PRIV-38 - Adequacy Transfer Mechanism


What is this control about?

Implementing the control of ‘Adequacy Transfer Mechanism’ is crucial for organizations that transfer personal data across international borders. This control is essential in ensuring compliance with data protection laws, particularly when transferring data from a jurisdiction with strict data protection regulations to a jurisdiction with different or less stringent requirements.

Available tools in the marketplace

  • N/A – No tools for this control

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

Control implementation

Here are some guidelines for implementing an effective Adequacy Transfer Mechanism program:

  • Data Mapping and Classification: Perform a thorough data mapping exercise to identify the types of personal data collected, processed, or transferred across international borders. Classify the data based on its sensitivity and legal requirements for transfer.
  • Identify Adequacy Mechanisms: Based on the regulatory research and data mapping, identify the adequacy transfer mechanisms that align with the data protection laws of the countries involved. Common adequacy mechanisms include the EU Standard Contractual Clauses, Binding Corporate Rules (BCRs), and approved Codes of Conduct.
  • Develop Data Transfer Agreements: If the organization uses contractual clauses as an adequacy mechanism, develop data transfer agreements (DTAs) that incorporate the required provisions. The DTAs should clearly define the roles and responsibilities of the parties involved, data protection obligations, and measures to ensure compliance with data protection laws.
  • Implement Technical Safeguards: Implement technical safeguards to protect the data during transit. This may involve using encryption, pseudonymization, or other security measures to prevent unauthorized access or interception of the data.

What evidence do auditors look for?

At a minimum, most auditors look for the suggested actions below:

  • Data Transfer Agreements (DTAs): Copies of data transfer agreements between the organization and recipients of personal data in different jurisdictions. These agreements should incorporate the selected adequacy transfer mechanism, such as EU Standard Contractual Clauses or Binding Corporate Rules, and outline the rights and responsibilities of each party regarding data protection.
  • Privacy Policies: Updated privacy policies that inform data subjects about the organization’s use of an adequacy transfer mechanism for cross-border data transfers. The policies should describe the safeguards in place to protect their personal data during the transfer process.

Evidence example

For the suggested action, an example is provided below:

  • Data Transfer Agreements (DTAs)

Leverage this data transfer Data Sharing Agreement Template. Privacy documents are best drafted by your Legal team.

  • Privacy Policies

This is usually found on the company website.
