
Lefty - Chinese Standard Contractual Clauses

Written by Abed Tabbara

These Clauses are China’s Standard Contractual Clauses adopted by the Cyberspace Administration of China (CAC) and effective as of 1 June 2023, for the cross-border transfer of personal information (applicable to controller-to-controller transfers).

In order to ensure that the handling of personal information by the overseas recipient meets the personal information protection standards stipulated in the relevant laws and regulations of the People’s Republic of China, and to specify the rights and obligations of the personal information handler (“Personal Information Handler”) and the overseas recipient (“Overseas Recipient”) to protect the personal information, these clauses (the “Clauses”) are agreed between the following parties in respect of any personal data which relates to Chinese citizens or which otherwise originates from China by way of agreement and signature of a related Subscription Agreement:


Personal Information Handler

Name:

Modern Agency SAS (“Personal Information Handler”)

Address:

69bis rue de Vaugirard, 75006 Paris, France

Activities relevant to the data transferred under these Clauses:

The provision of client services to the Overseas Recipient, in particular granting the Overseas Recipient subscription-based access to the Personal Information Handler’s Platform (as defined in the Subscription Agreement to which these Clauses are applicable and appended, the “Subscription Agreement”).

Signature and date:

Accepted and agreed by the Personal Information Handler by way of signing the Subscription Agreement on the date of such Subscription Agreement.

Role (controller/processor):

Independent Controller


Overseas Recipient

Name:

Customer (as defined in the Subscription Agreement) (“Overseas Recipient”)

Address:

The address for the Customer as set out in the Subscription Agreement.

Activities relevant to the data transferred under these Clauses:

Receiving client services from the Personal Information Handler, in particular accessing the Personal Information Handler’s Platform (as defined in the Subscription Agreement) on a subscription basis.

Signature and date:

Accepted and agreed by the Overseas Recipient by way of signing the Subscription Agreement on the date of such Subscription Agreement.

Role (controller/processor):

Independent Controller


The Personal Information Handler and the Overseas Recipient are each individually referred to as a “Party” and collectively referred to as the “Parties”.

The Personal Information Handler and the Overseas Recipient carry out activities of outbound transfer of the personal information in accordance with these Clauses and the Subscription Agreement.

The main text of these Clauses is drafted in accordance with the requirements of the Measures for Standard Contractual Clauses on Outbound Transfer of Personal Information. The parties may specify other terms and conditions pursuant to the Subscription Agreement (if any), on the premise that they do not conflict with the main text of these Clauses. The appendices shall constitute an integral part of these Clauses.


Article 1 – Definition

Unless otherwise specified, in these Clauses or the Subscription Agreement:

  • “Overseas Recipient” refers to any organization or individual outside the territory of the People’s Republic of China that receives personal information from the Personal Information Handler.

  • “Personal Information” refers to any kind of information related to an identified or identifiable natural person recorded electronically or in other ways, excluding any anonymised information.

  • “Personal Information Handler” refers to any organization or individual that independently determines the purpose and method of personal information processing activities and provides personal information outside the territory of the People’s Republic of China.

  • “Personal Information Subject” refers to any natural person identified by or associated with the personal information.

  • “Regulatory Authorities” refers to the Cyberspace Administration at or above the provincial level of the People’s Republic of China.

  • “Relevant Laws and Regulations” refers to the Cybersecurity Law of the People’s Republic of China, Data Security Law of the People’s Republic of China, Personal Information Protection Law of the People’s Republic of China, Civil Code of the People’s Republic of China, Civil Procedure Law of the People’s Republic of China, Measures for Standard Contractual Clauses on Outbound Transfer of Personal Information and other laws and regulations of the People’s Republic of China.

  • “Sensitive Personal Information” refers to the Personal Information that, if leaked or illegally used, may easily lead to the infringement of the personal dignity of natural persons or the harm of personal and property safety, including biometrics, religious beliefs, specific identities, medical health, financial accounts, whereabouts and other information, as well as the Personal Information of minors under the age of 14.

Any undefined terms used in these Clauses shall have the meanings assigned to them under the applicable laws and regulations.


Article 2 – Obligations of Personal Information Handler

The Personal Information Handler is obligated to:

(i) process the Personal Information in accordance with the Relevant Laws and Regulations. The Personal Information transferred outbound shall be limited to the minimum scope required to achieve the purpose of processing;

(ii) inform the Personal Information Subject of the processing purpose, processing method, type of the Personal Information, retention period and the method and procedures of exercising the rights of the Personal Information Subject. Where any Sensitive Personal Information is transferred outbound, where practicable the Personal Information Subject shall also be notified of the necessity of providing Sensitive Personal Information and the impact on personal rights and interests, unless otherwise stipulated by the laws and administrative regulations;

(iii) obtain a separate consent from the Personal Information Subject, where the Personal Information is transferred outbound based on the consent of the individual. Where the Personal Information of minors under the age of 14 is involved, a separate consent of the minor’s parents or other guardians shall be obtained. A written consent shall be obtained where the laws and administrative regulations so require;

(iv) inform the Personal Information Subject that he/she will be a third-party beneficiary under these Clauses and can enjoy the rights of a third-party beneficiary according to these Clauses unless he/she explicitly rejects within 30 days;

(v) make reasonable efforts to ensure that the Overseas Recipient adopts the Technical and Organisational measures set out in Appendix II considering the purpose of processing of the Personal Information, the type, scale, scope and sensitivity of the Personal Information, the quantity and frequency of the transfer, the security risks the transfer may bring to the Personal Information and the storage period by the Overseas Recipient, in order to fulfil the obligations stipulated in these Clauses;

(vi) provide the Overseas Recipient with copies of the Relevant Laws and Regulations, and technical standards at the request of the Overseas Recipient;

(vii) respond to inquiries from the Regulatory Authorities regarding the processing activities of the Personal Information by the Overseas Recipient;

(viii) where appropriate, carry out an impact assessment on personal information protection for the envisaged transfer of the Personal Information to the Overseas Recipient according to the law, focusing on the assessment of the following:

  • the legality, proportionality, and necessity of the purpose, scope, and method of processing the Personal Information by the Personal Information Handler and Overseas Recipient;

  • the scale, scope, type, and sensitivity of the Personal Information transferred abroad, and the risks that the outbound data transfer may bring to the rights and interests regarding the Personal Information;

  • the obligations that the Overseas Recipient undertakes to perform, and whether its management and technical measures and capabilities can guarantee the security of the Personal Information transferred abroad;

  • the risk of being tampered with, destroyed, leaked, lost, or illegally used after the Personal Information is transferred abroad, and whether the channels to protect the rights and interests regarding the Personal Information are readily available;

  • the assessment on impact of local personal information protection policies and regulations on the performance of these Clauses in accordance with Article 4 of these Clauses; and

  • other matters that may affect the security of outbound transfer of the Personal Information.

Any personal information protection impact assessment report shall be kept for at least 3 years;

(ix) provide a copy of these Clauses to the Personal Information Subject upon request. If any business secrets or confidential business information is involved, the relevant content of the copy of these Clauses can be properly redacted, provided that it can be understood by the Personal Information Subject;

(x) bear the burden of proof for the performance of the obligations of these Clauses; and

(xi) provide the information mentioned in Section (xi) of Article 3 of these Clauses, including all compliance-related information required under the Relevant Laws and Regulations.


Article 3 – Obligations of Overseas Recipient

The Overseas Recipient is obligated to:

(i) process the Personal Information in accordance with Appendix I – Description of Outbound Transfer of Personal Information. Where the Personal Information will be processed beyond the agreed purpose and method of processing and type of the Personal Information, and the Personal Information is processed based on the consent of the individual, a separate consent of the Personal Information Subject shall be obtained in advance; if the Personal Information of minors under the age of 14 is involved, a separate consent of the minor’s parents or other guardians shall be obtained;

(ii) process the Personal Information in accordance with the agreement with the Personal Information Handler, where the processing of the Personal Information is entrusted by the Personal Information Handler. The Personal Information shall not be processed beyond the purpose and method of processing as agreed with the Personal Information Handler;

(iii) provide the Personal Information Subject with a copy of these Clauses upon request. If any business secret or confidential business information is involved, the relevant content of the copy of these Clauses can be properly redacted, provided that it can be understood by the Personal Information Subject;

(iv) process the Personal Information in a way that has the least impact on personal rights and interests;

(v) store the Personal Information for the shortest period necessary to achieve the purpose of processing. Upon expiration of the storage period, the Personal Information (including all the backups) shall be deleted. Where the processing of the Personal Information is entrusted by the Personal Information Handler, and the entrustment contract is void, invalid, revoked or terminated, the Personal Information shall be returned to the Personal Information Handler or deleted, and a written explanation shall be provided to the Personal Information Handler. If it is technically difficult to delete the Personal Information, the processing other than storage and necessary security protection measures should be stopped;

(vi) safeguard the security of processing of the Personal Information in the following ways:

  • (vi)(a) to take technical and management measures including but not limited to Section (v) of Article 2 of these Clauses, and conduct regular inspections to ensure the security of the Personal Information; and

  • (vi)(b) to ensure that the personnel authorized to process the Personal Information fulfil their confidentiality obligations and establish the access control with the least authorizations;

(vii) carry out the following if the Personal Information processed is or may be tampered with, destroyed, leaked, lost, illegally used, provided or accessed without authorization:

  • (vii)(a) to take appropriate remedial measures in a timely manner to reduce the adverse impact on the Personal Information Subject;

  • (vii)(b) to notify the Personal Information Handler immediately, and to report to the Regulatory Authorities in accordance with the Relevant Laws and Regulations. The notice shall contain the following items:

    • the type of the Personal Information which has been or is likely to be tampered with, destroyed, disclosed, lost, illegally used, provided or accessed without authorization, the reason and the possible harm;

    • remedial measures taken;

    • measures that the Personal Information Subject can take to mitigate the harm; and

    • contact information of the person or team in charge of handling the relevant incident;

  • (vii)(c) if the Relevant Laws and Regulations require notification to the Personal Information Subject, the content of the notification shall include the items in Section (vii)(b). If the processing of the Personal Information is entrusted by the Personal Information Handler, the Personal Information Subject shall be notified by the Personal Information Handler; and

  • (vii)(d) to record and retain all the circumstances related to the occurrence or possible occurrence of tampering, destruction, disclosure, loss, illegal use, unauthorized provision or access, including all the remedial measures taken;

(viii) provide the Personal Information to a third party outside the territory of the People’s Republic of China (onward transfer) only when all of the following conditions are simultaneously met:

  • (viii)(a) where it is necessary for business;

  • (viii)(b) the Personal Information Subject has been notified of the third party’s name, contact information, purpose and method of processing, type of Personal Information, retention period, and methods and procedures for exercising the rights of the Personal Information Subject. Where any Sensitive Personal Information is provided to a third party, the Personal Information Subject shall also be notified of the necessity of providing Sensitive Personal Information and the impact on personal rights and interests, except as otherwise required by the Relevant Laws and Regulations;

  • (viii)(c) where the Personal Information is processed based on consent of an individual, a separate consent from the Personal Information Subject shall be obtained. Where the Personal Information of minors under the age of 14 is involved, a separate consent of the minor’s parents or other guardians shall be obtained. A written consent shall be obtained if stipulated by the laws and administrative regulations;

  • (viii)(d) to reach a written agreement with the third party to ensure that processing activities of the Personal Information by the third party meet the personal information protection standards stipulated in the Relevant Laws and Regulations of the People’s Republic of China, and assume the legal responsibilities on the infringement of the rights of the Personal Information Subject arising from the onward transfer; and

  • (viii)(e) to provide the Personal Information Subject with a copy of the written agreement upon request. If any business secret or confidential business information is involved, the relevant content of the written agreement can be properly redacted – provided that it can be understood by the Personal Information Subject;

(ix) obtain the consent of the Personal Information Handler in advance, request the third party not to process the Personal Information beyond the purpose and method of processing as agreed in Appendix I – Description of Outbound Transfer of Personal Information, and monitor the processing activities of the Personal Information by the third party, where the processing of the Personal Information is entrusted by the Personal Information Handler and is subcontracted to a third party;

(x) ensure the transparency of decision-making and the fairness and impartiality of the results, and avoid unreasonable differential treatments on transaction prices and other transaction conditions for the Personal Information Subject, where the Personal Information is used for automated decision-making. Where the automated decision-making is applied for information pushes and commercial marketing to the Personal Information Subject, options that do not target their personal characteristics should be provided simultaneously, or a convenient opt-out option shall be provided to the Personal Information Subject;

(xi) undertake to provide the Personal Information Handler with the information necessary to demonstrate the performance of its obligations under these Clauses, allow the Personal Information Handler to review necessary data files and documents or to conduct compliance audits on the processing activities under these Clauses, and facilitate such compliance audits by the Personal Information Handler;

(xii) keep objective records of processing activities of the Personal Information carried out for at least 3 years, and provide the relevant record documents to the Regulatory Authorities through the Personal Information Handler in accordance with the requirements of the Relevant Laws and Regulations; and

(xiii) agree to accept the supervision and management by the Regulatory Authorities during the supervision procedures on the implementation of these Clauses, including but not limited to answering the inquiries of the Regulatory Authorities, cooperating with the inspection of the Regulatory Authorities, taking the measures or following the decisions required by the Regulatory Authorities, and providing written proof that the necessary action has been taken, etc.


Article 4 – Impact on the performance of these Clauses under the personal information protection policies and regulations of the foreign destination country or region

(i) Both Parties shall ensure that they have exercised their duty of reasonable care at the time of conclusion of these Clauses, and have not discovered any personal information protection policies and regulations of the country or region where the Overseas Recipient is located (including any requirements for providing the Personal Information or any regulations authorizing public agencies to access the Personal Information) that affect the performance of the obligations of the Overseas Recipient under these Clauses.

(ii) Both Parties declare that when making the warranties under Section (i) of this Article, they have already evaluated the following circumstances:

  • (ii)(a) the specific circumstances of the outbound transfer, including the purpose of processing of the Personal Information, the type, scale, scope and sensitivity of the Personal Information transferred, the scale and frequency of the transfer, the period for which the Personal Information is transmitted and stored by the Overseas Recipient, the relevant experience of similar cross-border data transfers and processing of Personal Information previously conducted by the Overseas Recipient, whether the Overseas Recipient has been involved in any incidents related to Personal Information security and whether it has handled such incidents in a timely and effective manner, and whether the Overseas Recipient has ever received a request from a public agency in its jurisdiction to provide Personal Information and how the Overseas Recipient responded;

  • (ii)(b) personal information protection policies and regulations of the country or region where the Overseas Recipient is located, including the following factors:

    • the current personal information protection laws and regulations and generally applicable standards of such country or region;

    • the regional or global personal information protection organizations that the country or region has joined, and the international commitments binding on such country or region; and

    • the mechanism for personal information protection implemented in such country or region, such as if any regulatory and law enforcement authorities and relevant judicial institutions are in place for personal information protection; and

  • (ii)(c) the security management system and technical capabilities of the Overseas Recipient.

(iii) The Overseas Recipient undertakes that it has made its best effort to provide the Personal Information Handler with the information needed to conduct the assessment in accordance with Section (ii) of this Article.

(iv) Both Parties shall keep record of the process and results of the assessment conducted in accordance with Section (ii) of this Article.

(v) If the Overseas Recipient is unable to perform these Clauses due to changes in the personal information protection policies and regulations of the country or region where the Overseas Recipient is located (including amendments to laws or the adoption of compulsory measures in the country or region where the Overseas Recipient is located), the Overseas Recipient shall notify the Personal Information Handler immediately upon becoming aware of such change.

(vi) If the Overseas Recipient receives any request from the government departments or judicial institutions of the country or region where it is located to provide the Personal Information under these Clauses, it shall immediately notify the Personal Information Handler.


Article 5 – Rights of Personal Information Subject

Both Parties agree that the Personal Information Subject, as a third-party beneficiary of these Clauses, shall enjoy the following rights:

(i) the Personal Information Subject shall have the right to know and to decide on the processing of his/her Personal Information in accordance with the Relevant Laws and Regulations, the right to restrict or refuse the processing of his/her Personal Information by others, the right to request inspection, copying, correction, supplementation and deletion of his/her Personal Information, and the right to request an explanation of the rules of processing of his/her Personal Information;

(ii) when the Personal Information Subject requests to exercise the above-mentioned rights on the Personal Information that has been transferred abroad, the Personal Information Subject can request the Personal Information Handler to take appropriate measures to assist with the exercising of such rights or submit a request to the Overseas Recipient directly. If the Personal Information Handler cannot assist the Personal Information Subject in exercising his/her rights, it shall notify and request the Overseas Recipient to assist;

(iii) the Overseas Recipient shall assist with the exercising of the rights of the Personal Information Subject entitled by the Relevant Laws and Regulations within a reasonable period of time, in accordance with the notification of the Personal Information Handler or the request of the Personal Information Subject;

(iv) the Overseas Recipient shall provide the Personal Information Subject with true, accurate and complete information relevant to the request in a conspicuous manner and in clear and understandable language;

(v) if the Overseas Recipient rejects the request of the Personal Information Subject, it shall inform the Personal Information Subject of the reason for the rejection, as well as how to file a complaint with the relevant Regulatory Authorities and seek judicial remedies; and

(vi) the Personal Information Subject, as a third-party beneficiary of these Clauses, has the right to claim against any or both of the Personal Information Handler and the Overseas Recipient according to the terms of these Clauses and demand the performance of the following provisions related to the rights of the Personal Information Subject under these Clauses:

  • Article 2, except for Sections (v), (vi), (vii) and (xi).

  • Article 3, except for Sections (vii)(b), (vii)(d), (ix), (xi), (xii) and (xiii).

  • Article 4, except for Sections (v) and (vi).

  • Article 5.

  • Article 6.

  • Sections (ii) and (iii) of Article 8.

  • Section (v) of Article 9.

The above does not impair the rights and interests of the Personal Information Subject in accordance with the Personal Information Protection Law of the People’s Republic of China.


Article 6 – Remedies

(i) The Overseas Recipient shall designate and authorize a contact person to respond to inquiries or complaints on the processing of the Personal Information, and handle inquiries or complaints from the Personal Information Subject in a timely manner. The Overseas Recipient shall inform the Personal Information Handler of its contact information, and, through a separate notice or an announcement on its website, inform the Personal Information Subject of its contact information in a concise and easy-to-understand manner; i.e., contact person and contact information (office phone or email).

(ii) Where any Party has a dispute with the Personal Information Subject due to the performance of these Clauses, it shall notify the other Party, and both Parties shall cooperate to resolve the dispute.

(iii) If the dispute cannot be resolved amicably and the Personal Information Subject exercises the rights of third-party beneficiary in accordance with Article 5, the Overseas Recipient accepts the following channels for the Personal Information Subject to assert his/her rights:

  • (iii)(a) to complain to the Regulatory Authorities; and/or

  • (iii)(b) to file a lawsuit with the court specified in Section (v) of this Article.

(iv) Both Parties agree to follow the choice of the Personal Information Subject if he/she chooses to apply the Relevant Laws and Regulations of the People’s Republic of China while exercising the rights of third-party beneficiary regarding the disputes under these Clauses.

(v) Both Parties agree that if the Personal Information Subject exercises the rights of third-party beneficiary regarding the disputes under these Clauses, he/she may file a lawsuit in a competent people’s court in accordance with the Civil Procedure Law of the People’s Republic of China.

(vi) Both Parties agree that the choice made by the Personal Information Subject to defend his/her rights does not diminish the rights of the Personal Information Subject to seek remedies under other laws and regulations.


Article 7 – Termination

(i) Where the Overseas Recipient violates the obligations stipulated in these Clauses, or a change in the personal information protection policies and regulations of the country or region where the Overseas Recipient is located (including amendments to laws or the adoption of compulsory measures in that country or region) renders the Overseas Recipient unable to perform these Clauses, the Personal Information Handler may suspend the provision of the Personal Information to the Overseas Recipient until the breach is corrected or the Subscription Agreement (including these Clauses) is terminated.

(ii) The Personal Information Handler has the right to terminate the Subscription Agreement (including these Clauses) and when necessary, to notify the Regulatory Authorities under any of the following circumstances:

  • (ii)(a) the Personal Information Handler suspends the transfer of the Personal Information to the Overseas Recipient for more than one month in accordance with the provisions of Section (i) of this Article;

  • (ii)(b) complying with these Clauses by the Overseas Recipient will violate the laws and regulations of the country or region where it is located;

  • (ii)(c) the Overseas Recipient seriously or continuously violates the obligations stipulated in these Clauses; or

  • (ii)(d) according to the final decision made by the competent court or the Regulatory Authorities which have jurisdiction over the Overseas Recipient, the Overseas Recipient or the Personal Information Handler has violated the obligations stipulated in these Clauses.

(iii) The Overseas Recipient can terminate these Clauses under the circumstances of Section (ii)(a), (ii)(b) and (ii)(d).

(iv) Where both Parties agree to terminate the Subscription Agreement (including these Clauses), the termination of the Subscription Agreement (including these Clauses) does not exempt them from their obligations of protection of the Personal Information during the processing activities of the Personal Information.

(v) When the Subscription Agreement is terminated, the Overseas Recipient shall promptly return or delete the Personal Information (including all backups) it has received under these Clauses, and provide a written explanation to the Personal Information Handler. If it is technically difficult to delete the Personal Information, the processing other than storage and necessary security protection measures should be stopped.


Article 8 – Liability for Breach

(i) Each Party shall be liable for any damages caused to the other Party as a result of its breach of these Clauses.

(ii) Any Party that violates these Clauses and infringes the rights of the Personal Information Subject shall bear civil liability to the Personal Information Subject, without prejudice to the administrative and criminal liabilities stipulated by the Relevant Laws and Regulations applicable to the Personal Information Handler.

(iii) Where both Parties bear joint and several liabilities in accordance with the law, the Personal Information Subject is entitled to request either Party or both Parties to bear the liability. Each Party has recourse against the other Party if it assumes more than its share of liability.


Article 9 – Miscellaneous

(i) If there is any conflict between these Clauses and any other legal documents executed by both Parties, the terms of these Clauses shall prevail.

(ii) The conclusion, effectiveness, performance, interpretation of these Clauses, and any disputes between both Parties arising from these Clauses shall be governed by the Relevant Laws and Regulations of the People’s Republic of China.

(iii) Notifications shall be sent by e-mail or registered airmail to the addresses set out in the Subscription Agreement, or to such other address as a Party may notify in writing. If a notice under these Clauses is sent by registered airmail, it shall be deemed to have been received 2 working days after the postmark date; if it is sent by e-mail, it shall be deemed to have been received 2 working days after it is sent.

(iv) The disputes between both Parties arising out of these Clauses and either Party’s claim against the other Party for the compensation already paid to the Personal Information Subject shall be resolved through negotiation. If the negotiation fails, the Parties agree to arbitration to be conducted in Paris, France in accordance with its arbitration rules then in force.

(v) These Clauses shall be construed in accordance with the provisions of the Relevant Laws and Regulations, and shall not be construed in a way that conflicts with the rights and obligations stipulated by the Relevant Laws and Regulations.


Appendix I – Description of Outbound Transfer of the Personal Information

Categories of data subjects whose personal data is transferred

Social media influencers, talents, KOLs, content creators, industry experts and VIPs (together, “Influencers”).

Categories of personal data transferred

Publicly available personal data volunteered freely by Influencers on social media sites, including:

  • name, age, email address and company/brand;

  • account name, social media handles and any other online identifiers;

  • posts or messages which Influencers have shared publicly on social media; and

  • any other information Influencers make public.

Data format/scope:

Public social media content (text, images, video thumbnails/links), profile metadata (handles, bios, follower counts), post URLs, public engagement metrics.

Sensitive data transferred (if applicable) and applied restrictions or safeguards

The parties do not intend to transfer special categories of personal data. To the extent any special category data is inadvertently included, the Overseas Recipient will not use it to infer or target sensitive characteristics and will delete it promptly unless an exemption applies and is documented.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Continuous during subscription to the Platform pursuant to the Subscription Agreement.

Nature of the processing:

Data collection, recording, organisation, structuring, storage and analysis.

Purpose(s) of the data transfer and further processing:

Client services – in particular to enable the Overseas Recipient to discover, evaluate, and manage influencer campaigns, including social listening, analytics, and reporting.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

Access to the Platform during the term of the Subscription Agreement. The Overseas Recipient will retain personal data no longer than necessary for the stated purposes and will delete or anonymise it upon termination or when no longer needed.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

Not expected to be applicable. However, to the extent it does become applicable, the Overseas Recipient must ensure onward recipients (including its processors) provide an equivalent level of protection. The Overseas Recipient will provide, on request, categories of onward recipients for the imported personal data. The parties do not intend to transfer data relating to criminal convictions or offences. The parties do not target children; to the extent the Overseas Recipient becomes aware that personal data relates to a child under applicable age thresholds, it will refrain from profiling/targeting based on such data.


Appendix II – Technical and Organisational Measures

The Overseas Recipient shall ensure the following minimum technical and organisational measures:

Scope and Allocation

Unless stated otherwise, the following measures are implemented by the Overseas Recipient for the personal data imported under these Clauses and any copies created or stored in its environment.

During transmission from the Personal Information Handler to the Overseas Recipient, the Personal Information Handler ensures TLS 1.2+ with strong ciphers, certificate validation, and integrity protections.

Where the Overseas Recipient does not export or store personal data outside the Platform, it shall still apply Identity and Access Management, Endpoint, and Network controls to any device used to access the Platform.


Governance and Accountability

  • Maintain an information security programme approved by management, with documented policies covering access control, asset management, encryption, vulnerability management, incident response, backup/DR, acceptable use, and supplier risk.

  • Appoint a security lead accountable for the programme; review risks at least annually and on material change.

  • Ensure personnel with access to the personal data are subject to confidentiality obligations and receive privacy/security training at hire and annually.

Identity and Access Management

  • Unique user IDs; no shared accounts.

  • Strong authentication (SSO with SAML/OIDC where available) and multi-factor authentication (MFA) required for all accounts that can access the Platform or exported personal data.

  • Role-based access control (RBAC) enforcing least privilege; access granted on a need-to-know basis.

  • Joiner-mover-leaver process with prompt de-provisioning (within 24 hours of role change/cessation).

  • Periodic access reviews (at least quarterly) for all privileged and data-accessing accounts.

  • Session management: inactivity timeouts and account lockouts after repeated failed logins.

Endpoint and Device Security

(For devices used to access or store the personal data)

  • Company-managed devices only; full-disk encryption enabled (e.g. BitLocker/FileVault).

  • Up-to-date operating systems and applications; automated patching enabled.

  • Endpoint protection/EDR with real-time malware protection.

  • Screen lock with password/biometric; removable media use controlled.

Network and Communications Security

  • Enforce HTTPS/TLS 1.2+ for all data in transit; prohibit insecure protocols.

  • Secure remote access (e.g. VPN or ZTNA) with MFA when accessing internal resources holding exported data.

  • Network firewalls and secure configurations; DNS security controls (e.g. DNS filtering) to reduce exposure to malicious destinations.

Encryption and Key Management

  • Encrypt personal data at rest using industry-standard algorithms (e.g. AES-256) wherever the Overseas Recipient stores or backs up copies outside the Platform.

  • Manage encryption keys securely (role separation, access controls, rotation, and logging of key access/changes).

Logging, Monitoring and Auditability

  • Maintain audit logs for:

    • Authentication events (success/failure) to the Platform (via SSO) and to systems storing exported data.

    • Administrative actions and changes to access rights.

    • Creation, download, and deletion of exports containing personal data where technically feasible.

  • Protect logs from tampering; time-synchronise systems; retain relevant security logs for at least 180 days and target 12 months where technically and legally feasible.

  • Monitor for anomalous activity and investigate alerts.

Vulnerability and Patch Management

  • Regular vulnerability scanning of devices/systems that store or process exported data.

  • Remediate critical vulnerabilities promptly (target within 14 days), high within 30 days, and medium within 60 days, or apply compensating controls with documented risk acceptance.

Data Minimisation, Retention and Deletion

  • Limit creation of exports to what is necessary for the stated purposes; restrict access to exports.

  • Define and apply retention periods; delete or anonymise exports when no longer needed and upon contract termination, unless retention is required by law.

  • Ensure secure deletion (including from backups at the end of their lifecycle) using methods that prevent reconstruction.

Incident Response and Breach Notification

  • Initiate investigation within 24 hours of detection or notification of a suspected incident affecting imported personal data.

  • Maintain an incident response plan covering detection, containment, eradication, recovery, and lessons learned.

  • In the event of a personal data breach affecting imported data, investigate without undue delay and notify the Personal Information Handler without undue delay and, in any event, within 72 hours of becoming aware, providing available details on nature, scope, likely consequences, measures taken/proposed, and a contact point.

  • Cooperate with the Personal Information Handler in responding to supervisory authorities and data subjects.

Business Continuity and Back-up

  • Back-up any stored exports containing personal data as needed for business continuity; encrypt backups; restrict and log access.

  • Define RPO/RTO objectives commensurate with risk and test restores at least annually.

Physical Security

  • Physical access controls (badges/locks/visitor management) for offices or facilities where systems storing exported data are located.

  • Secure areas and equipment against unauthorised access, damage, and interference.

Supplier and Onward Transfer Management

  • Do not disclose imported personal data to third parties (including processors/sub-processors) unless required for permitted purposes and only under contracts imposing protections equivalent to these Clauses (including appropriate transfer safeguards).

  • Maintain a record of such recipients and make it available to the Personal Information Handler upon request.

Special Categories and Sensitive Inferences

  • The parties do not intend to process special categories of personal data. If any such data is inadvertently received, the Overseas Recipient will not use it to infer or target sensitive characteristics and will either delete it promptly or apply additional safeguards and ensure an appropriate exemption is met and documented.

  • Do not process data relating to criminal convictions/offences unless permitted by applicable law and with appropriate safeguards.

International Access/Location Controls (where applicable)

  • Where the agreement restricts access to “adequate” locations, implement reasonable technical and organisational controls to enforce it (e.g. IP geo-restriction, SSO conditional access, MDM/EDR location policies, administrative policies) and monitor compliance.

Data Protection by Design and Default

  • Configure systems and workflows to collect, store, and expose the minimum personal data necessary.

  • Default settings should limit visibility to authorised users and avoid unnecessary copying or exporting.

Testing, Assessment, and Continuous Improvement

  • Periodically test, assess, and evaluate the effectiveness of these measures (e.g. tabletop exercises, security reviews, endpoint compliance checks) and remediate identified gaps in a timely manner.
