December 10, 2020...5:30 pm

Intra Group Data Transfer Agreements

If the Court of Justice follows the A.G.`s advice, this local compliance assessment does not only apply to the United States, but will be required for all third countries for which SCs are used as a transfer vehicle. This could include large industrialized countries such as Brazil, India and perhaps even Britain after Brexit. Thirdly, the standard contractual clauses adopted by the European Commission should apply to transfers when transfers are made within the EEA, unless another authorized mechanism is available. There are different flavours for controller-to-processor transmissions and controller-to-controller transfers. NB Typical contractual clauses are outdated and do not fully comply with the new RGPD regulations. If you would like help with a data exchange agreement or other legal documents, please contact. We currently do not have any internal model within the group, although we see this data exchange agreement between two parties, which has certain characteristics of an internal agreement within the group. First, where transfers are made on a supplier-to-subcontractor basis, section 28 clauses of the RGPD must be included in the contract. In summary, they grant the processing manager a wide range of rights with respect to personal data to the detriment of the subcontractor.

The difficult question is: what will happen to the data shared after the termination? The nature of the release has an impact on the response. For example, data transmitted to the processor on the basis of the controller must be erased or returned in accordance with section 28 processing clauses. When data is transmitted under the standard contractual clauses, these clauses continue to apply despite the termination of the IGA. 1 DEFINS For the purposes of the clauses:a) personal data, special data categories, process/processing, subcontractor, person concerned and supervisory authority have the same meaning as in European Parliament and Council Directive 95/46/EC of 24 October 1995 on the protection of individuals to the effect of processing personal data and the free movement of such data. (1);b) the data exporter refers to the persons responsible for the transfer of personal data;c) the data importer the subcontractor who agrees to contact the data exporter to obtain personal data for processing on its behalf after the transfer, in accordance with the instructions and terms of the clauses , and are not subject to the third country system providing adequate protection under Article 25, paragraph 1 of Directive 95/46/EC; the importer who agrees to obtain personal data from the data importer or other subcontractor for personal data intended exclusively for processing activities to be carried out on behalf of the data exporter after the transfer, in accordance with its instructions; the provisions of the clauses and the terms of the written sub-mandate; e) applicable data protection legislation, legislation on the protection of fundamental rights and freedoms of individuals and, in particular, their right to privacy with regard to the processing of personal data applicable to a processing officer in the Member State in which the data exporter is established; (f) technical and organizational security measures are measures to protect personal data from unauthorized destruction, modification, disclosure or access, particularly where processing involves the transfer of data through a network, and from any other form of illicit processing. 2 TRANSFERT DETAILs The details of the transfer and, if applicable, the specific categories of personal data are included in Appendix A, which is an integral part of the clauses.