GDPR and Processing data outside of the EEA

Background

The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third-party countries or international organisations, to ensure that the level of protection of individuals afforded by the GDPR is not undermined.

Allowed international transfers of data under GDPR

Under the GDPR, there are two main ways to transfer personal data to a non-EEA country or international organisation:
on the basis of an adequacy decision, or,
on the basis of appropriate safeguards (including enforceable rights and legal remedies for individuals)

RORA’s responsibilities as a Data Processor

As a data processor RORA must:
Follow the controller’s instructions
Keep records of processing operations
Ensure the security of processing
Respect and uphold the binding controller-processor contract
Obtain the authorisation of the controller before engaging a new sub-processor (and give the controller a possibility to object). If applicable, a processor-sub-processor contract must be put in place and equate to the initial controller-processor contract
Notify personal data breaches to the data controller
Notify GDPR breaches to the controller
Be accountable for the processing operations: e.g. practising data protection by design & default
Appoint a data protection officer when necessary
Ensure that international transfers are authorised by the controller and comply with the GDPR
Cooperate with data protection authorities

RORA’s processing of personal data outside of the EEA

RORA’s team is split across the UK and India.
For the team in the UK
The European Commission has granted the UK an adequacy decision, so for the purposes of GDPR, processing in the UK is equivalent in its level of protection to the processing of data within the EU.
For the team in India
There is no adequacy decision in place for India and so RORA has ensured there are adequate data protection safeguards in place to allow for the processing of personal data by the team there.

RORA’s data processing safeguards for processing data in India

GDPR lists a series of transfer tools containing “appropriate safeguards” that may be used in the absence of adequacy decisions.
RORA utilises:
Standard data protection clauses;
Data protection policies - including codes of conduct;
Ad hoc contractual clauses (where specifically requested)

Standard data protection clauses

RORA has standard data protection clauses within:
its with its partners (clients); and
its with its employees and contractors.
These standard terms can be viewed on the RORA website (http://www.joinrora.com)

RORA has detailed data protection policies, which the team must adhere to, detailed in its .
These policies give a clear code of conduct for its team while processing data (including those outside of the EEA). They set out the principles that data must be:
processed lawfully, fairly and in a transparent manner;
collected only for specified, explicit and legitimate purposes;
adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
accurate, and where necessary, kept up to date;
not kept in a form which permits identification of data subjects for longer than is necessary;
secure, using appropriate technical and organisational measures to protect against unauthorised or unlawful processing, and against accidental loss, destruction or damage.

Ad hoc contractual clauses

Where required by a Data Controller, RORA may enter into ad hoc contractual clauses for additional data security measures, to ensure adequacy of protection under the Controller’s data processing policies.
