When Do You Need A Data Processing Agreement

What should my company do to ensure compliance? First, identify every relationship your company has with suppliers, customers, subcontractors, contractors, agents, resellers, distributors, etc., in which you share or disclose personal information. Second, for each of these relationships, identify whether you are the data controller or the data processor. Depending on the answer, you will likely want to accept a slightly different data clause: as a data controller, you will inevitably want to place as much of the load as possible on the data processor, but as a data processor, you want the data controller to be fully responsible for compliance with the law. Finally, determine whether there is a written contract between the two parties.

If there is an existing contract, you will have to agree to a modification of this contract (which, in principle, should not be a problem because the other party should also be interested in amending this contract to comply with the GDPR). If you do not have an existing contract, you must enter into a written agreement to ensure that the agreement contains the required data clause. Depending on the schedule, you may be able to use the "model clauses" published by the European Commission or the UK government. Any contract you enter into that involves a flow of personal data must include an appropriate data clause that complies with the GDPR.

In accordance with Article 28(3)(h), the agreement must require: the agreement must contain these conditions in order to ensure the continued protection of personal data after the end of the contract. This reflects the fact that it is ultimately up to the controller to decide what to do with the personal data processed once the processing has been completed.

☐ The processor must delete all personal data at the end of the contract or return it to the controller (at the choice of the controller), and the processor must also delete the existing personal data, unless the law requires its storage.

☐ The processor must undergo audits and inspections. The processor shall also provide the controller with all the information it needs to ensure that both comply with their obligations under Article 28.

Portal operators that aim to connect supply and demand actors do not need ODA. Even if personal data is exchanged, the creation of a DSG is not necessary in this case, as portal users explicitly commission the portal operator and its professional services. Therefore, portal operators do not need additional protection. The same applies to recruiters who transmit personal data to the respective companies.

If a processor uses another organisation (i.e. a sub-processor) to assist it in processing personal data for a controller, it must enter into a written contract with that processor.

Many CSPs reserve the right to use personal data for various purposes that have not been agreed with their controller (customer), which is particularly common when cloud services are provided free of charge by the CSP. For this reason, signing a data processing agreement (DPA) is crucial, especially when outsourcing software development.