The transfer of personal data to another processor is permitted only if certain conditions apply, and the same holds for transfers to a data processor outside the EEA. Similarly, the transfer agreement must define the legal basis for direct and indirect transfers as well as subsequent transfers. When personal data is transferred or accessed outside the EEA, the transfer agreement between the parties must address not only the legality of the transfer but also the processing of personal data in general and all related PDMP requirements. For example, for data exports to a processor or subprocessor, the GDPR sets out detailed requirements that an agreement must include in addition to dealing with the transfer itself. The requirement to include mandatory information in transfer agreements is a significant change made by the GDPR. The GDPR expects a controller to use only a processor that provides sufficient guarantees to implement appropriate technical and organizational measures, so that the processing complies with the requirements of the GDPR and the rights of the data subject are respected. As a result, processors should carry out due diligence, before engagement, on the transferees being considered, including for indirect transfers. This should include an assessment of data transfers, especially since indirect transfers are, at first sight, invisible. When a transfer agreement is executed separately from the main service agreement, its interaction with the main agreement must be carefully considered. If provisions that would normally be included in a separate delegation contract are instead included in the main agreement, the broader provisions of the main agreement should be taken into account.
Data transfer agreements (whether controller to processor, processor to subprocessor or another combination of parties) are not new, but with the advent of the GDPR they get an upgrade and require much greater scrutiny and detail.
In each scenario, the parties should understand and record the underlying personal data that is transferred, so that each knows its own responsibilities and the responsibilities of the third party concerned as expressed in the transfer agreement. Consider the provision of services from processor to controller (or subprocessor to processor). The descriptions in the agreement should accurately reflect the processing of the data. Under the GDPR (as under the previous European data protection regime), the default position is that EU personal data cannot be transferred or accessed outside the EEA unless certain conditions are met: for example, if the European Commission has made an adequacy decision for a given country; or if appropriate safeguards have been put in place, such as binding corporate rules (BCRs), standard contractual clauses (SCCs) or Privacy Shield certification; or where exceptions (narrowly interpreted) apply to certain situations. The delegation agreement should define the conditions on which it is based and, if necessary, include the appropriate adequacy mechanism in the agreement itself, for example with regard to the use of standard clauses. A controller entering into a data transfer agreement with a processor must take care here: under the GDPR, data transfer agreements with processors (and subprocessors) must contain certain specific provisions and descriptions and, in general, the obligations and rights of the controller must be set out in the agreement. You should consider (especially if you are a controller) direct and indirect transfers (onward transfers) for both current and future transfers. A direct transfer is made when the recipient of the information, with which the exporter contracts, is established outside the EEA.