...

Personal data must be protected adequately, via technical and organisational measures: for example, passwords, encryption, secure (SSL/TLS) network connections and pseudonymisation of data. Technical norms such as ISO 27001 are not mandatory, but in practice they are the best way to make sure a service provider applies adequate protection. Service providers who can provide a statement from an independent auditor offer even more assurance; the most well-known statements are the ISAE 3402 and the SSAE No. 16. When you exchange data within the iSHARE Trust Framework and adhere to the iSHARE technical specifications, you comply with the GDPR with respect to the technical security measures required for the exchange of personal data.

Although the majority of data shared via the iSHARE Trust Framework may not be personal data, personal data could be involved, for example data relating to employees or clients of participating parties. If personal data is shared via the iSHARE Trust Framework, the participating parties need a legal basis to do so. A legal basis can be, for example, the consent of the data subjects, or an agreement to which the data subject is a party.

When data is exchanged between two data controllers, both need a legal basis for this. A data exchange agreement then also needs to be concluded. When a data processor processes personal data on behalf of the controller, they are obliged to enter into a data processing agreement. The GDPR explains what such an agreement should contain.

Within the iSHARE Trust Framework, the participating parties remain in control of the types and amount of data they wish to share, and in this respect they should also be able to conclude data processing or data sharing agreements easily. To support participants in their GDPR compliance efforts towards each other, two contract templates can be used: depending on the role of the respective parties, they can use either the Data Processing Agreement or the Data Exchange Agreement as the basis for their contractual arrangements. Before using either of these contract templates, it should first and foremost be assessed whether the personal data can actually be lawfully processed or exchanged.

...