These clauses are governed by the law of the country in which the data exporter is established, with the exception of laws and rules relating to the processing of personal data by the importer of data in accordance with Clause II, point h). Not all data exports are made between a manager and a subcontractor – some transfers are made to another processing manager or between common processing managers, and some transfers can be made for both processing and the person responsible for the shared use and transfer of personal data by the subcontractor. If you are transferring a controller to a processor, you must also meet the RGPD requirements for the use of processors. 11.1 The subcontractor may not transfer or authorize the transfer of data to countries outside the EU and/or the European Economic Area (EEA) without the company`s prior written consent. When personal data processed under this agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the parties ensure that personal data is adequately protected. To do so, contracting parties, unless otherwise agreed, rely on standard contractual clauses approved by the EU for the transfer of personal data. With regard to data transfers from non-EU countries, the RGPD provides for specific situations in which such transfers can be made. In particular, organisations involved in the transfer of personal data from non-EU countries must verify the existence of a european Commission adequacy decision and, if not, provide additional guarantees through contractual agreements. This decision is a finding of the Commission that the legal framework in force in that country, territory, sector or international organisation provides “adequate” protection of the rights and freedoms of individuals for their personal data.
In the case of transfer of personal data within the EU, the RGPD does not impose additional requirements for the direct applicability of the RGPD. However, when a processor hires a subcontractor, the relationship between the processor and the data processor must be resolved by agreement and, in these circumstances, subject to the minimum criteria set out in the RGPD. The person in charge of the processing (Article 28 of the RGPD) determines the purpose and duration of the treatment, the nature and purposes of the treatment, the nature of the personal data and the categories of persons involved, and the obligations and rights of the person in charge of the treatment. Standard contractual clauses. These are standard contracts adopted by the European Commission to facilitate sufficient safeguards for EU controllers when transmitting personal data to a subcontractor or subcontractor from non-EU countries. Under the RGPD, supervisory authorities may also adopt standard clauses. However, these clauses require the Commission`s agreement. If it is covered by a adequacy decision, you can continue with the limited transfer. Of course, you must continue to stick to the rest of the RGPD. This data processing agreement is adapted by the DPA De ProtonMail which is on this page. Organizations can use the following document as part of their compliance with the RGPD. You will find information about personal data at: RGPD: How the definition of personal data has changed.
The judgment of the European Court of Justice on Thursday 16 July 2020 in the Schrems II case held that Privacy Shield was no longer a valid opportunity to transmit personal data outside the EEA. Standard contractual clauses (CSRs) remain valid. For more information, please see our latest statement. Limited transfers from the UK to countries outside the UK, including to the EEA, are subject to the transfer rules under the UK regime. These UK transfer rules will be in line with current RGPD rules. When you download personal data