Support Centre
Data Transfers
workspace-icon
Back

Data Transfers

International Data Transfers

International data transfers are essential for global organizations operating in an increasingly digital economy. There are various complexities to consider when transferring data between countries, including local laws and practices, international agreements, as well as specific safeguards.

The global data transfer landscape was particularly affected by the Court of Justice of the European Union's (CJEU) anticipated judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) (the Schrems II Case). In particular, the CJEU declared the European Commission's EU-US Privacy Shield Decision invalid, and, whilst, the CJEU upheld the use of Standard Contractual Clauses (SCCs), it provided clarity around the considerations that organizations and authorities should bear in mind if utilized as the transfer mechanism of choice.

Following the invalidation of the Privacy Shield, the European Commission and the US agreed in principle on a new European Union - U.S. Data Privacy Framework (EU-US DPF) in March 2022. Six months later, on October 7, 2022, the White House announced that President, Joseph Biden, had signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, outlined the steps that the US would take to implement its commitments under the EU-US DPF.

Fast forward to July 10, 2023, the European Commission voted to adopt its adequacy decision for the EU-US DPF, concluding that the US provides a level of protection essentially equivalent to that of the EU for personal data transferred under the EU-US DPF from a controller or a processor in the EU to certified organizations in the US. The adequacy decision has the effect that personal data transfers from controllers and processors in the EU to certified organizations in the US may take place without the need to obtain any further authorization.

However, many intricacies still remain when it comes to selecting an appropriate data transfer mechanism, which is why OneTrust DataGuidance has collated all relevant information related to data transfers, including a Comparison on global Data Transfer Requirements and another on Third Country Assessments which can be used to assess third countries and identify applicable laws, authorities, oversight and redress mechanisms in place when carrying out your Transfer Impact Assessments.

How Does OneTrust Help with Data Transfer Challenges?

With our Transfer Solutions, controllers can leverage OneTrust Vendor Risk Management, Vendorpedia Exchange, Data Mapping, and DataGuidance to identify and validate data transfers.

  • OneTrust Data Mapping: Identify data transfers and the mechanisms they rely upon
  • OneTrust Vendor Risk Management: Assess vendors that rely on SCCs with pre-built validation templates and manage contract updates as well as vendor on-boarding and off-boarding
  • OneTrust Vendorpedia Exchange: Leverage pre-completed vendor assessments and chasing services
  • OneTrust DataGuidance Regulatory Research: Stay up to date on the latest Schrems II guidance

Processors can also find the support that they need to operationalize the Schrems II decision. OneTrust Schrems II Solutions help processors implement holistic privacy programs, allowing them to track the relevant guidance and implement compensating controls for GDPR equivalency.

See all Data Transfer News
25 April 2024

EU: EDPB publishes procedural rules regarding complaints submission under the redress mechanism of Data Privacy Framework

On April 24, 2024, the European Data Protection Board (EDPB) published Rules of Procedure and Information Note on the Data Protection Framework redress mechanism for national security purposes (the Rules of Procedure), as well as a Template Complaint Form to the U.S.

Data Subject Rights, Supervisory Authority, Adequate Protection, Data Transfers, International Agreements, Third Countries
25 April 2024

EU: EDPB publishes Rules of Procedure for EU DPAs Panel under Data Privacy Framework

On April 24, 2024, the European Data Protection Board (EDPB) published Rules of Procedure for the 'Informal Panel of EU DPAs' according to the EU-US Data Privacy Framework (DPF).

Supervisory Authority, Adequate Protection, Data Transfers, International Agreements, Third Countries
25 April 2024

USA: Protecting Americans' Data from Foreign Adversaries Act signed by President

On April 24, 2024, President Biden signed House Resolution 815 Making emergency supplemental appropriations for the fiscal year ending September 30, 2024, and for other purposes.

Biometric Data, Children's Data, Genetic Data, Privacy Law Reform, Data Transfers, Third Countries, Vendor Management
24 April 2024

USA: Peace through Strength Act including provisions on foreign adversaries passes House of Representatives

On April 20, 2024, House Resolution 8038 for the 21st Century Peace through Strength Act passed the U.S. House of Representatives, following its introduction, on April 17, 2024.

Biometric Data, Children's Data, Genetic Data, Privacy Law Reform, Data Transfers, Third Countries, Vendor Management
22 April 2024

EU: EDPB issues opinion on draft decision of LDI NRW regarding the EU Cloud Service Data Protection (Auditor) certification criteria

On April 19, 2024, the European Data Protection Board (EDPB) published Opinion 7/2024 on the draft decision of the German North Rhine Westphalia Supervisory Authority regarding the EU Cloud Service Data Protection (Auditor) certification criteria.

Certification, Supervisory Authority, Data Transfers
19 April 2024

EU: EDPB sets out priorities for 2024-2027 and DPF redress mechanisms

On April 18, 2024, the European Data Protection Board (EDPB) published its strategy for 2024-2027. In particular, the EDPB clarified that its four priorities are:

Supervisory Authority, Artificial Intelligence, Data Transfers
18 April 2024

DIFC: Commissioner joins Global CAPE

On April 18, 2024, the Dubai International Financial Centre (DIFC) Data Protection Commissioner's Office (the Commissioner) announced via LinkedIn that it had been accepted as a participant in the Global Cooperation Arrangement for Privacy Enforcement (Global CA

APEC CBPRs, Data Transfers, International Agreements
17 April 2024

USA: White House publishes statement of administration policy on Fourth Amendment Is Not For Sale Act

On April 16, 2024, the White House Office of Management and Budget (OMB) published a statement of administration policy for House Resolution 4639 for the Fourth Amendment Is Not For Sale Act (HR 4639).

Privacy Law Reform, Data Transfers
15 April 2024

Japan: PPC publishes updated international strategy

On March 27, 2024, the Personal Information Protection Commission (PPC) published its updated international strategy.

The PPC outlined several initiatives in the international strategy, including:

Supervisory Authority, APEC CBPRs, Data Transfers
09 April 2024

Poland: Ministry of Digitization announces public pre-consultation for the implementation of the Data Act

On April 4, 2024, the Ministry of Digitization announced that it had started work on the implementation of Regulation (EU) 2023/2854 of December 13, 2023, on harmonized rules on fair access to and use of data (Data Act) into Polish law.

Privacy Law Reform, Data Transfers
09 April 2024

Bulgaria: CPDP fines administrator BGN 10,000 for unlawful data processing

On February 9, 2023, the Commission for Personal Data Protection (CPDP) published its decision in complaint No. PPN-01-197/14.03.2022 in which it imposed a fine of BGN 10,000 (approx. $5,550) on an unnamed administrator for violations of the General Data Protection Regulation (GDPR), following a complaint submitted by an individual.

Enforcement Actions, Fines, Privacy Law Principles, Data Transfers
09 April 2024

EU: European Parliament publishes analysis of newly proposed rules to strengthen GDPR enforcement in cross-border cases

On April 8, 2024, the European Parliament published a briefing titled 'An analysis of the newly proposed rules to strengthen GDPR enforcement in cross-border cases.' In this briefing, the European Parliament highlights a number of shortcomings, arguing that the Euro

Privacy Law Reform, Supervisory Authority, Data Transfers, Third Countries
08 April 2024

International: NPC and DIFC sign MoU on data protection

On April 8, 2024, the Philippine National Privacy Commission (NPC) announced that it had signed a Memorandum of Understanding (MoU) with the Dubai International Financial Centre (DIFC).

Supervisory Authority, Data Transfers, International Agreements
05 April 2024

Denmark: Datatilsynet updates guidance on transfers to third countries

On April 4, 2024, the Danish data protection authority (Datatilsynet) announced that it had updated its guidance on the transfer of personal data to third countries.

Data Transfers, Third Countries
04 April 2024

California: Bill on opt-out rights in relation to mergers recommended for passage

On April 3, 2024, Assembly Bill (AB) 1824 for California Consumer Privacy Act of 2018: opt-out right: mergers was recommended for passage and re-referred to the Committee on Appropriations on the same day.

Data Subject Rights, Privacy Law Reform, Data Transfers, Vendor Management
28 March 2024

USA: Bill Protecting Americans' Data from Foreign Adversaries proceeds to Senate

On March 21, 2024, House Bill 7520 for the Protecting Americans' Data from Foreign Adversaries Act of 2024 proceeded to the U.S. Senate following its passage, on March 20, 2024, by the U.S. House of Representatives.

Biometric Data, Children's Data, Genetic Data, Privacy Law Reform, Data Transfers, Third Countries, Vendor Management
See all Data Transfer Insights
Apr 2024

Hong Kong, China: Standard Contract for Cross-boundary Flow of Personal Information within the Guangdong–Hong Kong–Macao Greater Bay Area

In this Insight article, Ada Chung Lai-Ling, Privacy Commissioner for Personal Data, Hong Kong, explores the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong) (the GBA SC), including its scope and adoption.

Privacy Law Concepts, Data Transfers
Mar 2024

China: New regulations on promoting and regulating cross-border data flows

The Cyberspace Administration of China (CAC) published the Regulations on Promoting and Regulating Cross-border Data Flows (only available in Chinese here) (the Regulations) on March 22, 2024, following their initial request for public comment in October 2023.

Data Transfers
Mar 2024

Malawi: Overview of the Data Protection Bill – key takeaways

The Parliament of Malawi introduced the Data Protection Bill on December 7, 2023, which provides a comprehensive legal framework for data protection in compliance with internationally accepted principles of da

Data Subject Rights, Privacy Law Concepts, Privacy Law Principles, Privacy Law Reform, Data Transfers
Mar 2024

India: Digital Personal Data Protection Act, 2023 part three – data transfers

Part one of this series on India's Digital Personal Data Protection Act, 2023 (the Act) looked into the Act's scope and application and

Privacy Law Concepts, Data Transfers
Mar 2024

USA: EO on preventing access to sensitive personal and government related data – breaking down the impact on transfers for businesses

On February 28, 2024, the White House published Executive Order 14117 on Preventing Access to Amer

Biometric Data, Genetic Data, Data Transfers
Feb 2024

EU: The Data Act - what you need to know

On January 11, 2024, the European Commission issued a press release marking the entry into force of the Regulation on Harmonised Rules on Fair Access to and Use of Data (the Data Act) on the same date, as part of the European Union's (EU) digital strategy.

Data Subject Rights, Privacy Law Concepts, Privacy Law Principles, Privacy Law Reform, Internet of Things, Data Transfers, Vendor Management
Feb 2024

International: The UK-US Data Bridge - what is it and how can organizations use it?

From October 12, 2023, businesses have been able to use the new UK-US Data Bridge, a partial adequacy decision covering in-scope US organizations that have self-certified under the UK-US Data Bridge, to make transfers of personal data from the UK to the US.

Adequate Protection, Binding Corporate Rules, Data Transfers, International Agreements, Privacy Shield, Standard Contractual Clauses
Jan 2024

International: Regional governance frameworks for Africa

Data is valuable. It has led nations to develop regulatory laws and frameworks actively dedicated to its governance. In Africa, there are several conventions and laws on data protection and regulation.

Privacy Law Concepts, Privacy Law Principles, Standards and Frameworks, Data Transfers
Jan 2024

UK: International data transfer regulation and its effects on UK businesses

Post-Brexit, the UK General Data Protection Regulation (UK GDPR) applies instead of the EU General Data Protection Regulation (EU GDPR) to businesses in the UK and in relation to non-UK businesses' handling of UK individuals' information in certain circumstances. 

Binding Corporate Rules, Data Transfers, International Agreements, Standard Contractual Clauses
Dec 2023

Qatar: An overview of the developments on the QFC Data Protection Regulations and Rules

The Qatar Financial Centre (QFC) as an independent regulatory jurisdiction has undergone a transformative journey to safeguard personal data in the developing landscape of finance and technology sectors over the years.

Privacy Law Principles, Privacy Law Reform, Transparency, Data Transfers, Standard Contractual Clauses
Dec 2023

China: Recent developments in cross-border data transfer requirements

On October 15, 2023, the public comment period closed for the Cyberspace Administration of China's (CAC) draft Provisions on Regulating and Promoting Cross-Border Data Flows (the Draft Provisions). In this Insight article, Kate M. Growley, Evan Y.

Data Transfers, Standard Contractual Clauses
Dec 2023

International: EU-US data transfers under the DPF - Analysis and best practices

On July 10, 2023, the European Commission adopted its adequacy decision for the US with regards to international data transfers, conditional to the use of the EU-US Trans-Atlantic Data Privacy Framework (DPF) which offers additional guarantees.

Adequate Protection, Data Transfers, International Agreements, Standard Contractual Clauses

Data Transfer Requirements

Request a jurisdiction

Data Transfer Requirements

  • There is a law/restriction/exemption in place.
  • Click to view information for additional detail.
  • There is no law/requirement/exemption in place.
    title
  • Law
  • Restriction
  • Exemptions
  • Localisation Requirement
  • Regulatory Guidelines
  • Transfers Note
  • Afghanistan

    • No further information.

    • No further information.

    • No further information.

    • No further information.

    • No further information.

    • No Transfers Note currently available.

  • Albania

    • Law on the Protection of Personal Data No. 9887 of 10 March 2008 (as amended) ('the Law')

    • According to Article 8(1) of the Law, data transfers to countries outside of the EU/EEA, to third countries which have not been deemed adequate by decision of the Office of the Information and Data Protection Commissioner ('IDP'), are restricted.

    • According to Article 8(2) of the Law, data transfers are permitted when: 

      1. it is authorised by international acts ratified by the Republic of Albania and are directly applicable;
      2. the data subject has given his/her consent for the international transfer;
      3. the transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken in addressing the data subject’s request, or the transfer is necessary for the conclusion or performance of a contract between the controller and a third party, in the interest of the data subject;
      4. it is a legal obligation of the controller;
      5. it is necessary for protecting vital interests of the data subject;
      6. it is necessary or constitutes a legal requirement over an important public interest or for exercising and protecting a legal right; or
      7. the transfer is done from a register that is open for consultation and provides information to the general public.

      In cases other than those provided above, the international transfer of personal data with a state that does not have an adequate level of data protection, shall be carried out upon an authorisation from the KMDP. Consideration is also given to states which have ratified Convention 108.

    • No further information.

    • Guidelines on international data transfers issued by the Office of the Information and Data Protection Commissioner ('IDP') (only available in Albanian here).

    • No Transfers Note currently available.

  • Alberta

    • The Personal Information Protection Act (Statutes of Alberta 2003 chapter P-6.5) ('AB PIPA')

    • AB PIPA does not specifically regulate data transfers. However, it does regulate 'disclosure', which, according the the Official Guidelines, involves 'sharing personal information with another entity.' According to Section 19 of AB PIPA, an organisation may disclose personal information only: 

      1. for purposes that are reasonable for meeting the purposes for which the information is disclosed; or 
      2. with the consent of the individual.

    • According to Section 20 of AB PIPA, an organisation may disclose personal information about an individual without their consent if: 

      1. a reasonable person would consider that the disclosure of the information is clearly in the interests of the individual and consent of the individual cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent; 
      2. the disclosure of the information is required by law; 
      3. to a public body, debt collection agency or other organisations; 
      4. the disclosure is for the purposes of contacting the next of kind or a friend of an injured, ill or deceased individual; the disclosure of the information is reasonable for the purposes of an investigation or legal proceeding or for the purposes of the prevention, detection or suppression of, fraud, and the information is disclosed to an organisation that is permitted or otherwise empowered to carry out any of those purposes; 
      5. the disclosure of the information is necessary to respond to an emergency that threatens the life, health or security of an individual or the public;
      6. the information is publicly available, as prescribed or otherwise determined by the regulations; or 
      7. the disclosure is in accordance with Section 20.1, 21 or 22 (see below). 

      Under Section 21(1) of AB PIPA, an organisation may disclose personal employee information about an individual without the consent of the individual if the information is disclosed solely for the purposes of (a) establishing, managing or terminating an employment or volunteer-work relationship, or (b) managing a post-employment or post-volunteer-work relationship, between the organisation and the individual. The disclosure must also be reasonable for the particular purpose for which it is being disclosed, and, in the case of an individual who is a current employee of the organisation, the organisation has, before disclosing the information, provided the individual with reasonable notification that his/her personal information is going to be disclosed and of the purposes for which the information is going to be disclosed. 

      Additionally, it can disclosure personal information about an individual who is a current or former employee of the organisation to a potential or current employer of the individual without the consent of the individual if: 

      1. the personal information that is being disclosed was collected by the organisation as personal employee information; and 
      2. the disclosure is reasonable for the purpose of assisting that employer to determine the individual's eligibility or suitability for a position with that employer. According to Section 22, personal information may be disclosed for the purposes of a business transaction, if: 
        1. the parties have entered into an agreement under which the collection, use and disclosure of the information is restricted to those purposes that relate to the business transaction; and 
        2. the information is necessary: for the parties to determine whether to proceed with the business transaction; and if the determination is to proceed with the business transaction, for the parties to carry out and complete the business transaction.

    • No further information.

    • Official Guidelines on the general application of AB PIPA issued by the Office of the Information and Privacy Commissioner in November 2008 and Official Guidelines on collection, use and disclosure of personal information under AB PIPA issued by the Office of the Information and Privacy Commissioner of Alberta in 2009.

    • Please see Canada - Data Transfers Note

  • Algeria

    • Law No. 18-07 of 25 Ramadhan 1439 Corresponding to June 10, 2018 Relating to the Protection of Individuals in the Processing of Personal Data (only available in French here) ('the Law')

    • Data controllers cannot transfer data abroad unless it has obtained authorisation from the Algerian data protection authority and the recipient country provides an adequate level of protection for the persons affected by the transfer. In addition, it is prohibited to transfer personal data if such transfer poses a danger for the vital interests of the State or public security (Article 44 of the Law). 

    • In cases where the recipient country is not recognised as providing adequate protection and the Algerian data protection authority has not authorised the transfer, as required by Article 44 of the Law, the data controller can transfer personal data if:

      • the data subject has expressly consented to such transfer;
      • the transfer is necessary for, among others, protecting the health of the data subject, safeguarding the public interest or the execution of a contract between the data subject and the data controller;
      • the transfer takes place pursuant to a bilateral or multilateral agreement to which Algeria is party; or 
      • under the authorisation from the Algerian data protection authority, the processing falls under Article 2 of the Law.

    • No further information.

    • No further information.

    • No Transfers Note currently available.

  • Andorra

    • Qualified Act 15/2003, of 18 December, of Personal Data Protection ('the Act')

    • According to Articles 35 and 36 of the Act, data transfers to countries outside of the EU/EEA, to third countries which have not been deemed adequate by either the European Commission or the Andorran data protection authority ('APDA'), are restricted.

    • According to Article 37, data transfers are permited when: 

      1. made with the unequivocal consent of the interested party; 
      2. made in accordance with international conventions of which the Principality Andorra is a party; 
      3. made for the purposes of international legal assistance, or for the recognition, exercise or defence of a right in the context of legal proceedings; 
      4. made for medical prevention or diagnosis, health care, social prevention or diagnosis or for the vital interest of the interested party; 
      5. made for the purpose of bank remittances or transfers of money; 
      6. necessary for the establishment, execution, fulfilment or control of legal relationships or contractual obligations between the interested party and the file manager; 
      7. necessary to preserve the public interest; or 
      8. concerned with data taken from public registries or is made in compliance with the functions and purposes of the public registries.

    • No further information.

    • Guidelines on international transfers issued by the Andorran data protection authority ('APDA') (only available in Catalan here).

    • No Transfers Note currently available.

  • Angola

    • Law No. 22/11 on the Protection of Personal Data ('the Law') (only available in Portuguese here).

      Please note that the Agency for the Protection of Personal Data has not yet been established.

    • According to Section 33 of the Law, data transfers are prohibited to countries that do not ensure an adequate level of protection. The adequacy must be assessed by the National Database Protection Agency ('APD').

    • According to Section 34 of the Law, data transfers are permitted when: 

      1. The data subject has given his/her unequivocal, express and written consent; 
      2. The transfer is required by an international treaty to which the Republic of Angola is a party; 
      3. The transfer is necessary for humanitarian reasons; 
      4. The transfer is necessary for the performance of contract of for precontractual measures; 
      5. The transfer is necessary for the performance of a contract between the data controller and a third party, which is in the interest of the data subject; 
      6. The transfer is necessary for legal obligations or for legal actions; 
      7. The data subject cannot give his/her consent and the transfer is necessary for his/her vital interest; 
      8. The data are included in a publicly available source; and 
      9. If the recipients are bound by contractual agreements to ensure the same level of protection. Data transfers are also allowed when a company has internal rules ensuring the protection of data.

    • No further information.

    • The APD has not yet released any guidelines on data transfers specifically. However, in its guidance on data processing notifications, the APD highlights that, regarding data transfers, organisations must indicate whether the data is sent outside of Angola. If so, organisations must indicate the country, entity, data type and the respective legal basis.

    • No Transfers Note currently available.

  • Antigua and Barbuda

    • Data Protection Act, 2013 ('the Act')

    • Under Section 2 of the Act, disclosure of personal data by transmission, transfer, dissemination or otherwise making it available falls under the concept of processing. Section 5(1) further states that personal data cannot be processed unless the data subejct has given his/her consent.

    • According to Section 5(2) of the Act, data may be processed without consent for the following purposes: 

      1. for the performance of a contract to which the data subject is a party; 
      2. for the taking of steps at the request of the data subject with a view to entering into a contract; 
      3. for compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract; 
      4. in order to protect the vital interests of the data subject; 
      5. for the administration of justice; or 
      6. for the exercise of any functions conferred on a person by or under any law.

       

      Moreover, such processing is subject, under Section 5(3) of the Act, to the requirement that it is processed for a lawful purpose directly related to an activity of the data user, that it is necessary for or directly related to that purpose, and that the personal data is adequate but not excessive in relation to that purpose.

    • International Foundations Act 

      According to Article 36 of the International Foundations Act 2007, the minutes of each council meeting shall be kept at the registered office of the foundation and shall be open to inspection by the founder, any foundation council member, any beneficiary, the Court or the Financial Services Regulatory Commission.

    • No further information.

    • No Transfers Note is currently available.

  • Argentina

    • Personal Data Protection Act, Act No. 25.326 of 2000 ('the Act') (only available in Spanish here) and Decree No. 1558/2001 Regulating Act No. 25.326 ('the Decree')(only available in Spanish here).

      Please note that a draft data protection amendment bill is currently being reviewed by the Government (only available in Spanish here).

    • Section 12(1) of the Act states that the transfer of any type of personal information to countries or international or supranational entities that do not provide adequate levels of protection is prohibited. 

    • Under Section 12(2) of the Act, the prohibition does not apply in the following circumstances:

      1. international judicial cooperation;
      2. exchange of medical information, when so required for the treatment of the affected party, or for an epidemiological survey, provided that the data has been anonymised;
      3. stock exchange or banking transfers, to the extent thereof, and in pursuance of the applicable laws;
      4. when the transfer is arranged within the framework of international treaties which the Argentine Republic is a signatory to; or
      5. when the transfer is made for international cooperation purposes between intelligence agencies in the fight against organised crime, terrorism and drug-trafficking.

       

      In addition, Section 12 of the Decree authorises transfers where express consent has been granted by the data subject. It also states that consent is not required when data is transferred from a public registry that is legally constituted to provide information to the public and is open for consultation by the general public or by any person who can demonstrate a legitimate interest, provided that the legal and regulatory conditions for consultation are complied with in each particular case.

      The Argentinian data protection authority's ('AAIP') Regulation 60 – E/2016 on international data transfers listing the countries to which transfers are permitted (only available in Spanish here) ('the International Transfers Regulation'). Moreover, the International Transfers Regulation contains two model contracts that can be used for international data transfers to countries that do not provide adequate levels of protection; one must be used for transfers between data controllers, and the other must be used for transfers to data processors.

    • No further information.

    • Resolution No. 4/2019 on the application and interpretation of the Act (only available in Spanish here);
      Resolution No. 60 – E/2016 on model clauses for international transfers of personal data (only available in Spanish here) ('the International Transfers Resolution');
      Resolution No. 159/2018 on guidelines for binding corporate rules ('BCRs') for international data transfers within the group of multinational companies (only available in Spanish here) ('the BCRs Resolution'); and
      Resolution No. 198/2023 approving the Ibero-American Data Protection Network’s Standard Contractual Clauses (only available in Spanish here) ('the REDIPD SCCs Resolution’).

    • Argentina - Data Transfers Note

  • Armenia

    • Law of the Republic of Armenia of 13 June 2015 No. 49-ZR on the Protection of Personal Data ('the Law')

    • Article 26 and 27 of the Law state that personal data may be transferred to a third party or to another state with the data subject's consent, where it is required for by law and the state has an adequate level of data protection, or where the transfer of data stems from the purposes of processing personal data and/or is necessary for the implementation of these processes. The transfer of biometric or special category personal data needs to be notified to the Personal Data Protection Agency ('the Agency').

    • Article 26(2) of the Law states that special category personal data can be transferred to third parties without the data subject's consent, where the data processor is considered a processor of special category personal data prescribed by law or an interstate agreement, the transfer of such information is directly provided for by law and has an adequate level of protection, or the transfer od data is to protect the life, health, or freedom of the data subject. 

      Moreover, according to Article 27(3) of the Law, personal data can be transferred to a state not providing adequate data protection by the permission of the Agency, where the personal data are transferred on the basis of an agreement with appropriate safeguards approved by the Agency as providing adequate protection.

    • Government Decree No. 1521-N of 26 December 2013 on Approving Minimum Requirements for Official Websites of the Internet Network (only available in Armenian here) establishes data localisation requirements for the official websites of governmental agencies.

    • No further information.

    • Armenia - Data Transfers Note

  • Aruba

    • National Ordinance of May 19, 2011 Laying Down New Rules for the Protection of Privacy in Connection with the Recording and Dissemination of Personal Data ('the Ordinance') (only available in Dutch here).

    • DataGuidance confirmed with Daniel Rasmijn, Attorney at HBN Law, that data transfers must comply with the conditions contained in Article 9 of the Ordinance if they are to be lawful:

      1. the transfer is necessary in connection with the purpose of the data recording;
      2. insofar as necessary based on legislation;
      3. if the data subject has granted their consent;
      4. in the interest of academic research, statistics or other urgent reasons, if certain specific conditions are met.

      Moreover, Article 24(2) of the Ordinance establishes a prohibition to transfer data from Aruba to a foreign country if the Ordinance is not applicable and the Minister of Justice has declared that such a transfer would be harmful to the privacy of data subjects.

    • DataGuidance also confirmed with Daniel Rasmijn that there are no exemptions that allow an international data transfer once the Minister has declared that it would harm privacy rights.

    • No further information.

    • No further information.

    • No Transfers Note is currently available. 

  • Australia

    • Privacy Act 1988 No. 119, 1988 (as amended) ('the Act')

    • Principle 8 of the Act provides that the cross-border use or disclosure of data can happen only when the entity, which wants to transfer the data, has taken such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles ('APP') (other than Australian Privacy Principle 1) in relation to the information. In addition APP entities that disclose personal information outside Australia are liable under The Notifiable Data Breaches scheme, and must notify eligible data breaches while the information is under the APP entity control.

    • According to Principle of 8 of the Act, an entity does not have to take the reasonable steps when: 

      1. The recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme; 
      2. The entity expressly informs the individual that if he/she consents to the disclosure of the information, subclause 8.1 will not apply to the disclosure; after being so informed, the individual consents to the disclosure; 
      3. The disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; 
      4. A permitted general situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1)) exists in relation to the disclosure of the information by an entity covered by the APP; 
      5. The entity is an agency and the disclosure of the information is required or authorised by or under an international agreement relating to information sharing to which Australia is a party; or 
      6. The entity is an agency and both of the following apply: the entity reasonably believes that the disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body; the recipient is a body that performs functions, or exercises powers, that are similar to those performed or exercised by an enforcement body.

    • There are currently no statutory localisation or residence requirements for personal information. However, certain health information cannot leave certain States (e.g. NSW, Victoria and ACT) unless the discloser is satisfied they are going to a place with similar health information privacy laws. In particular, Section 77(1) of the Personally Controlled Electronic Health Records Act 2012 ('PCEHR') notes that operators which are subject to PCEHR are not required to hold or take records outside Australia.

      Exemptions

      Such operators are exempted from this restriction, provided that the records do not include personal information in relation to a consumer or participant in the PCEHR system or identifying information of an individual or entity.

      A mandatory comprehensive credit reporting regime is currently being considered in the form of the National Consumer Credit Protection Amendment (Mandatory Credit Reporting and Other Measures) Bill 2019, which includes a localisation requirement. 

    • APP Guidelines (Chapters 3, 6 and, 8)

       

       

    • Australia - Data Transfers Note

  • Azerbaijan

    • Law of 11 May 2010 No. 998-IIIQ on Personal Data (only available in Azerbaijani here) ('the Personal Data Law')

    • According to the Law, Article 14 of the Personal Data Law cross border transmissions of personal data are prohibited in the following cases:

      • when creating a threat to the national security of the Republic of Azerbaijan;
      • if the legislation of the country where the personal data is transmitted does not provide legal protection of such data at the level established by the legislation of the Azerbaijan Republic;
      • in cases where the subject agrees to the cross-border transfer of personal data, as well as the transfer of personal data is necessary to protect the life and health of the subject, the cross-border transfer of personal data may be carried out regardless of their level of legal protection; and
      • in the case of cross-border transmission of personal data, the security of this data is ensured by the owner or operator. 

    • Not applicable. 

    • Not applicable. 

    • Not applicable. 

    • No Transfers Note currently available.

  • Bahrain

    • Law No. (30) of the Year 2018 Issuing a Law on the Protection of Personal Data (only available in Arabic here) ('the Act') 

    • Under Article 12 of the Act, data transfers outside Bahrain are prohibited, unless:

      1. the relevant country or territory provides adequate protection of personal data, based on the assessment of the competent authority; or
      2. the competent authority permits the transfer, having assessed the circumstances.

    • Under Article 13 of the Act, data transfers to a country or territory that does not provide adequate protection of personal data is permitted if:

      1. the individual gave their consent;
      2. the personal data originates from public registers; or
      3. the data transfer is necessary for the following purposes: fulfilment of a contract; protection of vital interests of the individual; implementation of a legal obligation; or legal claim purposes.

    • Central Bank Business Standards

      According to Central Bank of Bahrain ('CBB') Volume 1 Business Standards, OM 6.3.1 ('the Rule'), conventional bank licensees must maintain the following records in original form or in hard copy at their premises in Bahrain: 

      1. internal policies, procedures, and operating manuals; 
      2. corporate records, including minutes of shareholders, directors, and management meetings; 
      3. correspondence with the CBB and records relevant to monitoring compliance with CBB requirements;
      4. reports prepared by the conventional bank licensee's internal and external auditors; and 
      5. employee training manuals and records.

       

      According to Article 60 of the Central Bank of Bahrain and Financial Institutions Law (the Law'), records referred to in Article 59 of the Law shall be kept for at least 10 years at the Licencee's main office in the Kingdom of Bahrain or at such other places as the Central Bank may approve. Records shall be kept in such a format, as the CBB may deem suitable.

    • No further information.

    • No Transfers Note currently available.

  • Bolivia

    • No further information.

    • No further information.

    • No further information.

    • No further information.

    • No further information.

    • No Transfers Note is currently available. 

  • British Columbia

    • The Personal Information Protection Act (Statutes of British Columbia 2003, c. 63) ('BC PIPA')

    • BC PIPA does not specifically regulate data transfers. However, it does regulate 'disclosure', which, according the the Official Guidelines, involves 'showing, sending or giving some other organisation, government or individual the personal information in question.' An organisation may disclose personal information only: 

      1. for purposes that a reasonable person would consider are appropriate in the circumstances and that the data subject has been notified of in advance, as per Section 17 of BC PIPA; or
      2. with the consent of the individual, as per Section 6(1) of BC PIPA.

    • According to Section 18 of BC PIPA, an organisation may disclose personal information about an individual without their consent if: 

      1. the disclosure of the information is clearly in the interests of the individual and consent of the individual cannot be obtained in a timely way; 
      2. the disclosure is necessary for the medical treatment of the individual and the individual does not have the legal capacity to give consent; 
      3. it is reasonable to expect that the disclosure with the consent of the individual would compromise an investigation or proceeding and the disclosure is reasonable for purposes related to an investigation or a proceeding;
      4. the information is collected from certain public events; the disclosure is necessary to determine a suitability  to receive an honour, award or similar benefit, including an honorary degree, scholarship or bursary, or to be selected for an athletic or artistic purpose;
      5. the disclosure is necessary in order to collect a debt owed to the organisation or for the organisation to repay an individual money owed to them by the organisation;
      6. the personal information is disclosed in accordance with a provision of a treaty that British Columbia or Canada is a party to and that authorises or requires its disclosure;
      7. the disclosure is for the purpose of complying with a subpoena, warrant or order issued or made by a court, person or body with jurisdiction to compel the production of personal information;
      8. the disclosure is to a public body or a law enforcement agency in Canada, concerning an offence under the laws of Canada or a province, to assist in an investigation, or in the making of a decision to undertake an investigation, to determine whether the offence has taken place, or to prepare for the laying of a charge or the prosecution of the offence;
      9. there are reasonable grounds to believe that compelling circumstances exist that affect the health or safety of any individual and if notice of disclosure is mailed to the last known address of the individual to whom the personal information relates;
      10. the disclosure is for the purpose of contacting next of kin or a friend of an injured, ill or deceased individual;
      11. the disclosure is to a lawyer who is representing the organisation; the disclosure is to an archival institution if the collection of the personal information is reasonable for research or archival purposes; or
      12. the disclosure is required or authorised by law.

      Additionally, under Section 19 of BC PIPA, an organisation may disclose employee personal information without the consent of the individual where the disclosure is reasonable for the purposes of establishing, managing or terminating an employment relationship between the organisation and the individual, as long as it notifies the individual of the disclose, and the purposes for the dislcosure, beforehand.

      Moreover, according to Section 20 of BC PIPA, an organisation may disclose personal information about its employees, customers, directors, officers or shareholders without their consent, to a prospective party to a business transaction that involves substantial assets other than the data subjects' personal information. This applies if the personal information is necessary for the prospective party to determine whether to proceed with the business transaction, and the organisation and prospective party have entered into an agreement that requires the prospective party to use or disclose the personal information solely for purposes related to the prospective business transaction.

      According to Sections 21 and 22 of BC PIPA, an organisation may disclose information without consent, for research, statistical, archival or historial purposes, in certain circumstances.

    • Under Section 30 of the Freedom of Information and Protection of Privacy Act, RSBC 1996 c 165 a public body must ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, unless one of the following applies:

      1. if the individual the information is about has identified the information and has consented, in the prescribed manner, to it being stored in or accessed from, as applicable, another jurisdiction;
      2. if it is stored in or accessed from another jurisdiction for the purpose of disclosure allowed under this Act;
      3. if it was disclosed under Section 33.1 (1) (i.1).

    • Official Guidelines on the general application of BC PIPA issued by the Office of the Information and Privacy Commissioner in October 2015. 

    • Canada - Data Transfers Note

  • California

    • California Consumer Privacy Act of 2018 ('CCPA')

    • Not applicable.

    • Not applicable.

    • Certain public procurement contracts might impose domestic data storage as a requirement. In addition, contractors working in certain industries may be subject to certain localisation or other restrictions. For example, the U.S. Department of Defense ('DOD') requires cloud computing service providers that provide services to the DoD to store data relating to the DoD within U.S. territory, unless otherwise authorised in writing by the DoD.

    • Not applicable.

    • California - Data Transfers Note

  • COPPA

    • Children's Online Privacy Protection Rule 1999 (16 C.F.R. Part 312) ('COPPA Rule')

    • COPPA does not contain any explicit cross-border data transfer restrictions. 

      However, §312.4 requires a website operator to provide notice and obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children.

      Moreover, §312.8 requires an operator to take reasonable steps to release children's personal information only to service providers and third parties who are capable of maintaining the confidentiality, security and integrity of such information, and who provide assurances that they will maintain the information in such a manner.

    • § 312.5(c) provides verifiable parental consent is not required prior to the collection, use, or disclosure of personal information from a child: 

      1. where the sole purpose of collecting the name or online contact information of the parent or child is to provide notice and obtain parental consent; 
      2. where the purpose of collecting a parent's online contact information is to provide voluntary notice to, and subsequently update the parent about, the child's participation in a website or online service that does not otherwise collect, use, or disclose children's personal information. In such cases, the parent's online contact information may not be used or disclosed for any other purpose; 
      3. where the sole purpose of collecting online contact information from a child is to respond directly on a one-time basis to a specific request from the child, and where such information is not used to re-contact the child or for any other purpose, is not disclosed, and is deleted by the operator from its records promptly after responding to the child's request; 
      4. where the purpose of collecting a child's and a parent's online contact information is to respond directly more than once to the child's specific request, and where such information is not used for any other purpose, disclosed, or combined with any other information collected from the child. In such cases, the operator must make reasonable efforts to ensure that the parent receives notice. 
      5. where the purpose of collecting a child's and a parent's name and online contact information, is to protect the safety of a child, and where such information is not used or disclosed for any purpose unrelated to the child's safety;
      6. where the purpose of collecting a child's name and online contact information is to (i) protect the security or integrity of its website or online service; (ii) take precautions against liability; (iii) respond to judicial process; or (iv) to the extent permitted under other provisions of law, to provide information to law enforcement agencies or for an investigation on a matter related to public safety; and where such information is not be used for any other purpose;
      7. where an operator collects a persistent identifier and no other personal information and such identifier is used for the sole purpose of providing support for the internal operations of the website or online service;
      8. where an operator collects a persistent identifier and no other personal information from a user who affirmatively interacts with the operator and whose previous registration with that operator indicates that such user is not a child. 

      According to § 312.6, disclosures made in good faith and following reasonable procedures in responding to a request for disclosure of personal information to the parent of a child are allowed.

    • No further information.

    • Complying with COPPA: Frequently Asked Questions issued by the Federal Trade Commission.

    • No Transfers Note currently available.

  • Iraq

    • No further information.

    • No further information.

    • No further information.

    • No further information.

    • No further information.

    • No Transfers Note currently available.

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Third Country Assessments

Request a jurisdiction

Schrems II - Third Country Assessment

  • There is a requirement in place.
  • Click to view information for additional detail.
  • There is no requirement in place.
    Applicable Law
  • Human rights law
  • Authority access law
  • Legal bases for access
  • Other limits on access
    Authority Functions
  • Authorities
  • Oversight mechanisms
  • Legal remedies data subjects
  • Legal remedies organisations
    title
  • Overseas subjects
  • International commitments
  • Further information
  • Albania
  • Algeria
  • Argentina
  • Armenia
  • Australia
  • Azerbaijan
  • Bahrain
  • Bangladesh
  • Bosnia & Herzegovina
  • Brazil
  • California
  • Canada Federal
  • Cayman Islands
  • Colorado
  • DRC
  • Israel
  • Jamaica

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

The below document is a copy of the SCCs for the transfer of personal data to third countries adopted by the European Commission on 4 June 2021. The four modules as defined by the Commission are:

  • Module 1: Controller to Controller
  • Module 2: Controller to Processor
  • Module 3: Processor to Processor
  • Module 4: Processor to Controller

SECTION I

Clause 1

Purpose and scope

(a)        The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.

(b)       The Parties:

(i)        the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and

(ii)       the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’) have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

(c)        These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d)       The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a)        These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b)       These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a)        Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i)        Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii)       Clause 8.5 (e) and Clause 8.9(b);

(iii)      N/A

(iv)      Clause 12(a) and (d);

(v)       Clause 13;

(vi)      Clause 15.1(c), (d) and (e);

(vii)     Clause 16(e);

(viii)    Clause 18(a) and (b).

(b)       Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a)        Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b)       These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c)        These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 – Optional

Docking clause

(a)        An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.

(b)       Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.

(c)        The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1       Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B. It may only process the personal data for another purpose:

(i)        where it has obtained the data subject’s prior consent;

(ii)       where necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iii)      where necessary in order to protect the vital interests of the data subject or of another natural person.

8.2       Transparency

(a)        In order to enable data subjects to effectively exercise their rights pursuant to Clause 10, the data importer shall inform them, either directly or through the data exporter:

(i)        of its identity and contact details;

(ii)       of the categories of personal data processed;

(iii)      of the right to obtain a copy of these Clauses;

(iv)      where it intends to onward transfer the personal data to any third party/ies, of the recipient or categories of recipients (as appropriate with a view to providing meaningful information), the purpose of such onward transfer and the ground therefore pursuant to Clause 8.7.

(b)       Paragraph (a) shall not apply where the data subject already has the information, including when such information has already been provided by the data exporter, or providing the information proves impossible or would involve a disproportionate effort for the data importer. In the latter case, the data importer shall, to the extent possible, make the information publicly available.

(c)        On request, the Parties shall make a copy of these Clauses, including the Appendix as completed by them, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the Parties may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.

(d)       Paragraphs (a) to (c) are without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.3       Accuracy and data minimisation

(a)        Each Party shall ensure that the personal data is accurate and, where necessary, kept up to date. The data importer shall take every reasonable step to ensure that personal data that is inaccurate, having regard to the purpose(s) of processing, is erased or rectified without delay.

(b)       If one of the Parties becomes aware that the personal data it has transferred or received is inaccurate, or has become outdated, it shall inform the other Party without undue delay.

(c)        The data importer shall ensure that the personal data is adequate, relevant and limited to what is necessary in relation to the purpose(s) of processing.

8.4       Storage limitation

The data importer shall retain the personal data for no longer than necessary for the purpose(s) for which it is processed. It shall put in place appropriate technical or organisational measures to ensure compliance with this obligation, including erasure or anonymisation of the data and all back-ups at the end of the retention period.

8.5       Security of processing

(a)        The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the personal data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.

(b)       The Parties have agreed on the technical and organisational measures set out in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(c)        The data importer shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(d)       In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the personal data breach, including measures to mitigate its possible adverse effects.

(e)        In case of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, the data importer shall without undue delay notify both the data exporter and the competent supervisory authority pursuant to Clause 13. Such notification shall contain i) a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), ii) its likely consequences, iii) the measures taken or proposed to address the breach, and iv) the details of a contact point from whom more information can be obtained. To the extent it is not possible for the data importer to provide all the information at the same time, it may do so in phases without undue further delay.

(f)        In case of a personal data breach that is likely to result in a high risk to the rights and freedoms of natural persons, the data importer shall also notify without undue delay the data subjects concerned of the personal data breach and its nature, if necessary in cooperation with the data exporter, together with the information referred to in paragraph (e), points ii) to iv), unless the data importer has implemented measures to significantly reduce the risk to the rights or freedoms of natural persons, or notification would involve disproportionate efforts. In the latter case, the data importer shall instead issue a public communication or take a similar measure to inform the public of the personal data breach.

(g)       The data importer shall document all relevant facts relating to the personal data breach, including its effects and any remedial action taken, and keep a record thereof.

8.6       Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences (hereinafter ‘sensitive data’), the data importer shall apply specific restrictions and/or additional safeguards adapted to the specific nature of the data and the risks involved. This may include restricting the personnel permitted to access the personal data, additional security measures (such as pseudonymisation) and/or additional restrictions with respect to further disclosure.

8.7       Onward transfers

The data importer shall not disclose the personal data to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) unless the third party is or agrees to be bound by these Clauses, under the appropriate Module. Otherwise, an onward transfer by the data importer may only take place if:

(i)        it is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii)       the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;

(iii)      the third party enters into a binding instrument with the data importer ensuring the same level of data protection as under these Clauses, and the data importer provides a copy of these safeguards to the data exporter;

(iv)      it is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings;

(v)       it is necessary in order to protect the vital interests of the data subject or of another natural person; or

(vi)      where none of the other conditions apply, the data importer has obtained the explicit consent of the data subject for an onward transfer in a specific situation, after having informed him/her of its purpose(s), the identity of the recipient and the possible risks of such transfer to him/her due to the lack of appropriate data protection safeguards. In this case, the data importer shall inform the data exporter and, at the request of the latter, shall transmit to it a copy of the information provided to the data subject.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.8       Processing under the authority of the data importer      

The data importer shall ensure that any person acting under its authority, including a processor, processes the data only on its instructions.

8.9       Documentation and compliance

(a)        Each Party shall be able to demonstrate compliance with its obligations under these Clauses. In particular, the data importer shall keep appropriate documentation of the processing activities carried out under its responsibility.

(b)       The data importer shall make such documentation available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

N/A

Clause 10

Data subject rights

 (a)       The data importer, where relevant with the assistance of the data exporter, shall deal with any enquiries and requests it receives from a data subject relating to the processing of his/her personal data and the exercise of his/her rights under these Clauses without undue delay and at the latest within one month of the receipt of the enquiry or request. The data importer shall take appropriate measures to facilitate such enquiries, requests and the exercise of data subject rights. Any information provided to the data subject shall be in an intelligible and easily accessible form, using clear and plain language.

(b)       In particular, upon request by the data subject the data importer shall, free of charge:

(i)        provide confirmation to the data subject as to whether personal data concerning him/her is being processed and, where this is the case, a copy of the data relating to him/her and the information in Annex I; if personal data has been or will be onward transferred, provide information on recipients or categories of recipients (as appropriate with a view to providing meaningful information) to which the personal data has been or will be onward transferred, the purpose of such onward transfers and their ground pursuant to Clause 8.7; and provide information on the right to lodge a complaint with a supervisory authority in accordance with Clause 12(c)(i);

(ii)       rectify inaccurate or incomplete data concerning the data subject;

(iii)      erase personal data concerning the data subject if such data is being or has been processed in violation of any of these Clauses ensuring third-party beneficiary rights, or if the data subject withdraws the consent on which the processing is based.

(c)        Where the data importer processes the personal data for direct marketing purposes, it shall cease processing for such purposes if the data subject objects to it.

(d)       The data importer shall not make a decision based solely on the automated processing of the personal data transferred (hereinafter ‘automated decision’), which would produce legal effects concerning the data subject or similarly significantly affect him/her, unless with the explicit consent of the data subject or if authorised to do so under the laws of the country of destination, provided that such laws lays down suitable measures to safeguard the data subject’s rights and legitimate interests. In this case, the data importer shall, where necessary in cooperation with the data exporter:

(i)        inform the data subject about the envisaged automated decision, the envisaged consequences and the logic involved; and

(ii)       implement suitable safeguards, at least by enabling the data subject to contest the decision, express his/her point of view and obtain review by a human being.

(e)        Where requests from a data subject are excessive, in particular because of their repetitive character, the data importer may either charge a reasonable fee taking into account the administrative costs of granting the request or refuse to act on the request.

(f)        The data importer may refuse a data subject’s request if such refusal is allowed under the laws of the country of destination and is necessary and proportionate in a democratic society to protect one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679.

(g)       If the data importer intends to refuse a data subject’s request, it shall inform the data subject of the reasons for the refusal and the possibility of lodging a complaint with the competent supervisory authority and/or seeking judicial redress.

Clause 11

Redress

(a)        The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

[OPTION: The data importer agrees that data subjects may also lodge a complaint with an independent dispute resolution body at no cost to the data subject. It shall inform the data subjects, in the manner set out in paragraph (a), of such redress mechanism and that they are not required to use it, or follow a particular sequence in seeking redress.]

 (b)      In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

(c)        Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

(i)        lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

(ii)       refer the dispute to the competent courts within the meaning of Clause 18.

(d)       The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(e)        The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

(f)        The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b)       Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.

(c)        Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(d)       The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

(e)        The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.

Clause 13

Supervision

  1. [Where the data exporter is established in an EU Member State:] The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679:] The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.

[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

(b)       The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b)       The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(i)        the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

(ii)       the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;

(iii)      any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c)        The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

(d)       The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e)        The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).

(f)        Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1 Notification

(a)        The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

(i)        receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or

(ii)       becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

 (b)      If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

(c)        Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).

(d)       The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e)        Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2     Review of legality and data minimisation

(a)        The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

(b)       The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.

(c)        The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a)       The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b)       In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c)        The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(i)        the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;

(ii)       the data importer is in substantial or persistent breach of these Clauses; or

(iii)      the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(d)       Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(e)        Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of ­­­­______ (specify Member State).

Clause 18

Choice of forum and jurisdiction

(a)       Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

(b)       The Parties agree that those shall be the courts of _____ (specify Member State).

(c)        A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

(d)       The Parties agree to submit themselves to the jurisdiction of such courts.

SECTION I

Clause 1

Purpose and scope

(a)        The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of data to a third country.

(b)       The Parties:

(i)        the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and

(ii)       the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’) have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

(c)        These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d)       The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a)        These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b)       These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a)        Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i)        Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii)       Clause 8.1(b), 8.9(a), (c), (d) and (e);

(iii)      Clause 9(a), (c), (d) and (e);

(iv)      Clause 12(a), (d) and (f);

(v)       Clause 13;

(vi)      Clause 15.1(c), (d) and (e);

(vii)     Clause 16(e);

(viii)    Clause 18(a) and (b).

(b)       Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a)        Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b)       These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c)        These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 – Optional

Docking clause

(a)        An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.

(b)       Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.

(c)        The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1 Instructions

(a)        The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.

(b)       The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

8.2 Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3 Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4 Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5 Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6 Security of processing

(a)        The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(b)       The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c)        In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(d)       The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7 Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8.8 Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

(i)        the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii)       the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;

(iii)      the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iv)      the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9 Documentation and compliance

(a)        The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.

(b)       The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.

(c)        The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.

(d)       The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.

(e)        The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

(a)        OPTION 1: SPECIFIC PRIOR AUTHORISATION The data importer shall not sub-contract any of its processing activities performed on behalf of the data exporter under these Clauses to a sub-processor without the data exporter’s prior specific written authorisation. The data importer shall submit the request for specific authorisation at least [Specify time period] prior to the engagement of the sub-processor, together with the information necessary to enable the data exporter to decide on the authorisation. The list of sub-processors already authorised by the data exporter can be found in Annex III. The Parties shall keep Annex III up to date.

OPTION 2: GENERAL WRITTEN AUTHORISATION The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least [Specify time period] in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

(b)       Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.

(c)        The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

(d)       The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.

(e)        The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10

Data subject rights

(a)        The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.

(b)       The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(c)        In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

Clause 11

Redress

(a)        The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

[OPTION: The data importer agrees that data subjects may also lodge a complaint with an independent dispute resolution body at no cost to the data subject. It shall inform the data subjects, in the manner set out in paragraph (a), of such redress mechanism and that they are not required to use it, or follow a particular sequence in seeking redress.]

 (b)      In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

(c)        Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

(i)        lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

(ii)       refer the dispute to the competent courts within the meaning of Clause 18.

(d)       The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(e)        The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

(f)        The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

(a)        Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b)       The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.

(c)        Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.

(d)       The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.

(e)        Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(f)        The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

(g)       The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

  1. [Where the data exporter is established in an EU Member State:] The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679:] The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.

[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

(b)       The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

 (a)       The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b)       The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(i)        the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

(ii)       the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;

(iii)      any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c)        The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

(d)       The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e)        The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).

(f)        Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1     Notification

(a)        The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

(i)        receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or

(ii)       becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

 (b)      If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

(c)        Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).

(d)       The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e)        Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2     Review of legality and data minimisation

(a)        The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

(b)       The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.

(c)        The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a)        The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b)       In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c)        The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(i)        the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;

(ii)       the data importer is in substantial or persistent breach of these Clauses; or

(iii)      the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(d)       Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(e)        Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

[OPTION 1: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of _______ (specify Member State).]

[OPTION 2: These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of _______ (specify Member State).]

Clause 18

Choice of forum and jurisdiction

(a)        Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

(b)       The Parties agree that those shall be the courts of _____ (specify Member State).

(c)        A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

(d)       The Parties agree to submit themselves to the jurisdiction of such courts.

SECTION I

Clause 1

Purpose and scope

(a)        The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.

(b)       The Parties:

(i)        the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and

(ii)       the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)

have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

(c)        These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d)       The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a)        These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b)       These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a)        Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i)        Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii)       Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g);

(iii)      Clause 9(a), (c), (d) and (e);

(iv)      Clause 12(a), (d) and (f);

(v)       Clause 13;

(vi)      Clause 15.1(c), (d) and (e);

(vii)     Clause 16(e);

(viii)    Clause 18(a) and (b).

(b)       Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a)        Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b)       These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c)        These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 – Optional

Docking clause

(a)        An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.

(b)       Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.

(c)        The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1 Instructions

(a)        The data exporter has informed the data importer that it acts as processor under the instructions of its controller(s), which the data exporter shall make available to the data importer prior to processing.

(b)       The data importer shall process the personal data only on documented instructions from the controller, as communicated to the data importer by the data exporter, and any additional documented instructions from the data exporter. Such additional instructions shall not conflict with the instructions from the controller. The controller or data exporter may give further documented instructions regarding the data processing throughout the duration of the contract.

(c)        The data importer shall immediately inform the data exporter if it is unable to follow those instructions. Where the data importer is unable to follow the instructions from the controller, the data exporter shall immediately notify the controller.

(d)       The data exporter warrants that it has imposed the same data protection obligations on the data importer as set out in the contract or other legal act under Union or Member State law between the controller and the data exporter.

8.2 Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B., unless on further instructions from the controller, as communicated to the data importer by the data exporter, or from the data exporter.

8.3 Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the data exporter may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.

8.4 Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to rectify or erase the data.

8.5 Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the controller and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6 Security of processing

(a)        The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter or the controller. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(b)       The data importer shall grant access to the data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c)        In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify, without undue delay, the data exporter and, where appropriate and feasible, the controller after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the data breach, including measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(d)       The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify its controller so that the latter may in turn notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7 Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards set out in Annex I.B.

8.8 Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the controller, as communicated to the data importer by the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

(i)        the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii)       the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679;

(iii)      the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iv)      the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9 Documentation and compliance

(a)        The data importer shall promptly and adequately deal with enquiries from the data exporter or the controller that relate to the processing under these Clauses.

(b)       The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the controller.

(c)        The data importer shall make all information necessary to demonstrate compliance with the obligations set out in these Clauses available to the data exporter, which shall provide it to the controller.

(d)       The data importer shall allow for and contribute to audits by the data exporter of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. The same shall apply where the data exporter requests an audit on instructions of the controller. In deciding on an audit, the data exporter may take into account relevant certifications held by the data importer.

(e)        Where the audit is carried out on the instructions of the controller, the data exporter shall make the results available to the controller.

(f)        The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.

(g)       The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

(a)        OPTION 1: SPECIFIC PRIOR AUTHORISATION The data importer shall not sub-contract any of its processing activities performed on behalf of the data exporter under these Clauses to a sub-processor without the prior specific written authorisation of the controller. The data importer shall submit the request for specific authorisation at least [Specify time period] prior to the engagement of the sub-processor, together with the information necessary to enable the controller to decide on the authorisation. It shall inform the data exporter of such engagement. The list of sub-processors already authorised by the controller can be found in Annex III. The Parties shall keep Annex III up to date.

OPTION 2: GENERAL WRITTEN AUTHORISATION The data importer has the controller’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the controller in writing of any intended changes to that list through the addition or replacement of sub-processors at least [Specify time period] in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the controller with the information necessary to enable the controller to exercise its right to object. The data importer shall inform the data exporter of the engagement of the sub-processor(s).

(b)       Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the controller), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.

(c)        The data importer shall provide, at the data exporter’s or controller’s request, a copy of such a sub-processor agreement and any subsequent amendments. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

(d)       The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.

(e)        The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10

Data subject rights

(a)        The data importer shall promptly notify the data exporter and, where appropriate, the controller of any request it has received from a data subject, without responding to that request unless it has been authorised to do so by the controller.

(b)       The data importer shall assist, where appropriate in cooperation with the data exporter, the controller in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(c)        In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the controller, as communicated by the data exporter.

Clause 11

Redress

(a)        The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

[OPTION: The data importer agrees that data subjects may also lodge a complaint with an independent dispute resolution body at no cost to the data subject. It shall inform the data subjects, in the manner set out in paragraph (a), of such redress mechanism and that they are not required to use it, or follow a particular sequence in seeking redress.]

 (b)      In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

(c)        Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

(i)        lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

(ii)       refer the dispute to the competent courts within the meaning of Clause 18.

(d)       The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(e)        The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

(f)        The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

(a)        Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b)       The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.

(c)        Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.

(d)       The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.

(e)        Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(f)        The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

(g)       The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

  1. [Where the data exporter is established in an EU Member State:] The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679:] The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.

[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

(b)       The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(a)        The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b)       The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(i)        the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

(ii)       the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;

(iii)      any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c)        The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

(d)       The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e)        The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). The data exporter shall forward the notification to the controller.

(f)        Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation, if appropriate in consultation with the controller. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the controller or the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1 Notification

(a)        The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

(i)        receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or

(ii)       becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

The data exporter shall forward the notification to the controller.

  1. If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
  2. Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). The data exporter shall forward the information to the controller.
  3. The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
  4. Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2 Review of legality and data minimization

(a)        The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

(b)       The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. The data exporter shall make the assessment available to the controller.

(c)        The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a)        The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b)       In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c)        The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(i)        the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;

(ii)       the data importer is in substantial or persistent breach of these Clauses; or

(iii)      the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority and the controller of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(d)       Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(e)        Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

[OPTION 1: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of _______ (specify Member State).]

[OPTION 2: These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of _______ (specify Member State).]

Clause 18

Choice of forum and jurisdiction

(a)        Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

(b)       The Parties agree that those shall be the courts of _____ (specify Member State).

(c)        A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

(d)       The Parties agree to submit themselves to the jurisdiction of such courts.

SECTION I

Clause 1

Purpose and scope

(a)        The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.

(b)       The Parties:

(i)        the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and

(ii)       the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’) have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

(c)        These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d)       The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a)        These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b)       These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a)        Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i)        Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii)       Clause 8.1 (b) and Clause 8.3(b);

(iii)      N/A

(iv)      N/A

(v)       Clause 13;

(vi)      Clause 15.1(c), (d) and (e);

(vii)     Clause 16(e);

(viii)    Clause 18.

(b)       Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a)        Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b)       These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c)        These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 – Optional

Docking clause

(a)        An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.

(b)       Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.

(c)        The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1 Instructions

(a)     The data exporter shall process the personal data only on documented instructions from the data importer acting as its controller.

(b)     The data exporter shall immediately inform the data importer if it is unable to follow those instructions, including if such instructions infringe Regulation (EU) 2016/679 or other Union or Member State data protection law.

(c)     The data importer shall refrain from any action that would prevent the data exporter from fulfilling its obligations under Regulation (EU) 2016/679, including in the context of sub-processing or as regards cooperation with competent supervisory authorities.

(d)     After the end of the provision of the processing services, the data exporter shall, at the choice of the data importer, delete all personal data processed on behalf of the data importer and certify to the data importer that it has done so, or return to the data importer all personal data processed on its behalf and delete existing copies.

8.2 Security of processing

(a)     The Parties shall implement appropriate technical and organisational measures to ensure the security of the data, including during transmission, and protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature of the personal data, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects, and in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.

(b)     The data exporter shall assist the data importer in ensuring appropriate security of the data in accordance with paragraph (a). In case of a personal data breach concerning the personal data processed by the data exporter under these Clauses, the data exporter shall notify the data importer without undue delay after becoming aware of it and assist the data importer in addressing the breach.

(c)     The data exporter shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

8.3 Documentation and compliance

(a)     The Parties shall be able to demonstrate compliance with these Clauses.

(b)       The data exporter shall make available to the data importer all information necessary to demonstrate compliance with its obligations under these Clauses and allow for and contribute to audits.

Clause 9

Use of sub-processors

N/A

Clause 10

Data subject rights

The Parties shall assist each other in responding to enquiries and requests made by data subjects under the local law applicable to the data importer or, for data processing by the data exporter in the EU, under Regulation (EU) 2016/679.

Clause 11

Redress

(a)     The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

[OPTION: The data importer agrees that data subjects may also lodge a complaint with an independent dispute resolution body at no cost to the data subject. It shall inform the data subjects, in the manner set out in paragraph (a), of such redress mechanism and that they are not required to use it, or follow a particular sequence in seeking redress.]

Clause 12

Liability

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b)       Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.

(c)        Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(d)       The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

(e)        The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.

Clause 13

Supervision

N/A

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(where the EU where the EU processor combines the personal data received from the third country-controller with personal data collected by the processor in the EU)

(a)        The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b)       The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(i)        the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

(ii)       the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;

(iii)      any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c)        The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

(d)       The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e)        The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).

(f)        Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

(where the EU processor combines the personal data received from the third country-controller with personal data collected by the processor in the EU)

15.1     Notification

(a)        The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

(i)        receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or

(ii)       becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

 (b)      If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

(c)        Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).

(d)       The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e)        Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2     Review of legality and data minimisation

(a)        The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

(b)       The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.

(c)        The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a)        The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b)       In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c)        The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(i)        the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;

(ii)       the data importer is in substantial or persistent breach of these Clauses; or

(iii)      the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(d)       Personal data collected by the data exporter in the EU that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall immediately be deleted in its entirety, including any copy thereof. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(e)        Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of _______ (specify country).

Clause 18

Choice of forum and jurisdiction

Any dispute arising from these Clauses shall be resolved by the courts of ________ (specify country).

APPENDIX

EXPLANATORY NOTE:

It must be possible to clearly distinguish the information applicable to each transfer or category of transfers and, in this regard, to determine the respective role(s) of the Parties as data exporter(s) and/or data importer(s). This does not necessarily require completing and signing separate appendices for each transfer/category of transfers and/or contractual relationship, where this transparency can achieved through one appendix. However, where necessary to ensure sufficient clarity, separate appendices should be used.

ANNEX I

  1. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Name: ___________________________________________

Address: _________________________________________

Contact person’s name, position and contact details: _________________________

___________________________________________________________________

Activities relevant to the data transferred under these Clauses:

___________________________________________________________________

___________________________________________________________________

Signature and date: ___________________________________________________

Role (controller/processor):

2. …

   

Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

Name: ___________________________________________

Address: _________________________________________

Contact person’s name, position and contact details: _________________________

___________________________________________________________________

Activities relevant to the data transferred under these Clauses:

___________________________________________________________________

___________________________________________________________________

Signature and date: ___________________________________________________

Role (controller/processor):

2. …

 

 

  1. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Categories of personal data transferred

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Nature of the processing

Purpose(s) of the data transfer and further processing

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

  1. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

 

EXPLANATORY NOTE:

The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Modules 1, 2 and 3

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

[Examples of possible measures:

Measures of pseudonymisation and encryption of personal data

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

Measures for user identification and authorisation

Measures for the protection of data during transmission

Measures for the protection of data during storage

Measures for ensuring physical security of locations at which personal data are processed

Measures for ensuring events logging

Measures for ensuring system configuration, including default configuration

Measures for internal IT and IT security governance and management

Measures for certification/assurance of processes and products

Measures for ensuring data minimisation

Measures for ensuring data quality

Measures for ensuring limited data retention

Measures for ensuring accountability

Measures for allowing data portability and ensuring erasure]

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

EXPLANATORY NOTE:

This Annex must be completed in case of the specific authorisation of sub-processors (Clause 9(a), Option 1).

ANNEX III LIST OF SUB-PROCESSORS

Modules 2 and 3

The controller has authorised the use of the following sub-processors:

1.         Name: …

Address: …

Contact person’s name, position and contact details: …

Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): …

2.         …

Mechanisms for Data Transfers under the GDPR:

The European Commission describes adequacy decisions as follows:

'The European Commission has the power to determine, on the basis of Article 45 of General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') whether a country outside the EU offers an adequate level of data protection.

The adoption of an adequacy decision involves:

  • a proposal from the European Commission;
  • an opinion of the European Data Protection Board;
  • an approval from representatives of EU countries; and
  • the adoption of the decision by the European Commission.

At any time, the European Parliament and the Council may request the European Commission to maintain, amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the regulation.

The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In others words, transfers to the country in question will be assimilated to intra-EU transmissions of data.'

The following jurisdictions have thus far been recognised as providing adequate protection for personal data (i.e. are party to an adequacy decision):

  • Andorra
  • Argentina
  • Canada (commercial organisations)
  • Faroe Islands
  • Guernsey
  • Israel
  • Isle of Man
  • Japan (private sector)
  • Jersey
  • New Zealand
  • Republic of Korea
  • Switzerland
  • Uruguay
  • UK (under GDPR and LED)
  • United States (commercial organisations participating in the EU-US Data Privacy Framework)

Appropriate safeguards include standard contractual clauses ('SCCs') adopted by the Commission and SCCs adopted by a supervisory authority and approved by the Commission (Article 46(2)(c) and (d) of the GDPR). These SCCs may be included in a contract with another party as a means of providing protection for personal data. While the CJEU Decision ruled that SCCs were valid, it also noted that they do not on their own necessarily provide an adequate level of protection. This means that an assessment of the transfer should be made and that supplementary measures may need to be utilised alongside standard SCCs in order to ensure there is adequate ongoing protection.

The assessment is the responsibility of the exporter and importer and should determine whether the third country provides adequate protection. Since the CJEU Decision emphasised surveillance laws and public authority access to personal data in the US, guidance on assessments has tended to similarly highlight public authority access to data. Supplementary measures may involve amendments to the standard SCCs, or technical/organisational security measures such as encryption, however further guidance on this matter is expected from the EDPB and supervisory authorities.

Prior to the CJEU Decision, the Commission issued the following decisions on EU controller to non-EU or EEA controller and EU controller to non-EU or EEA processor SCCs:

Finalised new SCCs

The Commission released, on 12 November 2020, revised SCCs for public consultation.

On 4 June 2021, the Commission announced that it had adopted two sets of new SCCs having taken into account the Schrems II judgment, the joint opinion of the European Data Protection Board and the European Data Protection Supervisor, feedback from stakeholders during the public consultation and the opinion of Member States' representatives. The new SCCs consist of:

  1. SCCs between controllers and processors; and
  2. SCCs for the transfer of personal data to third countries.

For further information, see the Schrems II Portal.

Binding corporate rules ('BCRs') are considered an appropriate safeguard under Article 46 of the GDPR.

BCRs are approved by the competent supervisory authority in accordance with the consistency mechanism set out in Article 63 of the GDPR, provided that they (Article 47(1) of the GDPR):

  • are legally binding and apply to and are enforced by every member concerned in the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;
  • expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and
  • fulfil the requirements laid down in Article 47(2) of the GDPR.

Processes for approving BCRs can be time consuming, however they have proved to be a popular mechanism for large multinational organisations and are becoming more common around the world.

Article 47(2) of the GDPR establishes information a BCR must specify, see EU - GDPR - Data Transfers.

The CJEU Decision, however, impacts BCRs in a similar manner to SCCs. BCRs are required to meet the same threshold for the ongoing adequate protection of personal data as SCCs. Therefore, the EDPB has noted that jurisdiction assessments and supplementary measures may be required for BCRs in the same fashion as they are for SCCs.

For further general BCR information see the following procedural documents endorsed by the EDPB:

The Commission provides an overview list of certain companies for which the EU BCR cooperation procedures is closed, last updated on 25 May 2018, and the EDPB provides a register of selected BCRs since 2019.

Article 40 of the GDPR sets out provisions for codes of conduct. Codes of conduct are voluntary tools developed by associations or other representative bodies that cover certain data protection issues and tend to apply within sectors. International data transfers is one of the topics that a code of conduct as recognised under the GDPR can cover. Codes of conduct must be approved by a supervisory authority, and supervisory authorities are also tasked with generally encouraging the use of codes of conduct.

There are several requirements for the information contained in a code of conduct, including that a mechnism is established for monitoring compliance. Article 41 of the GDPR details how a body may be accredited by a supervisory authority to monitor compliance with a code conduct. Organisations do not need to be subject to the GDPR in order to be an adherent to a code of conduct.

A code of conduct for international data transfers will need to ensure that relevant provisions on cross-border transfers, such as ongoing adequate protection of personal data, are complied with. Similarly to BCRs, the CJEU Decision impacts codes of conduct used for cross-border transfers as it sets a new threshold for what should be considered in assessing adequate protection.

For further information on codes of conduct, see the General Data Protection Regulation Portal.

Article 42 of the GDPR establishes processes for certification. Certification functions in a similar manner to codes of conduct, in that it too is a voluntary system that is monitored or regulated through an accredited body and is used by organisations as a means of demonstrating compliance. Article 43 of the GDPR sets out provisions for accreditation of certification bodies. Certification must be renewed at least every 3 years, and all certification mechanisms and data protection seals and marks are collected in a register by the European Data Protection Board ('EDPB'). Supervisory authorities within Member States as well as the EDPB have been steadily issuing guidance, opionions, and decisions on certification (see here).

Similarly to BCRs and codes of conduct, the CJEU Decision impacts certification mechanisms by setting a new threshold for cross-border data transfers.

Further to the above, in October 2022, the EDPB adopted Opinion 28/2022 on the Europrivacy Criteria of Certification regarding their Approval by the Board as European Data Protection Seal pursuant to Article 42(5) of the GDPR, which marks the approval of the very first European Data Protection Seal by the EDPB. For further information on the Europrivacy seal, see also the European Parliament's statement here.

For further information on certification mechanisms see:

Article 49 of the GDPR establishes that in the absence of an adequacy decision, or of appropriate safeguards pursuant to Article 46, including BCRs, SCCs, codes of conduct or certification, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

  • the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards; 
  • the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request; 
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; 
  • the transfer is necessary for important reasons of public interest; 
  • the transfer is necessary for the establishment, exercise or defence of legal claims; 
  • the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or
  • the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case. 

The EDPB has noted that, 'derogations under Article 49 are exemptions from the general principle that personal data may only be transferred to third countries if an adequate level of protection is provided for in the third country or if appropriate safeguards have been adduced and the data subjects enjoy enforceable and effective rights in order to continue to benefit from their fundamental rights and safeguards. Due to this fact and in accordance with the principles inherent in European law, the derogations must be interpreted restrictively so that the exception does not become the rule.'

The EDPB also stresses that the derogations under Article 49 are for specific situations and should be 'occasional' and 'not repetitive'. As such, Article 49 derogations should not be utilised as a mechanism for recurring international data transfers.

In regard to consent, the EDPB has further specified that consent must be:

In relation to other derogations, the EDPB emphasises the importance of a 'necessity test' and the complexities of assessing whether a transfer can be considered necessary. In general terms, the EDPB strongly encourages the use of other mechanisms than Article 49 derogations wherever possible.

Following the CJEU Decision, several EU Member State supervisory authorities noted that transfers to the US, or to other third countries deemed not to provide adequate protection, were still possible under Article 49 derogations, at least on a temporary basis. However, these authorities also tend to note that Article 49 should not be relied upon for repeating or regular transfers.

For further information on Article 49, see the EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679.

Company

Our Policies

Your Rights

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
© OneTrust, LLC. All Rights Reserved.
The materials herein are for informational purposes only and do not constitute legal advice.
Feedback