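Editor's note:
Technological developments are facilitating cross-border data flows necessary for the expansion of international cooperation and international trade. At the same time, it is necessary to ensure that the level of protection of natural persons guaranteed by Regulation (EU) 2016/679 is not undermined where personal data is transferred to third countries, including in cases of onward transfers. The data transfer provisions in Chapter V of Regulation (EU) 2016/679 are intended to ensure the continuity of that high level of protection where personal data is transferred to a third country.
The role of standard contractual clauses is limited to ensuring appropriate data protection safeguards for international data transfers. Therefore, the controller or processor transferring the personal data to a third country (the "data exporter") and the controller or processor receiving the personal data (the "data importer") are free to include those standard contractual clauses in a wider contract and to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, the standard contractual clauses or prejudice the fundamental rights or freedoms of data subjects. The EU encourages controllers and processors to provide additional safeguards by means of contractual commitments that supplement the standard contractual clauses. The use of the standard contractual clauses is without prejudice to any contractual obligations of the data exporter and/or importer to ensure respect for applicable privileges and immunities.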
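On 4 June 2021, the European Commission published the latest version of the standard contractual clauses for the transfer of personal data from the EU to third countries, which data compliance practitioners around the world had been eagerly awaiting. DataLaws previously organised a full translation of the draft SCCs, and earlier published the article "How Chinese Companies Apply the EU's Newly Revised Standard Contractual Clauses (Chinese-English bilingual edition)" by lawyer Wang Yuan.
Today we publish the full text of the EU's new Standard Contractual Clauses as translated by lawyer Wang Yuan's team. We thank them for their selfless contribution to this public-interest project, and hope it serves as a reference for colleagues in data law practice and academia.
The full text of the EU Standard Contractual Clauses for the Transfer of Personal Data to Third Countries, from the bilingual edition with the Chinese translation, follows: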
COMMISSION IMPLEMENTING DECISION (EU) 2021/914
of 4 June 2021
on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council
(Text with EEA relevance)
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)[1], and in particular Article 28(7) and Article 46(2)(c) thereof,
Whereas:
(1) Technological developments are facilitating cross-border data flows necessary for the expansion of international cooperation and international trade. At the same time, it is necessary to ensure that the level of protection of natural persons guaranteed by Regulation (EU) 2016/679 is not undermined where personal data is transferred to third countries, including in cases of onward transfers[2]. The data transfer provisions in Chapter V of Regulation (EU) 2016/679 are intended to ensure the continuity of that high level of protection where personal data is transferred to a third country[3].
(2) Pursuant to Article 46(1) of Regulation (EU) 2016/679, in the absence of an adequacy decision by the Commission pursuant to Article 45(3), a controller or processor may transfer personal data to a third country only if it has provided appropriate safeguards, and on condition that enforceable rights and effective legal remedies for data subjects are available. Such safeguards may be provided for by standard data protection clauses adopted by the Commission pursuant to Article 46(2)(c).
(3) The role of standard contractual clauses is limited to ensuring appropriate data protection safeguards for international data transfers. Therefore, the controller or processor transferring the personal data to a third country (the ‘data exporter’) and the controller or processor receiving the personal data (the ‘data importer’) are free to include those standard contractual clauses in a wider contract and to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, the standard contractual clauses or prejudice the fundamental rights or freedoms of data subjects. Controllers and processors are encouraged to provide additional safeguards by means of contractual commitments that supplement the standard contractual clauses[4]. The use of the standard contractual clauses is without prejudice to any contractual obligations of the data exporter and/or importer to ensure respect for applicable privileges and immunities.
(4) Beyond using standard contractual clauses to provide appropriate safeguards for transfers pursuant to Article 46(1) of Regulation (EU) 2016/679, the data exporter has to fulfil its general responsibilities as controller or processor under Regulation (EU) 2016/679. Those responsibilities include an obligation of the controller to provide data subjects with information about the fact that it intends to transfer their personal data to a third country pursuant to Article 13(1)(f) and Article 14(1)(f) of Regulation (EU) 2016/679. In the case of transfers pursuant to Article 46 of Regulation (EU) 2016/679, such information must include a reference to the appropriate safeguards and the means by which to obtain a copy of them or information where they have been made available.
(5) Commission Decisions 2001/497/EC[5] and 2010/87/EU[6] contain standard contractual clauses to facilitate the transfer of personal data from a data controller established in the Union to a controller or processor established in a third country that does not offer an adequate level of protection. Those decisions were based on Directive 95/46/EC of the European Parliament and of the Council[7].
(6) Pursuant to Article 46(5) of Regulation (EU) 2016/679, Decision 2001/497/EC and Decision 2010/87/EU remain in force until amended, replaced or repealed, if necessary, by a Commission decision adopted pursuant to Article 46(2) of that Regulation. The standard contractual clauses in the decisions required updating in the light of new requirements in Regulation (EU) 2016/679. Moreover, since the decisions were adopted, the digital economy has seen significant developments, with the widespread use of new and more complex processing operations often involving multiple data importers and exporters, long and complex processing chains, and evolving business relationships. This calls for modernisation of the standard contractual clauses to reflect those realities better, by covering additional processing and transfer situations, and to allow a more flexible approach, for example with respect to the number of parties able to join the contract.
(7) A controller or processor may use the standard contractual clauses set out in the Annex to this Decision to provide appropriate safeguards within the meaning of Article 46(1) of Regulation (EU) 2016/679 for the transfer of personal data to a processor or controller established in a third country, without prejudice to the interpretation of the notion of international transfer in Regulation (EU) 2016/679. The standard contractual clauses may be used for such transfers only to the extent that the processing by the importer does not fall within the scope of Regulation (EU) 2016/679. This also includes the transfer of personal data by a controller or processor not established in the Union, to the extent that the processing is subject to Regulation (EU) 2016/679 (pursuant to Article 3(2) thereof), because it relates to the offering of goods or services to data subjects in the Union or the monitoring of their behaviour as far as it takes place within the Union.
(8) Given the general alignment of Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 of the European Parliament and of the Council[8], it should be possible to use the standard contractual clauses also in the context of a contract, as referred to in Article 29(4) of Regulation (EU) 2018/1725 for the transfer of personal data to a sub-processor in a third country by a processor that is not a Union institution or body, but which is subject to Regulation (EU) 2016/679 and which processes personal data on behalf of a Union institution or body in accordance with Article 29 of Regulation (EU) 2018/1725. Provided the contract reflects the same data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) Regulation (EU) 2018/1725, in particular by providing sufficient guarantees for technical and organisational measures to ensure that the processing meets the requirements of that Regulation, this will ensure compliance with Article 29(4) of Regulation (EU) 2018/1725. In particular, that will be the case where the controller and processor use the standard contractual clauses in Commission Implementing Decision on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council[9].
(9) Where the processing involves data transfers from controllers subject to Regulation (EU) 2016/679 to processors outside its territorial scope or from processors subject to Regulation (EU) 2016/679 to sub-processors outside its territorial scope, the standard contractual clauses set out in the Annex to this Decision should also allow to fulfil the requirements of Article 28(3) and (4) of Regulation (EU) 2016/679.
(10) The standard contractual clauses set out in the Annex to this Decision combine general clauses with a modular approach to cater for various transfer scenarios and the complexity of modern processing chains. In addition to the general clauses, controllers and processors should select the module applicable to their situation, so as to tailor their obligations under the standard contractual clauses to their role and responsibilities in relation to the data processing in question. It should be possible for more than two parties to adhere to the standard contractual clauses. Moreover, additional controllers and processors should be allowed to accede to the standard contractual clauses as data exporters or importers throughout the lifecycle of the contract of which they form a part.
(11) In order to provide appropriate safeguards, the standard contractual clauses should ensure that the personal data transferred on that basis is afforded a level of protection essentially equivalent to that guaranteed within the Union.[10] With a view to ensuring transparency of processing, data subjects should be provided with a copy of the standard contractual clauses and be informed, in particular, of the categories of personal data processed, the right to obtain a copy of the standard contractual clauses, and any onward transfer. Onward transfers by the data importer to a third party in another third country should be allowed only if the third party accedes to the standard contractual clauses, if the continuity of protection is ensured otherwise, or in specific situations, such as on the basis of the explicit, informed consent of the data subject.
(12) With some exceptions, in particular as regards certain obligations that exclusively concern the relationship between the data exporter and data importer, data subjects should be able to invoke, and where necessary enforce, the standard contractual clauses as third-party beneficiaries. Therefore, while the parties should be allowed to choose the law of one of the Member States as governing the standard contractual clauses, that law must allow for third-party beneficiary rights. In order to facilitate individual redress, the standard contractual clauses should require the data importer to inform data subjects of a contact point and to deal promptly with any complaints or requests. In the event of a dispute between the data importer and a data subject who invokes his or her rights as a third-party beneficiary, the data subject should be able to lodge a complaint with the competent supervisory authority or refer the dispute to the competent courts in the EU.
(13) In order to ensure effective enforcement, the data importer should be required to submit to the jurisdiction of such authority and courts, and to commit to abide by any binding decision under the applicable Member State law. In particular, the data importer should agree to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. In addition, the data importer should have the option of offering data subjects the opportunity to seek redress before an independent dispute resolution body, at no cost. In line with Article 80(1) of Regulation (EU) 2016/679, data subjects should be allowed to be represented by associations or other bodies in disputes against the data importer if they so wish.
(14) The standard contractual clauses should provide for rules on liability between the parties and with respect to data subjects, and rules on indemnification between the parties. Where the data subject suffers material or non-material damage as a consequence of any breach of the third-party beneficiary rights under the standard contractual clauses, he or she should be entitled to compensation. This should be without prejudice to any liability under Regulation (EU) 2016/679.
(15) In the case of a transfer to a data importer acting as a processor or sub-processor, specific requirements should apply in accordance with Article 28(3) of Regulation (EU) 2016/679. The standard contractual clauses should require the data importer to make available all information necessary to demonstrate compliance with the obligations set out in the clauses and to allow for and contribute to audits of its processing activities by the data exporter. With respect to the engagement of any sub-processor by the data importer, in line with Article 28(2) and (4) of Regulation (EU) 2016/679, the standard contractual clauses should in particular set out the procedure for general or specific authorisation from the data exporter and the requirement for a written contract with the sub-processor ensuring the same level of protection as under the clauses.
(16) It is appropriate to provide different safeguards in the standard contractual clauses that cover the specific situation of a transfer of personal data by a processor in the Union to its controller in a third country and reflect the limited self-standing obligations for processors under Regulation (EU) 2016/679. In particular, the standard contractual clauses should require the processor to inform the controller if it is unable to follow its instructions, including if such instructions infringe Union data protection law, and require the controller to refrain from any actions that would prevent the processor from fulfilling its obligations under Regulation (EU) 2016/679. They should also require the parties to assist each other in responding to enquiries and requests from data subjects under the local law applicable to the data importer or, for data processing in the Union, under Regulation (EU) 2016/679. Additional requirements to address any effects of the laws of the third country of destination on the controller’s compliance with the clauses, in particular how to deal with binding requests from public authorities in the third country for disclosure of the transferred personal data, should apply where the Union processor combines the personal data received from the controller in the third country with personal data collected by the processor in the Union. Conversely, no such requirements are justified where the outsourcing merely involves the processing and transfer back of personal data that has been received from the controller and in any event has been and will remain subject to the jurisdiction of the third country in question.
(17) The parties should be able to demonstrate compliance with the standard contractual clauses. In particular, the data importer should be required to keep appropriate documentation for the processing activities under its responsibility and to inform the data exporter promptly if it is unable to comply with the clauses, for whatever reason. In turn, the data exporter should suspend the transfer and, in particularly serious cases, have the right to terminate the contract, insofar as it concerns the processing of personal data under standard contractual clauses, where the data importer is in breach of the clauses or unable to comply with them. Specific rules should apply where local laws affect compliance with the clauses. Personal data that has been transferred prior to the termination of the contract, and any copies thereof, should at the choice of the data exporter be returned to the data exporter or destroyed in their entirety.
(18) The standard contractual clauses should provide for specific safeguards, in particular in the light of the case law of the Court of Justice[11], to address any effects of the laws of the third country of destination on the data importer’s compliance with the clauses, in particular how to deal with binding requests from public authorities in that country for disclosure of the transferred personal data.
(19) The transfer and processing of personal data under standard contractual clauses should not take place if the laws and practices of the third country of destination prevent the data importer from complying with the clauses. In this context, laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679 should not be considered as being in conflict with the standard contractual clauses. The parties should warrant that, at the time of agreeing to the standard contractual clauses, they have no reason to believe that the laws and practices applicable to the data importer are not in line with these requirements.
(20) The parties should take account, in particular, of the specific circumstances of the transfer (such as the content and duration of the contract, the nature of the data to be transferred, the type of recipient, the purpose of the processing), the laws and practices of the third country of destination that are relevant in light of the circumstances of the transfer and any safeguards put in place to supplement those under the standard contractual clauses (including relevant contractual, technical and organisational measures applying to the transmission of personal data and its processing in the country of destination). As regards the impact of such laws and practices on compliance with the standard contractual clauses, different elements may be considered as part of an overall assessment, including reliable information on the application of the law in practice (such as case law and reports by independent oversight bodies), the existence or absence of requests in the same sector and, under strict conditions, the documented practical experience of the data exporter and/or data importer.
(21) The data importer should notify the data exporter if, after agreeing to the standard contractual clauses, it has reason to believe that it is not able to comply with the standard contractual clauses. If the data exporter receives such notification or otherwise becomes aware that the data importer is no longer able to comply with the standard contractual clauses, it should identify appropriate measures to address the situation, if necessary in consultation with the competent supervisory authority. Such measures may include supplementary measures adopted by the data exporter and/or data importer, such as technical or organisational measures to ensure security and confidentiality. The data exporter should be required to suspend the transfer if it considers that no appropriate safeguards can be ensured, or if so instructed by the competent supervisory authority.
(22) Where possible, the data importer should notify the data exporter and the data subject if it receives a legally binding request from a public (including judicial) authority under the law of the country of destination for disclosure of personal data transferred pursuant to the standard contractual clauses. Similarly, it should notify them if it becomes aware of any direct access by public authorities to such personal data, in accordance with the law of the third country of destination. If, despite its best efforts, the data importer is not in a position to notify the data exporter and/or the data subject of specific disclosure requests, it should provide the data exporter with as much relevant information as possible on the requests. In addition, the data importer should provide the data exporter with aggregate information at regular intervals. The data importer should also be required to document any request for disclosure received and the response provided, and make that information available to the data exporter or the competent supervisory authority, or both, upon request. If, following a review of the legality of such a request under the laws of the country of destination, the data importer concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the third country of destination, it should challenge it, including, where appropriate, by exhausting available possibilities of appeal. In any event, if the data importer is no longer able to comply with the standard contractual clauses, it should inform the data exporter accordingly, including where this is the consequence of a request for disclosure.
(23) As stakeholder needs, technology and processing operations may change, the Commission should evaluate the operation of the standard contractual clauses in the light of experience, as part of the periodic evaluation of Regulation (EU) 2016/679 referred to in Article 97 of that Regulation.
(24) Decision 2001/497/EC and Decision 2010/87/EU should be repealed three months after the entry into force of this Decision. During that period, data exporters and data importers should, for the purpose of Article 46(1) of Regulation (EU) 2016/679, still be able to use the standard contractual clauses set out in Decisions 2001/497/EC and 2010/87/EU. For an additional period of 15 months, data exporters and data importers should, for the purpose of Article 46(1) of Regulation (EU) 2016/679, be able to continue to rely on standard contractual clauses set out in Decisions 2001/497/EC and 2010/87/EU for the performance of contracts concluded between them before the date of repeal of those decisions, provided that the processing operations that are the subject matter of the contract remain unchanged and that reliance on the clauses ensures that the transfer of personal data is subject to appropriate safeguards within the meaning of Article 46(1) of Regulation (EU) 2016/679. In the event of relevant changes to the contract, the data exporter should be required to rely on a new ground for data transfers under the contract, in particular by replacing the existing standard contractual clauses with the standard contractual clauses set out in the Annex to this Decision. The same should apply to any sub-contracting to a (sub-)processor of processing operations covered by the contract.
(25) The European Data Protection Supervisor and the European Data Protection Board were consulted in accordance with Article 42(1) and (2) of Regulation (EU) 2018/1725 and delivered a joint opinion on 14 January 2021[12], which has been taken into consideration in the preparation of this Decision.
(26) The measures provided for in this Decision are in accordance with the opinion of the Committee established under Article 93 of Regulation (EU) 2016/679.
HAS ADOPTED THIS DECISION:
Article 1
1. The standard contractual clauses set out in the Annex are considered to provide appropriate safeguards within the meaning of Article 46(1) and (2)(c) of Regulation (EU) 2016/679 for the transfer by a controller or processor of personal data processed subject to that Regulation (data exporter) to a controller or (sub-)processor whose processing of the data is not subject to that Regulation (data importer).
2. The standard contractual clauses also set out the rights and obligations of controllers and processors with respect to the matters referred to in Article 28(3) and (4) of Regulation (EU) 2016/679, as regards the transfer of personal data from a controller to a processor, or from a processor to a sub-processor.
Article 2
Where the competent Member State authorities exercise corrective powers pursuant to Article 58 of Regulation (EU) 2016/679 in response to the data importer being or becoming subject to laws or practices in the third country of destination that prevent it from complying with the standard contractual clauses set out in the Annex, leading to the suspension or ban of data transfers to third countries, the Member State concerned shall, without delay, inform the Commission, which will forward the information to the other Member States.
Article 3
The Commission shall evaluate the practical application of the standard contractual clauses set out in the Annex on the basis of all available information, as part of the periodic evaluation required by Article 97 of Regulation (EU) 2016/679.
Article 4
1. This Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
2. Decision 2001/497/EC is repealed with effect from 27 September 2021.
3. Decision 2010/87/EU is repealed with effect from 27 September 2021.
4. Contracts concluded before 27 September 2021 on the basis of Decision 2001/497/EC or Decision 2010/87/EU shall be deemed to provide appropriate safeguards within the meaning of Article 46(1) of Regulation (EU) 2016/679 until 27 December 2022, provided the processing operations that are the subject matter of the contract remain unchanged and that reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards.
Done at Brussels, 4 June 2021
For the Commission
The President
Ursula VON DER LEYEN
EUROPEAN COMMISSION
Brussels, 4.6.2021
C(2021) 3972 final
ANNEX
ANNEX
to the
COMMISSION IMPLEMENTING DECISION
on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council
ANNEX
STANDARD CONTRACTUAL CLAUSES
SECTION I
Clause 1
Purpose and scope
(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)[13] for the transfer of personal data to a third country.
(b)The Parties:
双方:
(i)the natural or legal person(s),public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”)transferring the personal data, as listed in Annex I.A. (hereinafter each “dataexporter”), and
附件I.A.列举的转移个人数据的自然人或法人、公共机构、代理机构或其他实体(以下简称“实体”)(统称为“数据出口方”),和
(ii)the entity/ies in a thirdcountry receiving the personal data from the data exporter, directly orindirectly via another entity also Party to these Clauses, as listed in AnnexI.A. (hereinafter each “data importer”)
附件I.A.列举的从数据出口方接收个人数据的位于第三国的实体,通过另一方实体直接或间接地接收数据方也为合同一方(统称为“数据进口方”)。
have agreed to thesestandard contractual clauses (hereinafter: “Clauses”).
就标准合同条款(以下简称“条款”)协商一致。
(c)These Clauses apply withrespect to the transfer of personal data as specified in Annex I.B.
该等条款适用于附件I.B.中规定的个人数据的转移。
(d)The Appendix to these Clausescontaining the Annexes referred to therein forms an integral part of theseClauses.
包含附件的该等条款的附录为该等条款不可分割的一部分。
Clause 2
Effect and invariability of the Clauses
(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
Clause 3
Third-party beneficiaries
(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii) Clause 8 - Module One: Clause 8.5(e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1(b) and Clause 8.3(b);
(iii) Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
(iv) Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);
(v) Clause 13;
(vi) Clause 15.1(c), (d) and (e);
(vii) Clause 16(e);
(viii) Clause 18 - Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.
(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
Clause 4
Interpretation
(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7 - Optional
Docking clause
(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
(b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
(c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
MODULE ONE: Transfer controller to controller
8.1 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B. It may only process the personal data for another purpose:
(i) where it has obtained the data subject’s prior consent;
(ii) where necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
(iii) where necessary in order to protect the vital interests of the data subject or of another natural person.
8.2 Transparency
(a) In order to enable data subjects to effectively exercise their rights pursuant to Clause 10, the data importer shall inform them, either directly or through the data exporter:
(i) of its identity and contact details;
(ii) of the categories of personal data processed;
(iii) of the right to obtain a copy of these Clauses;
(iv) where it intends to onward transfer the personal data to any third party/ies, of the recipient or categories of recipients (as appropriate with a view to providing meaningful information), the purpose of such onward transfer and the ground therefore pursuant to Clause 8.7.
(b) Paragraph (a) shall not apply where the data subject already has the information, including when such information has already been provided by the data exporter, or providing the information proves impossible or would involve a disproportionate effort for the data importer. In the latter case, the data importer shall, to the extent possible, make the information publicly available.
(c) On request, the Parties shall make a copy of these Clauses, including the Appendix as completed by them, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the Parties may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.
(d) Paragraphs (a) to (c) are without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.3 Accuracy and data minimization
(a) Each Party shall ensure that the personal data is accurate and, where necessary, kept up to date. The data importer shall take every reasonable step to ensure that personal data that is inaccurate, having regard to the purpose(s) of processing, is erased or rectified without delay.
(b) If one of the Parties becomes aware that the personal data it has transferred or received is inaccurate, or has become outdated, it shall inform the other Party without undue delay.
(c) The data importer shall ensure that the personal data is adequate, relevant and limited to what is necessary in relation to the purpose(s) of processing.
8.4 Storage limitation
The data importer shall retain the personal data for no longer than necessary for the purpose(s) for which it is processed. It shall put in place appropriate technical or organisational measures to ensure compliance with this obligation, including erasure or anonymisation[14] of the data and all back-ups at the end of the retention period.
8.5 Security of processing
(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the personal data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter “personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.
(b) The Parties have agreed on the technical and organisational measures set out in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
(c) The data importer shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(d) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the personal data breach, including measures to mitigate its possible adverse effects.
(e) In case of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, the data importer shall without undue delay notify both the data exporter and the competent supervisory authority pursuant to Clause 13. Such notification shall contain i) a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), ii) its likely consequences, iii) the measures taken or proposed to address the breach, and iv) the details of a contact point from whom more information can be obtained. To the extent it is not possible for the data importer to provide all the information at the same time, it may do so in phases without undue further delay.
(f) In case of a personal data breach that is likely to result in a high risk to the rights and freedoms of natural persons, the data importer shall also notify without undue delay the data subjects concerned of the personal data breach and its nature, if necessary in cooperation with the data exporter, together with the information referred to in paragraph (e), points ii) to iv), unless the data importer has implemented measures to significantly reduce the risk to the rights or freedoms of natural persons, or notification would involve disproportionate efforts. In the latter case, the data importer shall instead issue a public communication or take a similar measure to inform the public of the personal data breach.
(g) The data importer shall document all relevant facts relating to the personal data breach, including its effects and any remedial action taken, and keep a record thereof.
8.6 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences (hereinafter “sensitive data”), the data importer shall apply specific restrictions and/or additional safeguards adapted to the specific nature of the data and the risks involved. This may include restricting the personnel permitted to access the personal data, additional security measures (such as pseudonymisation) and/or additional restrictions with respect to further disclosure.
8.7 Onward transfers
The data importer shall not disclose the personal data to a third party located outside the European Union[15] (in the same country as the data importer or in another third country, hereinafter “onward transfer”) unless the third party is or agrees to be bound by these Clauses, under the appropriate Module. Otherwise, an onward transfer by the data importer may only take place if:
(i) it is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;
(iii) the third party enters into a binding instrument with the data importer ensuring the same level of data protection as under these Clauses, and the data importer provides a copy of these safeguards to the data exporter;
(iv) it is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings;
(v) it is necessary in order to protect the vital interests of the data subject or of another natural person; or
(vi) where none of the other conditions apply, the data importer has obtained the explicit consent of the data subject for an onward transfer in a specific situation, after having informed him/her of its purpose(s), the identity of the recipient and the possible risks of such transfer to him/her due to the lack of appropriate data protection safeguards. In this case, the data importer shall inform the data exporter and, at the request of the latter, shall transmit to it a copy of the information provided to the data subject.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.8 Processing under the authority of the data importer
The data importer shall ensure that any person acting under its authority, including a processor, processes the data only on its instructions.
8.9 Documentation and compliance
(a) Each Party shall be able to demonstrate compliance with its obligations under these Clauses. In particular, the data importer shall keep appropriate documentation of the processing activities carried out under its responsibility.
(b) The data importer shall make such documentation available to the competent supervisory authority on request.
MODULE TWO: Transfer controller to processor
8.1 Instructions
(a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
(b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
(b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union[16] (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;
(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
(a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
(c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
(d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
MODULE THREE: Transfer processor to processor
8.1 Instructions
(a) The data exporter has informed the data importer that it acts as processor under the instructions of its controller(s), which the data exporter shall make available to the data importer prior to processing.
(b) The data importer shall process the personal data only on documented instructions from the controller, as communicated to the data importer by the data exporter, and any additional documented instructions from the data exporter. Such additional instructions shall not conflict with the instructions from the controller. The controller or data exporter may give further documented instructions regarding the data processing throughout the duration of the contract.
(c) The data importer shall immediately inform the data exporter if it is unable to follow those instructions. Where the data importer is unable to follow the instructions from the controller, the data exporter shall immediately notify the controller.
(d) The data exporter warrants that it has imposed the same data protection obligations on the data importer as set out in the contract or other legal act under Union or Member State law between the controller and the data exporter[17].
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B., unless on further instructions from the controller, as communicated to the data importer by the data exporter, or from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the data exporter may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.
  1. 8.4Accuracy
准确度
If the data importer becomes aware that the personal data ithas received is inaccurate, orhas become outdated, it shall inform the dataexporter without undue delay. In this case, thedata importer shall cooperatewith the data exporter to rectify or erase thedata.
如果数据进口方意识到它所接收的个人数据不准确或已经过时,不得无故迟延通知数据出口方。在该情形下,数据进口方应当配合数据出口方对数据进行更正或者删除。
  1. 8.5Duration ofprocessing and erasure or return of data
处理期限和数据删除或归还
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the controller and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
数据进口方的处理应仅在附件I.B.中规定的期限内进行。在提供处理服务结束后,数据进口方应根据数据出口方的选择,删除代表控制者处理的所有个人数据,并向数据出口方证明它已这样做,或将代表其处理的所有个人数据归还数据出口方并删除现有副本。在数据被删除或归还之前,数据进口方应继续确保遵守该等条款。如果适用于数据进口方的当地法律禁止归还或删除个人数据,数据进口方保证其将继续确保遵守该等条款,并且只在当地法律规定的范围内和时间内处理这些数据。这并不影响第14条,特别是第14条第(e)项对数据进口方的要求,即如果数据进口方有理由相信受到或已经受到不符合第14条第(a)项要求的法律或惯例的约束,则在合同期间内通知数据出口方。
8.6 Security of processing
处理的安全性
(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter or the controller. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
数据进口方,以及在传输过程中的数据出口方,应采取适当的技术和组织措施,以确保数据的安全,包括防止安全漏洞导致意外或非法的破坏、丢失、篡改、未经授权的披露或访问(以下简称“个人数据泄露”)。在评估适当的安全水平时,双方应适当考虑技术水平、实施成本、处理的性质、范围、场景和目的以及处理过程中相对于数据主体的风险。如果处理的目的可以通过这种方式实现,双方应特别考虑采用(包括在传输过程中的)加密或假名化。在假名化的情况下,在可能的情况下,用于将个人数据归属于特定数据主体的额外信息应保持在数据出口方或控制者的排他控制之下。在遵守本段规定的义务时,数据进口方应至少实施附件II中规定的技术和组织措施。数据进口方应进行定期检查,以确保这些措施持续提供适当的安全水平。
(b) The data importer shall grant access to the data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
数据进口方应仅在执行、管理和监督合同所严格必要的范围内允许其工作人员访问这些数据。应确保被授权处理个人数据的人已承诺保密或负有适当的法定保密义务。
(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify, without undue delay, the data exporter and, where appropriate and feasible, the controller after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the data breach, including measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
如果发生涉及数据进口方根据该等条款处理的个人数据泄露事件,数据进口方应采取适当措施处理泄露事件,包括采取措施减轻其可能的不利影响。数据进口方还应在意识到泄露后,不得无故迟延通知数据出口方,并在适当和可行的情况下通知控制者。该通知应当包含可获得更多信息的联络点的详细信息,对泄露性质的描述(在可能的情况下,包括有关数据主体和个人数据记录的类别和大致数量),可能的后果和为解决数据泄露而采取或建议采取的措施,包括采取措施减轻其可能的不利影响。如果当时无法提供所有信息,初步通知应当包含当时可得的信息,随后在获得进一步信息时,不得无故迟延提供。
(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify its controller so that the latter may in turn notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
数据进口方应与数据出口方合作并提供协助,使数据出口方能够遵守欧盟2016/679号条例规定的义务,特别是通知其控制者,以便后者可以据此通知主管监管部门和受影响的数据主体,需同时考虑到处理的性质和数据进口方所掌握的信息。
8.7 Sensitive data
敏感数据
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards set out in Annex I.B.
如果转移涉及显示种族或民族血统、政治观点、宗教或哲学信仰或工会会员资格的个人数据、遗传数据或用于唯一识别自然人的生物识别数据、有关健康或个人性生活或性取向的数据、或与刑事定罪或犯罪有关的数据(以下简称“敏感数据”),数据进口方应根据附件I.B.中的规定采取特定限制和/或额外保障措施。
8.8 Onward transfers
再转移
The data importer shall only disclose the personal data to a third party on documented instructions from the controller, as communicated to the data importer by the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union[18] (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
数据进口方应仅根据数据出口方传达给数据进口方的控制者的书面指示将个人数据披露给第三方。此外,只有在第三方根据适当的模块同意受该等条款约束的情况下,数据才能披露给位于欧盟以外6的第三方(与数据进口方在同一国家或在另一个第三国,以下简称“再转移”),或者如果:
(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
再转移的目标国是根据欧盟2016/679号条例第45条享受充分性保护决定的国家;
(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679;
第三方根据欧盟2016/679号条例第46条或47条,以其他方式确保适当保障措施;
(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
在特定的行政、监管或司法程序中,为建立、行使或支持权利主张所必需;或者
(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
为了保护数据主体或其他自然人的关键利益所必需。
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
数据进口方的任何再转移都必须遵守该等条款规定的所有其他保障措施,特别是关于目的限制的规定。
8.9 Documentation and compliance
文件和合规性
(a) The data importer shall promptly and adequately deal with enquiries from the data exporter or the controller that relate to the processing under these Clauses.
数据进口方应及时和充分地处理数据出口方或者控制者提出的与该等条款下的处理有关的询问。
(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the controller.
双方应能证明遵守该等条款。尤其是数据进口方应保留代表控制者进行的处理活动的适当文件。
(c) The data importer shall make all information necessary to demonstrate compliance with the obligations set out in these Clauses available to the data exporter, which shall provide it to the controller.
数据进口方应向数据出口方提供所有必要的信息,以证明遵守该等条款中规定的义务,而数据出口方应将其提供给控制者。
(d) The data importer shall allow for and contribute to audits by the data exporter of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. The same shall apply where the data exporter requests an audit on instructions of the controller. In deciding on an audit, the data exporter may take into account relevant certifications held by the data importer.
数据进口方应允许并协助数据出口方在合理的时间间隔内或在有迹象表明不遵守规定的情况下对该等条款所涵盖的处理活动进行审计。这也适用于数据出口方根据控制者的指示要求进行审计的情况。在决定审计时,数据出口方可以考虑到数据进口方持有的相关认证。
(e) Where the audit is carried out on the instructions of the controller, the data exporter shall make the results available to the controller.
如果审计是根据控制者的指示进行的,数据出口方应将结果提供给控制者。
(f) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
数据出口方可以自愿选择自行审计,也可以委托独立审计方进行审计。审计可包括对数据进口方的场所或物理设施的检查,在适当的情况下需进行合理通知。
(g) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
各方应根据请求向主管监管部门提供(b)和(c)项所述的信息,包括任何审计的结果。
MODULE FOUR: Transfer processor to controller
模块四:从处理者转移到控制者
8.1 Instructions
说明
(a) The data exporter shall process the personal data only on documented instructions from the data importer acting as its controller.
数据出口方应仅根据作为控制者的数据进口方的书面指示处理个人数据。
(b) The data exporter shall immediately inform the data importer if it is unable to follow those instructions, including if such instructions infringe Regulation (EU) 2016/679 or other Union or Member State data protection law.
如果数据出口方无法遵守这些指示,包括如果这些指示违反欧盟2016/679号条例或者其他欧盟或成员国数据保护法,应立即通知数据进口方。
(c) The data importer shall refrain from any action that would prevent the data exporter from fulfilling its obligations under Regulation (EU) 2016/679, including in the context of sub-processing or as regards cooperation with competent supervisory authorities.
无论是分包处理情形或者就和主管监管部门合作而言,数据进口方应避免采取任何行动,妨碍数据出口方履行欧盟2016/679号条例规定的义务。
(d) After the end of the provision of the processing services, the data exporter shall, at the choice of the data importer, delete all personal data processed on behalf of the data importer and certify to the data importer that it has done so, or return to the data importer all personal data processed on its behalf and delete existing copies.
在提供处理服务结束后,数据出口方应根据数据进口方的选择,删除代表控制者处理的所有个人数据,并向数据出口方证明它已这样做,或将代表其处理的所有个人数据归还数据进口方并删除现有副本。
8.2 Security of processing
处理的安全性
(a) The Parties shall implement appropriate technical and organisational measures to ensure the security of the data, including during transmission, and protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter “personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature of the personal data[19], the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects, and in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.
双方应采取适当的技术和组织措施确保包括传输过程中的数据安全,防止安全漏洞导致意外或非法的破坏、丢失、篡改、未经授权的披露或访问(以下简称“个人数据泄露”)。在评估适当的安全水平时,双方应适当考虑技术水平、实施成本、处理的性质7、范围、场景和目的以及处理过程中相对于数据主体的风险。如果处理的目的可以通过这种方式实现,双方应特别考虑采用(包括在传输过程中的)加密或假名化。
(b) The data exporter shall assist the data importer in ensuring appropriate security of the data in accordance with paragraph (a). In case of a personal data breach concerning the personal data processed by the data exporter under these Clauses, the data exporter shall notify the data importer without undue delay after becoming aware of it and assist the data importer in addressing the breach.
数据出口方应协助数据进口方按照(a)项的规定确保适当水平的数据安全。如果发生与数据出口方根据该等条款处理的个人数据有关的个人数据泄露事件,数据出口方应在意识到这一事件后不得无故迟延通知数据进口方,并协助数据进口方处理该泄露事件。
(c) The data exporter shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
数据出口方应确保被授权处理个人数据的人承诺保密或承担适当的法定保密义务。
8.3 Documentation and compliance
文件和合规性
(a) The Parties shall be able to demonstrate compliance with these Clauses.
双方应能证明对该等条款的遵守。
(b) The data exporter shall make available to the data importer all information necessary to demonstrate compliance with its obligations under these Clauses and allow for and contribute to audits.
数据出口方应向数据进口方提供所有必要的信息,以证明其遵守该等条款规定的义务,并允许和协助进行审计。
Clause 9
9
Use of sub-processors
分包处理者的作用
MODULE TWO: Transfer controller to processor
模块二:从控制者转移到处理者
(a) OPTION 1: SPECIFIC PRIOR AUTHORISATION The data importer shall not sub-contract any of its processing activities performed on behalf of the data exporter under these Clauses to a sub-processor without the data exporter’s prior specific written authorisation. The data importer shall submit the request for specific authorisation at least [Specify time period] prior to the engagement of the sub-processor, together with the information necessary to enable the data exporter to decide on the authorisation. The list of sub-processors already authorised by the data exporter can be found in Annex III. The Parties shall keep Annex III up to date.
方案 1:具体的事先授权未经数据出口方事先具体书面授权,数据进口方不得将其根据该等条款代表数据出口方进行的任何处理活动分包给其他处理方。数据进口方应在聘用其他处理方之前至少[注明时间段]提交具体授权请求,同时提供必要的信息,以便数据出口方对授权作出决定。已获数据出口方授权的分包处理者名单见附件III。双方应及时更新附件III
OPTION 2: GENERAL WRITTEN AUTHORISATION The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least [Specify time period] in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
方案 2:一般书面授权数据进口方拥有数据出口方的一般授权,可从经同意的清单中聘用分包处理者。数据进口方应至少提前[注明时间段]以书面形式明确通知数据出口方通过增加或更换分包处理者对该清单进行的任何预期更改,从而使数据出口方有足够的时间在聘用分包处理者之前反对此类更改。数据进口方应向数据出口方提供必要的信息,使数据出口方能够行使其反对权。
(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects.[20] The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
如果数据进口方聘请分包处理者(代表数据出口方)进行具体的处理活动,它应通过书面合同的方式进行,该合同实质上规定了与数据进口方在该等条款下所受约束相同的数据保护义务,包括数据主体的第三方受益人权利方面。8双方同意,通过遵守该等条款,数据进口方履行了其在第8.8条下的义务。数据进口方应确保分包处理者遵守数据进口方根据该等条款所承担的义务。
(c) The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
应数据出口方的请求,数据进口方向数据出口方提供与该分包处理者签署的协议及任何后续修订的副本。在保护商业秘密或其他机密信息(包括个人数据)的必要范围内,数据进口方可以在分享副本之前对协议文本进行编辑。
(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
数据进口方应继续就分包处理者履行其与数据进口方合同项下的义务向数据出口方承担全部责任。数据进口方应将分包处理者未能履行其在该合同下的义务的情况通知数据出口方。
(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby - in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent - the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
数据进口方应与分包处理者就第三方受益人条款达成一致,据此,在数据进口方事实上已经消失、在法律上不复存在或已经破产的情况下,数据出口方应有权终止分包处理者合同并指示分包处理者删除或归还个人数据。
MODULE THREE: Transfer processor to processor
模块三:从处理者转移到处理者
(a) OPTION 1: SPECIFIC PRIOR AUTHORISATION The data importer shall not sub-contract any of its processing activities performed on behalf of the data exporter under these Clauses to a sub-processor without the prior specific written authorisation of the controller. The data importer shall submit the request for specific authorisation at least [Specify time period] prior to the engagement of the sub-processor, together with the information necessary to enable the controller to decide on the authorisation. It shall inform the data exporter of such engagement. The list of sub-processors already authorised by the controller can be found in Annex III. The Parties shall keep Annex III up to date.
方案 1:具体的事先授权未经控制者事先具体书面授权,数据进口方不得将其根据该等条款代表数据出口方进行的任何处理活动分包给其他处理方。数据进口方应在聘用其他处理方之前至少[注明时间段]提交具体授权请求,同时提供必要的信息,以便控制方对授权作出决定。其应当告知数据出口方聘用情况。数据出口方授权的分包处理者名单见附件III。双方应及时更新附件III
OPTION 2: GENERAL WRITTEN AUTHORISATION The data importer has the controller’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the controller in writing of any intended changes to that list through the addition or replacement of sub-processors at least [Specify time period] in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the controller with the information necessary to enable the controller to exercise its right to object. The data importer shall inform the data exporter of the engagement of the sub-processor(s).
方案 2:一般书面授权数据进口方拥有数据出口方的一般授权,可从经同意的清单中聘用分包处理者。数据进口方应至少提前[注明时间段]以书面形式明确通知数据出口方通过增加或更换分包处理者对该清单进行的任何预期更改,从而使数据出口方有足够的时间在聘用分包处理者之前反对此类更改。数据进口方应向数据出口方提供必要的信息,使数据出口方能够行使其反对权。
(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the controller), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects.[21] The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
如果数据进口方聘请分包处理者(代表控制者)进行具体的处理活动,它应通过书面合同的方式进行,该合同实质上规定了与数据进口方在该等条款下所受约束相同的数据保护义务,包括数据主体的第三方受益人权利方面。9双方同意,通过遵守该等条款,数据进口方履行了其在第8.8条下的义务。数据进口方应确保分包处理者遵守数据进口方根据该等条款所承担的义务。
(c) The data importer shall provide, at the data exporter’s or controller’s request, a copy of such a sub-processor agreement and any subsequent amendments. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
应数据出口方或者控制者的请求,数据进口方应提供与该分包处理者签署的协议及任何后续修订的副本。在保护商业秘密或其他机密信息(包括个人数据)的必要范围内,数据进口方可以在分享副本之前对协议文本进行编辑。
(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
数据进口方应继续就分包处理者履行其与数据进口方合同项下的义务向数据出口方承担全部责任。数据进口方应将分包处理者未能履行其在该合同下的义务的情况通知数据出口方。
(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby - in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent - the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
数据进口方应与分包处理者商定一个第三方受益人条款,据此,在数据进口方事实上已经消失、在法律上不复存在或已经破产的情况下,数据出口方应有权终止分包处理者合同并指示分包处理者删除或归还个人数据。
Clause 10
10
Data subject rights
数据主体权利
MODULE ONE: Transfer controller to controller
模块一:从控制者转移到控制者
(a) The data importer, where relevant with the assistance of the data exporter, shall deal with any enquiries and requests it receives from a data subject relating to the processing of his/her personal data and the exercise of his/her rights under these Clauses without undue delay and at the latest within one month of the receipt of the enquiry or request.[22] The data importer shall take appropriate measures to facilitate such enquiries, requests and the exercise of data subject rights. Any information provided to the data subject shall be in an intelligible and easily accessible form, using clear and plain language.
数据进口方,相关时在数据出口方的协助下,应处理其从数据主体收到的有关处理其个人数据和行使其在该等条款下的权利的任何询问和请求,不得无故迟延,最迟在收到询问或请求后1个月内处理。10数据进口方应当采取适当措施以协助提出该等询问、请求和行使数据主体权利。提供给数据主体的任何信息都应以可理解和容易获取的形式,使用清晰和平实的语言。
(b) In particular, upon request by the data subject the data importer shall, free of charge:
特别是,在数据主体的要求下,数据进口方应免费:
(i) provide confirmation to the data subject as to whether personal data concerning him/her is being processed and, where this is the case, a copy of the data relating to him/her and the information in Annex I; if personal data has been or will be onward transferred, provide information on recipients or categories of recipients (as appropriate with a view to providing meaningful information) to which the personal data has been or will be onward transferred, the purpose of such onward transfers and their ground pursuant to Clause 8.7; and provide information on the right to lodge a complaint with a supervisory authority in accordance with Clause 12(c)(i);
向数据主体确认有关他/她的个人数据是否正在处理,如果是这种情况,则提供与他/她有关的数据副本和附件I中的信息;如果个人数据已经或将被再次转移,提供个人数据已经或将被转移的接收者或接收者类别的信息(视情况而定,以提供有意义的信息),此类再次转移的目的和他们基于第8.7条再转移的理由;并提供有关根据第 12条第(c)项第(i)点向监管机构提出投诉的权利的信息;
(ii) rectify inaccurate or incomplete data concerning the data subject;
更正有关数据主体的不准确或不完整的数据;
(iii) erase personal data concerning the data subject if such data is being or has been processed in violation of any of these Clauses ensuring third-party beneficiary rights, or if the data subject withdraws the consent on which the processing is based.
如果正在或者发生过的数据处理行为违反了该等条款中确保第三方受益人权利的内容,或者如果数据主体撤回处理所依据的同意,则删除数据主体数据。
(c) Where the data importer processes the personal data for direct marketing purposes, it shall cease processing for such purposes if the data subject objects to it.
如果数据进口方为直接营销目的处理个人数据,在数据主体提出反对时,它应停止基于反对的目的所进行的处理。
(d) The data importer shall not make a decision based solely on the automated processing of the personal data transferred (hereinafter “automated decision”), which would produce legal effects concerning the data subject or similarly significantly affect him/her, unless with the explicit consent of the data subject or if authorised to do so under the laws of the country of destination, provided that such laws lays down suitable measures to safeguard the data subject’s rights and legitimate interests. In this case, the data importer shall, where necessary in cooperation with the data exporter:
如果自动处理对数据主体将产生法律效力或者类似显著影响,数据进口方则不得仅根据所转让个人数据的自动处理作出决定(以下简称“自动决定”),除非得到数据主体的明确同意或目的地国法律的授权,前提是该等法律规定了适当的措施来保障数据主体的权利和合法利益。在这种情况下,数据进口方应在必要时与数据出口方合作:
(i) inform the data subject about the envisaged automated decision, the envisaged consequences and the logic involved; and
告知数据主体可能的自动决定、可能的后果和相关逻辑;以及
(ii) implement suitable safeguards, at least by enabling the data subject to contest the decision, express his/her point of view and obtain review by a human being.
实施适当的保障措施,至少使数据主体能够对决定提出异议,表达他/她的观点并进行人工复查。
(e) Where requests from a data subject are excessive, in particular because of their repetitive character, the data importer may either charge a reasonable fee taking into account the administrative costs of granting the request or refuse to act on the request.
如果数据主体的请求繁多,尤其是提出重复请求,数据进口方可以在考虑批准该请求的手续成本后,收取合理的费用或者拒绝基于该请求采取行动。
(f) The data importer may refuse a data subject’s request if such refusal is allowed under the laws of the country of destination and is necessary and proportionate in a democratic society to protect one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679.
如果目的地国的法律允许拒绝数据主体的请求,并且在民主社会中为保护欧盟2016/679号条例第23条第(1)项所列目标之一是必要和相称的,则数据进口方可拒绝该请求。
(g) If the data importer intends to refuse a data subject’s request, it shall inform the data subject of the reasons for the refusal and the possibility of lodging a complaint with the competent supervisory authority and/or seeking judicial redress.
如果数据进口方打算拒绝数据主体的要求,它应告知数据主体拒绝的理由以及向主管监管部门提出投诉和/或寻求司法补救的可能性。
MODULE TWO: Transfer controller to processor
模块二:从控制者转移到处理者
(a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
数据进口方应及时通知数据出口方它从数据主体收到的任何请求。除非得到数据出口方的授权,否则它本身不得对该请求作出回应。
(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
数据进口方应协助数据出口方履行义务,回应数据主体根据欧盟2016/679号条例行使其权利的请求。双方应据此考虑到处理的性质后在附件II中规定协助所需的适当的技术和组织措施,以及所需协助的范围和程度。
(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.
在履行第(a)和第(b)项规定的义务时,数据进口方应遵守数据出口方的指示。
MODULE THREE: Transfer processor to processor
模块三:从处理者转移到处理者
(a) The data importer shall promptly notify the data exporter and, where appropriate, the controller of any request it has received from a data subject, without responding to that request unless it has been authorised to do so by the controller.
数据进口方应立即通知数据出口方,并在适当情况下通知控制者它从数据主体收到的任何请求,除非它得到控制者的授权,否则不对该请求作出回应。
(b) The data importer shall assist, where appropriate in cooperation with the data exporter, the controller in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
数据进口方应在适当情形下与数据出口方合作,协助控制者履行义务,回应数据主体根据欧盟2016/679号条例或欧盟2018/1725号条例(如适用)行使其权利的请求。双方应据此考虑到处理的性质后在附件II中规定协助所需的适当的技术和组织措施,以及所需协助的范围和程度。
(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the controller, as communicated by the data exporter.
在履行(a)(b)段规定的义务时,数据进口方应遵守由数据出口方传达的控制者的指示。
MODULE FOUR: Transfer processor to controller
模块四:从处理者转移到控制者
The Parties shall assist each other in responding to enquiries and requests made by data subjects under the local law applicable to the data importer or, for data processing by the data exporter in the EU, under Regulation (EU) 2016/679.
双方应相互协助,回应数据主体基于适用于数据进口方的当地法律提出的询问和请求;就数据出口方在欧盟境内的数据处理,回应数据主体基于欧盟2016/679号条例提出的询问和请求。
Clause 11
11
Redress
救济措施
(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
数据进口方应通过个别通知或在其网站上公告,以透明和易于获知的形式,告知数据主体授权处理投诉的联络点。它应立即处理它从数据主体收到的任何投诉。
[OPTION: The data importer agrees that data subjects may also lodge a complaint with an independent dispute resolution body[23] at no cost to the data subject. It shall inform the data subjects, in the manner set out in paragraph (a), of such redress mechanism and that they are not required to use it, or follow a particular sequence in seeking redress.]
[方案:数据进口方同意数据主体在无需承担费用的情况下可向独立的争议解决机构11提出申诉。它应以第(a)项规定的方式告知数据主体这种救济措施,而且告知数据主体不要求他们必须使用这种机制,也不要求他们按照特定的顺序寻求救济。 ]
MODULE ONE: Transfer controller to controller
模块一:从控制者转移到控制者
MODULE TWO: Transfer controller to processor
模块二:从控制者转移到处理者
MODULE THREE: Transfer processor to processor
模块三:从处理者转移到处理者
(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
如果数据主体与其中一方在遵守该等条款方面出现争议,该方应尽最大努力及时友好地解决问题。双方应相互通知此类争议,并在适当时合作解决这些争议。
(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
如果数据主体根据第3条援引第三方受益权,数据进口方应接受数据主体的决定:
(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
向其经常居住地或工作地点的成员国的监管机构或根据第13条规定的主管监管机构提出投诉;
(ii) refer the dispute to the competent courts within the meaning of Clause 18.
将争端提交给第18条意义上的主管法院。
(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
双方同意,根据欧盟2016/679号条例第80条第(1)项规定的条件,非营利性机构、组织或协会可代表数据主体行事。
(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
数据进口方应遵守根据适用的欧盟或成员国法律具有约束力的决定。
(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
数据进口方同意,数据主体的选择不会损害他/她根据适用法律寻求补救的实质性和程序性权利。
Clause 12
12
Liability
责任
MODULE ONE: Transfer controller to controller
模块一:从控制者转移到控制者
MODULE FOUR: Transfer processor to controller
模块四:从处理者转移到控制者
(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
各方应对其违反任何该等条款而给另一方造成的任何损失承担责任。
(b) Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.
各方应对数据主体承担责任,该方因违反该等条款规定的第三方受益人权利而给数据主体造成任何物质或精神损失,数据主体有权获得补偿。这不影响数据出口方根据欧盟2016/679号条例承担的责任。
(c) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
如果不只一方应对违反该等条款而给数据主体造成的任何损害承担责任,所有责任方应承担连带责任,数据主体有权在法院对任何一方提起诉讼。
(d) The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
双方同意,如果一方根据(c)项规定应当承担责任,它应有权向另一方/各方追偿与该另一方/各方对损害的责任相应的那部分赔偿。
(e) The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.
数据进口方的处理者或分包处理者地位不影响其应当承担的责任。
MODULE TWO: Transfer controller to processor
模块二:从控制者转移到处理者
MODULE THREE: Transfer processor to processor
模块三:从处理者转移到处理者
(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
各方应对其违反任何该等条款而给另一方造成的任何损失承担责任。
(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
数据进口方应对数据主体承担责任,数据进口方或者其分包处理者因违反该等条款规定的第三方受益人权利而给数据主体造成任何物质或精神损失,数据主体有权获得补偿。
(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
尽管有(b)项的规定,因数据出口方或数据进口方(或其分包处理者)违反该等条款规定的第三方受益人权利而给数据主体造成任何物质或精神损失,数据出口方应向数据主体承担责任,并且数据主体有权获得赔偿。在数据出口方作为处理者代表控制者时,这不影响根据所适用的欧盟2016/679号条例或欧盟2018/1725号条例,数据出口方应当承担的责任,也不影响数据控制者应当承担的责任。
(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.
(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
Clause 13
Supervision
MODULE ONE: Transfer controller to controller
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
(a) [Where the data exporter is established in an EU Member State:] The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679:] The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
MODULE ONE: Transfer controller to controller
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
MODULE FOUR: Transfer processor to controller (where the EU processor combines the personal data received from the third country-controller with personal data collected by the processor in the EU)
(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards[24];
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). [For Module Three: The data exporter shall forward the notification to the controller.]
(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation [for Module Three: , if appropriate in consultation with the controller]. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by [for Module Three: the controller or] the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Clause 15
Obligations of the data importer in case of access by public authorities
MODULE ONE: Transfer controller to controller
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
MODULE FOUR: Transfer processor to controller (where the EU processor combines the personal data received from the third country-controller with personal data collected by the processor in the EU)
15.1 Notification
(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
[For Module Three: The data exporter shall forward the notification to the controller.]
(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). [For Module Three: The data exporter shall forward the information to the controller.]
(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimization
(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. [For Module Three: The data exporter shall make the assessment available to the controller.]
(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority [for Module Three: and the controller] of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
(d) [For Modules One, Two and Three: Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data.] [For Module Four: Personal data collected by the data exporter in the EU that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall immediately be deleted in its entirety, including any copy thereof.] The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
Clause 17
Governing law
MODULE ONE: Transfer controller to controller
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
[OPTION 1: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of _______ (specify Member State).]
[OPTION 2 (for Modules Two and Three): These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of _______ (specify Member State).]
MODULE FOUR: Transfer processor to controller
These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of _______ (specify country).
Clause 18
Choice of forum and jurisdiction
MODULE ONE: Transfer controller to controller
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
(b) The Parties agree that those shall be the courts of _______ (specify Member State).
(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
(d) The Parties agree to submit themselves to the jurisdiction of such courts.
MODULE FOUR: Transfer processor to controller
Any dispute arising from these Clauses shall be resolved by the courts of _______ (specify country).
APPENDIX
EXPLANATORY NOTE:
It must be possible to clearly distinguish the information applicable to each transfer or category of transfers and, in this regard, to determine the respective role(s) of the Parties as data exporter(s) and/or data importer(s). This does not necessarily require completing and signing separate appendices for each transfer/category of transfers and/or contractual relationship, where this transparency can be achieved through one appendix. However, where necessary to ensure sufficient clarity, separate appendices should be used.
ANNEX I
A. LIST OF PARTIES
MODULE ONE: Transfer controller to controller
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
MODULE FOUR: Transfer processor to controller
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
1. Name: …
Address: …
Contact person’s name, position and contact details: …
Activities relevant to the data transferred under these Clauses: …
Signature and date: …
Role (controller/processor): …
2. …
Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
1. Name: …
Address: …
Contact person’s name, position and contact details: …
Activities relevant to the data transferred under these Clauses: …
Signature and date: …
Role (controller/processor): …
2. …
B. DESCRIPTION OF TRANSFER
MODULE ONE: Transfer controller to controller
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
MODULE FOUR: Transfer processor to controller
Categories of data subjects whose personal data is transferred
………………………..
Categories of personal data transferred
………………………..
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
………………………..
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
………………………..
Nature of the processing
Purpose(s) of the data transfer and further processing
………………………..
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
………………………..
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
………………………..
C. COMPETENT SUPERVISORY AUTHORITY
MODULE ONE: Transfer controller to controller
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
Identify the competent supervisory authority/ies in accordance with Clause 13
………………………..
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
MODULE ONE: Transfer controller to controller
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
EXPLANATORY NOTE:
The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
[Examples of possible measures:
Measures of pseudonymisation and encryption of personal data
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
Measures for user identification and authorization
Measures for the protection of data during transmission
Measures for the protection of data during storage
Measures for ensuring physical security of locations at which personal data are processed
Measures for ensuring events logging
Measures for ensuring system configuration, including default configuration
Measures for internal IT and IT security governance and management
Measures for certification/assurance of processes and products
Measures for ensuring data minimisation
Measures for ensuring data quality
Measures for ensuring limited data retention
Measures for ensuring accountability
Measures for allowing data portability and ensuring erasure]
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter
ANNEX III – LIST OF SUB-PROCESSORS
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
EXPLANATORY NOTE:
This Annex must be completed for Modules Two and Three, in case of the specific authorisation of sub-processors (Clause 9(a), Option 1).
The controller has authorised the use of the following sub-processors:
1. Name: …
Address: …
Contact person’s name, position and contact details: …
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): …
2. …

[1] OJ L 119, 4.5.2016, p. 1.
[2] Article 44 of Regulation (EU) 2016/679.
[3] See also judgment of the Court of Justice of 16 July 2020 in Case C-311/18, Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (‘Schrems II’), ECLI:EU:C:2020:559, paragraph 93.
[4] Recital 109 of Regulation (EU) 2016/679.
[5] Commission Decision 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC (OJ L 181, 4.7.2001, p. 19).
[6] Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (OJ L 39, 12.2.2010, p. 5).
[7] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).
[8] Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39); see recital 5.
[9] C(2021)3701.
[10] Schrems II, paragraphs 96 and 103. See also Regulation (EU) 2016/679, recitals 108 and 114.
[11] Schrems II.
[12] EDPB EDPS Joint Opinion 2/2021 on the European Commission’s Implementing Decision on standard contractual clauses for the transfer of personal data to third countries for the matters referred to in Article 46(2)(c) of Regulation (EU) 2016/679.
[13]WherethedataexporterisaprocessorsubjecttoRegulation(EU)2016/679actingonbehalfofaUnioninstitutionor body as controller, reliance on these Clauses when engaging anotherprocessor(sub-processing)notsubjecttoRegulation(EU)2016/679alsoensurescompliancewithArticle29(4)ofRegulation(EU)2018/1725oftheEuropeanParliamentandoftheCouncilof23October2018ontheprotectionofnaturalpersonswith regard to the processing of personal data by the Union institutions,bodies, officesandagenciesandonthefreemovementofsuchdata,andrepealingRegulation(EC)No45/2001andDecisionNo1247/2002/EC(OJ L 295 of 21.11.2018, p. 39), to the extent these Clauses and thedataprotectionobligationsassetoutinthecontractorotherlegalactbetweenthecontrollerandtheprocessorpursuanttoArticle29(3)ofRegulation(EU)2018/1725arealigned.Thiswillinparticularbethecasewherethecontrollerand processor rely on the standard contractual clauses included in Decision2021/915.如果数据出口方是受欧盟2016/679号条例约束的处理者,代表作为控制者的欧盟机构或团体行事,在聘用不受欧盟2016/679号条例约束的另一个处理者(分包处理)时,依靠该等条款也能确保遵守欧洲议会和理事会2018年10月23日欧盟2018/1725号条例第29条第(4)项关于欧盟机构、团体、办事处和代理人就处理个人数据方面保护个人和该等数据自由流动(废除欧盟委员会第45/2001号条例和第1247/2002/EC号决定)(OJ L295 of 21. 11.2018,第39页),在该等条款和控制者与处理者之间根据欧盟2018/1725号条例第29条第(3)项规定的合同或其他法律行为中的数据保护义务一致的情况下。如果控制者和处理者依靠第2021/915号决定中的标准合同条款,情况尤为如此。
[14] Thisrequiresrenderingthedataanonymousinsuchawaythattheindividualisnolongeridentifiablebyanyone,in line with recital 26 of Regulation (EU) 2016/679, and that this processisirreversible.这就要求按照欧盟2016/679号条例序言第26条的规定,以不再能被任何人识别的方式对数据进行匿名化处理,并且匿名化过程是不可逆转的。
[15]The Agreement on the European EconomicArea (EEA Agreement) provides for the extensionoftheEuropeanUnion'sinternalmarkettothethreeEEAStatesIceland,LiechtensteinandNorway.TheUniondataprotection legislation, including Regulation (EU) 2016/679, is covered by theEEA Agreement andhasbeen incorporated into Annex XI thereto. Therefore, anydisclosure by the data importer to a thirdpartylocated in the EEA does notqualify as an onward transfer for the purpose of theseClauses.《欧洲经济区协议》(EEA协议)规定,欧洲联盟的内部市场扩展到三个欧洲经济区国家冰岛、列支敦士登和挪威。欧盟的数据保护立法,包括欧盟2016/679号条例,都在《欧洲经济区协议》的范围内,并被纳入其附件十一。因此,数据进口方以该等条款之目的向位于欧洲经济区内的第三方的任何披露都不属于发生再转移。
[16] The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union's internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses.
[17] See Article 28(4) of Regulation (EU) 2016/679 and, where the controller is an EU institution or body, Article 29(4) of Regulation (EU) 2018/1725.
[18] The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union's internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses.
[19] This includes whether the transfer and further processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences.
[20] This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7.
[21] This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7.
[22] That period may be extended by a maximum of two more months, to the extent necessary taking into account the complexity and number of requests. The data importer shall duly and promptly inform the data subject of any such extension.
[23] The data importer may offer independent dispute resolution through an arbitration body only if it is established in a country that has ratified the New York Convention on Enforcement of Arbitration Awards.
[24] As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.