The data processing agreement must be explicit as to what the data processor will actually do. For example, the following aspects of data processing must be specified: the GDPR requires a processor to keep records of its activities. Acceptance of this requirement is implicit in some of the clauses we have seen above. However, many data processing agreements are also included as an explicit requirement for the data processor, as well as the conditions under which these records are to be shared. Twitter`s data processing agreement is a useful example of this. Twitter agrees to „offer you adequate cooperation and support with regard to your obligations with regard to law enforcement requests, data protection breaches, data subjects` rights and requests from supervisory authorities“: while the agreement focuses on the processor, the obligations of the data controller also need to be clarified. International data transfers can be made under certain conditions, even if the third country has received an adequacy decision from the European Commission. The U.S. has not received an adequacy decision, but transfers are allowed if the recipient U.S. company is part of the privacy shield framework. So far, it has adopted two sets of standard contractual clauses for the transfer of data from data controllers in the EU to data controllers established outside the EU or the European Economic Area (EEA). This is because during this relationship, the controllers will share legally protected personal data with data processors and a data protection authority will help the processor agree to process the data adequately. However, you must ensure that you insert a clause that instructs data processors to immediately inform data controllers of personal data protection breaches.
This should include the reference to ongoing direct and indirect transfers (if any) and the legal basis for onward transfers. . . .