The GDPR provides a set of new transfer mechanisms, including approved codes of conduct, certification mechanisms, seals and marks as an appropriate safeguard for data transfers. However, they must be provided in conjunction with binding and enforceable commitments of the recipient controller or processor in the third country. Transfers of personal data to a third country are prohibited unless an adequacy decision, appropriate safeguard or derogation can be applied. ‘Third country’ in GDPR terminology often means any country or territory outside the EEA. The new “Privacy Shield”/Safe Harbor mandates are relevant with regards to international data transfers, primarily to the USA.
Under the new GDPR mandates data processors will be required to comply with some obligations regarding the manner in which they process the data controller’s data. Besides implementing appropriate technical and organisational measures to ensure a level of security appropriate to the relevant risks and the ability to restore data promptly and regular testing.
It will still be necessary for the data controller to enter into a written agreement with the processor, but the GDPR is more prescriptive on the content. Article 28 of the GDPR significantly increases the requirements that the agreement must oblige the processor to comply with certain minimum obligations.
What are the examples of the types of requirements that could be included in data sharing/supplier contracts to ensure GDPR compliance on data transfers? The general components of the agreement must contain the following items.
- Have in place appropriate technical (“Privacy Enhancing Technology”) and organisational protective measures (“OPMs”) against unauthorised or unlawful processing, or the accidental loss, destruction, alteration, disclosure, access or unapproved use, sharing or breach of any Personal/Sensitive Data acquired or aggregated by it pursuant to this Agreement;
- Take reasonable steps to ensure the reliability of the Supplier Personnel who have access to the Personal/Sensitive Data and that the organisation has an effective training and ongoing assurance programme;
- Provide the Controller with such information, assistance and cooperation to provide detailed transactional logs regarding PII/Sensitive data, attacks against websites or social media sites, abuses of identity or privileges, validation of PII Data destruction, transfer of Data Controller; these events and the subsequent actions shall be maintained at evidential quality in accordance with applicable standards and maintain the chain-of-custody in support of eDiscovery; these logs and event actions are required to establish the Supplier’s and Supplier’s subcontractor’s compliance with the obligations relating to data protection and Information Governance contained in the applicable data protection legislation; and
- Inform the appropriate Authorities of the relevant members of the controller or Country Authority as soon as reasonably practicable, of any breach of security or any particular risk of which it becomes aware, to the safety and security of any of the Personal/Sensitive Data being processed.
- Inform the affected individuals, by said breach, by the applicable Laws regarding a reporting of events related to compromises to PII Data.
The above issues can prompt the company to conduct a data transfers audit. The first five relevant preliminary questions in connection with the data transfer audit performed by The EUGDPR Institute are:
- Are the transfers of any personal data (overseas) going outside of the EEA?
- To whom and why are you sending the data?
- Is the transferred personal data processed on your behalf?
- Are you sharing personal data with a third party organisation (to be used by them for their purposes?
- If you are sharing personal data within the intra-group – is Binding Corporate Rules an option?
Contact us for training, certification or an audit/assessment of your GDPR journey! (firstname.lastname@example.org)
As ever, ALL VISITORS AND READERS OF THIS BLOG/SITE must have their legal advisors review and advise on any contractual obligation. The EUGDPR Institute is neither a Law Firm nor are we licensed to provide legal advice.