If your company complies with the RGPD, all data processors you use should do the same, which includes having a compliant data processing agreement in place. Here is an excerpt from Article 28 that deals with the requirements of the data processor: if your data provider were to break compliance, mishandle the data or be the victim of a data breach, a data processing agreement can legally protect you by demonstrating that you have complied with your due diligence obligations to ensure that the company you worked with has followed the correct procedures. A data processing agreement is established to ensure that the processor properly processes the data of the processor.
The RGPD is very specific about the tasks of the person in charge of the processing and of the subcontractor. Article 28, paragraph 3, of the RGPD stipulates that there must be a written contract between the processing manager and the subcontractor, which clearly defines the purpose of the processing and its duration, as well as the nature and purpose of the processing, the types of personal data, the particular categories of data and the obligations and rights of both parties.
(C) The parties are working to implement a data processing agreement in line with the requirements of the current legal framework for data processing and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals in the processing of personal data and the free movement of personal data and repealing Directive 95/46/EC (General Data Protection Regulation).
Processors should have carried out a number of due diligence activities involving the transformers they use, which can be grouped together as data protection verification, documentation of data processing activities and obvious verification.
This provision requires the subcontractor to provide the processing officer with proof that it has followed the entirety of section 28.
For example, the subcontractor could do this by providing the necessary information to the processing manager or by submitting to a check or inspection.
In accordance with Article 28, paragraph 3, point (h), the agreement must require: the RGPD sets out certain guidelines on what should be included in a data processing agreement that we will discuss later in this article.
If you are a contractor subject to the RGPD, it is in your best interest to have a data processing agreement: first, it is required for RGPD compliance, but the privacy policy also gives you assurance that the data processor you are using is qualified and competent. As stated in recital 81: If you exchange personal data with other parties, you should have a data processing agreement.
Sections 28 to 36 of the RGPD cover the requirements for data processing and data processing agreements. Let's take a look at responsibilities that are a little more specific to different roles.
The RGPD applies to both processing managers and subcontractors based in the EU (for example, through EU legal entities), but also to all processors who are not established in the EU, where processing activities are linked either to the provision of goods or services to the persons concerned in the EU (whether or not payment is necessary) or to monitoring the behaviour of persons to the extent that such behaviour takes place in the EU. For more details, you can read the ProtonMail data processing agreement or the generic model of data processing agreements that we have made available on this site.
Given the nature of the processing and the information available, the subcontractor assists the processing manager in carrying out his RGPD obligations with respect to processing security, notification of personal data breaches and data protection impact analyses.
When a processing manager uses a subcontractor to process personal data on his or her behalf, there must be a written contract between the parties.