Utilization of 11.A.15.2 and 11.A.15.1 documents

Answer:

"Supplier Data Processing Agreement" is the document that should be used when you are acting as a data controller and you are sending personal data to a processor which is established in the EEA or a country without an adequacy decision. The document establishes the obligations of the data controller pursuant to EU GDPR art. 28 - Processor (https://advisera.com/eugdpracademy/gdpr/processor/) and I would not suggest amending it except when you need to adapt it to your own business needs.

The "Standard Contractual Clauses for Transfer of Personal Data to Controllers" should be used when sending data to a company that is established outside the EEA. This is one of the safeguards provided by art. Articl e 46 – Transfers subject to appropriate safeguards (https://advisera.com/gdpr/transfers-subject-to-appropriate-safeguards/) and the text was drafted by the EU Commission and it should not be amended. This document is to be used when data is being transferred between entities that both act as data controllers.

To learn more about international data transfers check our webinar "How to make personal data transfers to other countries compliant with GDPR" (https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/)

That was as clear as mud :) Also the webinar link cut off -- please email that or repost it . Bottom line is that you are posting a very generic response which anyone could get from the generic verbiage in the GDPR vague articles . I asked a specific question about a specific travel company based in U.S. with offices and customers in EU and their 3rd party travel agents; this travel company both act as controllers and processors. The standard clauses and contracts (3 different documents) are poorly written as a "1-size fits" all and i'm looking to cut the fat out and trim down to a simple 1-to-2 page addendum to their existing contracts. For example, these addendums should NOT need to re-DEFINE what is in the GDPR but should merely reference that this is an agreement to protect personal data in accordance with the GDPR --> that alone would change these 12 page contract addendums to a more normal size addendum of 1 to 2 pages (something people would actually read). Thanks for your help.

As mentioned before, the “Standard Contractual Clauses for Transfer of Personal Data to Controllers” as well as ”Standard Contractual Clauses for Transfer of Personal Data to Processors” are standard documents issued by the EU Commission and they are to be used as such. I completely understand your need to make the documents shorter, but I am afraid that shortening them will most likely lead to the data exporter being fined. In case you would like to make a suggestion for changing this, please feel free to contact the EU Commission (https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en).

As for your particular situation of the data recipient/data importer (that would be you) acting as both a data controller and a data processor you would need to have both documents signed.

Please note that there are more safeguards that allow you to send data outside the EEA but in the toolkit we only refer to the Standard Contractual Clauses as they are the easiest and most straight forward to use . You can also check out the others which are referred to in Chapter 5 of the EU GDPR - Transfers of personal data to third countries or international organizations ( https://advisera.com/eugdpracademy/gdpr-text/transfers-of-personal-data-to-third-countries-or-international-organisations/).

Please provide correct full link . (Link Not Found message)

Here is the full link:
https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en