GDPR Annex 3 - Standard Contractual Clauses For The Transfer of Personal Data Processor To Processor

Scope and Purpose

This annex is a mandatory clause of the agreement, and it covers the purpose and means of the processing of the personal data. Any auditor may request to review it in the scope of an internal or external audit.

The required steps for complying with the statutes of data sharing are –

1. The organizations who are taking part in the data processing: Explains which organization will process which data.

2. The goal of the data transfer: Explains which personal data will be transferred, how it will be processed and the restrictions that apply to both processors.

3. Data protection measures: Explains the steps that the processors of the data will follow in order to protect it, both technical and procedural, and how they will inform the data controller of any data breaches.

4. Proxy for data protection: Ensures that all data processors understand that they must allow the end-users to access, rectify, or delete their personal data, as stipulated by the GDPR.

5. Accountability: Details the liability in case one processor breaches the term of the contract, and causes harm to one or more of the other parties.

Term Definitions

Who are the Parties Involved?

The cloud-based sharing of files, information and analyses has made it very easy and worthwhile for companies to share the personal data of their end-users. Sharing this data with one or more processing organizations can be leveraged for multiple purposes, such as DR capabilities, standard backup, or brute force of analysts. Sharing such information between two (or more) data processors, when one or more of them is outside of the EEA, requires a standard contractual clause known in the GDPR as “Annex 3”.

What is a data subject (also known as an end-user)?

Any person who created a unique username on the organizations’ website, thus giving them the possibility of using that username to perform certain tasks and use features offered on the website.

What is personal data?

Any type of unique data which relates to an individual data subject. This can include such information as Name, phone number, Email address, ID number, health records, political opinions, IP address, etc.

What is the processing of personal data?

Any act that is performed on the collected personal data of all the organizations’ data subjects. This may include such actions as storing the data, analyzing it in any way to extract insights or deleting it once it’s no longer required.

What is a data controller?

An organization or person who determines the use of the collected personal data from the data subjects. The data controller owns the collected personal data, decides in which ways it will be processed and bears the sole responsibility for safekeeping it.

What is a data processor?

A person or organization which was hired by the data controller to act as their proxy in all matters of handling the personal data which was collected by the data controller. This may include such tasks as storing, retrieving, or analyzing it.

What is a data breach?

Any intentional or unintentional security incident, which involves the sharing of personal data with any unauthorized element. Sharing of personal data may include the viewing, copying, stealing, or altering of the personal data.

Types of Processed Personal Data

Examples –

1. Name
2. Phone number
3. Email address
4. IP address
5. ID number
6. Marital status
7. Number of children
8. Annual income
9. Political opinions
10. Religious beliefs
11. Sexual orientation

Obligations of the Data Exporter

1. To describe the relations between the multiple data processors.

2. Explain which tools and processes are planned to be used to protect the personal data.

3. Describe the penalties for data breaches.

4. Accuracy: If the data importer becomes aware that the personal data it has received is inaccurate or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to rectify or erase the data.

5. Duration of processing and erasure or return of data: Define the length of time in which the parties can keep the personal data for the purpose of processing it.

6. Sensitive Data: Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply specific restrictions and/or additional safeguards. E.g.: Masking data.

Obligations of the Data Importer

1. To comply with all the GDPR statutes, same as what the exporter has committed to.

2. To immediately notify the exporter of any data breaches.

3. Ensure that the shared personal data stays safe and secure.

4. Store the data only until it has served its purpose, and no longer than that.

Transfer Details

Both data processors will perform the same processing of the personal data supplied by the data controller and by working in two different time zones, will effectively “chase the sun” to provide twenty-four-hour coverage, seven days a week. This methodology ensures that the data will be available during the regular business hours in each country.

The main goal of the processing of the data will be to provide DR recovery capabilities to the data controller within the following parameters –

1. RPO: 2 hours
2. RTO: 25 minutes

The personal data which will be shared will include –

1. Name (Last, First)
2. Phone number (Cell, Work, Home)
3. Email address
4. IP address (Home)
5. Marital status
6. Number of children
7. Annual income ($)

Security Measures

Tools -

1. Using cloud-based data: Using only the data stored on the cloud will ensure that any process made by one processor will be used by the others, thus ensuring that no data duplicates will be mistakenly made.

2. Encryption: All the processors will have a key to unlock the data, and this key will be rotated every 12 hours. The encryption tool will keep a log that captures who opened the data files, when this happened and where they were.

3. Storage access restrictions: Since all the personal data will be kept on the data controllers’ cloud, access to it will be given to certain individuals in the data processors’ organizations.

Processes -

1. No downloading of the data: The data on the cloud won’t be able to be downloaded by any of the processors

Data Subject Rights

The data importer is obliged to follow the same GDPR statutes that the exporter committed to when it first started to collect the personal data of its data subjects. This includes responding in a timely manner to their DSAR’s, while using clear everyday language.

In case of a justified request to erase personal data, the exporter shall include the servers of the importer on the list of databases that must expunge the personal data. The importer will send a validation of the erasure to the exporter once it has followed the request. The same shall apply to any rectification request for personal data.

Terminating the SCC

The clauses stated above shall take effect once the transfer of the personal data has started and will remain valid until the contract has been terminated and all personal data has been expunged from the importer’s servers. The termination of the agreement can be done by either party to the joint venture at any given moment. The fine, duration of notice, etc. need to be included in the contract between the parties. The termination of the SCC must include the deletion of all the personal data by the data importer, both on the primary and backup servers.