Under the Privacy Shield, when personal data is transferred to a third party acting as a controller, the participant must "enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual". Where the third party acts as an agent rather than as a controller, the Privacy Shield participant must itself ensure that the transfer is carried out only for limited and specified purposes. Whether the recipient is a controller or an agent, the data must be afforded the same level of protection as the Privacy Shield Principles require. The specific commitments of a GDPR processor are listed below and should be included in the agreement between the controller and the processor (or between the processor and its sub-processor). A transfer of personal data to another controller is permitted only if certain conditions are met, and the same applies to transfers to a processor established outside the EEA. The data transfer agreement must therefore define the legal basis for each transfer, whether direct, indirect or onward, and that legal basis must be stated explicitly. This should include a reference to any ongoing direct and indirect transfers and the legal basis for onward transfers. Privacy Shield certified organizations should use the additional nine months to carefully review all of their contracts with third parties, to confirm that they comply with the Onward Transfer Principle and to assess whether those third parties are able to protect personal data to the standard the Privacy Shield requires. Because the Privacy Shield requirements are so specific, in most cases an organization's vendor and service agreements will need to be amended in order to comply with the Privacy Shield Principles.
An agreement between the parties must take account of the following kinds of data transfer: you should consider (especially if you are a controller) both direct transfers and indirect (onward) transfers, current and future. A direct transfer takes place when the recipient with which the exporter concludes the contract is established outside the EEA.
An indirect transfer takes place when the contracting party has its registered office in the EEA but engages sub-processors or other subcontractors outside the EEA, including group companies. As under the Safe Harbor, the Privacy Shield's Onward Transfer Principle requires that when a U.S. company certified under the Privacy Shield transfers data to a third party, such as a service provider, it may do so only if the third party complies with the applicable data protection principles. The requirements, however, go beyond those of the Safe Harbor. The data transfer agreement must also reflect the relevant mandatory requirements of the GDPR. Before you start reviewing or drafting the contract, you need to establish the relationship between the parties, for example whether the data are transferred controller-to-controller, controller-to-processor, processor-to-processor, or some combination of these. Data transfer agreements (whether controller-to-processor, processor-to-sub-processor, or another combination of parties) are not new, but with the advent of the GDPR they require a much higher level of control and detail. Exactly what needs to be included in the agreement depends on whether a derogation, an adequacy decision or another transfer mechanism is relied on to legitimize the transfer of personal data. For some transfer mechanisms it may be appropriate to incorporate the mechanism into the agreement itself, for example when Standard Contractual Clauses (SCCs) are used for a controller-to-processor transfer. The agreement should also refer to other relevant agreements. Where personal data is transferred to, or accessed from, outside the EEA, the data transfer agreement between the parties must address not only the lawfulness of the transfer itself but also the processing of the personal data in general, and must contain all related GDPR requirements. . . .