Several modules can be applied to each business relationship. Therefore, companies should consider adopting the new CLCs in their entirety and defining their applicability to specific data transfers in Annex 1, rather than signing individual modules separately. Data Importer The Data Importer is (please briefly indicate your activities relevant to dissemination) To reinforce this commitment and help its customers comply with global regulations, Mimecast implements a comprehensive global privacy and security program that places the protection of personal data at the heart of its customer relationships. In this context, we publish our inter-company agreement for download. Finally, Brazil has adopted a General Data Protection Regulation, which came into force in September 2020 and is similar to the GDPR. One of the transfer mechanisms provided for by law is the model clauses, but Brazil`s Autoridade Nacional de Proteção de Dados has not yet published them. Although there is no official statement from the Data Protection Authority in this regard, many companies expect that the new CLAs will also be considered acceptable for the transfer of personal data from Brazil, given that Brazilian law has been inspired by them and followed them. The legal basis for transfers must be explicitly stated. This should include the reference to ongoing direct and indirect transfers (if any) and the legal basis for onward transfers. In addition, the transfer agreement must state that a processor: 3.2 Processes personal data only on written instructions (including by e-mail) from the controller and the processor, including with regard to the transfer of personal data to a third country or an international organisation, unless this is subject to EU or Member State law to which the sub-processor is subject; Obligatory.

In that case, the sub-processor shall inform the controller and the processor of that legal obligation prior to the processing, unless Union or Member State law prohibits such information on grounds of public interest. Like existing CBAs, new CBAs can offer companies the possibility to transfer personal data from the EU. While companies have yet to assess local laws in the data importer`s country and consider additional measures, new CTCs, like existing CTCs, offer at least a first step towards meeting GDPR requirements to ensure adequate data protection. Data protection experts from all over the world are feverishly working on the configuration and implementation of the European Union`s new Standard Contractual Clauses. From 27 September, companies in the European Economic Area that conclude new cross-border data transfer agreements with companies located outside the EEA on the basis of CCTs will have to adopt the new versions. Each recipient who signs the new CBA undertakes to have appropriate agreements with its own suppliers in accordance with clauses 8.8 and 9. Countless businesses are affected, as each company has many affiliated and disconnected suppliers and other business partners around the world. To remain open to EEA companies, all companies must have the new CLAs in place by 27 September. Consider the provision of services by the processor to the controller (or, where applicable, to the sub-processor for the processor). The descriptions in the agreement must accurately reflect the data processing carried out. Second, the new CBAs effectively require data importers to process government requests for submission of personal data transferred from the EU through a remedy. Data importers must also, to the extent permitted by law, inform the data exporter and, if possible, data subjects in the EU of the government`s request for personal data.

The GDPR stipulates that a controller must only use a processor that provides sufficient guarantees that it will take appropriate technical and organisational measures to ensure that the processing complies with the requirements of the GDPR and respects the rights of the data subject. Therefore, prior to the engagement, controllers should conduct a due diligence review of the proposed processors, including indirect transfers. This should include an assessment of data transfers, especially since indirect transfers may not be primarily apparent. 11.1 The Processor may not transfer or authorise the transfer of data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Company. Where personal data processed under this Agreement are transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To do this, unless otherwise agreed, the parties rely on EU-approved standard contractual clauses for the transfer of personal data. 4.3 Conclude a written agreement with the controller of personal data, setting out the rights and obligations of the controller and the processor. The Processor acknowledges and agrees that the processing of personal data provided by the Processor to the Sub-Processor has been and will continue to be carried out by the Processor in accordance with applicable laws and in accordance with information intended for data subjects. Please fill in the form below with an overview of the data processing activities within the Cubiks Group Data exporter The data exporter is (please briefly indicate your activities relevant to the transfer) This agreement defines the conditions under which a company that is a member of the Cubiks Group (acting as a personal data processor on behalf of a controller) defines the conditions under which a group member company Cubiks to act as a sub-processor of such personal data….