
Data Transfer Policy

Introduction

This data transfers policy (“Policy”) explains how MSKnote transfers Personal Data to a Third Country for processing.

This Policy:

(a) forms part of MSKnote’s Data Protection Policy; and

(b) may be amended by MSKnote at any time, consistent with the requirements of applicable laws and regulations.

Any revisions will take effect from the date on which the amended Policy is published.

Definitions

“Data Controller” means the person or entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data;

“Data Processor” means any person or entity (other than an employee of the Data Controller) which processes Personal Data on behalf of the Data Controller;

“Data Subject” is as defined in the Data Protection Policy;

“Personal Data” is as defined in the Data Protection Policy;

“process” or “processing” or “processed” is as defined in the Data Protection Policy; and

“Third Country” means any country outside the European Economic Area (“EEA”) which is not subject to an adequacy decision by the European Commission or whose laws do not provide an adequate level of protection for the rights of Data Subjects in respect of their Personal Data.

Words denoting the singular shall include the plural and vice versa.

Unless otherwise stated, all defined terms have the same meaning as defined in the Data Protection Policy.

Scope

This Policy covers:

(a) the transfer of Personal Data from the EEA to a Third Country; and

(b) the transfer of Personal Data from a Third Country to another Third Country.

Such transfers include, without limitation, transfers to an international organisation which has locations in both a Third Country and the EEA. Where a transfer is made to an international organisation located in a Third Country, the fact that the organisation has locations in both a Third Country and the EEA does not stop the transfer from being a transfer to a Third Country.

This Policy is a global policy which applies to transfers made by MSKnote globally. For the purposes of this Policy, the UK does not qualify as a Third Country because the EU General Data Protection Regulation 2016/679 (“GDPR”) will be directly effective in the UK from 25 May 2018 and will be transposed into UK national laws by virtue of the UK Data Protection Bill on or before the UK’s exit from the EU.

Transfers

When transferring Personal Data to Third Countries, in its capacity as a Data Processor, MSKnote shall ensure that, prior to any such transfer: (a) such transfers are permissible under any contract that is in place between the relevant MSKnote entity and the Data Controller on whose behalf such MSKnote entity is processing the Personal Data; and (b) the recipient of such Personal Data agrees to be bound by data protection obligations that are at least equivalent to those which apply to MSKnote.

When transferring Personal Data to Third Countries, in its capacity as a Data Controller, MSKnote shall ensure that, prior to any such transfer: (a) it has satisfactorily completed the Data Transfers Checklist (a copy of which can be obtained by emailing the DPO at tim.simms@msknote.com) in order to carry out appropriate due diligence to satisfy itself that the recipient of such Personal Data provides sufficient guarantees in respect of the Personal Data.

This includes ensuring that the recipient implements appropriate technical and organisational measures to safeguard the Personal Data against unauthorised or unlawful processing and ensuring that MSKnote, when transferring the Personal Data, has a contract in place with such recipient that includes data protection obligations that meet the minimum requirements of the GDPR; or ensuring that the recipient of Personal Data is Privacy Shield certified.

The general prohibition on transfers of Personal Data to Third Countries can be derogated from in certain specific situations.

A transfer, or set of transfers, may be made where the transfer is:

(a) made with the Data Subject’s informed consent;

(b) necessary for the performance of a contract between the Data Subject and the recipient or for pre-contractual steps taken at the Data Subject’s request;

(c) necessary for the performance of a contract made in the interests of the Data Subject between the controller and another person;

(d) necessary for important reasons of public interest;

(e) necessary for the establishment, exercise or defence of legal claims;

(f) necessary to protect the vital interests of the Data Subject or other persons, where the Data Subject is physically or legally incapable of giving consent; or

(g) made from a register which, by law, is intended to provide information to the public (and which is open to consultation by either the public in general or those able to show a legitimate interest in inspecting the register).

Data Integrity

MSKnote shall only transfer any Personal Data in a manner that is consistent with the purposes for which such Personal Data was collected or otherwise processed. Prior to any such transfer, MSKnote shall take reasonable steps to ensure that the Personal Data being transferred is accurate, complete, relevant and up-to-date.

Notice

MSKnote shall ensure that any transfers of Personal Data are made within the parameters of any privacy or other notices that have been given to the Data Subjects to which the Personal Data relate. Any such notices about the possibility of transfer will have been given at the time the Personal Data was collected, in clear and transparent language. If no such privacy notices were given, then such notices will be given to the relevant Data Subjects prior to transfer, unless a derogation or exemption applies.

Data Minimisation

MSKnote agrees to limit the Personal Data to be transferred to the minimum necessary to fulfil the necessary processing purpose(s). The transfers shall be limited to those who need to know the same in connection with the processing purpose(s).

Document Control

The DPO is the owner of this Policy and is responsible for ensuring that this procedure is reviewed annually, in line with the relevant review requirements.

This Policy was approved as stated in this Section and is issued on a version-controlled basis.

Version: 1.0

Date of Issue: July 10th 2018

Approved by: Tim Simms

Position: Data Protection Officer

MSKnote Data Transfer Policy 2018