The OIC said it had „not given a satisfactory explanation” for the failure of Yahoo`s UK subsidiary to protect data and described the company`s „inadequacies” as „systemic” issues that „have existed for a long time without being detected or corrected”. The deficiencies „put at risk the personal data of up to 515,121 people,” he said. Like many international companies, Yahoo has servers in the United States on which the personal data of its users, including UK account holders, is stored. By recording personal data on the servers, Yahoo Inc. was considered by the OIC to be a data processor acting on behalf of the UK arm of Yahoo in the processing of personal data of UK account holders. Yahoo! UK Services Limited was fined following a cyberattack in 2014 that led hackers to obtain the security information of some Yahoo employees, which allowed them to access personal data estimated at 500 million user accounts worldwide. The OIC said more than 515,000 of the accounts were in Britain and that Yahoo`s UK subsidiary was the data controller responsible for the security of personal data for these account holders. An intra-group SCC would need certain types of framework document and I do not understand why this document could not be designed in such a way that SCCs cover several jobs/orders, provided that the specific information that needs to be included in the schedules/additions to the CSCs is properly referenced. 8 COOPERATION WITH SUPERVISORY AUTHORITIES 8.1 The data exporter undertakes to deposit with the supervisory authority a copy of this contract if it so requires or where such deposit is required by current data protection legislation.8.2 The parties agree that the supervisory authority has the right to carry out a control of the data importer and a possible subcontractor of the same magnitude and subject to the same conditions, 8.3 The data importer shall immediately inform the data exporter of the existence of the legislation applicable to it or of a subcontractor which prevents the performance of a check by the data importer or a subcontractor in accordance with paragraph 2. In this case, the data exporter has the right to take the measures provided for in clause 5(b). . . .

.