Data Transfer Policy
1. Purpose
This Data Transfer Policy (“Policy”) outlines the guidelines and procedures for the secure and lawful transfer of personal data to ensure the protection of individual privacy and compliance with the General Data Protection Regulation (“GDPR”). This Policy applies to anyone (“Data Processor”) handling personal and sensitive data held for Contentrain Inc (“Data Controller”) who may have a need to transfer personal data.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person, as defined in applicable data protection laws.
- Sensitive Data: Personal health, racial or ethnic, religious or philosophical belief, political opinion, trade union membership, sexual orientation or gender identity, criminal record, financial or bank account information relating to an individual.
- Data Controller: The entity that determines the purposes and means of processing personal data.
- Data Processor: The entity that processes personal data on behalf of the Data Controller.
3. Legal Basis for Data Transfers
Personal data transfers will be based on one or more of the following legal mechanisms, as required by applicable data protection laws:
- Explicit Consent: Data subjects' informed and unambiguous consent for the specific data transfer purpose.
- Legitimate Interests: Data transfers necessary for the legitimate interests pursued by the Data Controller or a third party.
- Contractual Necessity: Data transfers necessary for the performance of a contract with the data subject.
- Legal Obligations: Data transfers required to comply with legal obligations of the Data Controller.
- Public Interest: Data transfers necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
4. Obligations of the Data Recipient
The Data Processor takes all necessary technical and administrative measures to ensure an appropriate level of security in accordance with the nature of the personal data, in order to prevent the unlawful processing of personal data, prevent unauthorized access to personal data, and ensure the preservation of personal data. In the event that personal data is processed by another natural or legal person on behalf of the Data Processor, the Data Processor is jointly responsible with these persons for taking the necessary measures.
Individuals, including data processors operating under the authority of the Data Processor, are obliged to process personal data solely and exclusively in accordance with the instructions received from the Data Processor. The Data Processor processes personal data in accordance with this policy and relevant legislation. If for any reason compliance with the law and Policy cannot be ensured, the Data Processor shall promptly inform the Data Controller about the matter. The Data Processor acknowledges that the Data Controller has the authority to conduct audits and inspections to verify the fulfillment of commitments and obligations of the Data Processor, and agrees to facilitate such audits as necessary.
The Data Processor acknowledges that in the event of the termination or expiration of this Policy, Data Processor shall, at the discretion of the Data Controller, either return the personal data subject to transfer to the Data Controller along with its backups or completely destroy the personal data. If there are legal provisions preventing the Data Processor from fulfilling this obligation, Data Processor agrees to take necessary administrative and technical measures to safeguard the confidentiality of the transferred personal data and to cease data processing activities.
The Data Processor acknowledges that it possesses the administrative and technical competence to fulfill the obligations arising from these provisions. When the Data Processor needs to transfer the personal data subject to this Policy to a subcontractor while performing the service under this Policy, the Data Processor must inform the Data Controller in a verifiable manner and obtain the necessary consent. The agreement to be established between the Data Processor and the subcontractor must, at a minimum, include the provisions of the Policy between the Data Controller and the Data Processor and the provisions of this commitment. It should be stipulated in that agreement that the termination of this Data Transfer Policy for any reason shall automatically terminate the subcontractor's agreement. The Data Processor shall not transfer data abroad without prior written authorization/permission/approval from the Data Controller.
5. Retention And Disposal Periods
The time interval for conducting periodic disposal is set at 6 months. The Data Processor shall, in the first periodic disposal following the date when the obligation to delete, destroy, or anonymize personal data arises, delete, destroy, or anonymize the personal data. All processes related to the deletion, destruction, and anonymization of personal data shall be carried out by authorized personnel in accordance with policies and procedures and shall be documented. These records shall be retained for a minimum of three years, unless other legal obligations require a longer period.
6. Measures
The Data Processor shall implement appropriate technical and administrative measures to ensure the security and confidentiality of personal data. These measures shall include, but are not limited to:
- Access Controls: Limiting access to personal data to authorized personnel only, based on the principle of least privilege.
- Data Encryption: Implementing encryption mechanisms to protect personal data during transmission and storage, where applicable and necessary.
- Data Integrity: Ensuring the accuracy and integrity of personal data through data validation and error-checking mechanisms.
- Security Audits: Conducting regular security audits to identify vulnerabilities, assess risks, and implement necessary improvements.
- Employee Training: Providing training to employees and personnel involved in data processing to raise awareness about data protection and privacy.
- Incident Response: Establishing procedures to handle data breaches, security incidents, and breaches of this policy, including notifying the Data Controller as required.
- Data Minimization: Limiting the collection and retention of personal data to what is necessary for the specified purposes.
- Physical Security: Implementing physical security measures to protect the storage and access to personal data, where applicable.
- Risk Assessments: Conducting periodic risk assessments to evaluate the effectiveness of implemented security measures and making necessary adjustments.
- Monitoring: Implementing monitoring mechanisms to detect and prevent unauthorized access or breaches.
- Third Parties: Ensuring that any third parties involved in data processing also adhere to appropriate security measures as per this Policy.
These measures shall be reviewed periodically and updated as necessary to address new risks and changes in data processing activities. The Data Processor shall maintain documentation of these measures to demonstrate compliance with data protection requirements.
7. Data Transfer Assessment
Before initiating any data transfer, the Data Processor must conduct a data transfer impact assessment to identify the risks and ensure adequate safeguards are in place to protect the personal data.
8. Documentation
All data transfers, including the legal basis, safeguards, and any relevant assessments, must be documented and maintained in a central record.
9. Training
Employees of the Data Processor involved in data transfers must be trained on the principles and procedures outlined in this Policy.
10. Review and Revision
This Policy will be reviewed regularly to ensure ongoing compliance with applicable data protection laws and any updates to data protection regulations.
11. Contact Information
For questions or concerns regarding data transfers or this Policy, please contact the Data Protection Officer at [email protected].
By following this Policy, we aim to ensure the secure and lawful transfer of personal data while upholding the rights and privacy of data subjects in accordance with applicable data protection laws.