Data Processing Agreement Guidance

The EDPB's opinion builds on this requirement and recommends that the DPA describe how the processor facilitates the rights of the data subject and set a timetable within which the processor informs the controller when it receives a data subject request. As a starting point, the guidelines emphasize that, under Article 28(1), a controller has a positive obligation to vet its processors and "should be able to demonstrate that it has seriously considered all the elements contained in the GDPR." This often requires "an exchange of relevant documentation," such as privacy policies, terms of use, records of processing, data management policies, information security policies, external audit reports and any recognized certifications such as the ISO 27000 series. DPAs are important because data protection laws usually require an agreement every time a processor handles personal data on a controller's behalf. There are serious consequences for a controller or processor that does not have one. We have written about all of the clauses the law prescribes. Under Article 28(3)(g), a DPA must require the processor to delete or return the personal data in its possession as soon as the controller no longer requires its services. The EU's General Data Protection Regulation is stricter about contracts than the previous EU data protection rules. If your organization is subject to the GDPR, you must have a written data processing agreement with all of your data processors. Yes, a data processing agreement is boring paperwork. But it is also one of the most fundamental steps of GDPR compliance and is necessary to avoid GDPR sanctions.

The parties can negotiate their own contract or use standard contractual clauses adopted by the European Commission or by a supervisory authority under the consistency mechanism. The Danish supervisory authority has adopted such a document. In this context, however, these standard contractual clauses must be distinguished from the European Commission's standard contractual clauses, which are used for cross-border data transfers and which are, of course, the subject of intense debate after Schrems II. "[Optional] The following EU/Member State legislation, applicable to the processor, requires the storage of personal data after the end of the processing services: ……………. The processor undertakes to process the data exclusively for the purposes of this legislation and under the strictly applicable conditions." When a processor uses another organization (i.e. a sub-processor) to help process personal data for a controller, it must have a written contract with that sub-processor. Note that the DPA also refers to the "rights and freedoms of the data subject." This is also in line with the EDPB's recommendations. One of the checklist items reads: "☐ the processor must delete all personal data (at the controller's choice) at the end of the contract or return it to the controller, and the processor must also delete existing copies, unless the law requires their storage." Controllers may only use processors that can provide sufficient guarantees to implement appropriate technical and organizational measures so that their processing complies with the requirements of the GDPR and protects the rights of data subjects.

Posted by Sirkka.