8 COOPERATION WITH SUPERVISORY AUTHORITIES

8.1 The data exporter undertakes to deposit with the supervisory authority a copy of this contract if it so requires or where such deposit is required by current data protection legislation.

8.2 The parties agree that the supervisory authority has the right to carry out a control of the data importer and a possible subcontractor of the same magnitude and subject to the same conditions,

8.3 The data importer shall immediately inform the data exporter of the existence of the legislation applicable to it or of a subcontractor which prevents the performance of a check by the data importer or a subcontractor in accordance with paragraph 2. In this case, the data exporter has the right to take the measures provided for in clause 5(b).

The content and structure of an intra-group agreement (“IGA”) will depend in the first place:

The OIC said there had been “no satisfactory explanation” for the inability of Yahoo's UK subsidiary to protect data and described the company's “inadequacies” as “systemic” issues that “have existed for a long time without being detected or corrected”. The deficiencies “put at risk the personal data of up to 515,121 people,” he said.

The GDPR does not define the concrete form in which the treaty must be concluded; it must only be a legally binding document (in national law). Processors who sell products to thousands of customers often operate with unilaterally imposed conditions, which they make available through their website. Most organizations now have the measure of these rules and are able to conclude contracts with third parties. One of the areas in which they are less coherent concerns intergroup agreements, i.e. contracts between affiliated undertakings, undertakings in the same commercial group.
An intra-group SCC would need certain types of framework document and I do not understand why this document could not be designed in such a way that SCCs cover several jobs/orders, provided that the specific information that needs to be included in the schedules/additions to the SCCs is properly referenced. By transferring to a group the concept of data processing on behalf, the question arises as to whether a parent company can act at the same time as a subcontractor for its subsidiaries. To further develop this aspect, it is useful to look at the definitions of the GDPR.

Where different categories of personal data may be transmitted within the group and those different categories are subject to different rules, it is particularly important to identify the data concerned. Where transfers are made on the basis of controllers to subcontractors or where transfers are made outside the EEA under the standard contractual clauses, the identification of the data is mandatory.

Britain's watchdog also noted that Yahoo's UK division lacked proper monitoring systems to “protect Yahoo employee registration information with access to Yahoo customers' personal data from compromise” and stop the transfer of personal data from the UK to the US before it is reviewed.

8. Data protection impact assessment and prior consultation

The processor shall provide appropriate assistance to the company for all data protection impact assessments and prior consultations with supervisory authorities or other competent data protection authorities that the company deems reasonably necessary in accordance with Articles 35 or 36 of the GDPR or equivalent provisions of another data protection law, in any event only with regard to the processing of the company's personal data by, and taking into account the type of processing and information available to, the processors.