International personal data transfers – Binding Corporate rules (BCR) under GDPR – and Cross border documentation

Guest user Created:   Jun 29, 2020 Last commented:   Jul 01, 2020

I have been through the forwarded material around GDPR compliance and I have the following questions:

1. International personal data transfers – Binding Corporate rules (BCR) under GDPR – and Cross border documentation
How do we secure compliance? Is it by filling in and signing the Cross Border document or do we need another agreement?

2. When we have “employed” sellers and consultants with their own companies which invoice their “salary” to Digizuite, do we then need specific Data processing agreements with each of them?

3. I can’t find a Data Processor agreement in your material. Why isn’t it part of the toolkit?

Expert
Alessandra Nisticò Jul 01, 2020

"I have been through the forwarded material around GDPR compliance and I have the following questions:

1. International personal data transfers – Binding Corporate rules (BCR) under GDPR – and Cross border documentation
How do we secure compliance? Is it by filling in and signing the Cross Border document or do we need another agreement?

I assume you are referring to the documentation in the EU GDPR Documentation Toolkit. As you may know, Binding corporate rules (BCR) under Article 47 GDPR apply to group companies for transfers inside the same group, and to be compliant must be approved by the competent Data Protection Authority (DPA) following the procedure in Article 63 GDPR, which is quite complex.

BCR must

  • be enforceable to all companies of the group and legally binding,
  • assure data subjects' rights,
  • provide information and contacts of the group and each company belonging to the group,
  • provide information on data transfers, data subjects involved, third countries of destination,
  • assure the application of the principles laid out in GDPR, such as data minimization, data retention period, purpose limitation, data quality, data protection by design and by default,
  • accept liability for any breach of the BCR by any company of the group as reported by the competent DPA,
  • assure compliance of all group’s companies to BCR with audits, employees’ training to follow BCR, and willingness to modify and implement BCR to DPA’s new requirements,
  • cooperate with and report to DPA any data breach.

BCR are quite complex and not suitable for small-medium companies, with a long and complex adoption procedure. Maybe your question referred to the Standard Contractual Clauses, which are used for assuring the transfer of data between companies that do not belong to the same group.

These are contained in Folder 7 of the EU GDPR Documentation Toolbox that you bought. If so, you need to attach the Data Transfer Agreement to the original Agreement with the other Party, selecting the right template depending on whether you are transferring to a data processor or to a data controller.

2. When we have “employed” sellers and consultants with their own companies which invoice their “salary” to Digizuite, do we then need specific Data processing agreements with each of them?

Do your sellers and consultants process personal data on your behalf in their job? If they do, you need to sign a specific data processing agreement with each of them independently from the use of Digizuite. Maybe sellers deal with customers' personal data, and you need to ensure that they process data in compliance with GDPR requirements as data processors.

3. I can’t find a Data Processor agreement in your material. Why isn’t it part of the toolkit?"

In the EU GDPR Documentation Toolkit, you can find 2 templates of Data Processor Agreement in Folder 8 - Third Party Compliance.

Here you can find some useful material about data transfer:

You can consider enrolling in this EU GDPR Foundations Course: https://training.advisera.com/se/eu-gdpr-foundations-course//
