STANDARD CONTRACTUAL CLAUSES

Module 2: Controller to Processor

(Commission Implementing Decision (EU) 2021/914 of 4 June 2021)

Effective Date: As of the Agreement execution date

SECTION I

Clause 1 – Purpose and scope

These Clauses ensure compliance with GDPR requirements for transfers of personal data to third countries.

Clause 2 – Effect and invariability of the Clauses

These Clauses set out appropriate safeguards pursuant to Articles 46(1) and 46(2)(c) of Regulation (EU) 2016/679.

Clause 3 – Third-party beneficiaries

Data subjects may invoke and enforce these Clauses as third-party beneficiaries against the data exporter and/or data importer, with exceptions listed in the standard clauses.

Clause 4 – Interpretation

Terms defined in Regulation (EU) 2016/679 have the same meaning in these Clauses.

Clause 5 – Hierarchy

In case of contradiction with other agreements, these Clauses prevail.

Clause 6 – Description of transfers

Details of transfers are specified in Annex I.B.

Clause 7 – Docking clause

Non-parties may accede to these Clauses with agreement of the Parties.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8 – Data protection safeguards

8.1 Instructions – Processor processes only on documented instructions from Controller.

8.2 Purpose limitation – Processing only for specified purposes in Annex I.B.

8.3 Transparency – Controller makes Clauses available to data subjects on request.

8.4 Accuracy – Processor informs Controller of inaccurate data.

8.5 Duration and erasure – Processing occurs only during service term; deletion or return upon termination.

8.6 Security – Appropriate technical and organizational measures per Annex II.

8.7 Sensitive data – Additional safeguards if applicable per Annex I.B.

8.8 Onward transfers – Only with appropriate safeguards.

8.9 Documentation and compliance – Maintain records and allow audits.

Clause 9 – Use of sub-processors

General authorization with 30-day notice for changes. Sub-processors bound by equivalent obligations.

Clause 10 – Data subject rights

Processor assists Controller with data subject requests.

Clause 11 – Redress

Contact point for complaints; cooperation in dispute resolution.

Clause 12 – Liability

Parties liable for damages caused by breach; joint and several liability where applicable.

Clause 13 – Supervision

Competent supervisory authority per Annex I.C.

SECTION III – LOCAL LAWS AND PUBLIC AUTHORITY ACCESS

Clause 14 – Local laws affecting compliance

Parties warrant no reason to believe local laws prevent compliance.

Clause 15 – Obligations in case of government access

15.1 Notification – Notify Controller of government requests where legally permitted.

15.2 Review of legality – Challenge unlawful requests.

15.3 Minimum information – Provide minimum necessary information.

SECTION IV – FINAL PROVISIONS

Clause 16 – Non-compliance with the Clauses

Rights to suspend or terminate for breach.

Clause 17 – Governing Law

Option 1: Law of an EU Member State where data exporter is established.

Clause 18 – Choice of forum and jurisdiction

Courts of the Member State per Clause 17.

ANNEX I

A. LIST OF PARTIES

Data exporter:

Name: [As per Order Form or Agreement]

Address: [As per Order Form or Agreement]

Contact: [As provided by Customer]

Role: Controller

Data importer:

Name: Wellness Research Institute LLC, D/B/A Shortlister

Address: 310 Busse Hwy, #386, Park Ridge, IL 60068

Contact: privacy@myshortlister.com

Role: Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects:

– Customer employees and users

– Customer clients

– Vendors

– Other platform users

Categories of personal data:

– Contact information

– Professional information

– Account data

Purpose: Provision of Shortlister platform services

Duration: Term of the Agreement

C. COMPETENT SUPERVISORY AUTHORITY

The supervisory authority where the data exporter is established or represented.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES

Data importer implements appropriate measures including:

– Access controls

– Encryption for data in transit and at rest

– Regular security updates

– Incident response procedures

– Personnel training

– Backup and recovery

Specific measures are detailed at www.myshortlister.com/security and in the Data Processing Agreement.

ANNEX III

LIST OF SUB-PROCESSORS

Current sub-processors listed at: www.myshortlister.com/subprocessors

30-day notice for changes.

By execution of the Agreement incorporating these Clauses, the parties agree to be bound by them.