STANDARD CONTRACTUAL CLAUSES FOR DATA TRANSFERS BETWEEN THE UK AND USA

Clause 1: Definitions
1. *Data Exporter:* The UK-based representative transmitting the personal data.
2. *Data Importer:* The USA-based representative receiving the personal data.
3. *Personal Data:* Any information relating to an identified or identifiable natural person.
4. *Processing:* Any operation performed on personal data, such as collection, storage, alteration, or disclosure.
5. *GDPR:* General Data Protection Regulation (EU 2016/679) and the UK GDPR following Brexit.
Clause 2: Purpose
This agreement regulates the transfer and processing of personal data between the Data Exporter and the Data Importer for the purpose of providing services on the BIMeta platform, ensuring full compliance with UK GDPR and applicable US privacy laws.
Clause 3: Obligations of the Data Exporter
1. The Data Exporter must ensure that any transfer of personal data is limited to what is necessary for the legitimate business purposes of BIMeta.
2. The Data Exporter guarantees that all data subjects have been informed about the transfer and that their rights under the UK GDPR have been respected.
Clause 4: Obligations of the Data Importer
1. The Data Importer agrees to process the data only as directed by the Data Exporter, ensuring that the data is used only for the purposes outlined in this agreement.
2. The Data Importer must implement appropriate technical and organizational security measures to protect personal data from unauthorized access, disclosure, or loss, consistent with both UK GDPR standards and US privacy regulations (e.g., CCPA).
3. The Data Importer agrees to promptly notify the Data Exporter of any data breach or security incident involving personal data.
Clause 5: Data Subject Rights
1. The Data Importer must assist the Data Exporter in responding to any requests from data subjects exercising their rights under the UK GDPR, such as the right to access, correct, or delete their data.
2. If the Data Importer receives a direct request from a data subject, they must inform the Data Exporter and follow their instructions in response.
Clause 6: Sub-processing
1. The Data Importer shall not engage any third party to process the personal data without prior written consent from the Data Exporter.
2. If third-party sub-processors are used, they must agree to the same data protection obligations set out in this agreement.
Clause 7: Security Measures
1. Both parties will implement appropriate security measures (encryption, access controls, etc.) to protect personal data.
2. Regular audits shall be conducted to ensure compliance with this agreement.
Clause 8: Data Transfers
1. The Data Importer acknowledges that, under the UK GDPR, they must adopt adequate safeguards for data transferred from the UK to the US. This may include further binding corporate rules or certification schemes like the EU-US Data Privacy Framework.
2. The Data Importer agrees to maintain records of all data processing activities related to the transfer and will allow for audits by the Data Exporter or an independent auditor.
Clause 9: Liability and Indemnity
1. The Data Importer will be liable for any breach of this agreement, particularly in relation to the unauthorized or unlawful processing of personal data or its accidental loss or destruction.
2. Both parties agree to indemnify the other for any claims or damages arising from the breach of this agreement.
Clause 10: Termination
This agreement shall remain in force until the purpose of the data transfer has been completed, or until either party terminates the contract with written notice. In the event of termination, both parties must return or securely destroy the personal data in their possession.
Clause 11: Governing Law
This contract shall be governed by the laws of the United Kingdom, with the UK GDPR being the primary governing regulation for all personal data transferred under this agreement.
