The DPA of Uruguay, one of the only countries recognized as “adequate” destinations for cross border data transfers from the European Union – has issued updated guidance on the content of cross border data transfer agreements in the wake of SchremsII:

All contracts need to include:

  • purpose of processing
  • applicable data protection law
  • definitions
  • content of the transfer (as accurately and completely as possible)
  • onward transfers (and what are the conditions to enable them)
  • transparency (all the information required in the privacy notice, including processor and sub-processors)
  • the data processing operation (including technical and organizational measures)
  • dispute resolution mechanisms
  • supervisory authority
  • data protection impact assessment
  • access by foreign authorities (measures must be taken so that access is not made to all data, but only to those strictly necessary for compliance with the corresponding court order. The person in charge located in national territory should provide information on request or at the first possible opportunity.)

For controller to controller transfer also add:

  • legal basis for the processing and the transfer
  • joint and several liability
  • engaging processors
  • data breach notification

For controller to processor transfers add:

  • specific retention term
  • data breach notification
  • engagement of sub-processors
  • data subject rights process