Specific obligations for RGPD processors are listed below and must be reflected in the agreement between the processor and the processor (or the transformer and subprocesser). In each scenario, the parties should understand and record the underlying personal data that is transferred in order to know their own responsibilities and the responsibilities of the third party concerned that are expressed in the transfer agreement. According to the RGPD (as in the old European data protection system), the default position is that EU personal data cannot be transferred or accessed outside the EEA unless certain conditions are met. For example, if the European Commission has made a decision on a suitability for a given country; or if appropriate security measures have been put in place, such as mandatory business rules (C.B), standard contractual clauses (CSR) or Privacy Shield certification; or where exceptions apply to certain situations (narrowly interpreted). The delegation agreement should define the conditions on which it is based and, if necessary, include the appropriate adequacy mechanism in the agreement itself, for example with regard to the use of standard clauses. The transmission of personal data to another processor is only permitted if certain conditions apply, as well as for transfers to a data processor outside the EEA. Similarly, the transfer contract must define the legal basis for direct and indirect transfers as well as subsequent transfers. A person responsible for the processing of the data transfer agreement for the subcontractor must look at 1.1.6 “DATA protection legislation”: EU Directive 95/46/EC, which is transposed into the national law of each Member State and amended, replaced or replaced from time to time, including the RGPD and laws transposing or supplementing the RGPD; 11.1 The subcontractor may not transfer or authorize the transfer of data to countries outside the EU and/or the European Economic Area (EEA) without the company`s prior written consent. When personal data processed under this agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the parties ensure that personal data is adequately protected.