International personal data transfers – Binding Corporate rules (BCR) under GDPR – and Cross boarder documentation

"I have been through the forwarded material around GDPR compliance and I have the following questions:

1. International personal data transfers – Binding Corporate rules (BCR) under GDPR – and Cross border documentationHow do we secure compliance? Is it by fill in and sign the Cross Border document or do we need another agreement?

I assume you are referring to the documentation in the EU GDPR Documentation Toolkit. As you may know, Binding corporate rules (BCR) under Article 47 GDPR apply to group companies for transfers inside the same group, and to be compliant must be approved by the competent Data Protection Authority (DPA) following the procedure in Article 63 GDPR which is quite complex.

BCR must

BCR are quite complex and not suitable for small-medium companies, with a long and complex adoption procedure. Maybe, your question referred to the Standard Contractual Clauses, which are used for assuring the transfer of data between companies that do not belong to the same group.

These are contained in Folder 7 of the EU GDPR Documentation Toolbox that you bought. If so, you need to attach the Data Transfer Agreement to the original Agreement with the other Party selecting the right template depending if you are transferring to a data processor or to a data controller.

2. When we have “employed” sellers and consultants with their own companies which invoices their “salary” to Digizuite, do we then need specific Data processing agreements with each of them?

Do your sellers and consultants process personal data on your behalf in their job? If they do, you need to sign a specific data processing agreement with each of them independently from the use of Digizuite. Maybe sellers relate with customer's personal data and you need to assure the process data being compliant with GDPR requirements as data processors.

3. I can’t find a Data Processor agreement in your material. Why isn’t it part of the toolkit?"

In the EUGDPR Documentation Toolkit, you can find 2 templates of Data Processor Agreement in Folder 8 - Third Party Compliance.

Here you can find some useful material about data transfer:

• 3 steps for data transfers according to GDPR: https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/
• Standard Contractual Clauses for the Transfer to Processors and Standard Contractual Clauses for the Transfer to Controllers.: https://info.advisera.com/eugdpracademy/free-download/standard-contractual-clauses-annexes
• EU GDPR Article 44 – General principle for transfers: https://advisera.com/eugdpracademy/gdpr/general-principle-for-transfers/
• EU GDPR Article 45 – Transfers on the basis of an adequacy decision: https://advisera.com/gdpr/transfers-on-the-basis-of-an-adequacy-decision/
• EU GDPR Article 46 – Transfers subject to appropriate safeguards: https://advisera.com/gdpr/transfers-subject-to-appropriate-safeguards/
• EU GDPR Article 47 – Binding corporate rules: https://advisera.com/gdpr/binding-corporate-rules/
• Free webinar – How to make personal data transfers to other countries compliant with GDPR: https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/
• EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/

You can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//