Binding Corporate Rules

Binding Corporate RulesEach DSV Group Member acting as Data Controller or Data Processor will maintain a record of all categories of processing activities involving Personal Data. The records will be available via the DSV Group’s privacy management system “PACTIUS Privacy” or any subsequent similar tool adopted by DSV A/S . For Data Controllers, the records shall contain the following information: x the name and contact details of the Data Controller and, where applicable, the joint Controller, the Data Controller’s representative and t he GPR; x the purposes of the Processing; x a description of the categories of Data Subjects and of the categories of Personal Data; x the categories of recipients to whom the Personal Data have been or will be disclosed including recipients in third countries or international organizations; x where applicable, transfers of Personal Data to a third country or an international organization, including the identification of that third country or international organisation, and the documentation for suitable safeguards according to the Regulation; x where possible the envisaged time limits for erasure of the different categories of Personal Data; x where possible, a general description of the technical and organizational security measures. For Data Processors, the records shall contain the following information: x the name and contact details of the Data Processor or Data Processors and of each Data Controller on behalf of which the Data Processor is acting, and, where applicable, of the Data Controller’s or the Data Processor's representative, and the GPR; x the categories of Processing carried out on behalf of each Data Controller; x where applicable, transfers of Personal Data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards; x where possible, a general description of the technical and organizational security measures. The records of processing activities will be kept in writing, including electronic form and will be made available to the Supervisory Authority(-ies) upon request. 8.2 Data protection impact assessments Where a type of Processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the DSV Group Member acting as Data Controller shall, prior to the Processing, carry out an assessment of the impact of the envisaged Processing operations on the protection of Personal Data (data protection impact assessment). The data protection impact assessment shall in particular be required in case of: 11Page 2