Intra Group Data Processing Agreement

If you deploy different sets of data processing rules, you must specify where and when each set is applied. If you apply multiple sets of data processing rules to a particular category of data, you can also specify the priority rules.

I suspect that very few SME groups have entered into formal agreements on data sharing – although I do not have data to support these suspicions – for the simple reason that, in the past, there was little risk of not complying with the rules on sharing personal data within groups. It remains to be seen whether this will change under the new data protection regime. While the potential penalties for non-compliance are more severe, regulators' resources are already overloaded and this type of hidden compliance issue may not be brought to anyone's attention unless there is a serious data breach. Even then, the lack of a data-sharing agreement may not be significant.

Data subjects: The personal data transmitted relate to the following categories of data subjects (please specify)

a transfer of corporate personal data from a processor to a processor or between two entities of a processor, in all cases where such a transfer is required by data protection laws (or by the terms of data transfer agreements established for restrictions on the transfer of data from data protection laws) would be prohibited;

If different categories of personal data may be transferred within the group and these different categories are subject to different rules, it is particularly important to identify the data in question. If the transfers are made on the basis of the controller to the processor or if the transfers outside the EEA are made in accordance with the standard contractual clauses, the identification of the data is mandatory. Companies must adopt the clauses without revisions or modifications in order to benefit from the appropriate exemptions under the EU's General Data Protection Regulation under clause 2.
Companies are not prohibited from adding commercial clauses on liability, warranties, exclusions and indemnification, but cannot conclude clause 12, e.g. rendering the clauses completely invalid through an absolute limitation of liability.

In practice, however, it is preferable to address risk allocation in separate trade agreements in order to avoid complicating or delaying the implementation of new CBAs in which both parties have a common interest. In many cases, trade agreements are already in place or are negotiated by separate teams of lawyers and procurement professionals who prefer that privacy experts not interfere with the intricacies of data processing agreements.

The difficult question is: what happens to the data shared after termination? The type of release affects the response. For example, data disclosed to the processor on the basis of a controller must be deleted or returned in accordance with the processing clauses in accordance with Article 28. If data is provided under the Standard Contractual Clauses, these clauses will continue to apply notwithstanding the termination of the IGA.

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection. The processor in any event (the data exporter). The sub-processor in any event (the data importer). Has agreed on the following contractual clauses (the clauses) in order to provide adequate safeguards in this respect which concerns the protection of privacy and the rights and freedoms of natural persons with regard to the transfer of the personal data listed in Annex A by the data exporter to the data importer.

Some companies have started to incorporate legally required data processing conditions into trade agreements. Others have created detailed supplements, state by state, with complicated and repetitive terms. Formal agreements often mix business issues such as risk allocation with compliance issues, the legal need to set specific contractual terms, and lead to lengthy negotiations and documentation that cannot be easily used for new contracts.
To avoid the negative impact on sales cycles and legal budgets, companies should consider grouping mandatory clauses into a short set of privacy standards that they would accept as customers or service providers – something most companies do in different parts of their business.

Processing of personal data for the purposes of personnel and assessment services, assistance in the recruitment, development and evaluation of staff for the group of data controllers. Online assessments can be used for profiling to assess candidates' suitability for a position.

Multinational companies that insist on separate and direct bilateral contracts between each subsidiary and each subcontractor on the supplier side are demanding something unfeasible. In most cases, solutions should include hub-and-spoke contract templates in which an entity in the customer group works with an entity in the supplier group and then passes the contractual obligations to their respective subsidiaries. Establishment by reference and signature of a contract by several parties should also be considered. To assist each other, the parties could agree to sign separate and additional bilateral versions if legitimately needed.
