Few GDPR queries

Guest user, Created: Jun 05, 2018, Last commented: Jun 05, 2018


1. Is the PDP Policy not only an internal document of the organization? As per your Privacy Policy you have the link

Expert: Andrei Hanganu, Jun 05, 2018

2. Could you clarify the confidentiality level: what should we write, and why?
3. About the cross-border transfer of personal data. The current legislation, GDPR (EU) 2016/679, speaks about the free movement of data, so why do we need a Data Transfer Agreement, and with whom? And why should we obtain authorization from the Supervisory Authority? (Before 25 May 2018, the transfer was with a license.)
4. So we need only a Processor Data Processing Agreement, please approve...
5. Question from Section 8.1.3: If we are a Controller and provide services for non-EU companies with our nominee EU persons, what do we do in this case? In my opinion, we have an EU local Supervisory Authority and we have Processor Agreements with all our suppliers; is that lawful enough or correct...

Answers:

1. The Data Protection Policy is usually an internal document, but there are companies that choose to publish the document on their website in order to be more transparent in front of their clients.

2. Usually companies classify their internal documents based on their importance to the company. Personal data should at least be considered “Confidential”, so it can only be handled by the specific personnel that needs to process the data to fulfill their duties. For more information about “Information classification” you can check out our free article https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

3. A Data Transfer Agreement (DTA) is a contract between the providing and recipient organizations that governs the legal obligations and restrictions, as well as compliance with applicable laws and regulations, related to the transfer of such data between the parties. When you are transferring personal data outside the EEA, in addition to the DTA you must use appropriate safeguards in the absence of an adequacy decision. Appropriate safeguards are intended to provide enforcement and effective rights to individuals. All require prior approval from a supervisory authority. According to the GDPR, the appropriate safeguards are: Binding Corporate Rules, Standard Contractual Clauses, approved codes of conduct or certification mechanisms, ad hoc contractual clauses, and reliance on international agreements. Among the most used appropriate safeguards are the Standard Contractual Clauses.

The document “Standard contractual clauses for the transfer to Processors” is to be used when transferring personal data to countries outside the EEA; the same information can be found in the “Cross border data transfer procedure” (Cross Border Data Transfer (CBDT): transfer of personal data by controllers established in the European Union (EU) to recipients established outside the territory of the EU/EEA who act either as controllers or as processors). To learn more about cross-border data transfer, please check out our free webinar “How to make personal data transfers to other countries compliant with GDPR” https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/

4. If you are transferring data to a processor (supplier) which is located in the EU you need to use document 07.2 Supplier data processing agreement that can be found in folder 7 “Third party compliance” in the EU GDPR Documentation Toolkit.
5. I am not sure I understand the question very well. Please rephrase it and provide more details of what data you are processing in order to provide services to your non-EU clients. Please also define “nominee EU persons”.

To learn more about GDPR implementation please check out our free article “9 steps for implementing GDPR” https://advisera.com/articles/9-steps-for-implementing-gdpr/
