Cross Border Data Transfer
1. SCOPE, PURPOSE AND USER
This Cross Border Data Transfer Procedure (hereinafter referred to as the ‘Procedure’) is established to create a common approach throughout Netenrich Technologies (hereinafter referred to as ‘Netenrich’) regarding all instances of transfers of personal data to a third country (hereinafter referred to as ‘Cross Border Data Transfer’ or ‘CBDT’).
All customers, contractors, job applicants, employees, beneficiaries (from CSR) and third parties working for and/or acting on behalf of Netenrich must be aware of and follow this Procedure when considering transferring data outside the European Economic Area (EEA).
Cross Border Data Transfer (CBDT) – Transfer of personal data by controllers established in the European Union (EU) to recipients established outside the territory of the EU/EEA who act either as controllers or as processors.
Data Exporter – The controller who transfers the personal data.
Data Importer – The processor established in a third country who agrees to receive, from the data exporter, personal data intended for processing on the data exporter’s behalf after the transfer, in accordance with exporter instructions and the terms of applicable laws, and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
DPA – Data Protection Authorities are independent public authorities that monitor and supervise, through investigative and corrective powers, the application of the data protection law. They provide expert advice on data protection issues and handle complaints about possible breaches of the law.
DTA – A Data Transfer Agreement is a contract between the providing and recipient institutions that governs the legal obligations and restrictions, as well as compliance with applicable laws and regulations, related to the transfer of such data between the parties.
European Union (EU) and European Economic Area (EEA) countries – The area set up by the EEA agreement, comprising the 27 Member States of the European Union and the three countries of EFTA (the European Free Trade Association), which are bound by the Agreement on the European Economic Area (EEA). The 27 Member States are Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden. The three EFTA countries which are also bound by the Data Protection Directive, through being part of the EEA, are Iceland, Liechtenstein and Norway.
GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Third Country – Any country other than the EU and EEA Member States.
The rules set up in this Procedure apply to cross border transfers which fall under the applicability of the EU GDPR. In this section, the applicability and the extraterritorial reach of the GDPR are explained.
This document is applicable to Netenrich entities under its direct or indirect control, excluding joint ventures.
It is important to highlight the extraterritorial applicability of the GDPR. The GDPR, and consequently this Procedure, apply to the processing of personal data in the context of the activities of Netenrich entities (acting either as a controller or a processor) in the EU/EEA.
EU GDPR also applies to the processing of personal data of data subjects who are in the EU/EEA by a controller or processor not established in the EU/EEA, where the processing activities are related to:
- The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU/EEA; or
- The monitoring of their behavior as far as their behavior takes place within the EU/EEA.
The Policy applies to all departments that deal with transfers of personal data to a third country.
In the event that any of the rules laid out in this document are in conflict with local laws and regulations, the latter shall prevail.
4. CROSS BORDER DATA TRANSFERS
The EU GDPR allows personal data transfers to:
- A third country only if a set of conditions is fulfilled.
- Countries whose legal regime is deemed by the European Commission to provide for an ‘adequate’ level of personal data protection. Thus, Netenrich, in the absence of a European Commission adequacy decision, will transfer personal data to non-EU states using the standard contractual clauses listed in Annex 1 and Annex 2 to this document.
5. STANDARD CONTRACTUAL CLAUSES
USE OF THE EU-PRESCRIBED TEMPLATES
The European Commission has defined standard contractual clauses which need to be used when transferring the personal data outside of the EU/EEA. The Commission has approved clauses listed in Annex 1 and Annex 2.
The content of the standard contractual clauses must not be modified unless there is express authorization from the competent Data Protection Authority/Supervisory Authority. Any unauthorized modifications will cause the CBDT to become void.
The standard contractual clauses set obligations on both the exporter and the importer of the data to ensure that the transfer will protect the rights and freedoms of the data subjects.
The Data Protection Officer (DPO) will be responsible for monitoring the official European Commission website (http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm) as well as other communication channels to quickly identify any new versions of the standard contractual clauses and update Annex 1 and Annex 2 of this Procedure.
CONTROLLER TO CONTROLLER STANDARD CONTRACTUAL CLAUSES
When the Company is acting as a data controller and is sending data to another entity located outside the EEA that is also acting as a data controller, the DPO is responsible for completing the documents in Annex 1 to ensure the lawfulness of the cross border data transfer.
CONTROLLER TO PROCESSOR STANDARD CONTRACTUAL CLAUSES
When the Company is acting as a data controller and is sending data to another entity located outside the EEA that is acting as a data processor, the Data Processing Officer is responsible for filling in the documents in Annex 2 to ensure the lawfulness of the cross border data transfer.
Any individual who breaches this Procedure may be subject to internal disciplinary action, up to and including termination of their employment, and may also face civil or criminal liability if their action violates the law.