In accordance with Article 28, paragraph 3, point (h), the agreement must require that those responsible for the processing use only subcontractors that offer sufficient safeguards to meet the conditions of the GDPR and guarantee the protection of the rights of the persons concerned. While small businesses may not need such large or in-depth data processing agreements, they should still have them when using third-party services or data processors with which they share their users' personal data.
Record-keeping of processing operations would be useful for the subcontractor to demonstrate compliance with Article 28. Article 30, paragraph 2, sets out the requirements for subcontractors to keep records of their processing activities. If your data processing violates compliance, mishandles data or is the victim of a data breach, a data processing agreement can legally protect you by proving that you have performed your due diligence to ensure that the company you worked with has followed the appropriate procedures.
With regard to international data transfers, Privacy Shield is an authorized solution when personal data from the EEA arrives in the United States, but if data is transferred across many borders, other solutions, such as standard contractual clauses approved by the European Commission or binding business rules, may be more appropriate. Article 31 provides that processors and data processors (or their representatives) cooperate with supervisory authorities.
The subcontractor cannot hire another subcontractor without authorization and must ensure that the new subcontractor will be subject to the data protection obligations under the contract between the processing manager and the subcontractor. In particular, the processor should not use another processor without prior written or specific authorisation from the controller.
If the controller's authorization is general, the controller must be informed of any modification (either the addition or replacement) of processors and given the possibility of appealing. This is consistent with the requirements that GDPR compliance and supplier management place on the person in charge of the processing. This duration of the contract should apply to subcontractor staff as well as all temporary and third-party workers who have access to personal data.
Article 33 and Article 34 concern regular procedures for notifying the supervisor and the persons concerned of security breaches regarding personal data. These include the processor, who informs the appropriate authority, and the data processor who informs the processor, as described in the GDPR guidelines on appropriate treatment arrangements. When a subcontractor acts outside the instructions of the treatment manager to decide the purpose and means of treatment, it is considered responsible for that treatment and assumes the same responsibility as a person responsible for the treatment.
Our DATA AGENCY provides a number of guarantees to companies that entrust us with personal data. For example, ProtonMail's data processing agreement promises the use of technical security measures, such as encryption, in accordance with Article 32 of the GDPR. In addition, it provides appropriate support to those responsible for processing in the implementation of a data protection impact assessment.
☐ the subcontractor must delete all personal data (at the choice of the processing manager) at the end of the contract or return it to the processing manager, and the subcontractor must also delete existing personal data, unless the law requires its storage; and
11.1 The subcontractor may not transfer or authorize the transfer of data to countries outside the EU and/or the European Economic Area (EEA) without the company's prior written consent.
When personal data processed under this agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area,