International Data Transfer Agreements

Personal data is transferred from a controller in the United Kingdom to another controller in the United Kingdom via a server in Australia. There is no intention that personal data will be accessed or manipulated while it is located in Australia. Therefore, there is no restricted transfer. The legal basis for transfers must be explicitly stated. This should include a reference to ongoing direct and indirect transfers (if any) and the legal basis for onward transfers. EU data protection regulations apply to the European Economic Area (EEA), which includes all EU countries and the non-EU countries Iceland, Liechtenstein and Norway. Latin American countries have not yet harmonized their data protection laws or developed a unified approach to cross-border data transfers. The transfer agreement must reflect the relevant binding requirements of the GDPR. Before you start reviewing or drafting the contract, you need to establish the data processing relationship between the parties, for example joint controller to controller, controller to processor, processor to sub-processor, or a combination of the above.

While the rules for international data transfers may seem complicated and difficult to navigate at first glance, the impact of GDPR is likely to be positive for businesses. The GDPR provides a solution tailored to different types of organizations. Large organisations with a complex network of processing activities are more likely to opt for BCRs due to their increased legal certainty and global impact, while organisations with a more limited network of international transfers may opt for the introduction of model clauses. BCRs and model clauses are certainly the most important appropriate safeguards for international transfers, but it is important to note that the GDPR also offers other solutions. When personal data is transferred or accessed outside the EEA, the transfer agreement between the parties must not only take into account the legality of the transfer itself, but also the processing of personal data in general and all related requirements of the GDPR. For example, for data exports to a subcontractor, the GDPR sets out detailed requirements that an agreement must include in addition to transfer management. The requirement to include mandatory details in transfer agreements is an important change introduced by the GDPR. You should not rely on this exception for systematic transfers. Instead, you should consider one of the appropriate safeguards. You should only use it in certain situations, and each time you should convince yourself that the transfer is necessary for an important reason of public interest. Such an agreement or legal instrument could also be concluded with an international organization.

For more information on international data transfers, please contact Annika Sponselee or Nicole Vreeman using the contact details below.

With the new CLAs, companies will have to agree on instructions for processors that can relate to the service provider's standard technical specifications. In addition, companies must document “transfer impact assessments” under Clause 14 in order to implement the requirements announced by the Court of Justice of the European Union in its “Schrems II” decision and extended by the European Data Protection Board in its final recommendations of 18 June. Several German data protection authorities have started to audit German companies with questionnaires and ask questions such as: “If you have come to the conclusion that the recipient can indeed ensure compliance with the contractual obligations arising from the CBCs, please describe in detail the reasons for this conclusion and provide appropriate evidence.” Service providers located outside the EEA should proactively prepare information for such assessments in order to make their offers legally usable for EEA customers.

6 Philip Gordon, et al., “Schrems II” and transfers of HR data: Action steps for US multinationals, International Association of Privacy Professionals, July 22, 2020 (available at

Exception 1: Has the individual given explicit consent to the restricted transfer? Each company is a separate controller, as it processes personal data for its own purposes and makes its own decisions. For example, registers of companies, associations, land registers or public vehicle registers.

The entire registry cannot be transferred, nor can entire categories of personal data. When you make a restricted transfer from one controller to another controller, you can choose which sets of clauses to use, depending on which one best suits your business agreements. Exception 6: You must make the restricted transfer to protect a person's vital interests. He does not need to be physically or legally able to give consent. The new CCTs offer much-needed flexibility in the processing of data transfer agreements. Existing CTCs only had versions for controller-to-controller data transfers, such as transfers of subsidiaries from the EU to the United States.