BINDING CORPORATE RULES (BCRs)

1. Introduction

These Binding Corporate Rules (“BCRs”) set out the principles and commitments under which Scuba Schools International (SNSI) and its affiliated entities (“SNSI Group”) process and protect Personal Data transferred globally in the course of our business operations. The BCRs have been approved by the relevant European Economic Area (“EEA”) and UK Data Protection Authorities, confirming that they provide an adequate level of protection for Personal Data in accordance with applicable data protection laws, including the General Data Protection Regulation (“GDPR”).

2. Scope

2.1. Applicability: The BCRs apply to all entities within the SNSI Group that process Personal Data originating from the EEA or the UK.
2.2. Data Transfers: These BCRs govern the transfer of Personal Data between SNSI Group entities, as well as to external third parties to the extent specified herein.

3. Definitions

  • “Controller”: The SNSI Group entity that determines the purposes and means of the processing of Personal Data.
  • “Processor”: Any SNSI Group entity or third party that processes Personal Data on behalf of a Controller.
  • “Data Subject”: An identified or identifiable natural person to whom the Personal Data relates.
  • “Personal Data”: Any information relating to a Data Subject, as defined under the GDPR.
  • “Processing”: Any operation or set of operations performed on Personal Data, whether or not by automated means.

4. Data Protection Principles

SNSI Group adheres to the following data protection principles when Processing Personal Data:

  1. Lawfulness, Fairness, and Transparency: We process Personal Data in a lawful manner, ensuring Data Subjects are informed of how their data is collected, used, and shared.
  2. Purpose Limitation: We collect Personal Data for specified, explicit, and legitimate purposes, and do not process it in a way incompatible with those purposes.
  3. Data Minimization: We process only the minimum Personal Data necessary for the specified purposes.
  4. Accuracy: We take steps to ensure Personal Data is accurate and, where necessary, kept up to date.
  5. Storage Limitation: We retain Personal Data only as long as necessary for the purposes for which it was collected or as required by law.
  6. Integrity and Confidentiality: We implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
  7. Accountability: SNSI Group entities are responsible for compliance with these BCRs and can demonstrate their adherence upon request.

5. Rights of Data Subjects

5.1. Access, Rectification, and Erasure: SNSI Group entities respect Data Subjects’ rights to access, correct, or delete their Personal Data in line with applicable laws.
5.2. Restriction of Processing and Objection: Where legally permissible, Data Subjects may request to restrict or object to certain processing activities.
5.3. Data Portability: Where technically feasible, SNSI Group entities provide Personal Data in a structured, commonly used, and machine-readable format, enabling Data Subjects to transfer it to another entity if required.

6. Third-Party Beneficiary Rights

Data Subjects may enforce the BCRs as third-party beneficiaries for certain provisions, particularly those concerning Data Subjects’ rights under applicable data protection laws. This includes the right to lodge a complaint with the relevant supervisory authority or pursue legal remedies.

7. Subprocessing and Onward Transfers

7.1. Use of Subprocessors: SNSI Group may engage third-party subprocessors to facilitate specific processing activities. Each subprocessor is bound by contractual obligations consistent with these BCRs.
7.2. Onward Transfers: When transferring Personal Data to any external third party or to a country outside the EEA/UK not recognized as providing an adequate level of protection, SNSI Group ensures that appropriate safeguards (e.g., Standard Contractual Clauses) are in place.

8. Security Measures

SNSI Group implements appropriate technical and organizational measures to protect Personal Data from unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include data encryption, access controls, secure networks, intrusion detection systems, and regular security assessments.

9. Compliance and Accountability

9.1. Corporate Oversight: SNSI Group maintains a data protection governance framework overseen by dedicated personnel (e.g., a Data Protection Officer or Privacy Counsel) to ensure compliance.
9.2. Training and Awareness: SNSI Group provides periodic data protection training to employees handling Personal Data.
9.3. Record-Keeping: SNSI Group entities maintain records of Processing activities as required by applicable laws.

10. Audits

SNSI Group conducts or commissions periodic audits to verify compliance with these BCRs, either through internal auditing procedures or external auditors. The results of these audits may be shared with competent supervisory authorities upon request.

11. Complaints Procedure

Data Subjects may submit any questions, concerns, or complaints regarding the Processing of their Personal Data under these BCRs to our dedicated privacy contact point. SNSI Group will investigate and respond to all complaints within a reasonable timeframe and cooperate with supervisory authorities as needed.

12. Cooperation with Authorities

SNSI Group will cooperate with supervisory authorities in monitoring compliance with these BCRs, including responding to requests and recommendations promptly. SNSI Group will abide by the advice of supervisory authorities regarding the interpretation and application of these BCRs.

13. Liability and Enforcement

Each SNSI Group entity is responsible for compliance with these BCRs. In the event of any breach of the BCRs that results in harm to a Data Subject, SNSI Group may be held liable in accordance with applicable law. Where a Data Subject can demonstrate that they have suffered damage as a direct result of a breach of these BCRs by SNSI Group, SNSI Group will honor its obligations under relevant data protection laws.

14. Updates and Amendments

SNSI Group may update or amend these BCRs at any time to reflect changes in our practices or legal requirements. Any material changes will be communicated through our standard communication channels and published on our website. Where necessary, SNSI Group will obtain renewed approval from the relevant supervisory authorities.

15. Contact Information

If you have any questions about these BCRs or wish to exercise your data protection rights, please contact our Privacy Team at:
Email: [email protected]
Address: Florida – United States
Phone: +390586080642