For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection The processor in any event (the data exporter)The sub-processor in any event (the data importer)Has agreed on the following contractual clauses (the clauses) in order to provide adequate safeguards in this respect which concerns the protection of privacy and the rights and freedoms of natural persons for the transfer of personal data listed in Annex A by the data exporter to the data importer. Several states have passed omnibus privacy laws inspired by the California Consumer Privacy Act, as amended by the California Privacy Rights Act. Companies doing business in or with the U.S. will have to deal with this patchwork of laws until possible harmonization occurs through an omnibus federal data protection law. On the customer and supplier side, companies need to rethink their position on the “sale of personal data”. They cannot avail themselves of exceptions to the processing agreements unless they agree to certain conditions relating to the sale and disclosure of cross-border advertising and personal data. All data flows, from controllers to subcontractors, are subject to slightly different terms under the Virginia Consumer Data Protection Act and the Colorado Privacy Act. Seemingly simple clauses such as “Provider agrees to comply with California privacy laws” are ineffective and inadequate because customers require legally required obligations regarding the use and disclosure of customer data. Processing operations The personal data transferred are subject to the following basic processing activities (please specify) 3.9 Where European data protection laws apply, no personal data may be transferred outside the European Economic Area, except to a third country which, in the opinion of the European Commission, has an adequate level of protection, or in circumstances where the controller, processor or processor has put in place adequate safeguards with regard to the transfer and the data subject has enforceable rights and effective remedies. At the request of a member of the Cubiks Group based in the European Economic Area, each member of the Cubiks Group based outside the European Economic Area agrees to the following: If a transfer agreement is concluded separately from the main service contract, the interaction with the main agreement must be carefully considered.

If provisions that would normally be included in a separate delegation agreement are indeed included in the main agreement, the broader provisions of the main agreement must also be taken into account. 9 APPLICABLE LAW The clauses are governed by the law of the Member State in which the data exporter is established.10 MODIFICATION OF THE CONTRACT The parties undertake not to modify or amend the clauses. This does not prevent the parties from adding clauses on matters related to the cases if necessary, provided that they do not contradict the clauses. 8 COOPERATION WITH SUPERVISORY AUTHORITIES 8.1 The data exporter undertakes to deposit a copy of this contract with the supervisory authority if the supervisory authority so requests or if such deposit is required by applicable data protection law.8.2 The parties agree that the supervisory authority has the right to carry out an audit of the data importer and any sub-processor. which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.8.3 The data importer must immediately inform the data exporter of the existence of the legislation applicable to it or of a sub-processor preventing an audit of the data importer from being carried out, or sub-processors in accordance with paragraph 2. In such a case, the data exporter is entitled to take the measures provided for in clause 5(b). Data transfer agreements (whether controller-to-processor, subcontractor-to-processor, or any other combination of parties) are not new, but with the advent of the GDPR, they are upgraded and require a much higher level of control and detail. The transfer agreement must reflect the relevant binding requirements of the GDPR. Before you start reviewing or drafting the contract, you need to establish the data processing relationship between the parties. B for example if the data are a joint controller for the controller, the controller for the processor or the processor for the sub-processor or a combination of the above data.

Under the GDPR (as under the old European data protection regime), the default position is that EU personal data cannot be transferred or accessed outside the EEA unless certain conditions are met. .