
What Should A Data Processing Agreement Contain

This section aims to shed light on the relationship between the primary data processor and sub-processors. It's worth including the following information in your agreements:

These provisions may appear in different sections of a data processing agreement, and an organisation drafting one will likely want to expand the details of each of them. For example, point (c) of Article 28(3), which sets out the security requirements, may be covered in a section of the contract dedicated to the security measures agreed with the processor and may contain additional information, such as the availability of audits.

If you are a business owner subject to the GDPR, it is in your best interest to have a data processing agreement: first, it is necessary to comply with the GDPR, but the DPA also gives you assurance that the data processor you use is qualified and capable.

As explained in recital (81), the exact terms of a data processing agreement vary from organisation to organisation and depend on the details of the processing. However, Article 28 gives a precise picture of the minimum content a contract must establish. These elements are: (1) the subject-matter and duration of the processing, (2) the nature and purpose of the processing, (3) the type of personal data, (4) the categories of data subjects and (5) the obligations and rights of the controller.

What does the GDPR definition really mean? As before, there must always be a written contract when a company processes personal data on behalf of another company, but even a "basic" clause will now be much longer and more detailed, often running to a few pages of text. In addition, a controller may only use processors that provide sufficient guarantees to implement appropriate technical and organisational measures to meet the requirements of the GDPR and to protect the rights of the data subject.
Examples of factors to be considered when assessing the suitability of a processor include:
• the extent to which the processor can demonstrate compliance with industry standards (if any);
• whether it has sufficient technical expertise to help the controller fulfil its obligations under the GDPR;
• whether the processor can provide relevant documents such as a privacy policy, records management policy and/or information security policy;
• whether or not the processor can demonstrate compliance with an approved code of conduct or certification scheme.

Keeping records of processing activities would also help the processor demonstrate compliance with Article 28.
