article 36 of the GDPR.
Data protection by design
BCR Members shall implement appropriate technical and organizational measures designed to implement the data protection principles and to facilitate compliance in practice with the requirements set out in the BCRs.
Data protection by default
BCR Members shall implement appropriate technical and organizational measures ensuring that, by default, only personal data necessary for the given purpose of processing are processed. This obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.
Data protection principles
BCR Members observe the basic data protection principles stated in Article 5 of the GDPR.
Legal basis
BCR Members shall only process personal data based on one or more legal bases under Article 6 GDPR. Where special categories of personal data are processed, conditions under Article 9 GDPR must be complied with in addition to Article 6 GDPR.
Processors and transfers
Piano Software, Inc., USA is the only BCR Member authorized to conclude data processing agreements pursuant to Article 28 or Article 26 of the GDPR with third parties (and hence to transfer personal data outside the Piano Group), including on behalf and for the benefit of the whole Piano Group. Other BCR Members need the explicit prior consent of Piano Software, Inc. if they wish to engage other processors, sub-processors or joint controllers for the processing of personal data covered by the Group Data Processing Agreement.
Security
Each BCR Member is under an obligation to maintain an adequate level of security pursuant to Article 32 of the GDPR.
Breaches
Any personal data breach within the meaning of Article 4(12) of the GDPR must be notified immediately (without undue delay) by any BCR Member or any Piano Group personnel to the DPO. All personal data breaches at the Piano Group are evaluated, documented and further reported by the DPO in line with the Group Policy. Personal data breach documentation shall be made available to the competent SA upon request in line with Articles 33 and 34 of the GDPR. In line with the Group Policy, the DPO is responsible for notifying the SA and, where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the affected data subjects.
2. The text of BCR
You can find the approved text of both BCRs here:
EDPB decision links:
The above version of the BCRs corresponds to the first approved version of the BCRs, dated 31 December 2022. Any other update or change to these BCRs must be approved in advance by the regulator, except for changes to design, appearance, formatting or grammar, which do not require regulatory approval. Historical versions of the BCRs: none as of yet.
3. List of BCR Members and 3rd countries
The following entities belonging to the Piano Group have contractually acceded to the BCRs as BCR Members. By doing so, these BCR Members have accepted the obligation to comply with the BCRs, including the Group Data Processing Agreement that forms an inseparable part of both BCRs (see Annex C).