Qdrant Solutions GmbH

Qdrant Cloud Data Processing Agreement

THIS CLOUD DATA PROCESSING AGREEMENT (“CDPA”) IS ENTERED INTO BETWEEN QDRANT SOLUTIONS GMBH, CHAUSSEESTR. 86, 10115 BERLIN, GERMANY (“QDRANT”) AS A PROCESSOR AND THE CUSTOMER MENTIONED AS SUCH IN THE ORDER (“CUSTOMER”) AS THE CONTROLLER CONCERNING THE PROCESSING OF PERSONAL DATA IN THE CONTEXT OF THE PERFORMANCE OF THE AGREEMENT CONCLUDED BETWEEN QDRANT AND THE CUSTOMER PURSUANT TO THE QDRANT CLOUD TERMS AND CONDITIONS (“CLOUD SERVICE AGREEMENT”).

QDRANT AND THE CUSTOMER MAY EACH HEREINAFTER BE REFERRED TO INDIVIDUALLY AS A “PARTY” OR COLLECTIVELY AS THE “PARTIES”.

THIS CDPA FORMS AN INTEGRAL PART OF THE CLOUD SERVICE AGREEMENT BETWEEN THE PARTIES. THE TERMS AND CONDITIONS OF THIS CDPA ARE LEGALLY BINDING FOR THE PARTIES UPON CONCLUSION OF THE CLOUD SERVICE AGREEMENT.

THE TERMS AND CONDITIONS OF THIS CDPA SHALL APPLY MUTATIS MUTANDIS IF THE CUSTOMER PROCESSES PERSONAL DATA FOR CLIENTS OF THE CUSTOMER AS A PROCESSOR AND USES QDRANT AS A SUB-PROCESSOR.

IN THE EVENT OF ANY CONFLICT BETWEEN THE PROVISIONS OF THIS CDPA AND THE CLOUD SERVICE AGREEMENT, THIS CDPA SHALL PREVAIL.

§ 1 General Responsibilities of the Parties

(1) Controller and Processor

The provision of the services agreed in the Cloud Service Agreement (the “Services”) by Qdrant requires the processing of data provided or made available to Qdrant by the Customer in the course of the cooperation. If and to the extent that such data consists of or contains personal data within the meaning of the applicable data protection laws (“Data Protection Laws”), in particular the EU General Data Protection Regulation (“GDPR”), the provisions of this CDPA shall apply to their processing by Qdrant. The Parties acknowledge and agree that the Customer is the sole controller in relation to such personal data as between the Parties and that Qdrant does not acquire any rights of its own in such personal data but may and will process them solely in its capacity as a processor for the Customer.

(2) Responsibility of the Customer

Within the scope of the cooperation, the Customer will transmit, make available or otherwise make accessible to the Customer personal data. The Customer agrees and understands that Qdrant will not monitor Customer personal data or Customer’s use of any such personal data, unless the Customer submits an explicit written request to Qdrant to access its personal data. In any other case, only the Customer knows which data comprise the personal data. As between the Parties, it is, therefore, the sole responsibility and liability of the Customer to ensure that personal data is collected and transmitted, provided, or otherwise made accessible to Qdrant in compliance with applicable Data Protection Laws and, in particular, (a) to always observe the principles relating to processing of personal data including, without limitation, the principles of purpose limitation and data minimization; (b) to have a legal basis for its processing; and (c) to properly inform data subjects of the collection and processing of their personal data, including their transfer to Qdrant.

(3) Responsibility of Qdrant

As a processor, Qdrant will process personal data of the Customer on behalf of the Customer exclusively in accordance with the provisions of this CDPA and the documented instructions of the Customer. If Qdrant is required by the law of the EU or an EU Member State to which Qdrant is subject to process personal data for other purposes, Qdrant shall inform the Customer before such processing takes place, unless the law requiring such processing prohibits Qdrant from informing the Customer because of an important public interest. Qdrant shall ensure and regularly check that in its area of responsibility the processing of the Customer’s personal data is carried out in accordance with the provisions of this CDPA, with the applicable Data Protection Laws and in particular with the GDPR.

§ 2 Processing Details

(1) Specification of Processing Details

The details of the processing are specified in the following paragraphs. However, to the extent necessary for a particular Service, the Parties shall further specify the details of the processing in the Cloud Service Agreement or in a supplemental agreement to such Cloud Service Agreement. In consideration of the Customer’s responsibilities as a controller, also the responsibility to request such further specification remains with the Customer. The foregoing shall apply without restriction if the processing under this CDPA involves special categories of personal data.

(2) Nature, Purpose, and Object of the Processing

Qdrant processes the personal data of the Customer for the provision of the Services as further described in the Cloud Service Agreement.

(3) Duration of Processing

Qdrant will generally process the personal data of the Customer for the duration of the Services according to the Cloud Service Agreement, unless otherwise agreed in writing.

(4) Categories of Data Subjects

The Customer may transfer, provide, or make available to Qdrant personal data, the scope of which is determined and controlled by the Customer, and such personal data may relate to the following categories of data subjects:

(5) Types of Personal Data

Personal data of the Customer may include the following types of personal data:

§ 3 Place of Processing; Transfer to Third Countries

(1) Place of Processing

Personal data of the Customer will be processed by Qdrant only on its own or its authorized sub-contractors’ premises. The processing activities will therefore be carried out, subject to paragraph 2, (a) in the member states of the European Union, (b) in another state party to the Agreement on the European Economic Area or (c) in a third country for which an adequacy decision of the European Commission within the meaning of Art. 45 of the GDPR is available. In the cases of lit. (c), Qdrant will obtain appropriate instructions from the Customer before the transfer to such third country.

(2) Cross-Border Data Transfer

Cross-border data transfers shall otherwise only be permitted on a corresponding instruction of the Customer and only if the requirements of Data Protection Laws are fulfilled. Without prejudice to the foregoing, and in addition to any further obligations under applicable Data Protection Laws, Qdrant shall observe the following paragraphs.

(a) Where the Processing is subject to the GDPR, any transfer of personal data to a third country outside the EU/EEA shall (i) be permissible only upon Customer’s instruction; and (ii) be carried out in accordance with an adequacy decision of the European Commission or, in the absence of such an adequacy decision, in accordance with another transfer mechanism pursuant to Art. 46 et seqq. of the GDPR. Where Customer itself is located outside the EU/EEA, Qdrant relies on the EU standard contractual clauses pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries (“SCC”) for the transfer of personal data to third countries, whereby Module Four (Processor to Controller) terms shall apply, and the SCC will be deemed completed as follows:

(b) Where the Processing is subject to the UK Data Protection Act 2018 and the GDPR as implemented by such Act (“UK GDPR”), any transfer of personal data to a third country other than the UK shall (i) be permissible only upon Customer’s instruction; and (ii) be carried out in accordance with an adequacy decision of the competent authorities under the UK GDPR or, in the absence of such an adequacy decision, in accordance with another transfer mechanism pursuant to Art. 46 et seqq. of the GDPR (as implemented by the UK GDPR). Where Qdrant relies on the SCC for the transfer of personal data to third countries, Module Four (Processor to Controller) terms shall apply as amended by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”), and the SCC and the UK Addendum will be deemed completed as follows:

(c) Where the Processing is subject to the Swiss Federal Act on Data Protection (Bundesgesetz über den Datenschutz; “FDPA”), any transfer of personal data to a third country other than Switzerland shall (i) be permissible only upon Customer’s instruction; and (ii) be carried out in accordance with an adequacy decision of the competent authorities under the FDPA or, in the absence of such an adequacy decision, in accordance with another transfer mechanism pursuant to Art. 16 et seqq. of the FDPA. Where Qdrant relies on the SCC for the transfer of personal data to third countries, Module Four (Processor to Controller) terms shall apply as amended by the Recognition dated 27 August 2021 (“Swiss Addendum”), and the SCC and the Swiss Addendum will be deemed completed as follows:

§ 4 The Customer’s Instructions

(1) General Instructions

The Parties agree and the Customer understands that the provisions of this CDPA shall include the general instructions of the Customer valid at the time of the entry into force of this CDPA regarding the processing of personal data of the Customer in the context of the provision of the Services.

(2) Special Instructions

In accordance with Data Protection Laws, the Customer may at any time issue individual instructions regarding the processing of the Customer’s personal data. Unless such individual instructions are required to comply with applicable Data Protection Laws, individual instructions which deviate from the provisions of this CDPA, or which impose additional requirements on Qdrant, require Qdrant’s prior consent and shall be made in accordance with the change procedure agreed in the Cloud Service Agreement (if any).

(3) Compliance with Data Protection Laws

In the relationship between the Parties, the Customer shall ensure that any instruction regarding the processing of personal data of the Customer complies with Data Protection Laws and that the processing of personal data of the Customer in accordance with its instructions does not lead to Qdrant violating Data Protection Laws and in particular the GDPR. If Qdrant is of the opinion that a particular instruction violates applicable Data Protection Laws, it shall inform the Customer thereof without undue delay. Furthermore, Qdrant is entitled to suspend the execution of the instruction until the Customer confirms the instruction.

(4) Text Form

Instructions from the Customer are always given in text form by the authorized persons of the Customer. Verbal instructions are to be confirmed by the Customer in writing or in text form. The Customer shall document all individual instructions issued within the scope of the cooperation and present them to Qdrant upon request. The Customer will use the following communication channels for issuing instructions, the accessibility of which shall be ensured by Qdrant at all times during the term of this CDPA: privacy@qdrant.com. Qdrant shall inform the Customer in writing of any change in the aforementioned communication channels.

§ 5 Qdrant’s Representations

(1) Employees

Employees of Qdrant: (a) who have access to personal data of the Customer have committed themselves to confidentiality or are subject to a corresponding legal duty of confidentiality; (b) will only process personal data of the Customer in accordance with the instructions of the Customer, unless otherwise required to do so in accordance with applicable Data Protection Laws; and (c) will be trained from time to time with regard to Qdrant’s obligations under this CDPA, under Data Protection Laws and in particular under the GDPR.

(2) Copies; Backups

Qdrant may not make copies or duplicates of the Customer’s personal data without the Customer’s prior written consent. However, copies are exempt from this insofar as they are necessary to ensure proper data processing and the proper provision of the Services (including data backups), as well as copies that are necessary to comply with legal retention obligations.

(3) Data Protection Officer

Qdrant shall appoint a data protection officer if and to the extent the legal requirements for appointment are met. The contact details of such data protection officer will be provided to the Customer upon request.

§ 6 Technical and Organizational Measures

(1) Implementation and Maintenance

Qdrant shall implement the technical and organizational measures listed in Annex 2 before the start of processing and maintain them during the term of this CDPA. These are data security measures to ensure a risk-adequate level of protection with regard to the confidentiality, integrity, availability, and resilience of the systems. The state of the art, the implementation costs and the nature, scope, and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 (1) of the GDPR shall be taken into account.

(2) Alternative Measures

As the technical and organizational measures are subject to technical progress and technological development, Qdrant is permitted to take alternative and appropriate measures to keep the technical and organizational measures up to date, provided that the security level of the measures specified in Annex 2 is not impaired. Qdrant shall document such changes and provide the Customer with a copy of the current list of technical and organizational measures upon request. Significant changes to the measures require the prior written consent of the Customer.

§ 7 Subcontracting

(1) General Authorization; Pre-Approved Sub-Processors

The Customer grants Qdrant a general authorization to appoint sub-processors, subject to the provisions of this § 7. The sub-processors that Qdrant has appointed at the effective date of this CDPA are listed in Annex 3. The Customer explicitly grants permission to the involvement of the sub-processors listed in Annex 3 in the provision of the Services.

(2) Qdrant’s Liability

Qdrant shall impose privacy, confidentiality and data security obligations on any sub-processor that are at least as stringent as those set forth in the present CDPA. Where a sub-processor fails to fulfil its data protection obligations with respect to the processing of personal data, Qdrant shall remain fully liable to the Customer for the performance of that sub-processor’s obligations.

(3) Appointment of Sub-Processors

Qdrant shall give the Customer prior written notice of the appointment of any new sub-processor. If, within thirty (30) days of receipt of that notice, the Customer notifies Qdrant in writing of any reasonable objection to the proposed appointment, the Parties shall negotiate in good faith a mutually acceptable alternative. If no such alternative is agreed within two (2) months of the objection, the Customer will have the right to terminate the Cloud Service Agreement to the extent it relates to Services which require use of the proposed sub-processor.

(4) No Subcontracted Processing

The Parties agree that auxiliary service providers of the Customer are not sub-processors within the meaning of the Data Protection Laws; this includes, in particular, transport services of postal or courier services, money transport services, telecommunication services, security services and cleaning services. However, the Customer will enter into customary confidentiality agreements with such service providers.

§ 8 Support for the Customer

(1) Investigations by a Supervisory Authority

Upon the Customer’s written request, Qdrant shall assist the Customer in the event of an investigation by or inquiry from a regulatory or similar authority if and to the extent such investigation or inquiry relates to the Services. Qdrant will take all necessary steps requested by the Customer to assist the Customer in fulfilling its obligations in connection with any such investigation or inquiry. If an investigation or inquiry by a regulatory authority, including a supervisory or similar authority, involves Qdrant itself, Qdrant shall promptly notify the Customer thereof, to the extent permitted, and cooperate with such investigation or inquiry.

(2) Data Breaches

Qdrant shall inform the Customer without undue delay if it detects a breach of the security measures agreed under this CDPA (“Security Incident”), in particular if such Security Incident has led or could lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data of the Customer that Qdrant processes on behalf of the Customer under this CDPA. If, as a result of a Security Incident, the Customer has a legal obligation to provide information due to a risk to the rights and freedoms of natural persons (in particular, but not limited to, the information obligations under Articles 33, 34 of the GDPR), Qdrant will reasonably assist the Customer in fulfilling these information obligations upon request. Inasmuch as Qdrant is not at fault for the Security Incident, support shall be provided against a remuneration to be calculated in accordance with the Cloud Service Agreement.

(3) Data Protection Impact Assessment

Qdrant shall reasonably cooperate and assist the Customer, taking into account the nature of the processing and the information available to Qdrant, in any data protection impact assessments required with respect to the data processing for the Services under Art. 35 of the GDPR and in any regulatory consultations that the Customer considers itself obliged to undertake with respect to such data protection impact assessment under Art. 36 of the GDPR. Such assistance shall be made subject to a remuneration to be calculated in accordance with the Cloud Service Agreement.

(4) Data Subject Requests

Qdrant shall notify the Customer of any complaint, communication or request received directly from a data subject concerning his or her personal data, without responding to such request, unless otherwise authorized by the Customer. Qdrant shall reasonably assist the Customer with any complaints, communications or requests it receives from a data subject, subject to a remuneration to be calculated in accordance with the Cloud Service Agreement.

§ 9 Return or Deletion of Personal Data

(1) Return or Deletion

Upon the Customer’s written request during the term of the Cloud Service Agreement or upon termination or expiration of the Cloud Service Agreement, Qdrant shall either return or destroy the Customer’s personal data as instructed by the Customer. If Data Protection Laws to which Qdrant is subject prevent Qdrant from returning or destroying all or part of the Customer’s personal data, Qdrant warrants that it will ensure the confidentiality of such personal data of the Customer and will no longer actively process such personal data, and that it will ensure the return or destruction of such personal data upon the Customer’s request when the legal obligation to return or destroy the personal data is no longer in effect.

(2) Deletion Reports

Qdrant shall prepare a report on the deletion or destruction of the Customer’s personal data, which shall be submitted to the Customer upon request.

§ 10 Audit Rights of the Customer

(1) On-site Inspections

The Customer is entitled to enter Qdrant’s and its authorized sub-processors' business premises, in which personal data of the Customer are processed on behalf of the Customer, during normal business hours at its own expense, without unreasonable disruption of operations and while maintaining the business secrets of Qdrant and its authorized sub-processors, in order to verify compliance with this CDPA, applicable Data Protection Laws and in particular the GDPR. The Customer will inform Qdrant in due time (generally at least two weeks in advance) about all circumstances related to the performance of an audit.

(2) Number of Audits

As a rule, the Customer may conduct one audit per calendar year. This does not affect the right of the Customer to conduct further audits in case of special incidents.

(3) Involvement of External Auditors

If the Customer commissions a third party to carry out the audit, the Customer must obligate the third party in writing in the same way as the Customer is obligated to Qdrant on the basis of this CDPA. In addition, the Customer must oblige the third party to secrecy and confidentiality, unless the third party is subject to a professional obligation of secrecy. At Qdrant’s request, the Customer shall provide Qdrant without delay with the confidentiality agreements concluded with the third party. The Customer must not appoint a competitor of Qdrant to carry out the inspection.

(4) Audit Reports

Without prejudice to the Customer’s right to carry out on-site inspections, Qdrant may demonstrate compliance with this CDPA by complying with an approved code of conduct pursuant to Art. 40 of the GDPR, certification according to a recognized certification mechanism pursuant to Art. 42 of the GDPR and by submitting suitable, up-to-date certificates, reports or report extracts from independent bodies (e.g. certified accountant, auditor, data protection officer, IT security department, data protection auditors or quality auditors) or by a suitable certificate after an IT security or data protection audit - e.g. according to DIN ISO 27001 - (“Audit Report”), if and to the extent that the Customer can convince itself in a suitable manner of Qdrant’s compliance with this CDPA by means of the Audit Report.

(5) Remuneration

If and inasmuch as Qdrant did not force an audit by fault, support during such audit shall be provided only against a remuneration to be calculated in accordance with the Cloud Service Agreement.

§ 11 Miscellaneous

(1) Governing Law; Place of Jurisdiction

This CDPA shall be governed by the same law as the Cloud Service Agreement, unless the Cloud Service Agreement is governed by the law of a third country outside the EU/EEA, in which case the law of the Federal Republic of Germany shall apply to this CDPA. Any disputes arising out of or in connection with this CDPA shall be subject to the exclusive jurisdiction of the court agreed between the Parties in the Cloud Service Agreement, unless the Parties have agreed in the Cloud Service Agreement that a court in a third country outside the EU/EEA shall have jurisdiction, in which case the competent courts in Berlin, Germany shall have exclusive jurisdiction over any disputes arising out of or in connection with this CDPA.

(2) Written Form Requirement

Amendments and supplements to this CDPA must be made in writing. This shall also apply to the written form requirement. If they do not comply with this form, they shall be invalid.

(3) Severability Clause

Should any provision of this CDPA be or become invalid, this shall not affect the validity of the remaining provisions. In such a case, the Parties shall be obliged to cooperate in the creation of regulations by means of which a result is achieved which comes as close as possible in legal terms to the invalid provision.

Annex 1

Standard Contractual Clauses

APPENDIX

EXPLANATORY NOTE:

It must be possible to clearly distinguish the information applicable to each transfer or category of transfers and, in this regard, to determine the respective role(s) of the Parties as data exporter(s) and/or data importer(s). This does not necessarily require completing and signing separate appendices for each transfer/category of transfers and/or contractual relationship, where this transparency can be achieved through one appendix. However, where necessary to ensure sufficient clarity, separate appendices should be used.

ANNEX I

A. LIST OF PARTIES

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

As set forth in the CDPA

Categories of personal data transferred

As set forth in the CDPA

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

As set forth in the CDPA

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Data may be transferred continuously throughout the term of the CDPA

Nature of the processing

As set forth in the CDPA

Purpose(s) of the data transfer and further processing

As set forth in the CDPA

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

For the duration of the Cloud Service Agreement

For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing

n.a.

Annex 2

Technical and Organizational Measures

Specify the Technical & Organizational Measures (TOMs) ensuring protection of Personal Data and, if applicable, adherence by the Provider to an approved code of conduct or to an approved certification mechanism

1. Technical & Organizational Security Measures

1.1 Confidentiality

Physical access control: Measures to prevent unauthorized access to data processing facilities

x magnetic or chip cards
x keys
x electronic door openers
x facility security services
x entrance security staff
☐ personnel and visitor badges
x visitor protocols
x alarm systems
x video/CCTV systems
☐ other:

Electronic access control: Measures to prevent unauthorized use of the data processing and data storage systems

x (secure) passwords
x automatic blocking/locking mechanisms
x secure authentication process
x multi-factor authentication
x intrusion detection and prevention system
☐ other:

Internal access control: Measures to prevent unauthorized reading, copying, changes or deletions of data within the system

x rights authorization concept
x documented assignment of rights and roles
x need-based rights of access
x restriction of writing and modification permissions
x logging of system access events
x mobile device policy
x clean desk policy
☐ other:

Isolation control: Measures to ensure isolated processing of data, which are collected for differing purposes

x multi-client capability
x separation in organizational / departmental boundaries
x separation of testing and production environment
x physical separation of systems, databases and data carriers
x sandboxing
☐ other:

1.2 Integrity

Data transfer control: Measures to prevent unauthorized reading, copying, changes or deletions of data during electronic transfer or transport

x encryption at rest
x encryption in transit
☐ encryption of data carriers and storage media
☐ mobile device management
x virtual private networks (VPN)
x electronic signatures
☐ other:

Data entry control: Measures to verify whether and by whom personal data are entered into a data processing system, changed or deleted

x logging of access and modifications
x verification of data sources (authenticity)
x document management
☐ other:

1.3 Availability and resilience

Measures to prevent accidental or willful destruction or loss and ensure rapid recovery

x backup strategy
☐ uninterruptible power supply (UPS)
x virus protection
x firewall
x spam filter
x reporting procedures and contingency planning
x redundancy of hard- and software as well as infrastructure
x repair strategies and alternative processes
x fire and smoke detectors
x fire extinguishers
☐ water leakage detector
☐ rules of substitution for absent employees
☐ other:

1.4 Testing, assessment and evaluation

Process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing

x documentation of business and operating procedures, data stocks, data flows and IT systems
x process for regular monitoring, assessment and evaluation of data protection and information security measures
x data protection management system
x data protection by design and default process
x incident response management system
x information security management system
☐ information security certification (e.g. ISO 27001)
☐ other:

1.5 Order or contract control

Measures to ensure that no third-party data processing as per Article 28 GDPR takes place without corresponding instructions from Viatris

x clear and unambiguous contractual arrangements with service providers
x obligation to data secrecy and confidentiality agreements with service providers
x formalized order management
x strict controls on selection of service providers
x security pre-evaluation of service providers
x supervisory follow-up checks of service providers

1.6 Data protection controls

Measures to ensure compliance with other data protection principles and requirements

x procedures for pseudonymization
☐ procedures for anonymization
x automatic blocking and erasure routines
x regular data protection and information security trainings for personnel (at least, once per year)
x obligation to data secrecy for personnel
x appointment of data protection officer
x up-to-date record of processing activities
x procedures for data subject requests
x procedures for data protection incidents and personal data breaches
☐ other:

Annex 3

Pre-Approved Sub-Processors

Qdrant uses the services of the following sub-processors for the provision of the Services and the processing of the Customer’s personal data:

| Name of sub-processor | Address | Task to be performed (please briefly explain processing activities) | International transfer, if applicable (please indicate to which country personal data is transferred if personal data is transferred to a country/recipient outside the EU/EEA) |
| --- | --- | --- | --- |
| AWS | Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxemburg | Cloud platform provider. | |
| Auth0 (by Okta) | Auth0, Inc., 10800 NE 8th Street, Suite 600, Bellevue, WA 98004, U.S.A. | Authentication service provider. Stores the email and optional name (first and last name) of the user. | EU-US Data Privacy Framework, Art. 45 of the GDPR |
| Google Cloud Platform | Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland | Cloud platform provider. | |
| Microsoft Azure | Microsoft, Redmond, 1 Microsoft Way, United States | Cloud platform provider. | |
| Mailjet | Mailjet SAS, 4, rue Jules Lefebvre, 75009 Paris, France | Transactional Email Provider | |
| Mailchimp | The Rocket Science Group, LLC, 675 Ponce De Leon Ave NE Suite 5000, Atlanta, GA 30308, United States | Email Service Provider | EU-US Data Privacy Framework, Art. 45 of the GDPR |
| Freshdesk | 2950 S. Delaware Street, Suite 201, San Mateo, CA 94403, USA | Support Ticket Tool | EU-US Data Privacy Framework, Art. 45 of the GDPR |
| Hubspot | 25 First Street, Cambridge, MA 02141, USA | CRM System | EU-US Data Privacy Framework, Art. 45 of the GDPR |