1. Enter into an agreement with the Controller, Processor or sub-processor ensuring respect of the European rules on cross border data flows, e.g. the EU Standard Contractual Clauses approved by the EU Commission 2021/914/EU, and 2. Conduct assessments pursuant to section 18.1-18.5 of these BCRs for all Transfers, and, where the appropriate safeguards contained in the agreement cannot be effectively complied with due to the law and/or the practices in the recipient’s country – in particular due to possible access to the Personal Data by public authorities of the recipient’s country - adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence. With respect to Processors and sub-processors, the DSV Group Member further undertakes to instruct the Processor/sub-processor by written contractual means in accordance with applicable law in the EU/EEA member state where the Controller is established and which comprises all requirements set out in section 13.1.5. of these BCRs. 14.2 Processors within EU/EEA or in Countries ensuring an adequate level of protection In relation to Transfers to Processors within the EU/EEA or in Countries ensuring an adequate level of protection, which are not DSV Group Members, the DSV Group Member (the Controller) undertakes to instruct the Processor by written contractual means in accordance with applicable law in the EU/EEA member state where the Controller is established. The Processor must inter alia provide sufficient guarantees in respect of the technical security measures and organizational measures governing the Processing to be carried out and must ensure compliance with those measures. If the Processor is established within the EU/EEA, the contractual means in place shall inter alia specify that the technical and organizational security requirements which are applicable in the EU/EEA country in which the Processor is established shall apply, if so required. The agreement between the Controller and the Processor must comprise all requirements set out in section 13.1.5. of these BCRs and inter alia specify that the Processor will implement appropriate technical and organisational measures and procedures, that the Processor will hand over all results/Personal Data to the Controller after the end of the Processing and not process the Personal Data otherwise and that the Processor will make available to the Controller and the Supervisory Authority(-ies) all information necessary to control compliance with the obligations of the Processor. 14.3 General on Transfers to sub-processors Before transferring Personal Data to another Processor (sub-processor) established in Countries either ensuring or not ensuring an adequate level of protection (for special restrictions regarding the latter, see paragraph 14.1), the Processor must notify the Controller. Further, the Controller shall require that the Processor is obliged to fulfil the Processor ’s obligations pursuant to section 13 of these BCRs including that the sub-processor undertakes vis-à-vis the Processor to be bound by identical terms inter alia with respect to the security requirements under the contract between the Controller and the Processor. In addition, the Processor must conduct assessments pursuant to section 18.1-18.5 of these BCRs, and, where the appropriate safeguards contained in the agreement cannot be effectively complied with due to the law and/or the practices in the recipi ent’s country – in particular due to possible access to the Personal Data by public authorities of the recipient’s country - adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence 21
Download PDF file
Cookie policy