suggestion to use more intra-document references
The documents look good. Great work!
Currently there is a lot of adjustment necessary, e.g. as the parties are called by their roles throughout the Ts&Cs part. Just referencing them as party 1/2 (as in oneNDA v2) might make this considerably easier; also, all the annexes could just reference the info provided in the DPA.
Also, even though I prefer not to ask for approval of additional subprocessors (especially in our daily business), it might make sense to add the option that additional subprocessors need to be approved.
Also, I don't think we need to add the full text of the EU SCC to the respective modules.
I added the files including my comments/suggestions.
Btw, why is there no module 4 annex?
Thank you so much for taking the time to provide your input, Michael - we'll take your feedback on board.
Good question on why Module 4 isn't there. Our rationale is that because this is so situation-specific and not a standard type of transfer, it's likely the parties would have to negotiate the terms of their DPA to fit the particular risk level and type of processing happening and so oneDPA wouldn't be entirely appropriate. Keen to hear your thoughts though, do you agree?
Re not adding the full text of the SCCs, how do you suggest we incorporate them? By reference? If so, would that not be problematic in certain jurisdictions? Also, the ICO has not provided guidance on this point so wouldn't the safest approach not be to include it in its entirety?
Electra Japonas: I'd definitely agree that Module 4 is the least relevant. But I'm not sure if the situation is so special that in any case there will be individual agreements. Also, here the EU entity would be the processor only acting on behalf of the non-EU entity. I would consider the risk level for the EU entity lower under Module 4 than under the other modules.
Regarding EU SCC: I would only include a reference to the commission decision. This is basically like a reference to a specific law - which you also would not cite. At least in Germany (which usually treats business like babies/consumers) this would work... and that is usually a good sign that it works in other jurisdictions, too ;) We are using this approach in our daily practice and did not get any pushback yet.
Or with regard to which jurisdiction would you have concerns?