Standard Contractual Clauses for controllers to processors 


This template contract contains standard contractual clauses which can be used as an appropriate safeguard to comply with the restricted transfer rules contained in the UK GDPR and the Data Protection Act 2018 (“DPA 2018”). In this document where we refer to UK GDPR, we mean the UK GDPR as supplemented by terms in the DPA 18.


There are two different sets of standard contractual clauses. Which set to use will depend on the nature of the restricted transfer: controller to controller or controller to processor.


The previous EU GDPR standard contractual clauses automatically became valid for restricted transfers under the UK GDPR on 31 December 2020. You are permitted to make changes to them so they make sense for restricted transfers under the UK GDPR (see Schedule 21 of the updated Data Protection Act 2018). In this document we have made those suggested changes for you.


Signing the agreement 

Arrange for the sender (the data exporter) and the receiver (the data importer) to sign all the boxes, highlighted in pink, where their signature is required.


There are different ways to sign agreements. These are just suggestions of how you might arrange for the standard contractual clauses to be signed.


  • If the sender and receiver are both present, both can sign two copies. Once both have signed, you should add the date in the box beneath the signatures. The standard contractual clauses are now a binding contract. Each party keeps one copy for its records. 
  • One party (it doesn’t matter which) signs two copies. It posts them to the other party. The other party signs the two copies. Once both have signed then you should enter the date in the box beneath the signatures on each copy. The standard contractual clauses are now a binding contract. One copy is posted back to the first party for its records.
  • One party (it doesn’t matter which party) signs one copy. It scans the signed version and emails it to the other party. The other party signs the version containing the scanned signatures. Once both have signed, it can be dated in the box beneath the signatures. The standard contractual clauses are now a binding contract. A scanned version can be shared with the other party for its records.

You do not need to have an original signed copy of the standard contractual clauses to comply with the UK GDPR rules on restricted transfers. A scanned signed version of the complete contract is sufficient evidence. You may also use document signing platforms. 

The standard contractual clauses for international transfers from controllers to processors

Non-legally binding guidance

This column does not form part of the standard contractual clauses, and is not legally binding on either party

Parties

Name of the data exporting organisation:

ebebek UK Retail Services Ltd.

This is the sender of the restricted transfer of personal data (referred to as the exporter). Insert the full legal name:

  • If a sole trader, his/her full name.
  • If a company or limited liability partnership – as formally registered.
  • If a partnership as set out in Partnership Deed.

If an unincorporated association, check the establishing document, as to who should enter into this contract.

Address

Building 3 Chiswick Business Park, 566 ChiswickHigh Road, W4 5YA London, United Kingdom


Country: England

This is the contact address for the exporter.


It may be the registered address but does not need to be. 


You must include the country. 

Telephone

Click here to enter text.

This can be the exporter’s general contact telephone number.

Fax

 

This can be the exporter’s general contact fax number.


Leave this blank if you do not have a fax.

Email

Click here to enter text.

This can be the exporter’s general contact email address

Other information needed to identify the organisation

Company Number: 13269666                                    VAT No: 382 1438 01

For UK companies and limited liability partnerships it is helpful to include the following:

A company/limited liability partnership (delete as appropriate) registered in England and Wales/Scotland/Northern Ireland (delete as appropriate).

Company number: insert number.

For companies outside the UK, if possible it is helpful to include the registration number and country of incorporation. 

A company number is useful as it can help identify a company even if it has changed its name and address.

(the data exporter”) 

And 

Name of the data importing organisation:

ebebek Mağazacılık A.Ş

This is the receiver of the restricted transfer of personal data (referred to as the importer). Insert the full legal name:

  • If a sole trader, his/her full name.
  • If a company or limited liability partnership – as formally registered.
  • If a partnership as set out in Partnership Deed.
  • If an unincorporated association, check the establishing document, as to who should enter into this contract.

Address

İçerenköy Mahallesi Değirmen Yolu Caddesi No:37 D:6 PK: 34752 Ataşehir / İstanbul

 

Country: Turkey

This is the contact address for the importer.

It may be the registered address but does not need to be.


You must include the country. 

Telephone

Click here to enter text.

This can be the importer’s general contact telephone number.

Fax

Click here to enter text.

This can be the importer’s general contact fax number.

Leave this blank if you do not have a fax.

Email

Click here to enter text.

This can be the importer’s general contact email address

Other information needed to identify the organisation

Tax No: 336 055 4272                                    Trade Registration No: 439123-386705

For UK companies and limited liability partnerships it is helpful to include the following:


A company/limited liability partnership (delete as appropriate) registered in England and Wales/Scotland/Northern Ireland (delete as appropriate).


Company number: insert number


For companies outside the UK, if possible it is helpful to include the registration number and country of incorporation. 


A company number is useful as it can help identify a company even if it has changed its name and address.

(the data importer”) 

Clause 1. Definitions

For the purposes of the Clauses:


(a)‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘Commissioner’ shall have the same meaning as in the UK GDPR;


A brief overview of these definitions are:


“Personal data”

Information relating to an identified or identifiable natural person.


“Special categories of data”

Personal data which relates to an individual’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life, or sexual orientation.


“Process/processing”

In practice means anything which can be done to data, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


“Controller” 

A natural or legal person which decides the purposes and means of processing data


“Processor”

A natural or legal person which is responsible for processing personal data on behalf of a controller


“Data subject”
The individual that personal data relates to.


“The Commissioner”
The Information Commissioner, as the UK’s independent data protection authority, which we refer to as the ‘ICO’.

(b) ‘the data exporter’ means the controller who transfers the personal data;

This is the sender/exporter of the personal data, set out on page 1.

(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system covered by UK adequacy regulations issued under Section 17A Data Protection Act 2018 or Paragraphs 4 and 5 of Schedule 21 of the Data Protection Act 2018;

This is the receiver/importer of the personal data, set out on page 3.


The definition clarifies that the importer should not be in a country covered by UK “adequacy regulations”. 


These are UK regulations confirming that the legal framework in a country (or territory or sector) provides an adequate level of data protection for personal data. Currently, it includes all EEA countries and all countries (territories or sectors) covered by a European Commission “adequacy decision” 


You do not need to use the standard contractual clauses if the importer is covered by UK adequacy regulations.

(d) ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

This is a sub-contractor of the processor, to which the processor has delegated some of its personal data processing services.

(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the UK;

“Applicable data protection law” means the data protection law of the UK which is  the UK GDPR and the Data Protection Act 2018 ("DPA 2018").



(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

This definition is aligned with UK GDPR Art 32, which places obligations on both controllers and processors to keep personal data secure.


In brief, this requires security measures that involve policies, processes and people as well as technology. This usually means that:

  • You consider things like risk analysis, organisational policies and physical and technical measures.
  • You take into account additional requirements about the security of your processing.
  • You consider the state of the art and costs of implementation when deciding what measures to take – but they must be appropriate both to your circumstances and the risk your processing poses.
  • Where appropriate, you should look to use measures such as pseudonymisation and encryption.
  • Your measures must ensure the confidentiality, integrity and availability of your systems and services and the personal data you process within them.
  • The measures must also enable you to restore access to and availability of personal data in a timely manner in the event of a physical or technical incident.
  • You also need to ensure that you have appropriate processes in place to test the effectiveness of your measures regularly (such as pen testing and testing application security), and undertake any required improvements.

Clause 2. Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

You must fill in Appendix 1 with the details of the restricted transfer (see below).


Clause 2 flags that if “special categories of personal data” are being transferred these should be set out, as they receive a higher standard of protection in data protection law.

Clause 3. Third-party beneficiary clause

Clause 3 sets out the rights of data subjects to enforce certain provisions in the standard contractual clauses against the importer and exporter.


Data subjects do not sign up to the standard contractual clauses, but they can enforce compliance with particular clauses which are intended to benefit them. The clauses which can be enforced by a data subject are set out below. 


If a data subject wishes to bring a claim for non-compliance with the standard contractual clauses, it must first try to bring the claim against the exporter. 


If it is not possible to bring a claim against the exporter, the data subject can try to bring a claim against the importer (see Cl 3(2))


If it is not possible to bring a claim against the importer, the data subject can try to bring a claim against a sub-processor (if there is one) (see Cl 3(3)).

3(1)

The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

Data subjects can enforce the clauses listed directly against the exporter.

Data subject enforcement against:

  • Exporter

(if that is not possible:)

  • Importer

(if that is not possible:)

  • Sub-processor

3(2)

The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

Data subjects can enforce the clauses listed directly against the importer, but only where:

  • the exporter has “factually disappeared” (for example, it is not contactable or traceable) OR it no longer legally exists (for example, it is a company which has been dissolved); 

and

  • there is no entity which has taken over all of the exporter's obligations.

Data subject enforcement against:

  • Exporter
    If that is not possible:

  • Importer
    If that is not possible:

  • Sub-processor

3(3)

The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

Data subjects can enforce the clauses set out listed directly against the sub-processor if:

  • both the exporter and importer have either “factually disappeared” (for example, neither is contactable or traceable) OR no longer legally exist (for example: a company which has been dissolved); 

and

  • there is no entity which has taken on all of the exporter's obligations.

Data subject enforcement against:

  • Exporter

If that is not possible:

  • Importer

If that is not possible:

  • Sub-processor

3(4)

The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

This clause prevents the exporter and importer objecting to data subjects being represented by associations or other bodies (eg interest or campaign groups). 

Data subject enforcement against:

  • Exporter

If that is not possible:

  • Importer

If that is not possible:

  • Sub-processor

Clause 4. Obligations of the data exporter

The data exporter agrees and warrants:

Clause 4 sets out the general commitments which the exporter provides in relation to the data.


These commitments are “warranties”, which are promises given in a contract. 


If the exporter does not comply with a warranty, this may lead to a claim from the importer for damages. 


If the exporter does not comply with certain obligations, this may lead to a claim from data subjects. We have shown below where a data subject can take such action in relation to a clause. These are also set out in Clause 3 above. 

4(a)

that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the Commissioner) and does not violate the applicable data protection law;

The exporter of the data must make sure that it has complied with the UK GDPR and DPA 2018 (and all other UK laws which apply to it), in relation to its collection, use and transfer of the personal data being sent under the standard contractual clauses.  


The clause refers to notifying the ICO about processing activities. However, exporters in the UK no longer need to notify the ICO of their processing of personal data.

4(b)

that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

The exporter must only instruct the importer to process the data on the exporter's behalf (i.e. for the purposes instructed by the exporter).


The instructions must also be: 

  • in accordance with the UK GDPR and the DPA 2018; and
  • in accordance with the standard contractual clauses.

This means that the exporter cannot instruct the importer to do something which is not permitted by the UK GDPR and DPA 18, or by the standard contractual clauses.

Data subject enforcement

against:

  • Exporter

4(c) 

that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

The exporter must ensure that the importer provides sufficient guarantees in relation to the security measures set out by the parties in Appendix 2.


In practice, ensuring that the importer provides sufficient guarantees is likely to involve the exporter carrying out due diligence on the importer before it selects it as a processor. This might include:

  • asking questions about the importer’s data protection practices;
  • reviewing its security measures; 
  • reviewing its internal data protection policies; and 
  • asking questions about any previous data security incidents.

Data subject enforcement against:

  • Exporter

4(d)

that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

This clause requires the exporter to have assessed the importer’s security measures, both technical and organisational (which includes policies, processes and people).


The exporter must be satisfied that these security measures offer appropriate protection for the data being transferred, to protect it against it being destroyed, lost, altered or disclosed, or accessed by unauthorised persons. 

The UK GDPR and the standard contractual clauses do not set any specific mandatory security measures. 

It is for the exporter to assess what measures are appropriate in the circumstances, taking into account:

  • the nature of the data;
  • the nature of the technology used to process the data; 
  • the cost of implementing any particular measures; and 
  • the risks that could arise from any accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access to the personal data. 

The parties should keep the measures under review and be aware that they may need to change or update them over time as new technology becomes available, or if the risks of the processing change.

Data subject enforcement against:

  • Exporter

4(e)

that it will ensure compliance with the security measures;

This clause makes the exporter responsible for ensuring that the importer complies with the security measures set out in Appendix 2.  


This is an on-going obligation which lasts for the duration of the processing by the importer.


This means that the exporter should take steps throughout the life of the contract to make sure that the importer is complying with the measures.  This could be by asking questions to the importer or by audits of the importer on a regular basis (such as annually).

Data subject enforcement against:

  • Exporter

4(f)

that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not covered by adequacy regulations issued under Section 17A Data Protection Act 2018 or Paragraphs 4 and 5 of Schedule 21 Data Protection Act 2018;

This clause only applies where special categories of data are transferred to the importer. 


In that case, the exporter must tell data subjects that their data has been transferred outside the UK to a country not covered by UK adequacy regulations.

Data subject enforcement against:

  • Exporter

4(g)

to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the Commissioner if the data exporter decides to continue the transfer or to lift the suspension;

This clause relates to circumstances in which the exporter has received one (or both) of the following notifications from the importer.

- A notification under clause 5(b): that the laws which apply to the importer have changed and this is likely to have a substantial adverse effect on the importer’s obligations under the standard contractual clauses. 

- A notification under clause 8(3): telling the exporter about any laws applicable to the importer which prevent an audit by the ICO of the importer or any sub-processor. 

If the exporter receives such a notification but still plans to continue the transfer of data to the importer or (if it has stopped transferring personal data) to lift a suspension, it must forward the notification to ICO). 


This is so that the ICO can decide whether to audit the importer to ensure that the personal data is adequately protected.

Data subject enforcement against:

  • Exporter

4(h)

to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

The exporter must provide copies of the following documents/ information to data subjects who request them:

  • the standard contractual clauses (excluding Appendix 2);
  • a summary description of the security measures in Appendix 2; and
  • any contract for sub-processing services which has to be made in accordance with the standard contractual clauses (see clause 11 below which covers using a sub-processor).
  • The exporter can remove commercial information before disclosing the standard contractual clauses and any sub-processing contract to a data subject.

Data subject enforcement:

  • Exporter

4(i)

that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses;

The exporter must make sure that: 

  • any sub-processing is carried out in accordance with the requirements of clause 11; and
  • any sub-processor provides at least the same level of data protection and rights of data subjects as the importer is required to provide under the standard contractual clauses.

Data subject enforcement against:

  • Exporter

4(j)

that it will ensure compliance with Clause 4(a) to (i).

This clause requires the exporter to ensure its own compliance with clauses 4(a) to 4(i), set out above.  


In practice, this means that the exporter will need to make sure its employees, contractors and agents comply with clauses 4(a) to 4(i).

Clause 5. Obligations of the data importer

The data importer agrees and warrants:

Clause 5 sets out the general commitments which the importer gives in relation to the data. 


These commitments are “warranties”, which are promises given in a contract. 


If the importer does not comply with a warranty, this may lead to a claim from the exporter for damages against the importer. 


In addition, if the importer does not comply with certain obligations, this may lead to a claim from data subjects. 


We have indicated below where a data subject can take such action in relation to a clause. These are also set out in Clause 3 above. 


The obligations in Clause 5 are intended to make sure that the importer, who is not subject to the UK GDPR, provides at least the same level of protection for the personal data as required under the UK GDPR.

5(a)

to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

The importer must process the data:

  • only on behalf of the exporter; and
  • in accordance with the exporter’s instructions.

  • If the importer cannot do this, it must promptly tell the exporter. Following this, the exporter can suspend the transfer of data to the importer and/or the exporter can terminate the contract.

Data subject enforcement against:

  • Exporter

If that is not possible:

  • Importer

If that is not possible:

  • Sub-processor

5(b) 

that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

This clause requires the importer to consider the laws that apply to it and whether any of those laws will prevent it from meeting the exporter's instructions and complying with its obligations under the standard contractual clauses. 


If any of the laws which apply to the importer change – and these changes are likely to have a substantial adverse effect on the promises and obligations set out in the standard contractual clauses – the importer must notify the exporter as soon as it becomes aware of the changes. 


A “substantial adverse effect” would be any legal requirement on the importer which might prevent the importer from complying with the standard contractual clauses. 


In these circumstances, the exporter can stop the transfer of data to the importer and/or terminate the contract. 

Data subject enforcement against:

  • Exporter

If that is not possible:

  • Importer

If that is not possible:

  • Sub-processor 

5(c)

that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

The importer must put in place the security measures contained in Appendix 2 before it starts processing the data. This effectively means that the security measures must be place before the data is transferred to the importer.


The UK GDPR or the standard contractual clauses do not set any mandatory security measures. It is for the exporter to assess what is appropriate in the circumstances. 


When deciding what security measures are appropriate, the receiver should think about the type of data (eg how sensitive it is), the type of processing carried out (eg how intrusive it is) and the likely harm which could come to data subjects if the data were lost, stolen or accessed by an unauthorised person.  


Further guidance:

Data subject enforcement against:

  • Exporter

If that is not possible:

  • Importer

If that is not possible:

  • Sub-processor

5(d)

that it will promptly notify the data exporter about:


(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;

(ii) any accidental or unauthorised access; and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

The importer must promptly tell the exporter about:

  • any legally binding request for disclosure of the personal data it receives from a law enforcement agency (unless it is prohibited by law from telling the exporter);
  • any accidental, unlawful or unauthorised access to the data; 

and

  • any request the importer receives directly from a data subject. The importer must not respond to a request from a data subject unless the exporter authorises it to do so.

Data subject enforcement against:

  • Exporter

If that is not possible:

  • Importer

If that is not possible:

  • Sub-processor

5(e)

 

to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the Commissioner with regard to the processing of the data transferred;

The importer must respond promptly to any questions from the exporter about the importer's processing of the data.


The importer must also follow the advice of the ICO about the processing of the personal data transferred, as the restricted transfer is from an exporter in the UK.

Data subject enforcement against:

  • Exporter

If that is not possible:

  • Importer

If that is not possible:

  • Sub-processor

5(f)

at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the Commissioner;

If the exporter requests, the importer must allow the exporter to carry out an audit of the facilities it uses to process the personal data transferred. 


Audits can be carried out by:

  • the exporter itself; or 
  • third party auditors appointed by the exporter. These auditors must be independent and have appropriate professional qualifications. They must also be subject to confidentiality obligations in relation to the data.

The appointment of third party auditors does not currently require agreement by the ICO.

5(g)

to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

The importer must provide copies of the following documents/information to data subjects who request them:

  • the standard contractual clauses (excluding Appendix 2);
  • a summary description of the security measures in Appendix 2; and
  • any existing contract for sub-processing.
  • The importer can remove commercial information from the sub-processing contracts and the standard contractual clauses before disclosing them to a data subject.

Data subject enforcement against:

  • Exporter

If that is not possible:

  • Importer

If that is not possible:

  • Sub-processor

5(h)

that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;

The importer can only appoint sub-processors to process the personal data if it has told the exporter about this – and the exporter has consented in writing beforehand to this appointment. 


  • The authorisation required for appointing sub-processors should be set out in the main contract between the exporter and the importer (under UK GDPR rules on controller-processor contracts).

Data subject enforcement:

  • Exporter
  • Importer
  • Sub-processor

5(i)

that the processing services by the sub-processor will be carried out in accordance with Clause 11;

  • The importer must make sure that its sub-processors process the personal data in accordance with clause 11.

Data subject enforcement against:

  • Exporter

If that is not possible:

  • Importer

If that is not possible:

  • Sub-processor 

5(j)

to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

  • The importer must promptly provide to the exporter a copy of all sub-processing agreements it enters into under the standard contractual clauses. 

Data subject enforcement against:

  • Exporter

If that is not possible:

  • Importer

If that is not possible:

  • Sub-processor 

Clause 6. Liability

Clause 6 sets out which parties will be liable for breaches of the standard contractual clauses. It also sets out data subjects’ rights to enforce compliance with the standard contractual clauses by both the exporter and importer.

6(1)

The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.

  • If a data subject suffers damage due to a breach of clauses 3 or 11 by any of the exporter, the importer or a sub-processor, the exporter is responsible in the first instance for compensating the data subject.

Data subject enforcement against:

  • Exporter

If that is not possible:

  • Importer

If that is not possible:

  • Sub-processor 

6(2)

If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.


The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.

As set out against clause 3, above, if there has been a breach of the clauses set out in clauses 3 or 11 by the exporter, importer or any sub-processor, the data subject should try to bring a claim against the exporter first.


If the data subject cannot bring a claim against the exporter because the exporter has factually disappeared, no longer exists in law, or is insolvent, the data subject can bring a claim against the importer. 


This does not apply if a successor entity has taken on all the legal obligations of the exporter by contract or by operation of law. In that case, the data subject should bring a claim against the exporter's successor.

Data subject enforcement against:

  • Exporter

If that is not possible:

  • Importer

If that is not possible:

  • Sub-processor

6(3)

If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

As set out in clause 3, if there has been a breach by a sub-processor of clause 3 or 11, the data subject should try to bring a claim first against the exporter and then the importer. 


This clause explains that: if the data subject cannot bring a claim against the exporter or the importer because they have factually disappeared, no longer exist in law or are insolvent, the sub-processor agrees that the data subject can bring a claim against it for the sub-processor's own breaches.


This does not apply if a successor entity has taken on all the legal obligations of the exporter or importer by contract or operation of law. In this case, the data subject should bring a claim against the successor.

Clause 7. Mediation and jurisdiction

Clause 7 relates to circumstances in which a data subject can bring a claim against the importer for breach of the standard contractual clauses.

7(1)

The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:


(a) to refer the dispute to mediation, by an independent person or, where applicable, by the Commissioner;

(b) to refer the dispute to the UK courts.

If a data subject decides to bring a claim against the importer for breach of the standard contractual clauses, the data subject can choose to either: 

  • refer disputes to mediation by an independent person or the ICO; or 
  • bring a claim in the courts of the UK.
  • The importer must accept the data subject’s decision. 

Data subject enforcement against:

  • Exporter

If that is not possible:

  • Importer

If that is not possible:

  • Sub-processor 

7(2)

The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

  • This is an acknowledgement by the exporter and importer that: regardless of whether the data subject chooses mediation or a court action, the data subject can still take advantage of any other remedies which are available to them under national or international law.

Data subject enforcement:

  • Exporter
  • Importer
  • Sub-processor

Clause 8. Cooperation with supervisory authorities

The data exporter agrees to deposit a copy of this contract with the Commissioner if it so requests or if such deposit is required under the applicable data protection law.

The exporter must give a copy of the standard contractual clauses to the ICO if the ICO requests it (or if it is required  under applicable data protection law).



8(2)

The parties agree that the Commissioner has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

The ICO can audit the importer and any sub-processor, in the same way as it could audit the exporter.

Data subject enforcement against:

  • Exporter

If that is not possible:

  • Importer

If that is not possible:

  • Sub-processor 

8(3)

The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

The importer must tell the exporter about any laws which apply to the importer or any of its sub-processors which would prevent the importer/sub-processor from being audited by the ICO.  


If there are such laws, the exporter can suspend the transfer of data to the importer and/or terminate the contract.

Clause 9. Governing law

The Clauses shall be governed by the law of the country of the United Kingdom in which the data exporter is established, namely;

England and Wales.

The standard contractual clauses are governed by the law of the UK country of the exporter.


ACTION: Fill out this section with the law of the UK where the exporter is established. 


i.e. choose one of "England and Wales", “Scotland” or “Northern Ireland”.

Data subject enforcement against:

  • Exporter

If that is not possible:

  • Importer

If that is not possible:

  • Sub-processor 

Clause 10. Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from (i) making changes permitted by Paragraph 7(3) & (4) of Schedule 21 Data Protection Act 2018; or (ii) adding clauses on business related issues where required as long as they do not contradict the Clause.

The parties must not amend the standard contractual clauses although:


- they must fill in the Appendices and governing law in clauses 9 and 11;


- they may make changes which are only to make the Clauses make sense in a UK context (as permitted by Paragraph 7(3) & (4) of Schedule 21 DPA 2018).


- they may add commercial clauses which don’t contradict the standard contractual clauses.

Data subject enforcement against:

  • Exporter

If that is not possible:

  • Importer

If that is not possible:

  • Sub-processor 

Clause 11. Sub-processing

This clause covers the use of sub-processors by the importer.


  • A sub-processor is a processor engaged by the importer to carry out processing activities on behalf of the exporter.

Data subject enforcement against:

  • Exporter

If that is not possible:

  • Importer

If that is not possible:

  • Sub-processor 

11(1)

The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.

The importer can only use a sub-processor if the exporter agrees to this in writing beforehand.


There should be rules in the main controller-processor contract regarding how the importer appoints a sub-processor, to meet the requirements of the UK GDPR.


If the importer uses a sub-processor, it must enter into a written agreement with the sub-processor. This written agreement must include the same obligations for the sub-processor as those which apply to the importer under the standard contractual clauses.  


In practice, many importers meet this requirement by having the sub-processor co-sign the standard contractual clauses between the exporter and the importer.


Alternatively, many importers meet this requirement by entering into a duplicate with the sub-processor (i.e. entering into a copy of the same standard contractual clauses as the importer and exporter have signed).


  • If a sub-processor does not comply with its equivalent contractual obligations, the importer remains liable to the exporter for this. It is therefore in the importer's interests to choose its sub-processors carefully.

Data subject enforcement against:

  • Exporter

If that is not possible:

  • Importer

If that is not possible:

  • Sub-processor 

11(2)

The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

The contract between the importer and the sub-processor must include rights for data subjects to bring claims against the sub-processor if:


  • both the exporter and importer no longer exist in law (eg a company which has been dissolved), have factually disappeared (for example, they are uncontactable or traceable) or are insolvent; and 
  • no entity has taken on all of the exporter's obligations (in which case the data subject may bring action against that successor entity).  
  • Claims by data subjects against a sub-processor are limited to damages caused by sub-processor's own processing activities.

Data subject enforcement against:

  • Exporter

If that is not possible:

  • Importer

If that is not possible:

  • Sub-processor 

11(3)

The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the laws of the country of the UK where the exporter is established.

The agreement between the importer and the sub-processor must be governed by the same law as the standard contractual clauses, set out in Clause 9 above. 


Data subject enforcement against:

  • Exporter

If that is not possible:

  • Importer

If that is not possible:

  • Sub-processor 

11(4)

The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the Commissioner.

The exporter must keep a list of sub-processing agreements which the importer has: 

  • entered into in relation to the data which is being transferred under the standard contractual clauses; and 
  • has told the exporter about.  

The exporter must update this list at least once a year. 


The exporter must provide this to the ICO if the ICO requests it. 

Data subject enforcement against:

  • Exporter

If that is not possible:

  • Importer

If that is not possible:

  • Sub-processor 

Clause 12. Obligation after termination

  • Clause 12 sets out obligations under the standard contractual clauses which the parties must still comply with even after the contract has ended, and the importer is no longer providing the data processing services.

Data subject enforcement against:

  • Exporter

If that is not possible:

  • Importer

If that is not possible:

  • Sub-processor 

12(1)

The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

On termination of the data processing services, the importer and all sub-processors must either return all the personal data to the exporter or destroy it.  


It is up to the exporter to choose whether the data should be returned or destroyed.


If the exporter chooses for the importer and sub-processors to destroy the data, the importer and sub-processors must confirm in writing to the exporter that they have done this.


If laws which apply to the importer/sub-processor mean that they cannot destroy or return the data, they must keep the data confidential and not process it in any other way.  The importer is responsible for making sure its sub-processors do this.

Data subject enforcement against:

  • Exporter

If that is not possible:

  • Importer

If that is not possible:

  • Sub-processor 

12(2)

The data importer and the sub-processor warrant that upon request of the data exporter and/or of the Commissioner, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.

The exporter can audit the importer and the sub-processor to check that they have destroyed the personal data and/or kept it confidential after its processing activity for the exporter has come to an end. 


  • The ICO can also audit the importer and the sub-processor to check that they have destroyed this data after its processing activity for the exporter has come to an end. 

Data subject enforcement against:

  • Exporter

If that is not possible:

  • Importer

If that is not possible:

  • Sub-processor 

Additional commercial clauses

The parties are able to add additional commercial clauses. 


When including additional commercial clauses, the parties should ensure that these clauses do not in any way:

  • overlap with or contradict the standard contractual clauses;

  • reduce the level of protection which the data importer is required to provide for the personal data; or

  • reduce the rights of data subjects, or make it any more difficult for them to exercise their rights.





You may add any additional commercial clauses to the standard contractual clauses.


You do not need to add any of these clauses in order to comply with the UK GDPR rules on restricted transfers.


When including additional commercial clauses, the parties should ensure that these clauses do not in any way:

  • overlap with or contradict the standard contractual clauses;
  • reduce the level of protection which the data importer is required to provide for the personal data; or
  • reduce the rights of data subjects or make it more difficult for them to exercise their rights.

We do not recommend including terms required under UK GDPR for a controller-processor contract in the standard contractual clauses. In nearly all cases it is better to have those in a separate agreement.


If you are unsure whether or not you can add a particular additional clause or not, you should consider adding it to your main controller – processor agreement instead.

Indem-nification

Please click in the box if you wish to include the following optional clause:

🗹 Include


Liability

The parties agree that if one party is held liable for a violation of the clauses committed by the other party, the latter will, to the extent to which it is liable, indemnify the first party for any cost, charge, damages, expenses or loss it has incurred.

Indemnification is contingent upon:


(a) the data exporter promptly notifying the data importer of a claim; and

(b) the data importer being given the possibility to cooperate with the data exporter in the defence and settlement of the claim.

This indemnification clause is included an example of an additional clause which you could include. 


This example is optional – you do not need to include it, and you can choose to add other additional commercial clauses instead of, or in addition to, this example. You can also amend this example.


The clause is a mutual indemnity: 

  • the importer indemnifies the exporter; and
  • the exporter indemnifies the importer;

if either of them is in breach of the standard contractual clauses.


In this context, an “indemnity” means that the party in breach has to fully compensate the other for its losses which arise from its breach. This may be more than just a standard claim for breach of contract, where damages can be claimed.


This clause provides a route for an innocent party to claim back from the other any compensation it has had to pay to a data subject under the standard contractual clauses, arising from a breach by that other party. 


This example indemnity is wider than that, and provides additional compensation for any breach of the standard contractual clauses.


Indemnities are often dealt with in the main controller – processor contract between the parties. 

Priority of standard contractual clauses

Please click in the box if you wish to include the following optional clause:


🗹 Include


The Standard Contractual Clauses take priority over any other agreement between the parties, whether entered into before or after the date these Clauses are entered into. 


Unless the Clauses are expressly referred to and expressly amended, the parties do not intend that any other agreement entered into by the parties, before or after the date the Clauses are entered into, will amend the terms or the effects of the Clauses, or limit any liability under the Clauses, and no term of any such other agreement should be read or interpreted as having that effect. 

This clause is provided as it may also be helpful to you.


Please review it carefully and only include it if you think it is appropriate for your circumstances.


The intended effect of the clause is to make sure that you and the other party do not inadvertently amend the standard contractual clauses or limit your liability. If you did, then you would risk not being able to rely on the standard contractual clauses for compliance with the UK GDPR rules on restricted transfers.


The clause allows you the freedom to amend the standard contractual clauses, but only if you expressly refer to them.


If you are going to amend the standard contractual clauses, we would always recommend you seek professional legal advice. 


Any amendment runs the risk that the standard contractual clauses will not comply with the UK GDPR rules on restricted transfers.

On behalf of the data exporter: Ebebek UK

Name (written out in full):

Click here to enter text.

Position:

Click here to enter text.

Signature:

Click here to enter text.

ACTION: The exporter should fill in this section with the:

  • Full name of the person signing. This must be a person who is authorised to enter into contracts on behalf of the exporter.
  • Their position.
  • Their business addresses. 

And sign where indicated.

On behalf of the data importer: Ebebek Turkey

Name (written out in full):

Click here to enter text.

Position:

Click here to enter text.

Signature:

Click here to enter text.

ACTION: The importer should fill in this section with the:

  • Full name of the person signing. This must be a person who is authorised to enter into contracts on behalf of the importer.
  • Their position.
  • Their business addresses. 
  • And sign where indicated.

Date of the Standard Contractual Clauses:10/09/2022

Do not date the standard contractual clauses until both the exporter and importer have signed.

It can be the date of the last signature, or a later date if that is agreed by the exporter and importer.




Non-legally binding guidance

Appendix 1

This Appendix forms part of the Clauses and must be completed and signed by the parties.



ACTION: This Appendix must be appropriately completed for the standard contractual clauses to be an appropriate safeguard and allow restricted transfers of personal data under the UK GDPR.


Currently, the UK does not require any additional information to be included in the Appendix.


Instructions for using the checklists:

To help you completing this Appendix, we have provided optional checklists. These are just suggestions. You do not need to use the checklists at all. 


You can also amend the contents of any category, as you consider best reflects the international transfer of personal data, including to add specific details. If you do not fit into any of these types, you may add your own description at the end of the checklist.

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):


Please select one option:

🗹 Option 1: The data exporter is (please specify briefly your activities relevant to the transfer): a UK based e-retail company that markets and sales various types of products for babies and children. 

🗹 Option 2: The following checklist and other details set out, in brief, what the data exporter is and its activities relevant to the transfer:

The data exporter’s business or organisation type is: 

Central government

Charitable and voluntary

Education and childcare

Finance, insurance and credit

General business

Health

IT, digital, technology and telecoms

Justice and policing

Land and property services

Legal and professional advisers

Local government

Marketing and research

Media

Membership association

Political

Regulators

Religious

Research

🗹 Retail and manufacture

Social care

Trade, employer associations, and professional bodies

Traders in personal data

Transport and leisure

Utilities and natural resources

Other – Please add details:     


The data exporter is using the personal data which is being transferred for the following purposes or activities:

The data exporter is using the personal data which is being transferred for the following purposes or activities:

Standard business activities, which apply to most businesses and organisations

🗹 Staff administration, including permanent and temporary staff, including appointment or removals, pay, discipline; superannuation, work management, and other personnel matters in relation to the data exporter’s staff.

🗹 Advertising, marketing and public relations of the data exporter’s own business or activity, goods or services.

🗹 Accounts and records, including 

  • keeping accounts relating to the data exporter’s business or activity;
  • deciding whether to accept any person or organisation as a customer;
  • keeping records of purchases, sales or other transactions, including payments, deliveries or services provided by the data exporter or to the data exporter;
  • keeping customer records
  • records for making financial or management forecasts; and
  • other general record keeping and information management.

Other activities:

Accounting and auditing services

Administration of justice, including internal administration and management of courts of law, or tribunals and discharge of court business. 

🗹 Administration of membership or supporter records.

🗹 Advertising, marketing and public relations for others, including public relations work, advertising and marketing, host mailings for other organisations, and list broking.

Assessment and collection of taxes, duties, levies and other revenue 

Benefits, welfare, grants and loans administration

Canvassing, seeking and maintaining political support amongst the electorate.

Constituency casework on behalf of individual constituents by elected representatives.

Consultancy and advisory services, including giving advice or rendering professional services, and the provision of services of an advisory, consultancy or intermediary nature.

Credit referencing, including the provision of information by credit reference agencies relating to the financial status of individuals or organisations on behalf of other organisations

🗹 Data analytics, including profiling

Debt administration and factoring, including the tracing of consumer and commercial debtors and the collection on behalf of creditors, and the purchasing of consumer or trade debts from business, including rentals and instalment credit payments. 

Education, including the provision of education or training as a primary function or as a business activity.

Financial services and advice including the provision of services as an intermediary in respect of any financial transactions including mortgage and insurance broking

Fundraising in support of the objectives of the data exporter

Health administration and services, including the provision and administration of patient care.

Information and databank administration, including the maintenance of information or databanks as a reference tool or general resource. This includes catalogues, lists, directories and bibliographic databases.

Insurance administration including the administration of life, health, pensions, property, motor and other insurance business by an insurance firm, an insurance intermediary or consultant

🗹 IT, digital, technology or telecom services, including use of technology products or services, telecoms and network services, digital services, hosting, cloud and support services or software

Journalism and media, including the processing of journalistic, literary or artistic material made or intended to be made available to the public or any section of the public.

Legal services, including advising and acting on behalf of clients.

Licensing and registration, including the administration of licensing or maintenance of official registers.

Not-for-profit organisations’ activities, including 

  • establishing or maintaining membership of or support for a not-for-profit body or association, and
  • providing or administering activities for individuals who are either members of the not-for-profit body or association or have regular contact with it.

Pastoral care, including the administration of pastoral care by a vicar or other minister of religion.

Pensions administration, including the administration of funded pensions or superannuation schemes.

🗹 Procurement, including deciding whether to accept any person or organisation as a supplier, and the administration of contracts, performance measures and other records. 

Private investigation, including the provision on a commercial basis of investigatory services according to instruction given by clients

Property management, including the management and administration of land, property and residential property, and the estate management of other organisations. 

Realising the objectives of a charitable organisation or voluntary body, including the provision of goods and services in order to realise the objectives of the charity or voluntary body.

🗹 Research in any field, including market, health, lifestyle, scientific or technical research. 

Security of people and property, including using CCTV systems for this purpose.

Trading/sharing in personal information, including the sale, hire, exchange or disclosure of personal information to third parties in return for goods/services/benefits.

Other activities (please provide details):      

ACTION: Set out the exporter’s type of business and its activities relevant to the restricted transfer. 


You have two options:


Option 1. You may set this out in your own words.  As a suggestion, you could use the following form: 


The data exporter is: insert description of importer.

The data exporter’s activities which are relevant to the restricted transfer are: add activities.


For example: 

"The data exporter is a UK-based supplier of home office equipment and is contracting with the importer for it to provide a software solution for managing the exporter's customer database".


You should also have a controller-processor contract in place. If so, you may be able to re-use a description of the exporter’s activities as set out in that contract.


Option 2: you may find it easier to use the checklists provided.


Instructions

Step 1: Think about the exporter’s type of business or organisation and click in the box next to the appropriate category, making any appropriate amendments or adding specific detail.


Step 2: Think about why the exporter is using the personal data to be transferred and why it is making the transfer. Click in the box next to all of the activities which apply, making appropriate amendments or adding specific details. You can click “other” and add your own description at the end.

Data importer

The data importer is (please specify briefly your activities relevant to the transfer): 


Please select one option:

🗹 Option 1: The data importer is (please specify briefly your activities relevant to the transfer): is a Turkey based company that also markets and sales various types of baby and children products. 


🗹 Option 2: The following checklist and other details set out, in brief, what the data importer is and its activities relevant to the transfer:



The data importer’s business or organisation type is: 


Central government

Charitable and voluntary

Education and childcare

Finance, insurance and credit

General business

Health

IT, digital, technology and telecoms

Justice and policing

  Land and property services

Legal and professional advisers

Local government

Marketing and research

Media

Membership association

Political

Regulators

Religious

Research

🗹 Retail and manufacture

Social care

Trade, employer associations, and professional bodies

Traders in personal data

Transport and leisure

Utilities and natural resources

Other – Please add details:      activities 


The data importer’s activities for the data exporter, which are relevant to the transfer are:  


🗹 Accounts and records services, including 

  • keeping accounts;

  • deciding whether to accept any person or organisation as a customer

  • keeping records of purchases, sales or other transactions, including payments, deliveries or services provided by the data exporter or to the data exporter;

  • records for making financial or management forecasts

  • other general records and information management services.

Administration services relating to membership or supporter records.

🗹 Advertising, marketing, and public relations services.

Auditing services

🗹 Facilities management services, including cleaning, catering, reception, security, maintenance, gardening, events management, business travel, meetings, vehicle hire, copying, printing and post services.

Benefits, grants and loans administration services.

🗹 Consultancy and general advisory services.

Debt administration and factoring services, including the tracing of consumer and commercial debtors and the collection on behalf of creditors. 

🗹 Education or training services.

Financial services administration and advice services including the provision of services as an intermediary in respect of any financial transactions including mortgage and insurance broking.

Fundraising services.

Health administration and health services, including the provision and administration of patient care.

Information and databank administration, including the maintenance of information or databanks as a reference tool or general resource. This includes catalogues, lists, directories and bibliographic databases.

Insurance administration including the administration of life, health, pensions, property, motor and other insurance business.

🗹 IT, digital, technology or telecom services, including provision of technology products or services, telecoms and network services, digital services, hosting, cloud and support services or software licensing

🗹 Legal administration and legal support services.

Licensing and registration services, including the administration of licensing or maintenance of official registers.

🗹 Media services.

Pensions administration, including the administration of funded pensions or superannuation schemes. 

Property management services, including the management and administration of land, property and residential property, and the estate management of other organisations. 

🗹 Procurement services, including deciding whether to accept any person or organisation as a supplier, and the administration of contracts, performance measures and other records.

Provision of temporary and agency staff.

🗹 Research and development services, including market, health, lifestyle, scientific or technical research. 

Services in relation to the assessment and collection of taxes, duties, levies and other revenue.

🗹 Services in relation to trading/sharing in personal information, including the sale, hire, exchange or disclosure of personal information to third parties in return for goods/services/benefits.

🗹 Staff administration services, including appointment or removals, pay, discipline; superannuation, training, employee benefits, work management, and other personnel matters in relation to the data exporter’s staff.

Other services (please provide a description):     

ACTION: Set out the importer’s type of business and its activities relevant to the restricted transfer. 


You have two options:


Option 1. You may set this out in your own words.  As a suggestion, you could use the following form: 


The data importer is: insert description of importer.

The data importer’s activities which are relevant to the restricted transfer are: add activities.


For example:

"The data importer is a US-based supplier of software solutions. It is supplying a software package to the exporter and will host the importer's customer data on its servers in the US."


You should also have a controller-processor contract in place. If so, you may be able to re-use a description of the importer’s activities as set out in that contract.


Option 2: you may find it easier to use the checklists provided.


Instructions

Step 1: Think about the importer’s type of business or organisation and click in the box next to the appropriate category, making appropriate amendments or adding specific detail.


Step 2: Think about why the data importer is using the personal data to be transferred. Click in the box next to all of the activities which apply, making appropriate amendments or adding specific details. You can click “other” and add your own description at the end.

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):


Each category includes current, past and prospective data subjects. Where any of the following is itself a business or organisation, it includes their staff.

🗹 staff including volunteers, agents, temporary and casual workers

🗹 customers and clients (including their staff)

🗹 suppliers (including their staff)

members or supporters

🗹 shareholders

relatives, guardians and associates of the data subject

🗹 complainants, correspondents and enquirers;

experts and witnesses

🗹 advisers, consultants and other professional experts

patients

students and pupils

offenders and suspected offenders

other (please provide details of other categories of data subjects):     

ACTION: The parties should list the categories of data subject. 


Instructions: Think about who the personal data being transferred is about, and click in the box next to all of the categories of data subjects which are included in the personal data being transferred.


You may make appropriate amendments or add specific details to any of the categories or click “other” and add your own categories at the end.

Categories of data

The personal data transferred concern the following categories of data (please specify): 


The following is a list of standard descriptions of categories of data:

🗹 Personal details, including any information that identifies the data subject and their personal characteristics, including: name, address, contact details, age, date of birth, sex, and physical description.

Personal details issued as an identifier by a public authority, including passport details, national insurance numbers, identity card numbers, driving licence details.

Family, lifestyle and social circumstances, including any information relating to the family of the data subject and the data subject’s lifestyle and social circumstances, including current marriage and partnerships, marital history, details of family and other household members, habits, housing, travel details, leisure activities, and membership of charitable or voluntary organisations.

Education and training details, including information which relates to the education and any professional training of the data subject, including academic records, qualifications, skills, training records, professional expertise, student and pupil records.

🗹 Employment details, including information relating to the employment of the data subject, including employment and career history, recruitment and termination details, attendance records, health and safety records, performance appraisals, training records, and security records.

🗹 Financial details, including information relating to the financial affairs of the data subject, including income, salary, assets and investments, payments, creditworthiness, loans, benefits, grants, insurance details, and pension information.

🗹 Goods or services provided and related information, including details of the goods or services supplied, licences issued, and contracts.

Personal data relating to criminal convictions and offences

Other (please provide details of other data subjects):     

ACTION: The parties should list the categories of personal data being transferred. 


Instructions: Think about what the personal data being transferred is about and click in the box next to all of the categories of personal data which are being transferred 


You may make appropriate amendments or add specific details to any of the categories, or click “other” and add your own categories at the end.

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify): 


Personal data which is on, which reveals, or which concerns: 

racial or ethnic origin

political opinions

religious or philosophical beliefs

trade union membership

genetic data

biometric data (if used to identify a natural person)

health

sex life or sexual orientation

criminal convictions and offences

none of the above

ACTION

Include a list of any of the special categories of data which are being transferred:


For completeness, and to ensure the Clauses work under the UK GDPR, we have included the new special categories of data added by the UK GDPR and criminal convictions and offences data.


Instructions: Think about the set of personal data being transferred and click in the box next to any of the special categories of data or criminal records and convictions data, which are included.

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify): 


🗹 Receiving data, including collection, accessing, retrieval, recording, and data entry

🗹 Holding data, including storage, organisation and structuring

🗹 Using data, including analysing, consultation, testing, automated decision making and profiling

🗹 Updating data, including correcting, adaptation, alteration, alignment and combination

🗹 Protecting data, including restricting, encrypting, and security testing

🗹 Sharing data, including disclosure, dissemination, allowing access or otherwise making available 

🗹 Returning data to the data exporter or data subject

🗹 Erasing data, including destruction and deletion

Other (please provide details of other types of processing):      

ACTION: List the processing activities which may be carried out.


Instructions: Think about how the data importer will be using and handling the set of personal data transferred to it, and click in the box next to all of the processing activities which apply.


You may make appropriate amendments or add specific details to any of the categories, or click “other” and add your own categories at the end.


DATA EXPORTER: Ebebek UK

Name:      

Authorised Signature …

ACTION: The exporter should fill in this section with the:

  • Full name of the person signing. This must be the same person throughout the document.
  • Their position.
  • Their business addresses. 

And sign where indicated.


DATA IMPORTER: Ebebek Turkey

Name:      

Authorised Signature …

ACTION: The importer should fill in this section with the:

  • Full name of the person signing. This must be the same person throughout the document.
  • Their position.
  • Their business addresses. 

And sign where indicated.



Appendix 2

Non-legally binding guidance

This Appendix forms part of the Clauses and must be completed and signed by the parties.


Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):


Please click in a box to select one option:

Option 1: Please refer to the description of the importer’s security measures set out in the contract between the controller and processor, named       dated      


Option 2: The following is the description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):      


🗹 Option 3: The following checklist and supplementary details set out the description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5 (c):

🗹 We use firewalls to protect our internet connection This will be your first line of defence against an intrusion from the internet.

Supplementary details of firewalls used (add any relevant details):     

🗹 We choose the most appropriate secure settings for our devices and software Most hardware and software will need some level of set-up and configuration in order to provide effective protection. 

Supplementary details of security settings used (add any relevant details):     

🗹 We control who has access to your data and services Restrict access to your system to users and sources you trust. 

Supplementary details of how access to your system is controlled (add any relevant details):     

🗹 We protect ourselves from viruses and other malware? Anti-virus products can regularly scan your network to prevent or detect threats.

Supplementary details of antivirus and malware protection used (add any relevant details):     

🗹 We keep our software and devices up-to-date Hardware and software needs regular updates to fix bugs and security vulnerabilities.

Supplementary details of how software and devices are kept up to date (add any relevant details, including details of the software packages, cloud services and devices you use in processing the personal data transferred, and how you keep those updated):     

🗹 We regularly backup our data Regular backups of your most important data will ensure it can be quickly restored in the event of disaster or ransomware infection.

Supplementary details of how data is backed up (add any relevant details):     

ACTION: The parties should fill in Appendix 2 with details of the security measures which the importer will provide for the transferred data.


You should also have a controller-processor contract in place, this is often the main service contract you have between you. If so, you may refer to or re-use the importer’s security measures set out in that contract.


There are 3 main options for completing this Appendix.


Option 1: simply add in the name and date of the main service contract, to refer to the description of the importer’s security measures contained in that agreement.


Option 2: insert your description of the importer’s security measures there.  You may choose to copy all or part of this from the main service contract.


Option 3: complete the checklist, adding in additional details which are relevant.

Instructions: 

The checklist includes the baseline security measures that any business (small or large) should implement to protect its data/systems. 


It is unlikely to be appropriate if the data importer is providing IT, digital, technology or telecom processor services.


This checklist for use where the transfer to the data importer and its processing of the personal data does not cause a particularly high risk to the rights of individuals. For example, where the personal data transferred is:

  • not special category data;
  • not criminal convictions and offences data;
  • not personal details issued as an identifier by a public authority; 
  • not bank account, credit card or other payment data; and
  • not a large volume of data.

Consider each statement, and the relevant guidance set out below, and click in the box next to those statements which apply. 


Add supplementary notes to provide any further relevant detail of those security measures.


Further guidance:


DATA EXPORTER: Ebebek UK

Name:      

Authorised Signature …

ACTION: The exporter should fill in this section with the:

  • Full name of the person signing. This must be the same person throughout the document.

And sign where indicated.


DATA IMPORTER: Ebebek Turkey

Name:      

Authorised Signature …

ACTION: The importer should fill in this section with the:

  • Full name of the person signing. This must be the same person throughout the document.

And sign where indicated