Data Transfer Agreement GDPR Template

The data processing agreement must be explicit as to what the data processor will actually do. For example, the following aspects of data processing must be specified: the GDPR requires a processor to keep records of its activities. Acceptance of this requirement is implicit in some of the clauses we have seen above. However, many data processing agreements also include it as an explicit requirement for the data processor, along with the conditions under which these records are to be shared. Twitter's data processing agreement is a useful example of this. Twitter agrees to "offer you adequate cooperation and support with regard to your obligations with regard to law enforcement requests, data protection breaches, data subjects' rights and requests from supervisory authorities". While the agreement focuses on the processor, the obligations of the data controller also need to be clarified.

International data transfers can be made under certain conditions, even if the third country has received an adequacy decision from the European Commission. The U.S. has not received an adequacy decision, but transfers are allowed if the recipient U.S. company is part of the Privacy Shield framework. So far, the Commission has adopted two sets of standard contractual clauses for the transfer of data from data controllers in the EU to data controllers established outside the EU or the European Economic Area (EEA).

This is because during this relationship, the controllers will share legally protected personal data with data processors and a data protection authority will help the processor agree to process the data adequately. However, you must ensure that you insert a clause that instructs data processors to immediately inform data controllers of personal data protection breaches.

It may be a good idea to include this clause in your privacy policy, for example by asking a processor to process large amounts of special category data. The controller and the processor must also ensure that any person who works (or has access to the data) only processes the data in accordance with the instructions of the controller (as set out in Article 29). Data transfer agreements (whether they are managers of subcontractors, workers to subcontractors, or another combination of parties) are not new, but with the advent of the GDPR, they get an upgrade and require a much higher level of control and detail. You provide your credit card data via a payment service such as PayPal. Here, PayPal is the subcontractor. It processes the payment on behalf of the data controller – the e-commerce store. Where a transfer contract is performed separately from the main contract, the interaction with the main contract must be carefully weighed. If provisions that were normally included in a separate transfer contract are indeed included in the main contract, the broader provisions of the main contract must also be taken into account. The legal basis for transfers must be explicitly stated.

This should include the reference to ongoing direct and indirect transfers (if any) and the legal basis for onward transfers. . . .