~~May~~ June 20~~174~~, 2022 v1

COUNCIL OF EUROPE

CONVENTION 108+

Model Clauses for Transborder Data Flows of Personal Data~~STANDARD CONTRACTUAL CLAUSES~~

Agreement number [xx/2022]

Term/Duration: Start date [MM/DD/YEAR] - End date [MM/DD/YEAR]

Data eExporter information

~~Company~~Name:

Address:

City, Country, zip code:

Email:

Data importer information

Name~~Company~~:

Address:

City, Country, zip code:

Email:

By the signatures of their authorized representatives below, the parties agree to be bound by the terms of this agreement.

Data eExporter

By ~~Name~~:

~~Title: [xxxx]~~

Signature Date [MM/DD/YEAR]

Data importer

By ~~Name~~:

~~Title: [xxxx]~~

Signature Date [MM/DD/YEAR]

NOTE: These Model~~contractual~~ clauses provide an appropriate level of protection for the transfer of personal data to non-Parties of Modernised Convention 108 following the standards established by Article 14(3) (b) of Modernised Convention 108~~[1]~~.

~~STANDARD~~ MODEL CONTRACTUAL CLAUSES

~~Contractual~~ Model clauses for transborder flow of personal data from controller to controller

The Data Exporter and the Data importer (hereinafter, the Parties) agree to these ~~standard~~ Model ~~contractual~~ clauses (hereinafter the Clauses):

PART I - GENERAL CLAUSES

Clause 1. Purpose and scope

1.1. The aim of these ~~standard contractualmodel~~ Cclauses is to ensure compliance with the requirements for the transfer of personal data to a non-Party under Convention 108+ (hereinafter the Convention).

When adopted and implemented by the persons involved in the transfer and further processing, tThese ~~contractual Model c~~Clauses provide an appropriate level of protection for the transfer of personal data following Article 14(3)(b) of the Convention.

1.2. Description of the transfer

These Clauses shall apply to the transfer of personal data described in Annex 1.

1.3. Purpose of the transfer

The purpose and additional details of the transfer of personal data is described in Annex 1.

Clause 2. Definitions

[Note: Apart from the sources cited in each defined term, see also document T-PD(2020)06rev3, Interpretation of provisions, May 7, 2021].

As used in these Clauses, the following terms shall have the following meanings:

Applicable law: domestic data protection law of the jurisdiction of the Data exporter.

Biometric data: data resulting from a specific technical processing of data concerning the physical, biological or physiological characteristics of a human person which allows the unique identification or authentication of such individuals.

[Source: Par. 58 of Explanatory Report].

Convention: Convention for the Protection of Individuals with regard to the processing of Personal Data (CETS No. 108), as amended by Protocol CETS No 223, adopted by the Committee of Ministers at its 128th Session in Elsinore on 18 May 2018.

Model Clauses ~~(or Standard contractual clauses)~~: Approved standardised safeguards provided by legally binding and enforceable instruments as required under Article 14(3)(b) of the Convention.

Controller: means the natural or legal person, public authority, service, agency or any other body which, alone or jointly with others, has decision-making power with respect to data processing.

[Source: Article 2 of the Convention]

Data processing: any operation or set of operations performed on personal data, such as the collection, storage, preservation, alteration, retrieval, disclosure, making available, erasure, or destruction of, or the carrying out of logical and/or arithmetical operations on such data. Where automated processing is not used, Data processing means an operation or set of operations performed upon personal data within a structured set of such data which are accessible or retrievable according to specific criteria.

[Source: Article 2 of the Convention]

Data importer: The Controller or Processor located in a non-Party to whom the Data exporter transfers Personal data.

Data Exporter: The Controller or Processor located in a country that is a member of the Convention, that transfers Personal data to a Data importer.

Data subject: an identified or identifiable individual whatever his or her nationality or residence.

[Source: Article 2 of the Convention and para. 15 of the Explanatory Report]

Data breach: Any accidental or unauthorised access to, destruction, loss, use, modification or disclosure of Personal Data due to a violation of the principle of data security, in which Personal data is copied, transmitted, viewed, stolen or used by an individual or entity unauthorized to do so.

[Source: Article 7 of the Convention]

Genetic data: all data relating to the genetic characteristics of an individual which have been either inherited or acquired during early prenatal development, as they result from an analysis of a biological sample from the individual concerned including chromosomal, DNA or RNA analysis or analysis of any other element enabling equivalent information to be obtained.

[Source: Par. 57 of the Explanatory Report]

Transborder flows of personal data: the transfer, making available or disclosure of personal data to a recipient subject to the jurisdiction of another State.

[Source: Article 14 of the Convention, Paragraphs 102 to 104 of the Explanatory report, and the legal opinion provided by the Legal Advisor DLAPIL02/2021_JP/DG3]

Non-Party: a country that has not ratified the Convention or where it is not ~~fully~~ yet in force.

[Source: Article 26.3 of the Convention]

Onward transfer: when Personal data is transferred by the Data Importer to another Controller or Processor.

Party (or Parties): each of the signatory of these Clauses.

Personal data: means any information relating to an identified or identifiable individual.

[Source: Article 2 of the Convention]

Processor: means a natural or legal person, public authority, service, agency or any other body which processes personal data on behalf and under the instructions of the Controller.

[Source: Article 2 of the Convention]

Recipient: means a natural or legal person, public authority, service, agency or any other body to whom data are disclosed or made available.

[Source: Article 2 of the Convention]

Special categories of data:~~(or Sensitive data)~~: (i) Genetic data, (ii) personal data relating to offences, criminal proceedings and convictions, or related security measures; (iii) Biometric data uniquely identifying a person; or (iv) personal data for the information they reveal relating to racial or ethnic origin, political opinions, trade-union membership, religious or other beliefs, health or sexual life.

[Source: Article 6 of the Convention]

Supervisory authority/ies: One or more authorities responsible for ensuring compliance with

the provisions of the Convention, the Applicable law and these Clauses.

[Source: Article 15 of the Convention]

Third Party Beneficiary: the Data subject whose Personal data is the object of transborder data flows under these Clauses.

Clause 3. General clauses

3.1. Invariability of the Clauses

These Clauses set out appropriate safeguards, including enforceable data subject rights, obligations for data controllers ~~, obligations for data processors~~ and effective legal remedies, pursuant to Article 14(3)(b) of the Convention, provided they are not modified, except to add or update information in the Annexes.

This does not prevent the Parties from including these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the human rights and fundamental freedoms of data subjects recognised in the Convention.

These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of the Applicable law.

Interpretation

Where these Clauses use terms that are defined in the Convention, those terms shall have the same meaning as in the Convention and interpreted in light of the Explanatory Report of the Convention.

These Clauses shall be read and interpreted in the light of the provisions of the Convention.

These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in the Convention as incorporated by the Applicable law.

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail. The exception to this is where the conflicting terms of the related agreements provide greater protection for the Data Subject’s rights, in which case those terms will ~~override~~ prevail over these Clauses.

Clause 4. Accession clause

An entity that is not a Party to these Clauses may, with the agreement of the other Parties, accede to these Clauses at any time, either as a Data exporter or as a Data importer, by completing and signing Annex 2, and, if required, updating the ~~data~~ description of the transfer of Annex 1.

Once it has completed and signed the form of Annex 2, the acceding entity shall become a Party to these Clauses and shall have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex 2.

The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

Clause 5. Third Party Beneficiaries

The Parties agree and acknowledge that any Data subject whose Personal data were transferred under these Clauses shall be entitled to invoke the safeguards and guarantees set out in Section II of these Clauses as a Third-party beneficiary with respect to any provisions of these Clauses affording a right, action, claim, benefit or privilege to such Data subject.

~~The jurisdiction established in Clause 25 is for the benefit of the Data Subject and must allow for third-party beneficiary rights. The Parties shall not challenge such recognition of jurisdiction.~~

SECTION II – RIGHTS AND OBLIGATIONS OF THE PARTIES

Clause 6. Data protection safeguards

The Data exporter warrants that it has used reasonable efforts to determine that the Data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

~~The Data exporter represents that it has the right to transfer the personal data to the Data importer in accordance with these Clauses and the Applicable law.~~

Clause 7. Purpose limitation

The Data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex 1.

[Source: Article 5(4) (b) of the Convention]

Clause 8. Transparency of processing

8.1. In order to enable Data subjects to effectively exercise their rights pursuant to these Clauses, the Data importer shall inform them, either directly or through the Data exporter of :

a. his or her identity and habitual residence or establishment;

b. the purposes of the intended processing;

c. the categories of personal data processed;

d. the recipients or categories of recipients of the personal data, if any;

e. the means of exercising the rights set out in these Clauses, as well as any necessary additional information in order to ensure fair and transparent processing of the personal data;

f. of the right to obtain a copy of these Clauses.

8.2. Paragraph 1 shall not apply where the Data subject already has the relevant information.

8.3. Paragraph 1 shall not apply , when the Personal data are not collected from the data subject where the processing is expressly prescribed by law or this proves to be impossible or involves disproportionate efforts.

[Source: Article 8 of the Convention]

Clause 9. Accuracy and data minimisation

Each Party shall ensure that the personal data is accurate and, where necessary, kept up to date. The data importer shall take every reasonable step to ensure that personal data that is inaccurate, having regard to the purpose(s) of processing, is erased or rectified without delay.

If the Data importer is informed by the Data Exporter of corrections made by Data Exporter to the Personal Data, the Data importer will promptly implement those corrections.

The Data importer shall ensure that the Personal data is adequate, relevant and limited to what is necessary in relation to the purpose(s) of processing.

[Source: Article 5(4) (d) of the Convention]

Clause 10. Storage limitation

The Data importer shall retain the Personal data for no longer than necessary for the purpose(s) for which it is processed. It shall put in place appropriate technical or organizational measures to ensure compliance with this obligation, including erasure or anonymisation of the data and all back-ups at the end of the retention period.

Clause 11. Data security

The Data importer and, during transmission also the Data exporter shall ensure that the Controller~~, and where applicable the Processor~~, takes appropriate security measures against risks such as accidental or unauthorized access to, destruction, loss, use, modification or disclosure of personal data.

In particular, the Data importer shall adopt appropriate security measures, both of a technical and organizational nature, for each processing, taking into account: in particular the nature of the personal data, the volume of personal data processed, the degree of vulnerability of the technical architecture used for the processing, and the need to restrict access to the data. Their cost should be commensurate with the seriousness and probability of the potential risks.

The Parties have agreed on the technical and organizational measures set out in Annex 3. The Data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security, and shall update them where this is no longer the case.

If there is a substantial change in the security measures implemented and described in Annex 3, the Parties shall update the Annex.

In the event of a Data breach concerning personal data processed by the Data importer under these Clauses, the Data importer shall take appropriate measures to address the Personal data breach, including measures to mitigate its possible adverse effects.

The Data importer shall ~~notifiy~~notify, without delay, at least the Data Exporter, who will notify the competent Supervisory Authority of those data breaches which may interfere with the rights and fundamental freedoms of data subjects.

In case where a Data breach has occurred that may seriously interfere with the human rights and fundamental freedoms of the individual (e.g. the disclosure of data covered by professional confidentiality, Special categories of~~sensitive~~ data, or which may result in financial, reputational, or physical harm or humiliation) the Data importer shall notify without delay the Data Exporter and the relevant Supervisory Authority/es of (i) the incident including a complete description of the Data Breach, and (ii) of any measures taken and/or proposed to address the breach and its potential consequences.

[Source: 65 of the Explanatory Report]

If the Data breach is likely to result in a significant risk for the rights and freedoms of individuals, (such as discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage), the Data importer, and where applicable, ~~and also~~ the Data Exporter, shall notify the Data subjects involved in the Data breach and provide them with adequate and meaningful information on, notably, the contact points and possible measures that they could take to mitigate the adverse effects of the Data breach.

In specific circumstances, where the notification would require unreasonable time, effort or resources, the Data importer may seek the cooperation or the assistance of the Data exporter to produce the notifications and measures in the previous paragraph.

[Source: Article 7 of the Convention & Paragraph 66 of the Explanatory Report]]

~~[Source: Article 7 of the Convention & Paragraphs 62 to 66 of the Explanatory Report]~~

Where not all the relevant information related to the Data Breach is available, notification may take place “in stages”, with more information to be provided as soon as the new information about the Data breach becomes available to the Parties.

Clause 12. Special categories of data

Where the transfer involves ~~Sensitive~~ Special categories of data, the Data importer shall apply additional safeguards adapted to the risks at stake and the interests, rights and freedoms to be protected.

Such safeguards must guard against the risks that the processing of special categories of data may present for the interests, rights and fundamental freedoms of the data subject notably a risk of discrimination.

The Parties have agreed on the safeguards as set out in Annex 4~~The Parties shall set out these measures in Annex 4~~.

[Source: Article 6 of the Convention and Paragraphs 56 to 61 of the Explanatory Report]

Clause 13. Onward transfers

The Data importer shall not disclose the personal data to a third party located in a non-Party unless the third party ensures an appropriate level of protection in line with Article 14 of the Convention ~~108+~~.

Otherwise , an Onward transfer by the Data importer may only take place if:

(i) the recipient is subject to the jurisdiction of a State whose law, including the applicable international treaties or agreements, secure an appropriate level of protection in accordance with Article 14(2) and Article 14 (3)(a) of the Convention;

(ii) the third party enters into a legally binding and enforceable instrument with the Data importer ensuring the same level of data protection as under these Clauses, and the Data importer provides a copy of these safeguards to the Data exporter;

(iii) it is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings;

(iv) it is necessary in order to protect the vital interests of the Data subject or of another natural person; or

(vi) where none of the other conditions apply, the Data importer has obtained the explicit consent of the Data subject for an onward transfer in a specific situation, after having informed him/her of its purpose(s), the identity of the recipient and the possible risks of such transfer to him/her due to the lack of an appropriate level of data protection. In this case, the Data importer shall inform the Data exporter of the onward transfer based on consent and, at the request of the latter, shall transmit to it a copy of the information provided to the Data subject.

Any onward transfer is subject to compliance by the Data importer with all the other safeguards under these Clauses, in particular the purpose limitation clause.

Clause 14. Processing under the authority of the Data importer

The Data importer shall ensure that any person acting under its authority, including a processor, processes the data only on its instructions and in compliance with these Clauses.

Clause 15. Documentation and compliance

Each Party shall be able to demonstrate compliance with its obligations under these Clauses.

In particular, the Data exporter shall keep appropriate documentation of the processing activities carried out under its responsibility.

The Data exporter shall make such documentation available to the competent Supervisory authority/ies on request.

The Data importer shall take all appropriate measures to comply with the obligations of these Clauses and be able to demonstrate such compliance , to the competent Supervisory authority/ies mentioned in Clause 19.

The Data importer guarantees that it has paid due regard to the impact the intended data processing might have on the rights and fundamental freedoms of Data subjects prior to the commencement of such processing according to the circumstances of the specific transfer and ~~has taken~~ to the necessary technical and organisational measures which would be necessary to comply with the clause. it has examined the likely impact of intended data processing on the rights and fundamental freedoms of Data subjects prior to the commencement of such processing and has designed the data processing in such a manner as to prevent or minimize the risk of interference with those rights and fundamental freedoms.

~~The Data importer shall implement technical and organizational measures which take into account the implications of the right to the protection of personal data at all stages of the data processing.~~

The Data importer shall comply with the duties mentioned in the paragraphs above having regard to the risks arising for the interests, rights and fundamental freedoms of the data subjects, adapt the application of the mentioned duties according to the nature and volume of the data, the nature, scope and purpose of the processing and, where appropriate, the size of the controller or processor.

[Source clause 10 of the Convention]

Clause 16 – Rights of the Data subjects

The Data importer, if required with the assistance of the Data exporter, shall deal with any enquiries and requests it receives from a Data subject related to the processing of his/her personal data and the exercise of his/her rights under these Clauses without undue delay and at the latest within one month of the receipt of the enquiry or request.

The Data importer shall take appropriate measures to facilitate such enquiries, requests and the exercise of data subject rights. Any information provided to the Data subject shall be in an intelligible and easily accessible form, using clear and plain language.

In particular the Data importer shall provide, free of charge, the following rights:

a) not to be subject to a decision significantly affecting him or her based solely on an automated processing of data without having his or her views taken into consideration;

b) to obtain, on request, at reasonable intervals, confirmation of the processing of Personal data relating to him or her, the communication in an intelligible form of the data processed, all available information on their origin, on the preservation period as well as any other information that the Data importer is required to provide in order to ensure the transparency of processing in accordance with these Clauses;

c) to obtain, on request, knowledge of the reasoning underlying data processing where the results of such processing are applied to him or her;

d) to object at any time, on grounds relating to his or her situation, to the processing of personal data concerning him or her unless the controller demonstrates legitimate grounds for the processing which override his or her interests or rights and fundamental freedoms;

e) to obtain, on request, and without excessive delay, rectification or erasure, as the case may be, of such data if these are being, or have been, processed contrary to the provisions of this Convention and/or the Applicable law;

f) to benefit, whatever his or her nationality or residence, from the assistance of a Supervisory authority within the meaning of these Clauses, in exercising his or her rights under these Clauses.

g) to obtain a copy of these Clauses.

h) To be provided with a contact person on the staff of both Parties, whose responsibility it is to ensure compliance with letters (a) to (g) of this Clause. The Data subject would be free to contact this person at any time and at no cost in relation to the data processing or transfers and, where applicable, obtain assistance in exercising his or her rights.

[Source: Article 9 of the Convention & Par. 111 of the Explanatory Memorandum of Convention]

Clause 17. Redress for the Data subject

The Data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorized to receive requests to exercise individual rights and handle complaints. It shall deal promptly with any complaints it receives from a Data subject.

[OPTION: The data importer agrees that Data subjects may also lodge a complaint with an independent dispute resolution body at no cost to the data subject. It shall inform the data subjects, of such a redress mechanism and that they are not required to use it, or follow a particular sequence in seeking redress.]

The data importer may offer independent dispute resolution through an arbitration body only if it is established in a country that has ratified the New York Convention on Enforcement of Arbitration Awards.

The alternative mentioned in the paragraph above does not exclude or alter the right of the Data subject afforded by these Clauses, the Convention and the Applicable law to lodge a ~~claim~~ complaint at the Supervisory Authority/ies or at the courts of the applicable jurisdiction. The Data importer shall abide by a decision that is binding under the Applicable law.

Clause 18. Liability.

Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

Each Party shall be liable to the Data subject, and the Data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching these Clauses and the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the Data exporter under the Applicable law.

Where more than one Party is responsible for any damage caused to the Data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the Data subject is entitled to bring an action in court against any of these Parties.

The Parties agree that if one Party is held liable under the previous paragraph, it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to the other Party’s/Parties responsibility for the damage.

The Data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.

[Source: Par. 22 of the Explanatory Report]

Clause 19. Supervisory authority

The Supervisory authority/ies with responsibility for ensuring compliance by the Data exporter with the Applicable law and the Convention as regards the data transfer shall act as competent Supervisory authority/ies.

The Parties hereby consent that the supervisory authority is entitled to request that any of the Parties demonstrates the effectiveness of the safeguards or including the existence of prevailing legitimate interests and that the supervisory authority may, in order to protect the rights and fundamental freedoms of data subjects, prohibit such transfers, suspend them or subject them to conditions.

[Source: article 14.6 of the Convention]

The Parties agree to submit to the jurisdiction of the Supervisory authorities and not to question its powers, its jurisdiction as established by the Applicable law or these Clauses, or any other action including any forms of co-operation between supervisory authorities as provided by the Applicable law and article 15 and 17 of the Convention.

[Source: article 15 and 17 of the Convention],

The Data importer agrees to submit itself to the jurisdiction of and cooperate with the competent Supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the Data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the Supervisory authority, including remedial and compensatory measures. It shall provide the Supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 20. Local laws and practices affecting compliance with the Clauses

(a)The Parties warrant that they have no reason to believe that the laws and practices in the country of destination~~the non-Party of destination~~ applicable to the processing of the personal data by the Data importer, including any requirements to disclose personal data or measures authorizing access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This should include full and joint liability for any material and non-material damages made by the Parties or which occurred to the data subject in relation of the use of the Clauses.

(b) This is based on the understanding that specific exceptions to these Clauses based on applicable law(s) that respect the essence of the human rights and fundamental freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in 11(1) of the Convention, are not in contradiction with these Clauses.

The Parties declare that in providing the warranty stated in the previous paragraph, they have taken due account in particular of the following elements:

(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

(ii) the laws and practices in the country of destination~~of the third country of destination~~– including those requiring the disclosure of data to public authorities or authorizing access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;

(iii) any relevant contractual, technical or organizational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c) The Data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information [issue][A1] and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the ~~non Party~~country of destination or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).

(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The Data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the Data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 22(d) and (e) shall apply.

Clause 21. Obligations of the data importer in case of access by public authorities

Notification

(a) The Data importer agrees to~~agreesto~~ notify the Data exporter and, where applicable, and to the extent possible the Ddata subject promptly (if necessary with the help of the data exporter) if it:

(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or

(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, on the request of the data exporter~~at regular intervals for the duration of the contract~~, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).

(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 20(e) and Clause 22 to inform the data exporter promptly where it is unable to comply with these Clauses.

Review of legality and data minimisation

(a) The Data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The Data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 20(e).

(b) The Data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.

(c) The Data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 22. Non-compliance with the Clauses and termination

(a) Each Party shall promptly inform each other party if it is unable to comply ~~Both Parties shall promptly inform each other if they are unable to comply~~ with these Clauses, for whatever reason.

(b) In the event that the Data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 20(f).

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;

(ii) the data importer is in substantial or persistent breach of these Clauses; or

(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data.

The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(e) Either Party may revoke its agreement to be bound by these Clauses where the Supervisory authority adopts [a decision pursuant the Applicable law that covers the transfer of personal data to which these Clauses apply]. This is without prejudice to other obligations applying to the processing in question under the Applicable law.

Clause 23. Governing law

These Clauses shall be governed by the law of the country of the Data Exporter, provided such law allows for third-party beneficiary rights.

Clause 24. Choice of forum and jurisdiction

Any dispute arising from these Clauses shall be resolved by the courts of [____].

A Data subject may also bring legal proceedings against the Data exporter and/or Data importer before the courts of the country in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts.

[OPTIONAL Clause 25. Arbitration]

[OPTION 1]

Any dispute, controversy or claim between the Parties arising under, out of or relating to these Clauses including, without limitation, its formation, validity, binding effect, interpretation, performance, breach or termination, as well as non-contractual claims, shall be referred to and finally determined by arbitration in accordance with the WIPO Arbitration Rules. The arbitral tribunal shall consist of [a sole arbitrator] [three arbitrators]. The place of arbitration shall be [specify place]. The language to be used in the arbitral proceedings shall be [specify language]. The dispute, controversy or claim shall be decided in accordance with the law of ~~[specify jurisdiction]~~the country of the Data Exporter.

[WIPO CLAUSE - Arbitration clause only for B2B conflicts]

[Source Adapted from https://www.wipo.int/amc/en/clauses/arbitration/index.html ]

Source https://www.wipo.int/amc/en/center/specific-sectors/b2b_data/

The alternative mentioned in the paragraph above does not exclude or alter the right of the Data subject afforded by these Clauses, the Convention and the Applicable law to lodge a ~~claim~~ complaint of any kind at the Supervisory Authority/ies or at the courts of the applicable jurisdiction.

[OPTION 2]

If the Parties are unable to resolve amicable any difference they may have, the dispute shall be finally settled under the Rules of Arbitration (the “Rules”) of the International Chamber of Commerce (“ICC”) by three (3) arbitrators designated by the Parties. Each Party shall designate one arbitrator. The third arbitrator shall be designated by the two arbitrators designated by the Parties. If either Party fails to designate an arbitrator within thirty (30) days after the filing of the Dispute with the ICC, such arbitrator shall be appointed in the manner prescribed by the Rules of the ICC. An arbitration proceeding hereunder shall be conducted in [City, Country], and shall be conducted in the [English] language. The decision or award of the arbitrators shall be in writing and is final and binding on both Parties.

The alternative mentioned in the paragraph above does not exclude or alter the right of the Data subject afforded by these Clauses, the Convention and the Applicable law to lodge a complaint ~~claim~~ of any kind at the Supervisory Authority/ies or at the courts of the applicable jurisdiction.

[Clause 26. General Provisions]

[These are ~~standard~~ model clauses in contracts. These may be merged with the general clauses of the first section ~~of the SCC~~ in order not to have two general sections]

Term. This Agreement will remain in force and effect during the Term until terminated by either party in accordance with clause 22.

OPTION: Term. This Agreement will remain in force and effect and renew automatically until terminated by either party in accordance with clause 22.

Assignment. This Agreement may not be assigned by the Data importer or by operation of law to any person(s), firm(s) or corporation(s) without the express written approval of the Data exporter.

Notices. All notices and demands hereunder by a party to the other will be in writing and will be served by personal service, or by email at the address set forth in the Cover Page, or at such different addresses as may be designated by the Parties by written notice to the other party. All such notices or demands by mail will be by certified or registered mail, return receipt requested, or by a nationally recognised private express courier, and will be deemed complete upon receipt.

All Amendments and Waivers in are to be made Writing. Except to the extent expressly set forth in this Agreement, no provisions in either Party’s business forms, letter or communications employed by either Party will supersede the terms and conditions of this Clauses. Any waiver by either party of a breach of any provision of this Agreement must be in writing.

Severability. If any provision of this Clauses is held invalid by a court with jurisdiction over the Parties to this Clauses, such provision will be deemed to be restated to reflect as nearly as possible the original intentions of the parties in accordance with the Convention and Applicable law, and the remainder of this Agreement will remain in full force and effect.

Entire Agreement. No representations or statements of any kind made by either party that are not expressly stated herein will be binding on such party. The Parties agree that these Clauses constitute the complete and exclusive statement of the Agreement between them, and supersedes all proposals, oral or written, and all other communications between them relating to the subject matter hereof.

Authority. Each party hereby represents and warrants that the execution, as applicable, delivery and performance by such party of this Agreement is within its corporate powers and has been duly authorized by all necessary corporate action on its part.

Separate Counterparts. This Agreement may be simultaneously executed in separate counterparts, all of which will constitute one and the same instrument and each of which will be, and will be deemed to be, an original.

The Annexes, Appendices, and footnotes to this Agreement constitute an integral part of this Agreement. All the Annexes to these Clauses are an integral part of these Clauses. Capitalised terms will have the meanings given to them in clause 2.

***

Annex 1

Information about the transfer

Description of the transfer: [....]

Purpose(s) of the transfer: [....]

Additional information: [....]

Annex 2

Accession form

Agreement number [xx/2022]

Designation: [Data Exporter] or [Data importer]

Company name:

Address:

City, Country, zip code:

Email:

By the signatures of their authorized representatives below, [Company name] agrees to become, with immediate effect, a Party to and agrees to be bound by the terms of the Contractual clauses for transborder flow of personal data [from controller to controller] OR [from controller to processor].

By Name:

Title: [xxxx]

Signature Date [xxxx]

Annex 3

Security measures

[This annex has to be completed and updated by the Data importer]

[Examples of possible measures:

Measures of pseudonymisation and encryption of personal data

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

Measures for user identification and authorisation

Measures for the protection of data during transmission

Measures for the protection of data during storage

Measures for ensuring physical security of locations at which personal data are processed

Measures for ensuring events logging

Measures for ensuring system configuration, including default configuration

Measures for internal IT and IT security governance and management

Measures for certification/assurance of processes and products

Measures for ensuring data minimisation

Measures for ensuring data quality

Measures for ensuring limited data retention

Measures for ensuring accountability

~~Measures for allowing data portability and ensuring erasure~~]

[Annex 4

Measures for ~~sensitive~~ Special categories of data]

[These safeguards may include, for instance, alone or cumulatively (i) the data subject’s explicit consent for the processing of ~~sensitive~~ Special categories of data; (ii) a professional secrecy obligation; (iii) measures following a risk analysis; (iv) a particular and qualified organizational or technical security measure (e.g. data encryption, pseudonymisation), (v) limiting the personnel permitted to access the Special categories of~~Sensitive~~ data, and (vi) additional restrictions with respect to further disclosure according to the nature of the data].

Annex 5

LIST OF SUB-PROCESSORS

[ONLY FOR MODULE 2 & 3 to be drafted after concluding model C2C - This annex has to be completed by the Parties if they agree to pre authorize sub processors]

~~[1]~~ It is without prejudice to the fact the current clauses may be subject, after its adoption by the Committee of Convention 108, to an approval based on domestic law by a supervisory authority or other competent body or institution

[A1]including those going beyond the mere risks that may arise with the data transfer