Cross Border Data Transfer
Scope, purpose and users
This Cross Border Data Transfer Procedure (hereinafter referred to as “Procedure”) is established in order to create a common approach throughout Client Technologies (hereinafter referred to as the “Client Technologies”) regarding all instances of transfers of personal data to a third country (hereinafter referred to as “Cross Border Data Transfer” or “CBDT”).
All Customers, Contractors, Job Applicants, Employees, Beneficiaries (from CSR) and Third Parties working for or acting on behalf of the Client Technologies must be aware of, and follow, this Procedure when considering transferring data outside the European Economic Area (EEA).
- Cross Border Data Transfer (CBDT) – Transfer of personal data by controllers established in the European Union (EU) to recipients established outside the territory of the EU/EEA who act either as controllers or as processors.
- Data Exporter – The controller who transfers the personal data.
- Data Importer – The processor established in a third country who agrees to receive, from the data exporter, personal data intended for processing on the data exporter’s behalf after the transfer, in accordance with exporter instructions and the terms of applicable laws, and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
- DPA – Data Protection Authority.
- DTA – Data Transfer Agreement.
- European Union and European Economic Area countries – The area set up by the EEA agreement, comprising the 28 Member States of the European Union and the three countries of EFTA (the European Free Trade Association), which are bound by the Agreement on the European Economic Area (EEA). The 28 Member States are Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom. The three EFTA countries which are also bound by the Data Protection Directive, through being part of the EEA, are Iceland, Liechtenstein and Norway.
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Third Country – Any country other than the EU and EEA Member States.
The rules set out in this Procedure apply to cross-border transfers that fall within the scope of the EU GDPR. This section explains the applicability and the extraterritorial reach of the GDPR.
This document is applicable to the Client Technologies entities under its direct or indirect control, excluding joint ventures.
It is important to highlight the extraterritorial applicability of the GDPR. The GDPR, and consequently this Procedure, applies to the processing of personal data in the context of the activities of Client Technologies entities (acting either as a controller or a processor) in the EU/EEA.
EU GDPR also applies to the processing of personal data of data subjects who are in the EU/EEA by a controller or processor not established in the EU/EEA, where the processing activities are related to:
- The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU/EEA; or
- The monitoring of their behaviour as far as their behaviour takes place within the EU/EEA.
The Policy applies to all departments and deals with transfers of personal data to third countries.
In the event that any of the rules laid out in this document are in conflict with local laws and regulations, the latter shall prevail.
Cross Border Data Transfers
The EU GDPR allows personal data transfers to a third country only if a set of conditions is fulfilled.
The EU GDPR allows for personal data transfers to countries whose legal regime is deemed by the European Commission to provide for an “adequate” level of personal data protection. Thus, Client Technologies, in the absence of a European Commission adequacy decision, will transfer personal data to non-EU states by using the standard contractual clauses listed in Annex 1 and Annex 2 to this document.
Standard Contractual Clauses
Use of the EU-prescribed templates
The European Commission has defined standard contractual clauses which need to be used when transferring the personal data outside of the EU/EEA. The Commission has approved clauses listed in Annex 1 and Annex 2.
The content of the standard contractual clauses must not be modified unless there is express authorization from the competent Data Protection Authority/Supervisory Authority. Any unauthorized modifications will cause the CBDT to become void.
The standard contractual clauses set obligations on both the exporter and the importer of the data to ensure that the transfer will protect the rights and freedoms of the data subjects.
The Data Protection Officer (DPO) will be responsible for monitoring the official European Commission website (http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm) as well as other communication channels to quickly identify any new versions of the standard contractual clauses and update Annex 1 and Annex 2 of this Procedure.
Controller to controller standard contractual clauses
When the Company is acting as a data controller and is sending data to another entity located outside the EEA which is also acting as a data controller, the DPO is responsible for completing the documents in Annex 1 to ensure the lawfulness of the cross-border data transfer.
Controller to processor standard contractual clauses
When the Company is acting as a data controller and is sending data to another entity located outside the EEA which is acting as a data processor, [job title] is responsible for completing the documents in Annex 2 to ensure the lawfulness of the cross-border data transfer.
Any individual who breaches this Procedure may be subject to internal disciplinary action (up to and including termination of their employment) and may also face civil or criminal liability if their action violates the law.
Name: Shubhangi Hedau