When a transfer agreement is executed separately with the main service agreement, interaction with the main agreement must be carefully considered. If provisions that would normally be included in a separate delegation contract are indeed included in the main agreement, the broader provisions of the main agreement should be taken into account. The transmission of personal data to another processor is only permitted if certain conditions apply, as well as for transfers to a data processor outside the EEA. Similarly, the transfer contract must define the legal basis for direct and indirect transfers as well as subsequent transfers. Specific obligations for RGPD processors are listed below and must be reflected in the agreement between the processor and the processor (or the transformer and subprocesser). The terms of the transfer and personal data are contained in Appendix B. The parties agree that Schedule B may contain confidential business information that it does not share with third parties, unless required by law or in response to a competent regulatory or government authority or in accordance with Clause I. The parties may make additional annexes to cover the additional deferrals that will be submitted to the Authority if necessary. Appendix B may, in the alternative, be drafted to cover several transfers. A DTA must be set up by a member of the contract team at the research office prior to the data transfer. The descriptions in the agreement should accurately reflect the processing of the data. According to the RGPD (as in the old European data protection system), the default position is that EU personal data cannot be transferred or accessed outside the EEA unless certain conditions are met. For example, if the European Commission has made a decision on a suitability for a given country; or if appropriate security measures have been put in place, such as mandatory business rules (C.B), standard contractual clauses (CSR) or Privacy Shield certification; or where exceptions apply to certain situations (narrowly interpreted).
The delegation agreement should define the conditions on which it is based and, if necessary, include the appropriate adequacy mechanism in the agreement itself, for example with regard to the use of standard clauses. Whenever possible, it is good practice to research coded or completely anonymized data. In the event that identifiable information is requested by third parties or staff, it is important to ensure that any duty of trust is not breached. The terms of the initial consent should be reviewed to determine whether the proposed use is covered by third parties and, if not, authorization should be obtained if necessary. It should be noted that personal data should not be disclosed unless consent is available and the storage area is secure, if personal data is transferred or accessed outside the EEA, the transfer agreement between the parties must not only take into account the legality of the transfer, but also take into account the handling of personal data in general and take into account all requirements. related to it. For example, for data exports to a processor or subcontractor, the RGPD sets out detailed requirements that an agreement must include in addition to dealing with transmission. The requirement to include mandatory information in transfer agreements is a significant change made by the RGPD. As a data exporter, you execute such a transfer agreement with the accent unit or a third-party unit as a data importer or you get them to execute that data transfer agreement. What must be included in the agreement depends on the use of a waiver, a derogation or other transfer mechanism to legitimize the transfer of personal data.