When a processor uses another organization (i.e. a sub-processor) to help process personal data on behalf of a controller, it must have a written contract with that sub-processor. To meet the requirements of the RGPD, an organization that, as a controller, uses the services of a processor to process personal data on its behalf must enter into a legally binding data processing contract (a written contract or other legal act) with that processor. Article 28.3 of the RGPD defines what this written contract must contain: the EU's General Data Protection Regulation takes a more serious approach to contracts than previous EU data rules. If your organization is subject to the RGPD, you must have a written data processing agreement with every data processor you use. Yes, a data processing agreement is boring paperwork. But it is also one of the most fundamental steps of RGPD compliance and is necessary to avoid RGPD sanctions. When a processor assigns processing activities to a sub-processor, it should only use sub-processors that provide sufficient guarantees, in terms of expertise, reliability and resources, to implement technical and organizational measures that meet the requirements of the regulation, including those for the security of processing. This is part of the "due diligence" referred to in the RGPD data processing requirements, which obliges processors to ensure that the sub-processors they use are credible and compliant with the RGPD. Articles 33 and 34 set out the procedures for notifying the supervisory authority and the data subjects of personal data breaches.
These include the controller, which notifies the competent authority, and the processor, which notifies the controller, as described in the RGPD guidelines on appropriate processing arrangements. In practice, your client, who is also the controller, will most likely simply tell you what to do. In addition, as a processor, you should take all the organizational steps and comply with the technical requirements set by the data protection authority. In some cases, controllers may require a processor to obtain a certification or to adhere to a set of rules approved by EU regulators. However, this is very unlikely to happen, as there is no standard RGPD certification yet and all the available options are too complicated. A data processing agreement (DPA), also known as a data processing addendum, is a contract between data controllers and data processors or sub-processors. These agreements are designed to ensure that each company works in partnership in accordance with the RGPD or other applicable data protection laws, protecting the interests of both parties. Suppose an IT outsourcing company X is mandated by an EU customer to develop a data management application for a healthcare facility. Of course, it needs access to patients' personal (and sometimes sensitive) information. Although it will not store that information on its own devices, the activity still falls under the category of "personal data processing." Whatever the purpose of the software product, the outsourcing company develops code that processes the personal data of its customer's customers. Even if it does not store the data, it has access to the database.
As a result, the conditions for the protection, processing, storage and use of this data must be agreed upon in writing.