What Should A Data Processing Agreement Include
RGPD compliance requires data controllers to sign a data processing agreement with every party that processes personal data on their behalf as a data processor. If you need definitions of these terms, you can find them in our article “What is the RGPD,” but as a general rule, a data processor is another company you use to help you store, analyze or communicate personal information. For example, if you are a health insurance fund and you share customer information via encrypted emails, the encrypted messaging service is a data processor. Or if you use Matomo to analyze traffic on your site, Matomo would also be a data processor.

Q: My company doesn't really care about written contracts. Is that a problem?

Setting aside the broader question of whether to record a written agreement at all, and focusing exclusively on the data elements, the answer is: “It's important.” If you use a subcontractor to process personal data (including basic data such as a person's name and contact information) on your behalf, or if you are a subcontractor working under the instructions of a data controller, there must be a written agreement, however brief. In the absence of a written contract, both parties are in breach of the RGPD.

Q: OK, I have a written agreement if I have to, but can it cover only the data clause?

Yes, in theory. The rest of the contract could be unwritten if you wanted it to be (although there are greater risks in not recording a written agreement).

Q: Must every agreement contain a data clause?

No. Only contracts in which personal data flows from one party to the other, and in which the relationship between the parties is that of data controller and data processor.

Q: Why do I need to know whether I am a data controller or a data processor?

Unlike the old regulations, the RGPD applies to both data controllers and data processors. Because of this, a controller will inevitably want to place as much of the burden as possible on the processor, seeing it as an opportunity to delegate its responsibilities. If you are the controller, this may be a legitimate goal. On the other hand, as a data processor, you want the controller to remain fully responsible for compliance with the law, and you do not want to take on additional obligations beyond those the RGPD imposes on you directly. So it is probably a good idea to have two “standard” data clauses that you can use depending on the situation.

Q: So now I really have to include everything in the above list in my contracts where I disclose or receive personal data? What if I don't?

Yes. That is what the RGPD requires. If you do not, both parties could in theory be fined up to 20 million euros, or 4% of worldwide annual turnover (whichever is higher). And if a person can prove that they have suffered damage (even minor reputational damage) as a result of your non-compliance, that person can claim damages from you.

(C) The parties are working to implement a data processing agreement in line with the requirements of the current legal framework for data processing and of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).