Data Processing Agreements and the EDPB Guidelines
If a processor goes beyond the controller's instructions, it is considered a controller for the processing activity in question. Processors often overlook this when they decide to use personal data for their own purposes, for example to develop their own business or for research and development. In that case the organization may be sanctioned for "going beyond the instructions of the controller".

The scope of this case-by-case risk assessment (the controller's assessment of a prospective processor) should depend on the nature, scope, context and purposes of the processing, and should take into account the processor's expertise, reliability and resources, as well as its reputation.

Today, data processing agreements take many forms, ranging from a simple restatement of the main requirements of Article 28 GDPR to detailed contractual provisions. Some set out detailed security requirements, while others merely repeat the general requirements of Article 32 GDPR; some refer to a service agreement to describe the main characteristics of the processing (subject matter, duration, nature, purpose, etc.), while others contain a specific annex describing these points. We have seen organizations use short data processing agreements with very few details for processing operations they consider low-risk and entrust to processors, and very detailed agreements for data-intensive or high-risk activities. Not all of these agreements are considered adequate by the EDPB.

Although the other topics in the guidelines also deserve a thorough review, the analysis of the controller-processor relationship, and in particular the discussion of Article 28 data processing agreements (DPAs), should be examined in detail by companies that rely on DPAs. This is particularly true given the emphasis placed on DPAs in the context of international data transfers after Schrems II.
On the obligation to provide the controller with all information necessary to demonstrate compliance, the EDPB reads this as including "all information on how the processing activity is carried out on behalf of the controller", for example "information on the operation of the systems used, security measures, data retention, data transfers, access to data and data recipients, sub-processors used, etc." and, where appropriate, disclosure of the relevant parts of the processor's records.

The EDPB specifies that the contract must be signed by the parties. This means that white papers and privacy policies supplied by processors cannot be considered sufficient to meet the requirements of Article 28 GDPR unless they are incorporated into a contractual agreement executed by both parties.

Where Union law or Member State law applicable to the processor requires it to process the data other than on the controller's instructions, the processor must inform the controller of that legal requirement before the processing begins.