
IDPAs Intra-Group Data Processing Agreements 21.10.2020 IAPP - PowerPoint PPT Presentation



  1. IDPAs Intra-Group Data Processing Agreements 21.10.2020 • IAPP Switzerland KnowledgeNet Dr David Vasella, CIPP/E

  2. 1 Challenges and options for international groups

  3. The challenge

     The reality:
     – International groups of companies
     – Multiple data flows, over the border, in different roles
     – Shared services, external providers (HR mgmt, CRM, procurement etc.)
     – Varying levels of maturity and compliance
     – GDPR implementation program ongoing
     – Records of processing activities partially completed and partially accurate
     – Cross-border transfers not centrally managed and only partially lawful
     – C2P agreements for key relationships (external and internal)
     – JC not assessed and managed

     The law:
     – Cross-border transfers are restricted – require safeguards
     – Outsourcing requires C2P agreements
     – C2C may require safeguards
     – JCs need to enter into JC arrangements
     – Accountability requires documentation
     – etc.

  4. 2 Options for IDPAs

  5. Options for improving compliance

     C2C, JC, C2P:
     – Use C2P and JC agreements on a case-by-case basis
     – Agree on group-wide standard terms for C2P and JC transfers

     Cross-border transfers:
     – Rely on exemptions (article 49 GDPR)
     – Use Standard Contractual Clauses (SCCs) on a case-by-case basis
     – Use ad-hoc clauses on a case-by-case basis (requires approval)
     – Establish BCR (has broader scope and requires approval from the supervisory authority and the EDPB)
     – Use SCCs as part of a group-wide framework agreement (cf. Recital 109)

  6. Requirements for IDPAs
     – Be broad enough to cover most data flows → Provisions for C2C and C2P cross-border transfers; C2P and JC terms optional
     – Be specific enough to be effective and enable documentation and accountability → Document individual data flows (accountability)
     – Be flexible enough to accommodate changes → One company to manage data flows, accession and changes to the IDPA

  7. Managing companies and data flows
     [Diagram. Labels: Change in law; + cross-border transfer; + C2P; + JC; Accession; HQ / L&C; central platform; IDPA; Party B; Party C; Party D]

  8. Options for IDTAs (the slide labels these options S, M, L and XL)
     – Permit transfers to third countries (“IGDTA”)
     – Establish agreements w/ processors (C2P)
     – Establish joint controller arrangements (JC)
     – Establish a baseline for data protection
     – Strengthen legitimate interest
     – Provide safeguards for controller transfers (C2C)
     – Appoint EU and CH representatives
     – Establish confidentiality for non-personal data

  9. 3 IDPAs: a closer look

  10. IGDAs as framework agreements

      Framework:
      – Scope, interpretation, order of precedence
      – General principles of data processing
      – Cross-border transfers
      – C2C, JC, C2P
      – Accession
      – Term and termination
      – Miscellaneous

      Annexes:
      – JC and C2P terms
      – SCCs
      – Accession form
      – Country-specific terms
      – etc.

  11. Structure of IGDTAs
      [Diagram. Labels: Framework Agreement; Annexes]

  12. 4 Recommendations for IDPAs

  13. Lessons learned
      – Don’t over-engineer – complexity should be proportional to maturity
      – Don’t over-comply, and don’t solve all legal issues
      – Don’t include terms you know will not be complied with
      – Make managing the IDPA and data flows as simple as possible
      – Be prepared to actively manage relationships between group companies

  14. Dr. David Vasella, CIPP/E
      david.vasella@walderwyss.com
      +41 58 658 52 87
      Walder Wyss Ltd., Seefeldstrasse 123, 8034 Zurich, Switzerland
