I am working on my company’s GDPR compliance documents and am using the EU GDPR toolkit to aid in this process. I have a question regarding cross-border personal data transfers. In particular, my company (as a processor) was given a cross-border agreement to sign (see attached) that we initially thought might make a good form to have our own processors sign. But, in reviewing the EU site, the Toolkit, and applicable law, it appears that you cannot modify the terms of the EU’s form agreements (Annexes 1 and 2) or they become unenforceable.
Two things: first, the document is a Data Processing Agreement and not a Cross Border Data Transfer Agreement; these are two distinct documents.
Regarding the Annexes of the Data Processing Agreement, Annex 1 is consistent with the requirements of EU GDPR article 28(3) – Processor (https://advisera.com/eugdpracademy/gdpr/processor/) and the information in there should reflect the processing activity that is undertaken by the processor.
Annex 2 presents just some illustrative measures which should be treated as sample measures taken to ensure the security of processing, so they can definitively be changed based on your needs.