A Legal Guide to PRIVACY AND DATA SECURITY 2025

border transfer scenarios. Module One addresses the cross-border transfer of personal information from controller to controller, Module Two addresses the cross-border transfer of personal information from controller to processor, Module Three addresses the cross-border transfer of personal information from processor to sub-processor, and Module Four addresses the cross-border transfer of personal information from processor to controller.

While many of the responsibilities and data processing principles under the new SCCs remain the same, some of the key differences from the old SCCs include, but are not limited to:

• more responsibilities and shifting burdens to data importers (e.g., additional representations and warranties, onward transfer obligations, notification and recordkeeping requirements, as well as new sensitive data and accuracy obligations, and expanded security and data breach requirements);
• for data importers who are data processors, Modules Two and Three also incorporate the compulsory clauses of the GDPR mentioned above in Set One;
• more direct liability to both individuals and authorities in Europe for data importers;
• options and even some requirements for multi-party use;
• more choices for governing law and venue during a dispute; and
• more explicit requirements on both parties with respect to the new Schrems II analysis regarding the potential for overly intrusive foreign government access programs.

Binding Corporate Rules

The EU developed the concept of Binding Corporate Rules (BCRs) to allow multinational corporations to make intra-organizational transfers of personal data across borders and still be in compliance with EU data protection law. The BCR is essentially a global code of conduct based upon
