1) That the processor agrees to process personal data only on the written instruction of the controller.
2) That any person who works with the personal data is obliged to maintain confidentiality.
3) That appropriate technical and organisational measures are taken to ensure data security.
4) That the processor undertakes not to subcontract to another processor unless the controller has expressly authorised this in writing. In that case, the same data protection obligations as set out between the controller and the processor would have to be agreed with the sub-processor (in accordance with Article 28(2) to (4) of the GDPR).
5) That the processor undertakes to assist the controller in complying with its obligations under the GDPR, in particular with regard to the rights of the data subject.
6) That the processor agrees to assist the controller in complying with Article 32 of the GDPR (security of processing) and Article 36 of the GDPR (prior consultation of the data protection authority where the processing is classified as high risk).
7) That the processor undertakes to delete all personal data or to return the data to the controller upon termination of the services.
8) That the processor must allow the controller to carry out an audit and must provide the information necessary to demonstrate compliance with the regulation.

While there are many points that you need to include, a DPA not only ticks a box on the list of GDPR compliance tasks, but also gives your organisation and the parties involved the opportunity to clarify what is expected and how tasks should be performed. In addition, these points give your business a space to identify potential issues and rethink procedures to align them further with the GDPR.

Example of a DPA provision: the controller only uses subcontractors that provide sufficient guarantees to comply with the conditions of the GDPR and to ensure the protection of the rights of data subjects.
Controllers must ensure that the processing is carried out in accordance with the provisions of the GDPR. Last week, the entry into force of the EU's General Data Protection Regulation (GDPR) attracted a lot of attention. Virtually all companies that process the personal data of EU citizens are affected and must take serious organisational and technical measures to comply with the new rules. An important element of the legislation is the obligation of controllers to conclude a data processing agreement (DPA) with processors.

To help you prepare for the GDPR, last Wednesday we hosted a webinar on the specifics of a data processing agreement and the process of signing a contract with Tresorit. In this blog post, we'd like to summarise the key elements of our webinar to give you a complete picture of everything you need to know about a DPA. If you provide data processing, in particular to customers who work with user data in the EU, you should be familiar with the creation and management of data processing agreements. In this part of the contract, it is appropriate to include a provision that the processor must take all necessary technical and organisational measures before starting to process the personal data of users. If you receive a DPA, make sure it clearly describes how the data may be used by the processor. Look for the elements of a DPA listed above and make sure they are detailed enough to leave no room for interpretation. If you run a large company, you need to appoint a Data Protection Officer (DPO) to monitor and enforce your privacy policies and data processing agreements. There are many ways on the internet for your customers' data to be disclosed, which can put your business in legal trouble with local authorities. Finally, one of the most important functions of a data processing agreement is to ensure that subcontractors provide sufficient guarantees for the protection of the data transmitted to them. This matters especially because, in the event of a data breach, including one on the part of the processor, the controller can be held liable.

This is not really something new, as signing this type of document is required by many other data protection regulations, including the UK Data Protection Act and the predecessor of the GDPR, Data Protection Directive 95/46/EC. However, with many ambiguous requirements for data controllers, processors and sub-processors, companies may still have questions about certain legal requirements, e.g. what needs to be included in a data processing agreement. These data processing agreements (DPAs) are essential to ensure the protection of the personal data of data subjects. This annex supplements the points of a data processing agreement on technical and organisational measures. In this part of the agreement, the processor should demonstrate its ability to "ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services", as well as to establish "a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing" (both quotes are extracts from Article 32 of the GDPR). The processor shall take all necessary measures pursuant to Article 32 in relation to data protection and cybersecurity. There are two levels of fines, depending on the gravity and nature of the infringement. Fines imposed under the GDPR for breaches related to subcontractors usually fall into the first tier, which, according to the guidelines, can reach up to €10 million or 2% of global revenue. In any case, it is much less painful to sign a data processing agreement and comply with its conditions than to pay a GDPR fine. We hope this guide helps you. For easier-to-digest help on GDPR compliance, check out our GDPR checklist.

Portal operators that aim to connect supply and demand actors do not need a data processing agreement. Even if personal data is exchanged, the creation of a DPA is not necessary in this case, as the users of the portal explicitly commission the portal operator and its professional services. Therefore, portal operators do not need additional protection. The same applies to recruiters who transmit personal data to the respective companies. For an organisation to comply with the requirements of the GDPR, as a data controller using the services of a data processor to process personal data on its behalf, it must enter into a data processing agreement (a written contract or other legal act) that is legally binding on the data processor….