The EDPB also recommends providing “a notification period (for example, the number of hours) and the point of contact for these communications in the contract. Finally, the contracts should specify how the processor should inform the controller in the event of an infringement.”

1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors that provide sufficient guarantees to implement appropriate technical and organizational measures, so that the processing meets the requirements of this Regulation and ensures the protection of the rights of the data subject.

The controller must therefore be very clear from the outset about the scope of the processing. The processor assists the controller in fulfilling its obligation to respond to requests to exercise data subjects' rights. In accordance with Article 28, paragraph 3, point (f), of the GDPR, the agreement between the parties provides additional details on how the processor assists the controller with the obligations under Articles 32 to 36. As a general rule, assistance consists of the immediate transmission of requests received from data subjects. However, in certain circumstances, the processor is entrusted with more specific technical obligations, such as when it is able to extract and manage personal data.

If you take the services of a processor In The Mouth, you will probably need a data processing agreement (DPA).
Some popular processors (e.g. MailChimp) have included data processing agreements as part of their terms. If the processor does not provide one, you must provide it yourself. To help you, we've prepared a free DPA template below.

Article 28, paragraph 3, stipulates that the contract (or other legal act) must contain the following information regarding the processing: the processor cannot engage another processor without authorization, and it ensures that the new processor will be subject to the data protection obligations set out in the contract between the controller and the processor.