COMPETENT SUPERVISORY AUTHORITY Sample Clauses

COMPETENT SUPERVISORY AUTHORITY. Identify the competent supervisory authority/ies in accordance with Clause 13
COMPETENT SUPERVISORY AUTHORITY. Identify the competent supervisory authority/ies in accordance with Clause 13 Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
COMPETENT SUPERVISORY AUTHORITY. 3.1. In respect of the New Standard Contractual Clauses: 3.1.1. Module 2: Transfer Controller to Processor 3.1.2. Module 3: Transfer Processor to Processor 3.2. Where Customer is the data exporter, the supervisory authority shall be the competent supervisory authority that has supervision over the Customer in accordance with Clause 13 of the New Standard Contractual Clauses.
COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the Irish Data Protection Commission where the EU GDPR applies and the United Kingdom Information Commissioner’s Office where the UK GDPR applies. Telstra protects all third country transfers of Personal Data, undertaken by Telstra personnel or affiliates as detailed in Annex III, in accordance with our suite of information security standards. These standards define a number of baseline controls, which are implemented at appropriate risk based levels to protect the confidentiality, integrity and availability of both Telstra core and customer specific data. The controls and practices detailed in the standards align to industry practices and standards, such as ISO/IEC 27001:2013, ISO 31000:2009, NIST and PCI DSS. Telstra can provide details of our current certifications upon request from customers. Telstra conducts periodic reviews of the information security standards, and may therefore amend the below baseline controls from time to time to align with industry security standards and the evolving risk landscape: Standard Practices party access is vetted and approved, and access is revoked immediately upon termination. Data centre physical access: Telstra restricts entry into server rooms and protects against unauthorised access by logging entry and exit, requiring a special code or key for entry, and configuring access controls to continue preventing unauthorised entry if power is lost. Staff security General security culture and conduct: Telstra maintains a formal security awareness program so that staff are aware of their security responsibilities. This includes providing an annual security module to all staff and additional role-based training for relevant personnel. Background checks: Telstra staff undergo relevant and appropriate background checks. 
Supplier Management Due diligence: Telstra requires that a partner security assessment is undertaken for suppliers that have the potential to access Network User and Authorised User Personal Data. Contracts: In addition to clauses required under data protection laws, Telstra incorporates standard data security clauses into contracts for suppliers that will access, transmit, use, or store Network User and Authorised User Personal Data. Security: Suppliers must agree to comply with Telstra security standards and any additional Telstra requirements for the secure access, exchange, and lifecycle management of Telstra information, including Network User and Authorised User Pe...
COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the Irish Data Protection Commission where the EU GDPR applies and the United Kingdom Information Commissioner’s Office where the UK GDPR applies. Telstra protects all third country transfers of Personal Data, undertaken by Telstra personnel or affiliates as detailed in Annex III, in accordance with our suite of information security standards. These standards define a number of baseline controls, which are implemented at appropriate risk based levels to protect the confidentiality, integrity and availability of both Telstra core and customer specific data. The controls and practices detailed in the standards align to industry practices and standards, such as ISO/IEC 27001:2013, ISO 31000:2009, NIST and PCI DSS. Telstra can provide details of our current certifications upon request from customers. Telstra conducts periodic reviews of the information security standards, and may therefore amend the below baseline controls from time to time to align with industry security standards and the evolving risk landscape: Standard Practices applying strict controls around access to repositories containing Telstra source code. Change and Configuration Management Process and procedures: Telstra does not permit Authorised User and External Parties’ Personal Data to be used for development purposes – non-production and production environment must be separated and, at a minimum, enforce logical isolation. System and server configuration: Telstra maintains security configuration baselines consistent with industry accepted hardening standards, which address all known security vulnerabilities, and communicates these to relevant personnel. Servers are specifically configured to prevent Authorised User and External Parties’ Personal Data from being exported to unauthorised users. 
Cryptography Cryptographic algorithms: Only Telstra approved algorithms may be used, and Telstra requires that system configuration support is removed for all weak, non-approved algorithms. Access to encryption keys is recorded and audited at least annually. Data Protection Information classification: Authorised User and External Parties’ Personal Data is classified as such to meet applicable requirements under data protection laws. This enables Telstra to remove Authorised User and External Parties’ Personal Data from datasets, if not required to provide the agreed service or meet regulatory requirements, and to remove or protect direct identifiers of personal da...
COMPETENT SUPERVISORY AUTHORITY. Identify the competent supervisory authority/ies in accordance with Clause 13 A. Data importer/sub-processor has implemented and shall maintain a security program in accordance with industry standards. B. More specifically, data importer/sub-processor’s security program shall include: Data importer/sub-processor implements suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment (namely telephones, database and application servers and related hardware) where the personal data are processed or used, including: establishing security areas; protection and restriction of access paths; establishing access authorizations for employees and third parties, including the respective documentation; all access to the data center where personal data are hosted is logged, monitored, and tracked; and the data center where personal data are hosted is secured by a security alarm system, and other appropriate security measures. Data importer/sub-processor implements suitable measures to prevent their data processing systems from being used by unauthorized persons, including: use of adequate encryption technologies; identification of the terminal and/or the terminal user to the data importer/sub-processor and processing systems; automatic temporary lock-out of user terminal if left idle, identification and password required to reopen; automatic temporary lock-out of the user ID when several erroneous passwords are entered, log file of events, monitoring of break-in-attempts (alerts); and all access to data content is logged, monitored, and tracked. Data importer/sub-processor commits that the persons entitled to use their data processing system are only able to access the data within the scope and to the extent covered by their respective access permission (authorization) and that personal data cannot be read, copied or modified or removed without authorization. 
This shall be accomplished by various measures including: employee policies and training in respect of each employee’s access rights to the personal data; allocation of individual terminals and/or terminal user, and identification characteristics exclusive to specific functions; roles; monitoring capability in respect of individuals who delete, add or modify the personal data; release of data only to authorized persons, including allocation of differentiated access rights and use of adequate encryption technologies; and control of files, controlled and documented...
COMPETENT SUPERVISORY AUTHORITY. Identify the competent supervisory authority/ies in accordance with Clause 13 … Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. [Examples of possible measures: Measures of pseudonymisation and encryption of personal data; Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services; Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing; Measures for user identification and authorisation; Measures for the protection of data during transmission; Measures for the protection of data during storage; Measures for ensuring physical security of locations at which personal data are processed; Measures for ensuring events logging; Measures for ensuring system configuration, including default configuration; Measures for internal IT and IT security governance and management; Measures for certification/assurance of processes and products; Measures for ensuring data minimisation; Measures for ensuring data quality; Measures for ensuring limited data retention; Measures for ensuring accountability; Measures for allowing data portability and ensuring erasure] For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter
COMPETENT SUPERVISORY AUTHORITY. The supervisory authority shall be the supervisory authority of the Data Exporter, as determined in accordance with Clause 13.