If you want to study the responsibilities of the data processor in more detail, you should visit this page. Where the controller entrusts processing activities to a processor, it should only use processors that offer sufficient guarantees, in particular in terms of expertise, reliability and resources, to take technical and organisational measures in accordance with the requirements of this Regulation, including the security of the processing. In the next part, you need to set out the tasks of the controller. Here's some information you really need to include: Since the GDPR came into effect, data protection authorities have shown their willingness to impose sanctions, and small and medium-sized enterprises have not been overlooked. GDPR fines can go up to €20 million or 4% of the company's global turnover. It is at this point that the processor must demonstrate its efforts to ensure the complete security of the controller's data. Among other things, you should describe: What should be included in a DPA? The GDPR is highly prescriptive when it comes to DPA requirements. Article 28(3) states that a DPA must include specific details about the processing of personal data, including: As you can see, these rules affect a large majority of the world. Find out everything you need to know about data processing agreements by continuing with the following article. Finally, one of the most important tasks of a DPA is to ensure that subcontractors provide sufficient guarantees for the protection of the data transmitted to them, especially since in the event of a data breach, including one on the part of the processor, the controller can be held liable. If required by the GDPR, the processor will appoint a data protection officer, and both parties will have to agree on a regular review of the terms of the contract.
If you receive a DPA, make sure it clearly describes how the data can be used by the processor. Look for the elements of a DPA listed above and make sure they are detailed enough to leave no room for interpretation. Cloud service providers (“CSPs”) now have important responsibilities as processors and must act exclusively on the instructions of the controller when processing personal data. Currently, most CSPs offer their own standard data processing contracts alongside the SaaS (Software as a Service) agreement, and these may not be negotiable by a controller who wishes to subscribe to the use of or access to the platform offered by the CSP (e.g. a data controller who wishes to use customer relationship management software to receive and track customer requests or complaints effectively). A data processing agreement is a legally binding contract that defines the rights and obligations of each party with regard to the protection of personal data (see “What is personal data?”). Article 28 of the GDPR covers data processing agreements under paragraph 3: A data processing agreement defines clear roles and obligations for controllers and processors. It is a useful contract for any agreement between two parties working with customer or user data. It is imperative that the contract is concluded before processing begins.
A DPA is generally required for the following areas of work: This section aims to clarify the relationship between the primary data processor and sub-processors. It is worth including the following information in your agreements: Data processing agreements vary in complexity depending on the purpose of the service contract and, in practice, can take a long time to negotiate depending on the relative bargaining power of the parties and the financial value of the transaction. Some controllers choose to include the data processing agreement in the service contract itself, while others attach it as an annex to the service contract. Some examples of subcontractors are commercial agents such as sales agents or marketing agents and certain consulting service providers, depending on which party determines the “how” and “why” of the processing of personal data (i.e. the data controller) and which party acts in accordance with those instructions (the data processor). Portal operators that aim to connect supply and demand actors do not need a data processing agreement. Even if personal data is exchanged, the creation of a DPA is not necessary in this case, as the users of the portal explicitly engage the portal operator and its professional services. Therefore, portal operators do not need additional protection. The same applies to recruiters who transmit personal data to the respective companies.
In accordance with Article 28(3)(h), the contract must require the following: If you are a controller and, as a result of outsourcing, wish to transfer your data to a third party, e.g. a cloud provider, you must sign a data processing agreement with that third party. If you are a business owner subject to the GDPR, it is in your best interest to have a data processing agreement: first, it is necessary for GDPR compliance, but the DPA also gives you peace of mind that the data processor you are using is qualified and capable. As mentioned in recital 81, whether you are a controller entering into a data processing agreement with a processor or you are a processor, it may seem difficult to ensure that the specific wording of your DPA meets these requirements. Fortunately, the European Commission has published examples of standard clauses to which controllers, processors and sub-processors can refer. Although these clauses are designed for international data transfers, they use standard clause language approved by the EU, giving organisations access to proven contractual language that meets the requirements of Article 28. The agreement should be as clear as possible on how the processor will help the controller to fulfil its obligations. Follow these steps when drafting a data processing agreement: If you run a large company, you will need to appoint a Data Protection Officer (DPO) to monitor and enforce your privacy policies and data processing agreements.
The internet is full of ways in which your customers' data can be disclosed, which can put your business in legal trouble with local authorities. The processor is the person who processes the data on behalf of a controller in accordance with the instructions of the controller. This leaves no room for misinterpretation if the provisions of other agreements conflict with the requirements of the DPA. Processing by a processor shall be subject to a contract or other legal act under Union or Member State law which is binding on the processor vis-à-vis the controller and which defines the object and duration of the processing, the nature and purpose of the processing, the nature of the personal data and the categories of data subjects, as well as the obligations and rights of the controller. After that, it's time to dig deeper into the technical requirements that the data processor must meet in order to comply with the provisions of the GDPR. According to Article 32 of the Regulation: To learn more about what the GDPR has to say about the role of the controller, here is a short excerpt that you can read from Article 24. Tim has over 20 years of experience representing a variety of emerging and established companies in the fields of technology, software, Bitcoin and professional services.