GDPR Annex 1 – Standard Contractual Clauses for the Transfer of Personal Data Controller to Controller

by Rajeshwari Kumar

Term Definitions

What is a data subject (also known as an end-user)? Any person who has created a unique username on the organization’s website, which gives them the possibility of using that username to perform certain tasks and use the features offered on the website.

What is personal data? Any unique data which relates to an individual data subject. This can include information such as name, phone number, email address, ID number, health records, political opinions, IP address, etc.

What is the processing of personal data? Any act performed on the collected personal data of an organization’s data subjects. This may include actions such as storing the data, analyzing it to extract insights, or deleting it once it is no longer required.

What is a data controller? An organization or person who determines the use of the personal data collected from the data subjects. The data controller owns the collected personal data, decides how it will be processed, and bears the sole responsibility for safekeeping it.

What is a data breach? Any intentional or unintentional security incident that involves sharing personal data with unauthorized parties. Sharing personal data may include viewing, copying, stealing, or altering that data.

Data Transfer Purpose

  • Organizations participate in joint-partner ventures with the goal of sharing information and processing to use the outcome for separate or joint services. The sharing of information between two or more data controllers, whether within the EEA or outside, is a data transfer.
  • The SCC is required to appear in the joint-partner contract, and it covers the purpose and means of processing personal data. The main goal of the SCC is to ensure that all parties share the responsibility of safeguarding personal data during and after the transfer.
  • Any auditor may request to review the SCC in the scope of an internal or external audit.

Scope and Applicability

  • The SCC collates the steps required for complying with the GDPR restrictions on this matter. Transferring personal data, also known as a cross-border transfer, requires special attention. The SCC lays out in clear, everyday language who the parties to the joint venture are, what its goal is, and how all parties intend to keep the personal data safe, thus protecting the privacy of their end-users.
  • Protecting personal data applies to all parties within or outside the EU borders.

Data Protection Responsibilities

1. Each party shall keep the personal data accurate and, where necessary, up to date. The data importer shall take every reasonable step to ensure that personal data which is inaccurate, having regard to the purpose(s) of processing, is erased or rectified without delay.

2. The SCC will furthermore impose the obligation that the data importer shall retain the personal data for no longer than necessary for the purpose(s) for which it is processed. The data importer shall implement appropriate technical or organizational measures to ensure compliance with this obligation, including erasure or anonymization of the data and all backups at the end of the retention period. The same applies to the data exporter.

3. Masking: masking the data ensures that identifying details of the end users are not shared with the data importers. If specific concerns or questions arise, these attributes may be requested on a need-to-know basis. This applies to both importers and exporters.

4. Encryption: both the exporter and the importers will hold a key to unlock the data, and that key will be rotated every 12 hours. The encryption tool will keep a log that captures who opened the data files, when this happened and where they were. This applies to both importers and exporters.

5. Storage access restrictions: the personal data will be kept on the exporters’ servers, and access to it will be granted only to certain individuals in the importers’ organizations. This applies to both importers and exporters.
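One way the masking, 12-hour key rotation and access-logging obligations in items 3 to 5 could be checked in code, as an added example that is not part of the Annex; the keyed-HMAC pseudonymization, the field names, the sample record and the key are assumptions, not something the Annex prescribes.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Category examples from the Annex that directly identify the data subject.
IDENTIFYING_FIELDS = ("name", "phone_number", "email_address", "ip_address", "id_number")
# Remaining category and special-category examples, passed through unchanged.
ALLOWED_FIELDS = ("marital_status", "number_of_children", "annual_income",
                  "political_opinions", "religious_beliefs", "sexual_orientation")
KEY_ROTATION_PERIOD = timedelta(hours=12)   # rotation interval stated in the Annex


def pseudonym(field, value, key):
    """Keyed, deterministic token (assumed technique): the importer can link
    records across transfers but cannot recover the original value."""
    msg = f"{field}:{value}".encode("utf-8")
    return "masked:" + hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def mask_record(record, key):
    """Build the record the importer receives; fields outside both lists are dropped."""
    masked = {}
    for field, value in record.items():
        if field in IDENTIFYING_FIELDS:
            masked[field] = pseudonym(field, value, key)
        elif field in ALLOWED_FIELDS:
            masked[field] = value
    return masked


def key_needs_rotation(issued_at, now):
    """True once a key has been in use for the full 12-hour rotation period."""
    return now - issued_at >= KEY_ROTATION_PERIOD


def access_log_entry(who, where, filename, now):
    """Who opened which file, when and from where, as the Annex requires the tool to log."""
    return {"who": who, "when": now.isoformat(), "where": where, "file": filename}


if __name__ == "__main__":
    # Constructed sample record and key; not real data.
    record = {"name": "Jane Example", "email_address": "jane@example.test",
              "annual_income": 52000, "internal_note": "not a listed category"}
    key = b"constructed-pseudonym-key"
    print(mask_record(record, key))
    issued = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
    print(key_needs_rotation(issued, issued + timedelta(hours=13)))
```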

The Nature of the Data being Transferred

The data shared between the parties contains any of the personal data that the data subject willingly provided while creating the username or afterwards.

Category examples:

  • Name
  • Phone number
  • Email address
  • IP address
  • ID number
  • Marital status
  • Number of children
  • Annual income

Special Category examples:

  • Political opinions
  • Religious beliefs
  • Sexual orientation

Data Breach Obligations

The data importer is obligated to notify the exporter immediately if any data breach occurs, regardless of whether it resulted from human error, malicious attempts, etc.

The data exporter must report the breach to the proper GDPR authorities within hours of receiving the notification. The report must include:

1. Immediate Actions: an assessment of the breach's ramifications, what caused the breach, and who will be responsible for mitigating its impact and notifying the customers and authorities.

2. General Information: location, date and time, how it was discovered, the scope of the breach, and the organization’s details.

3. Details: the specifics of the breach, how the organization plans to deal with it, and the consequences of the breach.

4. Notification (both the GDPR authorities and the customers): how they were notified, by whom, and the point of contact (POC).

5. Lessons Learned: how the organization can do better in the future, which new tools or procedures are required, and the personal ramifications in case of human error.

Terminating the SCC

  • The agreement can be terminated by either party to the joint venture at any given moment. The fine, notice period, etc., must be included in the contract between the parties.
  • The termination of the SCC must include the deletion of all the personal data by the data importer, both on the primary and backup servers.

Key Takeaways

  • The SCC needs to outline the processes aimed at safeguarding the personal data of all joint venture parties.
  • The SCC needs to outline the tools which will be used to safeguard the personal data of all parties to the joint venture.
  • The SCC needs to lay out the fines for any data breaches on the side of the data importer.