International Data Transfer Agreement / Addendum to the EU Commission Standard Contractual Clauses
Introduction
The UK Information Commissioner's Office (ICO) is the UK regulator for the UK GDPR and data protection for UK companies.
Exporters can use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers.
The IDTA and Addendum replaced standard contractual clauses for international transfers. They take into account the binding judgement of the European Court of Justice, in the case commonly referred to as “Schrems II”.
International Data Transfer Agreement
Context
Transfer of ‘data’ in this context means emails, logs, screenshots etc. that a customer (perhaps based in the EEA) may supply or make available to JEMHC support staff based in the UK. Our Jira support system is hosted in the USA, so information supplied is ‘exported’ from the EEA under this agreement to the USA, where it is accessed (technically, re-exported) by the UK-based JEMHC support staff. Further processing may result in that data being transferred to/from other systems in the US as part of our support function.
Data provided below is applicable to the International Data Transfer Agreement VERSION A1.0, in force 21 March 2022.
Part 1: Tables
Table 1: Parties and signature
Only our details are restated here; customer details do not need to be supplied.
Importer (who receives the Restricted Transfer)
| Full legal name | The Plugin People Ltd |
|---|---|
| Main address | Pure Offices, Cheltenham Office Park, |
| Company Number | 08404380 |
| Key Contact | Andy Brook, CTO, andy@thepluginpeople.com |
Table 2: Transfer Details
| UK country’s law that governs the IDTA | England and Wales |
|---|---|
| Primary place for legal claims to be made by the Parties | England and Wales |
| The status of the Exporter (in relation to the Processing of the Transferred Data) | Exporter is a Controller |
| The status of the Importer (in relation to the Processing of the Transferred Data) | Importer is the Exporter’s Processor or Sub-Processor |
| Whether UK GDPR applies to the Importer | UK GDPR applies to the Importer’s Processing of the Transferred Data |
| Linked Agreement | The Cloud EULA accepted through subscription |
| Term | The term of the subscription |
| Ending the IDTA before the end of the Term | The Parties cannot end the IDTA before the end of the Term unless there is a breach of the IDTA or the Parties agree in writing |
| Ending the IDTA when the Approved IDTA changes | Neither Party |
| Can the Importer make further transfers of the Transferred Data? | The Importer MAY NOT transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data) |
| Specific restrictions when the Importer may transfer on the Transferred Data | There are no specific restrictions |
| Review Dates | We retain support data for 7 years to help us understand problems that customers have had historically. We execute periodic purges of such old data. Customers can ask for supplied data to be removed at the closure of a support case, which will be handled on a case by case basis. |
Table 3: Transferred Data
| Transferred Data (the personal data to be sent to the Importer under this IDTA consists of) | The categories of Transferred Data will update automatically if the information is updated in the Linked Agreement referred to |
|---|---|
| Special Categories of Personal Data and criminal convictions and offences (the Transferred Data includes data relating to) | None of the above |
| Relevant Data Subjects | The categories of Data Subjects will update automatically if the information is updated in the Linked Agreement referred to |
| Purpose | The purposes will update automatically if the information is updated in the Linked Agreement referred to |
Table 4: Security Requirements
| Security of Transmission | Our support system uses secure HTTPS transport; ‘flagged’ support emails are also sent over secure HTTPS transport |
|---|---|
| Security of Storage | Data supplied in support is secured by the Jira platform; ‘flagged’ data is secured by the JEMHC production application, which uses encryption at rest |
| Security of Processing | Full time employees participate in support and have access to ‘flagged’ data. Customer data is processed locally and on remote Jira instance sites. Data can also be reprocessed through external services as part of support; secure HTTPS transport is used at all times for such transfers |
| Organisational security measures | We use 2FA for Jira account security and for access to ‘flagged’ data |
| Technical security minimum requirements | Access is limited to authorized named employees who are subject to a role based permissions policy. Data is encrypted at rest (applies to webhooks and raw emails in/out). Field level encryption is used for sensitive values |
| Updates to the Security Requirements | The Security Requirements will update automatically if the information is updated in the Linked Agreement referred to |
Part 2: Extra Protection Clauses
| Extra Protection Clauses | None |
|---|---|
| (i) Extra technical security protections | 2 factor authentication wherever possible. The deployment works on a least privilege basis with group access policies for different environments (DEV/UAT/PROD). Outbound SMTP mail must use TLS or SSL. Inbound POP/IMAP mail retrieval must use SSL. Mail stored as part of auditing is purged by policy after 30 days. Webhook ‘event’ data is purged by policy after 7 days, to allow for review by the customer and to avoid data loss in cases where the monthly Capacity Plan is consumed or a Plan Upgrade lapses, i.e. the customer has 7 days to purchase more capacity before webhook data will be lost. A ‘dead end’ mailhost is used for consuming mail sent during testing with customer supplied email data, to ensure no data can ‘leak’ to actual recipients. Support closure requires JEMHC support staff to confirm via checkbox that local copies of data from support/flagged mail have been purged. MS Windows is not used for development |
| (ii) Extra organisational protections | Access to the cloud development environment is limited to the cloud team only, as named users |
| (iii) Extra contractual protections | None |
Part 3: Commercial Clauses
| Commercial Clauses | None |
|---|---|
Part 4: Mandatory Clauses
As per International Data Transfer Agreement VERSION A1.0, in force 21 March 2022