Questions regarding EU GDPR & ISO 27001 Integrated Documentation Toolkit

1. Regarding EU GDPR & ISO 27001 Integrated Documentation Toolkit:
Does it cover also ISO 27701:2019?

Please note that ISO 27701 was developed as an extension of ISO 27001 and ISO 27002. Considering that, ISO27001/GDPR toolkit is approximately 80% compliant with ISO 27701. The remaining 20% refers to small adjustments to include the protection of privacy in the context of the documents (e.g., where a document states “information security”, it now should state “information security and privacy”, and applicable controls should consider complementary privacy protection measures), and the inclusion of applicable controls specifically developed for ISO 27701 (in a total of 49 controls).

For further information, read:

• Relationship between ISO 27701, ISO 27001, and ISO 27002 https://advisera.com/27001academy/blog/2019/12/10/relationship-between-iso-27701-iso-27001-and-iso-27002/

2. Does it cover also GDPR cases where EU customer personal data is processed outside of EU in a country like ***? (like using standard data protection clauses adopted by the EU Commission, etc?)

The EU GDPR & ISO 27001 Integrated Documentation Toolkit has a full section dedicated to the transfer of personal data in a third country. The templates are indicated for all controllers subject to the EU GDPR wherever they are located. This section of the EU GDPR & ISO 27001 Integrated Documentation Toolkit includes templates of:

• Cross Border Personal Data Transfer Procedure
• Processor GDPR Compliance Questionnaire
• Supplier Data Processing Agreement
• Controller to Controller Data Processing Agreement
• Agreement for the Appointment of an EU Representative

3. Does there exist an employee contract template which takes into account GDPR?

Employee contracts are subject to local labor legislation so there is not template. However, in the EU GDPR & ISO 27001 Integrated Documentation Toolkit you can find:

• The Employee personal data protection policy on how the company handles the personal data of its own employee
• The employee privacy notice to inform the employee about the processing of their own personal data by the company when signing a job contract
• In the security measures section, there are most policies about how employees should handle personal data (of clients, suppliers, colleagues) like Access control policies, teleworking policies, etc. These policies should be known by employees and can be attached to their job contracts.

For more information, see:

• What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/
• How the GDPR could impact your HR department https://advisera.com/eugdpracademy/blog/2018/02/22/how-the-gdpr-could-impact-your-hr-department/

4. Does there exist a B2B contract template which takes into account GDPR when processing EU customer personal data in a country like ***?

As mentioned above, in the section of the EU GDPR & ISO 27001 Integrated Documentation Toolkit about data transfer there are some templates about the data transfer between controller and processor and among controllers.
This agreement can be used as an annex to the B2B agreement (your general terms and conditions) and signed jointly. You need to remember to insert a clause in your B2B agreement in which undertakers are aware of compliance with GDPR requirements and comply with the terms in the attached data processing agreement. Of course, you should also mention compliance with your local privacy law requirements!

This article may provide additional information:

• Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

5. Does there exist a B2B contract template which takes into account GDPR when EU customer personal data is processed outside of EU in a country like ***??

Because of the extraterritorial applicability of the EU GDPR, templates are not affected by the location of the company but only if the company is subjected to the EU GDPR requirements. If so, and the processing takes place in a third country, the transfer of the data section of the Toolkit will help to comply with contractual requirements. The easiest way is to develop a Data Processing Agreement and Standard Contractual Clauses as annexes to your own B2B agreement template (which vary depending on your own kind of activity).

To understand how to comply with GDPR requirements when a transfer of data outside the EU is involved, you can consider enrolling in our free online training:

• EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//