/Docs//S/Index/DataSharing/Frameworks.md
Source views: Source JSON(ish) on GitHub (VSCode) Doc views: Document (&k=IntraGroup.r00t): Visual Print Technical: OpenParameters Xray

GUID: {Doc.GUID}

Intra Group Data Transfer Agreement

{P1.Name.Full}
Effective Date: {Sign.YMD}

{P1.US.Contract.Among.Block}

This Agreement is made on {Sign.YMD}.
Between each of the {_P1} Group entities specified in Schedule A, who are Parties to this Agreement on the date on which it is first entered into, together with any other member of the {_P1} Group which from time to time enters into a Participation Agreement (each a "Party" and together, the "Parties").
The Parties have agreed on the following contractual clauses (the “Agreement”) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals. This Agreement is comprised of the following parts:
- These Clauses which are comprised of certain universal clauses to which the {_P1} Group agree to be bound in the interpretation of the rights and obligations of each {_P1} Group under this Agreement.
- Schedule A – A list of {_P1} Group entities each of which are signatories to the Agreement and are bound by this Agreement.
- Schedule B – Participation Agreement (signature page).
- Schedule C – Clauses governing each Data Controller to Data Controller transfer.
- Schedule D – Clauses governing each Data Controller to Data Processor transfer.
- Schedule E – Basic Controller-Processor Agreement which applies to all Regulated Processing.
- Schedule F – Technical and Organisational Security Measures.
- Schedule G – Special terms.

Definitions
For the purposes of this Agreement, the following terms shall have the following meanings and cognate terms shall be construed accordingly:
"{_P1} Affiliate" means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with {_P1}, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
"{_P1} Group" means the group of companies comprising {_P1} and {_P1} Affiliates, an indicative but not inclusive list of which entities is set out in Schedule A as amended from time to time;
"Data Controller" means the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, or the person meeting any similar concept under National Privacy Law as the context requires;
"Data Exporter" means any Party to this Agreement which transfers Personal Data to a Data Importer;
"Data Importer" means any Party to this Agreement which receives Personal Data from a Data Exporter;
"Data Processor" means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of a Data Controller, or the person meeting any similar concept under National Privacy Law;
"Data Subject" means an identified or identifiable natural person and, only in those countries whose other legal persons receive the same or similar protection pursuant to National Privacy Laws as natural persons, also includes such other legal persons. For these purposes, an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
"EU Data Protection Law" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time including by the GDPR and laws implementing or supplementing the GDPR;
"European Economic Area" (also "EEA") means those countries which are part of the European Economic Area, (which currently comprises the 28 EU Member States together with Norway, Iceland and Lichtenstein) from time to time;
"Exported Personal Data" means Personal Data exported by a Data Exporter to a Data Importer by way of a Relevant Transfer pursuant to this Agreement;
"GDPR" means the EU General Data Protection Regulation 2016/679;
"Lead Entity" means {_P1};
"National Privacy Law" means:
in the case of a Member State of the European Union, EU Data Protection Laws as applicable in such Member State; or
in the case of a jurisdiction which is not a Member State of the European Union, the national legislation governing the collection, use, disclosure and protection of Personal Data and other data protection or privacy legislation in that jurisdiction, in force from time to time, together with EU Data Protection Law to the extent that such EU Data Protection Law is applicable;
"Onward Transfer" means the onward transfer from any Party to this Agreement of Protected Personal Data:
"Participation Agreement" means a deed substantially in the form set out in Schedule B which has been executed and delivered by both the Lead Entity and such member of {_P1} Group as wishes to join this Agreement to confirm its adoption of the terms of this Agreement, such terms to be modified where necessary to comply with any legal or operational considerations in relation to the relevant {_P1} Affiliate;
"Party" means a Party to this Agreement;
"Permitted Variation" has the meaning given to it in clause 7.
"Personal Data" means any information relating to a Data Subject and/or any such information as may be defined as constituting personal data, or any equivalent thereof, in any applicable National Privacy Law;
"Processing" shall have the same meaning as in EU Data Protection Law;
"Regulated Processing" means any Processing undertaken by a Data Processor within the {_P1} Group on behalf of a Data Controller within the {_P1} Group which would be prohibited by National Privacy Law in the absence of the Processing terms set out in Schedule E in the form of a "Basic Controller-Processor Agreement";
"Relevant Transfer" shall mean a transfer between any Parties to this Agreement
of Personal Data which is subject to any National Privacy Law of a relevant jurisdiction in respect of that Personal Data in circumstances which do not offer an adequate level of protection for the rights and freedoms of data subjects in relation to the Processing of Personal Data as required by the relevant National Privacy Law of a relevant jurisdiction; and
which is not subject to any of the permitted derogations or conditions contained in the relevant National Privacy Law (including without limitation a legally valid consent of the Data Subject) such that in the absence of the obligations created by this Agreement the export of the Personal Data would be in breach of the relevant National Privacy Law;
"Special Term" has the meaning given to it in clause 7.1;
"Supervisory Authority" means
an independent public authority which is established by a Member State pursuant to Article 51 GDPR; and
any similar regulatory authority responsible for the enforcement of applicable National Privacy Laws;
"Third Party" means any natural or legal person outside the {_P1} Group and its employees;
"Third Party Subprocessor" means any Subprocessor of the Data Importer's Processing operations, where that Data Importer acts as a Processor, which is not a Party to this Agreement.
The Agreement applies as between any member of the {_P1} Group in its capacity as a Data Exporter or a Data Importer in relation to the relevant Exported Personal Data. Any {_P1} Group entity may be a Data Exporter and/or a Data Importer.
Where the Data Exporter is not subject to EU Data Protection Law, then the definitions set out above shall be interpreted, to the extent that such definitions are inconsistent with the relevant National Privacy Law applicable in that country and to the extent that is necessary, in accordance with the relevant National Privacy Law in that jurisdiction.
Where responses to enquiries from Data Subjects, Data Importers, Data Exporters or the relevant authority(ies) are to be made within a "reasonable time", if any provision of applicable National Privacy Law prescribes a specified timeframe by which a response must be provided, the response must be provided within that prescribed timeframe.
Data description
The details of the Personal Data, as required by article 28(3) of the GDPR (and equivalent requirements of other Data Protection Laws), including the categories of Personal Data and the purposes for which they are transferred, are set out in Schedules C, D, E and G each of which form an integral part of this Agreement. Some or all of the Parties may execute additional Schedules to cover additional transfers between such Parties, which will be submitted to the relevant Supervisory Authority where required.
Relevant Transfers between Data Controllers
The provisions of Schedule C ("Controller-Controller Agreement") shall apply in respect of exports of Exported Personal Data where the Data Exporter and the Data Importer are each acting as a Data Controller in respect of the Exported Personal Data. Accordingly, each Party to this Agreement that is either:
a Data Exporter and Data Controller in respect of a Relevant Transfer to another Party to this Agreement as Data Importer and Data Controller in respect of that transfer; or
A Data Importer and Data Controller in respect of a Relevant Transfer from another Party to this Agreement as Data Exporter and Data Controller in respect of that transfer hereby enters into a Controller-Controller Agreement with that other Party.
The Parties enter into the Controller-Controller Agreement respectively as data importer and/or data exporter as those terms are defined in the Controller-Controller Agreement.
Each Controller-Controller Agreement comes into effect on the later of:
the Data Exporter becoming a Party to this Agreement;
the Data Importer becoming a Party to this Agreement; or
commencement of a Relevant Transfer to which the Controller-Controller Agreement relates.
For the purposes of the Controller-Controller Agreement set out in Schedule C:
Clause I(d) - the data importer (as defined therein) will be responsible in the first instance for responding to enquiries from data subjects and the authority concerning its Processing of the personal data transferred pursuant to this Agreement; and
Clause II(h) - option (iii) shall apply.
Relevant Transfers from Data Controller to Data Processor/ Data Processor to Data Processor
The provisions of Schedule D ("Controller-Process") shall apply in respect of exports of Exported Personal Data where the Data Exporter is subject to EU Data Protection Law and is acting as a Data Controller in respect of the Exported Personal Data and the Data Importer is acting as a Data Processor in respect of the Exported Personal Data. Accordingly, each Party to this Agreement that is either:
a Data Exporter and Data Controller/Data Processor in respect of a Relevant Transfer to another Party to this Agreement as Data Importer and Data Processor in respect of that transfer; or
a Data Importer and Processor in respect of a Relevant Transfer from another Party to this Agreement as Data Exporter and Data Controller/Data Processor in respect of that transfer, hereby enters into a Controller-Process with that other Party.
The Parties enter into the Controller-Process respectively as data exporter and/or data importer as those terms are defined in the Controller-Process.
Each Controller-Process comes into effect on the later of:
The Data Exporter becoming a Party to this Agreement;
The Data Importer becoming a Party to this Agreement; or
Commencement of the Relevant Transfer to which the Controller-Process relates.
Other Intra-Group Transfers
1. The provisions of Schedule D ("Controller-Process"), shall also apply in respect of exports of Exported Personal Data where the Data Importer is acting as a Data Processor in respect of the Exported Personal Data and the Data Exporter is not subject to EU Data Protection. Accordingly, each Party to this Agreement that is either:
  1. a Data Exporter and Data Controller/Data Processor in respect of a Relevant Transfer to another Party to this Agreement as Data Importer and Data Processor in respect of that transfer; or
  2. a Data Importer and Processor in respect of a Relevant Transfer from another Party to this Agreement as Data Exporter and Data Controller/Data Processor in respect of that transfer,
  hereby enters into a Controller-Process with that other Party.
2. The Parties enter into the Controller-Process respectively as data exporter and/or data importer as those terms are defined in the Controller-Process.
3. Each Controller-Process comes into effect on the later of:
  1. The Data Exporter becoming a Party to this Agreement;
  2. The Data Importer becoming a Party to this Agreement; or
  3. Commencement of the Relevant Transfer to which the Controller-Process relates.
Regulated Processing
1. The provisions of Schedule E shall apply in respect of all Regulated Processing. Accordingly, where Regulated Processing is undertaken, the Data Controller and Data Processor hereby enter into a Basic Controller-Processor Agreement with each other.
2. The Parties enter into the Basic Controller-Processor Agreement respectively as Data Controller and Data Processor.
3. Each Basic Controller-Processor Agreement comes into effect on the later of:
  The Data Controller becoming a Party to this Agreement;
  The Data Processor becoming a Party to this Agreement; or
  Commencement of any Regulated Processing.
Amendments and Onward Transfers
National Privacy Laws in certain jurisdictions may require the obligations in Schedule C, D and E to be supplemented by additional or alternative provisions to ensure an adequate level of protection in respect of Relevant Transfers originating from those jurisdictions ("Special Terms"). The provisions in Schedule C, D and E shall be interpreted in accordance with any Special Terms identified in Schedule G, as applicable to Relevant Transfers originating from a jurisdiction specified in that schedule.
In the case of Onward Transfers the Data Importer receiving the Personal Data upon the Onward Transfer shall observe the same obligations as those imposed on a Data Importer under the original Relevant Transfer.
The Parties undertake not to vary or modify the provisions set out in Schedule C, D or E where applicable, of this Agreement. This restriction does not preclude the Parties from amending other parts of this Agreement or adding provisions on business related issues where required as long as they do not contradict the provisions in Schedule C, D or E ("Permitted Variation").
The Lead Entity may propose a Permitted Variation to this Agreement by providing details of the proposed Permitted Variation in a notice to the other {_P1} Affiliates. If, within thirty (30) days of receipt of that notice, a Party notifies the Lead Entity in writing of any objections (on reasonable grounds) to the proposed Permitted Variation, the Lead Entity shall work with the Party in good faith to agree the Permitted Variation and provide details of any amendments to the proposed Permitted Variation to other {_P1} Affiliates. The Parties shall be deemed to have agreed to the proposed change if they do not notify the Lead Entity within the period of thirty (30) business days of the date of the notice, or such other period as may be specified by the Lead Entity in its notice to other {_P1} Affiliates. If no comments or objections are made, the Lead Entity may execute the Permitted Variation as attorney on behalf of the Parties, in accordance with the power of attorney granted by clause 9.2. The Permitted Variation will take effect when executed by the Lead Entity.
Data subjects and enforcement
The Parties agree that this Agreement (including its Schedules) only provides any third party rights (and therefore the Data Subject may only enforce and rely on this Agreement (including its Schedules)) in respect of a Relevant Transfer or subsequent Onward Transfer and accordingly this Agreement does not provide any third party rights where the Data Subject does not enjoy such rights in relation to the Processing of the Exported Personal Data under applicable National Privacy Law.
A person who is not a Party to this Agreement has no right under the Contracts (Rights of Third Parties) Act 1999 (or such other equivalent national legislation that may be applicable in a relevant jurisdiction) to enforce any term of this Agreement except to the extent set out in Clause 8.1.
Subject to Clause 11.4 this Agreement may be terminated and any term may be amended or waived without the consent of any Data Subject.
Except as set forth in Clause 8.1 and Schedule C, D and E and to the fullest extent permissible under applicable law, nothing contained in this Agreement will entitle any Third Party, including, without limitation, Data Subjects to any claim, cause of action, remedy or right of any kind whatsoever.
Power of Attorney
1. In respect of any Relevant Transfer or Onward Transfer to another Party where the Data Importer acts as a Processor, the Data Exporter hereby grants, to the extent permissible by law by virtue of this clause, a power of attorney to such Data Importer to execute, in the name and on behalf of the Data Exporter, any Subprocessor agreement contemplated under or made pursuant to clause 11 of Schedule D or clause 3.6.2 of Schedule E.
2. All Parties other than the Lead Entity hereby grant, to the extent permissible by law by virtue of this clause, a power of attorney to the Lead Entity to act as their attorney for the purposes of executing:
  any Permitted Variations proposed in accordance with clause 7; and
  any Participation Agreements prepared in accordance with clause 12.
3. Where due to local formalities it is not permissible by law solely by virtue of clauses 9.2 or 9.2 for the relevant Party to grant a power of attorney as required by clauses 9.1 or 9.2 as applicable, each other Party shall at the request of the relevant Party execute or otherwise enter into all such deeds, documents, assurances, acts and things (which may include an agency Agreement) as any Party may reasonably require to achieve the purpose envisaged by clauses 9.1 and 9.2.
Limitation of liability
Subject to Clause 8, the Parties shall be liable for all direct loss and damages, but to the extent permissible by law not any indirect or consequential losses arising out of, or in connection with, all breaches by them of this Agreement.
The Parties agree that if one Party is held liable under Clause 8 for a violation which was a result of the other Party’s breach of Clause 7.2 or of the obligations in Schedule C, D or E the Party in breach will, to the extent to which it is liable, indemnify the other Party for any cost, charge, damages, expenses or loss it has incurred.
Termination and consequences of termination
In the event that:
the Data Importer or Data Processor gives notice to the Data Exporter or Data Controller that it is unable to comply with applicable National Privacy Law; or
the Data Importer or Data Processor is in material breach of any of its obligations under this Agreement which is incapable of being remedied or has not been remedied within a reasonable period on receipt of notice from any Party to this Agreement; or
a Supervisory Authority or other tribunal or court with jurisdiction over the Data Exporter or Data Controller rules that there has been a breach of applicable laws by virtue of the Data Importer’s or Data Processor's Processing of the Exported Personal Data or Personal Data, the Data Exporter or Data Controller, without prejudice to any other rights which it may have against the Data Importer or Data Processor, shall be entitled to terminate this Agreement with respect to the Data Importer or Data Processor concerned on reasonable notice.
In the event that the Data Exporter or Data Controller is in material breach of any of its obligations under this Agreement which is incapable of being remedied or has not been remedied within a reasonable period on receipt of notice from any Party to this Agreement the Data Importer or Data Processor, without prejudice to any other rights which it may have against the Data Exporter or Data Controller, shall be entitled to terminate this Agreement with respect to the Data Exporter or Data Controller concerned on reasonable notice.
In the event that a {_P1} Affiliate ceases to be an {_P1} Affiliate (the “Exiting Party”) the Agreement will no longer apply to the Exiting Party, other than in relation to acts and omissions which occurred while the Exiting Party was a {_P1} Affiliate.
Notwithstanding anything else in this clause 11, the Parties agree that the termination of the Agreement at any time, in any circumstances and for whatever reason does not exempt them from the obligations and/or conditions under the Agreement as regards the Processing of the transferred Exported Personal Data.
In the event of termination of this Agreement, with the relevant provision of Schedule D and Schedule E as applicable shall apply in respect of the deletion or return of the Exported Personal Data.
Participation Agreement
The Parties acknowledge that any {_P1} Affiliate which enters into the Participation Agreement in accordance with this clause 12 shall be bound by and subject to all the rights and obligations of this Agreement irrespective of whether such {_P1} Affiliate enters into such Participation Agreement at a date later than any other Party.
The Lead Entity shall notify the Parties to this Agreement of any {_P1} Affiliates who enter into a Participation Agreement from time to time or who become an Exiting Party. The Lead Entity shall maintain an up to date list of the Parties at any given time.
The Parties, in their capacity as Data Exporter, hereby appoint Lead Entity to act as their agent for the receipt of any notices from the Data Importer under this Agreement (including any separate data transfer agreements between the Parties created under or as a result of this Agreement) or the provision of any consent required to be provided to the Data Importer under this Agreement (including any separate data transfer agreements between the Parties created under or as a result of this Agreement). In such circumstances, the Lead Entity shall act at all times in the best interests of the relevant Data Exporter and shall co ordinate and manage relevant notices and consents on behalf of that Data Exporter, mindful of the Data Exporter's obligations under this Agreement (including any separate data transfer agreements between the Parties created under or as a result of this Agreement) and responsibility to comply with the National Privacy Laws.
Miscellaneous
1. No IP Rights
  The Parties acknowledge that nothing in this Agreement constitutes a transfer or assignment of any ownership rights (including any intellectual property rights) in respect of the Exported Personal Data or Personal Data.
2. Further Efforts
  The Parties will use their best endeavours to procure that any Third Party executes and performs all such further deeds, documents, assurances, acts and things as any of the Parties to this Agreement may reasonably require by notice in writing to any other Party to carry the provisions of this Agreement into full force and effect.
3. Entire Agreement
  This Agreement represents the entire understanding between the Parties in relation to its subject matter and supersedes all agreements and representations made by the Parties, whether oral or written in relation to its subject matter.
4. No Waiver
  Failure by any Party to enforce its rights under this Agreement shall not be taken as or deemed to be a waiver of such right.
5. Severance
  If any part, term or provision under this Agreement is held to be illegal or unenforceable the validity or enforceability of the remainder of this Agreement will not be affected.
6. No Assignment
  None of the Parties may assign or transfer any of the rights or obligations under this Agreement without the prior written consent of the Lead Entity.
7. Counterpart
  This Agreement may be executed in any number of counterparts each of which, when executed and delivered, shall be an original but all the counterparts together shall constitute one and the same document.
8. Registration
  The Parties agree to deposit a copy of this Agreement with the relevant Authorities if they so request or if such deposit is required under the applicable National Privacy Law.
Governing law
This Agreement shall be interpreted according to and governed by the {Law.cl}, except for those provisions or clauses which dictate the application of another law.

Signature
In witness whereof this document has been entered into on the date stated at the beginning.
{P1.US.Contract.By.Sec}

Schedules

Schedule A

Group Initial Members
{_P1} Group as at {Sign.YMD}, {Group.InitialMembers.sec}.

Schedule B

GUID: {Doc.GUID}

Participation Agreement

{P1.Name.Full}
{P2.Name.Full}
Effective Date: {Sign.YMD}

By and Between:

{P1.US.Contract.Among.Sec}
{P2.US.Contract.Among.Sec}

Each a "Party" and collectively the "Parties."

This Deed is made on {Sign.YMD} between: {P1.US.N,E,A} and {P2.US.N,E,A}.

Whereas:

By a Intra Group Data Transfer Agreement dated {Sign.YMD} ("Intra-Group Agreement"), members of {_P1} Group have agreed to ensure the adequate protection of any Personal Data which is transferred between themselves.
The Intra-Group Agreement inter alia provides that members of {_P1} Group shall become Parties to the Intra-Group Agreement by a Participation Agreement and each Party shall recognise the rights and obligations of all Parties to the Intra-Group Agreement including any Party which enters into the Intra-Group Agreement.

It is therefore agreed:

Defined terms used in this Deed shall have the meanings given to them in the Intra-Group Agreement;
{_P2} covenants for itself to observe and perform and be bound by all the terms and conditions of the Intra-Group Agreement to the intent and effect that it shall from the date of this Deed be a Party to the Intra-Group Agreement with the benefit of, but subject to, all its terms and conditions;
The parties to this Deed acknowledge that {_P1} is entering into this Deed for itself and as attorney for all other Parties to the Intra-Group Agreement, in accordance with clause 9.2 of the Intra-Group Agreement;
The parties to this Deed agree that:
1. this Deed shall be read together with the Intra-Group Agreement which shall accordingly be construed as one instrument; and
2. that this Deed shall be governed by and construed in accordance with the {Law.cl}.

Signature
IN WITNESS WHEREOF, the Parties have executed this Agreement as of the Effective Date.

{P1.US.Contract.By.Sec}

{P2.US.Contract.By.Sec}

Schedule C

Controller - Controller Agreement
Commission Decision C(2004)5721
SET II
Standard contractual clauses for the transfer of personal data from the Community to third countries (controller to controller transfers)

ANNEX A
Data processing principles
ANNEX B

Description of the Transfer

Schedule D

Controller-Processor Agreement
Commission Decision C(2010)593
Standard Contractual Clauses (processors)

APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

Schedule E

Basic Controller-Processor Agreement

Schedule F

Technical and Organisational Security Measures

Schedule G

Country Specific Amendments to Schedule C, D and E