Zenegy has completed a Transfer Impact Assessment (TIA) for Twilio, and it is attached for your reference.
Zenegy has completed a Transfer Impact Assessment (TIA) for MCA, and it is attached for your reference.
The data controller is aware, and is obligated to make its employees aware, that the data processor's Services are made available through a cloud-based solution where the data processor makes use of software and IT systems, among other things, including servers provided by third parties. To the extent that the data processor's Services make use of or are based on services provided by sub-processors in third countries, the data controller hereby instructs and authorises the data processor to transfer personal data to the data processor's sub-processors in such third countries for the purpose of the data processor's provision of the Services to which the data controller subscribes from the data processor, in accordance with Appendix E. The use of sub-processors in third countries must be subject to provisions similar to those agreed between the data controller and the data processor, and the data processor is obliged to ensure that the transfer and data processing are carried out in accordance with applicable EU standard clauses for the transfer of personal data (EU standard contractual clauses). In its agreement with sub-processors, the data processor shall include the data controller as a third-party beneficiary in the event of the data processor's bankruptcy, so that the data controller can enter into the data processor's rights and assert them against sub-processors, cf. Clause 7.6. The transfer to third countries is done according to (i) the EU-U.S. Data Privacy Framework, (ii) EU Commission standard regulation for data protection or (iii) Article 47 of the data protection regulation, where transfer is done to one or several members of a corporate group subject to Binding Corporate Rules.
EU Standard Contract Clauses (Module 3)
Overview of companies with approved Binding Corporate Rules (pre-GDPR)
If the data controller does not, in the Clauses or subsequently, provide documented instructions pertaining to the transfer of personal data to a third country, the data processor shall not be entitled within the framework of the Clauses to perform such transfer.
In Twilio's case, Binding Corporate Rules (BCR), pre-approved by the European Commission, are used as the basis for part of their transfers. Twilio also describes this in more detail on its website: https://www.twilio.com/en-us/legal/binding-corporate-rules. We are investigating further to what extent Twilio also uses SCCs (the standard contractual clauses) as a transfer basis, and thus to what extent this is covered by the processing for which we have used Twilio.
For Mandrill, our immediate assessment is based on the fact that the personal data is most often already publicly available and/or shared via social platforms, and that the data is limited to name, mobile number and e-mail, which would not be of great value in an investigation or profiling. Even though the data may formally fall within the scope authorised under FISA 702, the main purpose of the surveillance programmes under FISA 702 is to collect signals intelligence (SIGINT). Collection of publicly available information, by contrast, is collection of open-source intelligence (OSINT). Considering in particular that much of the data is already publicly available, it is the immediate view of the Danish Data Protection Agency (Datatilsynet) that the data will not, in practice, be covered by the surveillance programmes authorised under FISA 702. See, among other things, example 10 in Datatilsynet's cloud guidance (page 27): https://www.datatilsynet.dk/Media/637824109172292652/Vejledning%20om%20cloud.pdf. As mentioned, however, we are investigating further whether there are other factors that should be taken into account.
All Zenegy sub-processors based in the U.S. have certified under the EU-U.S. Data Privacy Framework, so no additional measures for data transfers are required.