Article 28 GDPR Data Processing Agreement

In essence, a DPA is a form of assurance that the processor performs its duty of care to protect the privacy of personal data. If, for example, a controller and a processor have a data processing agreement in place and the processor is in breach, the data protection authority could limit the controller's responsibility for the breach. According to the EDPB, the instructions refer to each processing activity and may include "authorised and unacceptable processing of personal data, more detailed procedures, data backup possibilities, etc." The processor must not go beyond what the controller has instructed. [4] The controller is responsible for evaluating and selecting a suitable processor. In this regard, the controller must "seriously consider" several elements, including the processor's data protection policies, terms of use, records of processing activities, information management and security policies, external audit reports, and recognised international certifications such as the ISO 27000 series. [1] The agreement between the controller and the processor also specifies the purpose of the processing, its duration, the nature of the personal data to be processed, the categories of data covered by the processing, and the obligations and rights of the controller. When a processor entrusts processing activities to another processor, it should use only processors that provide sufficient guarantees, including expert knowledge, reliability and resources, to implement technical and organisational measures that meet the requirements of this Regulation, including for the security of processing. In the event of a personal data breach (Articles 33 and 34 GDPR), the processor immediately informs the controller.

[8] The EDPB also recommends including in the contract "a notification period (for example, the number of hours) and the point of contact for these communications. Finally, the contracts should specify how the processor should inform the controller in the event of a breach." [9] 1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing meets the requirements of this Regulation and ensures the protection of the rights of the data subject. The controller must therefore be very clear from the outset about the scope of the processing. The processor assists the controller in fulfilling its obligation to respond to requests for the exercise of the rights of the data subjects concerned. In accordance with Article 28(3)(f) GDPR, the agreement between the parties provides further details on how the processor assists the controller in accordance with Articles 32 to 36. As a general rule, this assistance consists of promptly forwarding requests received from the data subjects concerned. However, in certain circumstances the processor is entrusted with more specific technical obligations, for example where it is able to extract and manage the personal data. If you use the services of a processor, you will probably need a data processing agreement (DPA).

Some popular processors (e.g. MailChimp) have included data processing agreements in their terms of service. If the processor does not provide one, you must provide it yourself. To help you, we've prepared a free DPA template below. Article 28(3) stipulates that the contract (or other legal act) must contain the following information regarding the processing: the processor may not engage another processor without authorisation and must ensure that the new processor is subject to the same data protection obligations as those set out in the contract between the controller and the processor.