After that, it's time to dig deeper into the technical requirements that the processor must meet to comply with the provisions of the GDPR. In accordance with Article 32 of the Regulation: processing by a processor is subject to a contract or other legal act under Union or Member State law which is binding on the processor vis-à-vis the controller and which specifies the object and duration of the processing, the nature and purpose of the processing, the nature of the personal data and the categories of data subjects, as well as the obligations and rights of the controller. Codes of conduct and certifications can help subcontractors demonstrate sufficient guarantees that their processing complies with the GDPR. (B) The Company wishes to subcontract certain services involving the processing of personal data to the Processor. In many business relationships, there will be a flow of data from one company to another, and if that data consists wholly or in part of "personal data", the law requires that certain provisions be included in a written agreement. Since the implementation of the GDPR, these "data processing clauses" have necessarily become a little longer than before. In the next part, you must deal with the obligations of the controller. Here's some information you really need to include: the GDPR actually requires data controllers to have adequate data processing agreements when using a data processor, even though such contracts were essential to protect data controllers and their data subjects even before the GDPR. (C) The Parties shall endeavour to implement an agreement on data processing in accordance with the requirements of the applicable legal framework for data processing and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Article 28(3) of the GDPR explains in detail the eight topics that must be addressed in a DPA. In summary, what you need to include: in this part of the contract, it is worth stating that the data processor must take all necessary technical and organizational measures before starting to process users' personal data. The agreement must stipulate that the processor may only process personal data in accordance with the controller's documented instructions (including in the case of an international transfer of personal data), unless it is obliged to do otherwise under EU or Member State law.
☐ Taking into account the nature of the processing and the information available, the processor shall assist the controller in fulfilling its obligations under the GDPR with regard to the security of processing, the reporting of personal data breaches and data protection impact assessments.
☐ The processor must undergo audits and inspections. The processor shall also provide the controller with all the information it needs to ensure that both comply with their obligations under Article 28.
What should be included in a DPA? The GDPR is very prescriptive when it comes to DPA requirements.