The contract (or any other legislative act) contains details of the treatment, including: this duration should cover the subcontractor`s staff as well as all temporary and third-party workers who have access to personal data. If you exchange personal data with other parties, you should have a data processing agreement. Sections 28 to 36 of the RGPD cover the requirements for data processing and data processing agreements. Let`s take a look at responsibilities that are a little more specific to different roles. ☐ the subcontractor must take appropriate measures to ensure the safety of the processing; Managing data processing agreements is a very complex undertaking that can easily become confusing when addressed manually. The IITR compliance kit allows you to remedy this problem. The tool provides you with contract templates that are legally watertight. In addition, you can centrally store the DPAs you create with different service providers. On the one hand, this procedure helps you to keep an overview. On the other hand, you are optimally prepared if you face a review by the authorities. When a subcontractor uses another organization (i.e.
a subcontractor) to help process personal data for a processing manager, it must have a written contract with that subcontractor. The RGPD requires data processing agreements between responsible data controllers and data publishers, as well as requirements for what should be included in these agreements. The agreement must say that at the end of the contract the subcontractor: Given the complexity of the task, it is advisable to have a data processing agreement as a separate document. A data processing contract is a legally binding contract that establishes each party`s rights and obligations with respect to the protection of personal data (see “What is personal data?”). Section 28 of the RGPD applies to data processing agreements covered in Section 3: this section makes it clear that data processors can only process data in the manner prescribed by the processor, unless certain exceptions apply. For more details, you can read the ProtonMail data processing agreement or the generic model of data processing agreements that we have made available on this site. Under Article 28, paragraph 3, point h), the agreement must require that small businesses do not need such a large or in-depth set of data processing agreements, but should nevertheless have them when using third-party services or data processors with which they share their users` personal data. The RGPD defines the fundamental principles of the minimum requirements to be included in each data processing agreement. These requirements are primarily aimed at ensuring that individuals are protected by a system of checks and balances between the processor and the data processor, but these guidelines also provide several levels of protection to all parties involved.