Supplementary Measures to ensure Data Transfer Lawfulness
Where the provision of the Services requires a transfer of Customer Personal Data from within the EU to one or more countries outside of the EU, this Questionnaire is meant to gather information on supplementary measures which may have been implemented by the Processor in order to ensure the lawfulness of such transfers, under Art. 46 GDPR, and to comply with the requirements laid down by the European Court of Justice in Case C-311/18 ("Schrems II");
One copy of this Questionnaire should be filled out - by the Processor - for each Recipient (whether the Processor itself, or a Sub-processor engaged by the Processor under the terms of the DPA) which is located, or will otherwise Process Client Personal Data, outside of the EU;
The relevant filled-out copies of this Questionnaire should be delivered to the Controller within 30 (thirty) days from its receipt. A failure to do so may be construed by the Controller as an inability to guarantee appropriate protection for the Client Personal Data;
The Processor hereby commits to updating any and all Questionnaires submitted to the Controller as soon as possible, whenever internal or external developments render previously provided information inaccurate;
If, according to the Controller, at any point in time, a Recipient of Client Personal Data can no longer guarantee that Client Personal Data is appropriately protected, the Controller may, at its discretion, have the Processor terminate the transfer of Client Personal Data to that Recipient OR choose to terminate the DPA and, in either case, request the retrieval or deletion of the Client Personal Data transferred to that Recipient.
Sub-Processor Details, if applicable
The Processor warrants and guarantees to the Controller that the below questions have been answered truthfully.
1. Relevant Laws
1.1. Is the (Sub-)Processor subject to any local laws or regulations which may require it to process Client Personal Data outside of the Controller's instructions, as laid down in the DPA and Standard Contractual Clauses (e.g., laws requiring disclosure of Client Personal Data to public authorities)?**
Yes
No
1.1.1. Please identify the specific obligations in question, within those local laws or regulations, and how they may require the (Sub-)Processor to process Client Personal Data outside of the Controller's instructions. Please also mention any statutory limitations on the powers of the authorities and any guarantees offered to the data subjects in this respect. *
2. Measures against Mass and/or Indiscriminate Access at Rest and in Transit
2.1. Has the (Sub-)Processor implemented appropriate technical and organizational measures (see Article 32 GDPR) to prevent mass and/or indiscriminate access to Client Personal Data (including phone numbers, e-mail, IP addresses and/or other device identifiers, where applicable) by or on behalf of local public authorities or other local public bodies? *
Yes
No
2.2. Please specify which of these technical and organizational measures have been put in place: *
2.2.1. Systems, tools and/or mechanisms to guarantee lawful end-to-end encryption, both in transit and at rest, for all Client Personal Data transfers between the Controller and the Processor (or the Processor and the Sub-Processor), and any onward transfers of Client Personal Data performed by the (Sub-)Processor (e.g., to authorized Sub-processors)? *
Yes
No
2.2.2. Please describe how the (Sub-)Processor can lawfully ensure that local public authorities or other local public bodies will not have access to the encryption key or to Client Personal Data in an unencrypted form? *
2.2.3. Please justify why this has not been done. *
2.2.4. Does the Processor have additional or alternative lawful technical and organizational measures in place to prevent a situation as described under 2.1. above? *
Yes
No
2.2.4.1. Please describe the specific measures in place. *
(**) Please note that this does not include any applicable mandatory national legal requirements which: (a) do not go beyond what is necessary in a democratic society (with regard to surveillance programmes, for example, this means that those provisions should indicate limitations on the power they confer to implement those programmes, or should contain guarantees for potentially targeted foreign persons who are not located within the country; these provisions should also grant data subjects actionable rights before the courts against the authorities), and (b) constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State, or the protection of the data subject or the rights and freedoms of others. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, amongst others, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting requirements. An example of requirements which are considered too far-reaching can be found in the Schrems II decision, as referred to in the Preamble. In this decision, it was held that the US surveillance programmes established under Section 702 of FISA and EO 12.333 (read in conjunction with Presidential Policy Directive 28) were not limited to what is strictly necessary in a democratic society, in particular because they did not include any relevant limitations on the surveillance powers conferred on the relevant US authorities. Although those provisions laid down requirements with which the US authorities must comply when implementing the surveillance programmes in question, they did not provide sufficient guarantees for targeted individuals (such as effective and actionable rights against those authorities).