A data transfer agreement with a third-party recipient should clarify the nature of the data transfer arrangement between the Collector and the third party and the respective roles and responsibilities of the parties.
The data transfer agreement should be in writing (see BP 3), i.e. in the form of a contract or a memorandum of understanding. The agreement must stipulate the specifically designated purpose(s) for which the audio data may be used by the third party and the third party’s commitment to adhere to said purpose(s).1 The agreement may also indicate the parameters of the transfer relationship, for example, whether the information sharing will be proactive (whereby the Collector agrees to send all collected and relevant audio data to the third-party recipient) or reactive (requiring the third-party recipient to request the data from the Collector, and potentially also specify the parameters requested, e.g., all data collected concerning a certain timeframe and/or location). Parameters of the agreement may additionally include transfer procedures, such as including an itemised list of the data files in the transfer to be approved and signed by the sender prior to transfer and by the recipient upon receipt.
The data transfer agreement should be drafted and signed with the advice of competent legal representation. It should be signed by the Collector and the relevant third party before any information sharing takes place, and securely stored (see BP 6).
Tech Specs & Resources
Refer to BP 6, Technical Specifications + Resources, ‘Data Transfer’.
For an indication of what information may be helpful to document regarding the transfer of data from one actor to another, see e.g., The Folke Bernadotte Academy and The Swedish National Defence College, A Handbook on Assisting International Criminal Investigations (2011), page 57.
On the desirability of crafting data-sharing policies, see e.g., OHCHR, Berkeley Protocol, page 49.
Legal Framework
See section 4.2.4.B on ‘Data Transfers’ under the GDPR.
See also Ljubljana-The Hague Convention, Article 16 on ‘Use and protection of personal data’.
Applicable Ethical Principles Accountability; Accuracy, Impartiality, and Objectivity.
Footnotes
-
Ljubljana-The Hague Convention, Article 16(1). Additionally, this practice is an extension of the purpose limitation requirement under the right to privacy and data protection, see ECtHR, Guide to the Case-Law of the European Court of Human Rights: Data Protection (2022), paras. 117-120; Digital Rights Ireland v Minister for Communications, Marine and Natural Resources and others (CJEU), Judgment, para. 61; GDPR, Article 5(1)(b) and Recital 50. ↩