In the case of transfer of personal data within the EU, the RGPD does not impose additional requirements for the direct applicability of the RGPD. However, when a processor hires a subcontractor, the relationship between the processor and the data processor must be resolved by agreement and, in these circumstances, subject to the minimum criteria set out in the RGPD. The person in charge of the processing (Article 28 of the RGPD) determines the purpose and duration of the treatment, the nature and purposes of the treatment, the nature of the personal data and the categories of persons involved, and the obligations and rights of the person in charge of the treatment. It is important that the Court of Justice has not overturned the European Commission`s decision authorising certain standard contractual clauses for transfers to data processors (“CCS C2P”). However, the explanatory statement of the Court of Justice`s decision on the data protection shield suggests that companies should assess their use of CCS C2Ps and, in particular, whether the clauses are sufficient to protect the transfer of personal data in cases where third country legislation allows its authorities to have access to this information. For the purposes of Article 26, paragraph 2 of Directive 95/46/EC, for the transmission of personal data to subcontractors based in third countries, which, in any event, do not guarantee an adequate level of data protection (the data exporter)The importer of data subcontracting data has agreed on the following contractual clauses (the clauses) in order to obtain appropriate safeguards regarding the protection of privacy and fundamental rights and individual freedoms for the transfer by the data exporter of personal data subject to Schedule A to the importer. You can make a limited transfer if you and the recipient have entered into a custom contract for a specific limited transfer, which has been approved individually by the country`s control authority for exporting personal data. If you make a limited transfer from the UK, the ICO must have approved the contract. The new CSC clearly outlines the obligations of the controller and subcontractor. In many cases, the English-language version of the new SSC is clearer than the English-language version of the RGPD itself. U.S. companies with little knowledge of the RGPD – for example, companies that receive personal data from the EU but do not themselves fall within the territorial jurisdiction of the RGPD – will find it easier to understand their concrete obligations under the SSCs.
The clarity of the new SSC is a marked improvement over the RGPD`s wave of contractual hands, which is a feature of many agreements with EU personal data. Processing Personal data transmitted is subject to the following basic processing activities (precise).