This contract is applicable for all data needing to be transferred to a country that does not benefit from an adequacy decision (e.g., the United States, India, or other non-adequate countries)

STANDARD CONTRACTUAL CLAUSES FOR INTERNATIONAL DATA TRANSFERS

PARTIES

Data Exporter:
Company Name: Consultinc Ltd T/A Thrive Training
Contact Information: paulevans@thrivetraining.co.uk
Role: Data Controller

Data Importer: Any International person or company in correspondence with Consultinc Ltd T/A Thrive Training

CLAUSE 1: PURPOSE OF THE AGREEMENT

This agreement governs the transfer of personal data from the Data Exporter (Thrive) to the Data Importer to ensure compliance with the UK General Data Protection Regulation (GDPR). The parties agree to ensure that the personal data transferred is subject to appropriate safeguards in accordance with the provisions of these SCCs.

CLAUSE 2: OBLIGATIONS OF THE DATA EXPORTER (Thrive)

  1. The Data Exporter warrants that the transfer of personal data to the Data Importer complies with UK GDPR.
  2. The Data Exporter shall ensure that data subjects (candidates or employees) have been informed of the transfer, including the purpose of the transfer and the identity of the Data Importer.
  3. The Data Exporter will provide the Data Importer with only the personal data necessary for fulfilling the agreed-upon purpose (e.g., assessment of hospitality professionals).

CLAUSE 3: OBLIGATIONS OF THE DATA IMPORTER (India/Nigeria Entity)

The Data Importer agrees to:

  1. Data Processing Restrictions: Process the personal data only for the specific purpose outlined by the Data Exporter, in accordance with the instructions provided, and not for any other purpose.
  2. Data Security: Implement appropriate technical and organizational measures to ensure the security of personal data against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure.
  3. Sub-Processing: Not subcontract any data processing activities to third parties without the written consent of the Data Exporter. In the case of approved subcontracting, the subcontractor must be bound by the same data protection obligations.
  4. Data Subject Rights: Ensure that data subjects can exercise their rights under GDPR, including access to their personal data, rectification, erasure, or restriction of processing. The Data Importer must respond promptly to any such requests from the Data Exporter.
  5. Transfers to Third Countries: Not transfer the data to another third country without the Data Exporter’s prior consent and without ensuring that the new country provides adequate data protection standards.
  6. Data Breaches: Notify the Data Exporter immediately if there is a breach of personal data, providing details about the breach, including the affected data, impact, and mitigation steps.

CLAUSE 4: SECURITY OF PROCESSING

The Data Importer shall implement the following security measures to protect personal data:

  1. Encryption of personal data during transmission.
  2. Secure storage with access controls limiting who can view or process the data.
  3. Regular audits of data security practices to identify and rectify vulnerabilities.
  4. Immediate action in case of unauthorized access or data breach.

CLAUSE 5: LIABILITY AND INDEMNIFICATION

  1. Liability: The Data Importer shall be liable for any breach of these SCCs that results in harm to the Data Exporter or data subjects. The Data Importer agrees to indemnify the Data Exporter for any costs, claims, or damages resulting from the breach.
  2. Indemnification: In the event of a data breach caused by the Data Importer, the Data Importer agrees to cover all reasonable expenses incurred by the Data Exporter in resolving the breach, including legal fees, penalties, and damages to data subjects.

CLAUSE 6: DATA SUBJECT RIGHTS

  1. Data subjects in the UK have the right to lodge complaints with the UK Information Commissioner’s Office (ICO) if they believe their personal data has been mishandled.
  2. The Data Importer must fully cooperate with the Data Exporter in responding to any data subject requests, including providing access to personal data or correcting or erasing data when requested by the data subject or as required under GDPR.

CLAUSE 7: TERMINATION

  1. Termination of Processing: In the event of termination of this agreement, the Data Importer shall return or securely delete all personal data provided by the Data Exporter. The Data Importer shall provide written confirmation that no copies of the personal data have been retained.
  2. Immediate Termination: The Data Exporter reserves the right to terminate the agreement immediately if the Data Importer fails to comply with these SCCs or applicable data protection laws.

CLAUSE 8: DISPUTE RESOLUTION

  1. In case of a dispute arising from this agreement, the parties shall first attempt to resolve the matter amicably through mediation or negotiation.
  2. If the dispute cannot be resolved, the parties agree to submit to the jurisdiction of the courts of [Insert the jurisdiction where disputes will be resolved, typically the UK].

CLAUSE 9: GOVERNING LAW

This agreement is governed by and shall be interpreted in accordance with the laws of the United Kingdom and must comply with UK GDPR.

SIGNATURES

Data Exporter (Thrive Training Ltd):

Name: Paul Evans
Position: Data Controller
Date: 1 June 2024
Signature: Paul Evans (Electronic signature)

Acceptance of Data from Thrive Training explicitly agrees and infers agreement of this STANDARD CONTRACTUAL CLAUSES FOR INTERNATIONAL DATA TRANSFERS