Together with the EEA Comptroller's CSC, the European Commission intends to make a standard data processing agreement available to organisations subject to the GDPR, in accordance with the requirements of Article 28(7) GDPR. In addition to the data protection obligations set out in the contractual clauses, the CSSS includes, for processing by EEA controllers and processors, a number of annexes to be completed by the parties, including: a detailed description of the data processing activity; information security measures; instructions from the controller; specific restrictions and/or safety precautions for the handling of sensitive personal data; the sub-processors involved in the data processing activities; and the measures by which the processor must assist the controller. Under Article 28(3)(a), the contract provides that the processor may process personal data only in accordance with the documented instructions of the controller (including in the case of international transfers of personal data), unless required to do otherwise by other provisions of EU or Member State law. Depending on the severity and nature of the infringement, there are two tiers of fines. GDPR fines for breaches by data processors generally fall under the first tier, which can be as high as 10 million euros or 2% of global turnover. In any case, signing a data processing agreement and complying with its terms is far less painful than paying a GDPR penalty. We hope this guide helps. Other easy-to-digest aids for GDPR compliance can be found in our GDPR checklist.
The processor processes personal data only on documented instructions from the controller, unless required to do otherwise by law; in that case, the processor informs the controller of that legal requirement before processing, unless the law prohibits such information on grounds of public interest. This also applies to transfers of personal data to a third country or an international organisation.
The EEA Comptroller CCS should help organisations in the EEA that engage third parties to carry out certain data processing activities on their behalf (i.e. «data processors») to meet their obligations under the EU General Data Protection Regulation (GDPR). In particular, Article 28 GDPR requires controllers to enter into an agreement (or other legal act) when outsourcing data processing activities to a data processor, and sets out the data protection obligations that such a data processing agreement must cover. These obligations of the processor include: (1) compliance with the controller's processing instructions; (2) the return or erasure of data at the end of the data processing services; (3) information security; (4) assisting the controller in fulfilling its obligations under the GDPR, e.g. for requests relating to personal data, data breach notifications and data protection impact assessments; (5) audits by, and assistance to, the controller or another auditor; and (6) the engagement of sub-processors. The agreement between the controller and the processor also sets out the purpose and duration of the processing, the nature of the personal data to be processed, the categories of data concerned, and the obligations and rights of the controller. The scope of this case-by-case risk assessment should depend on the nature, scope, context and purposes of the processing and should take into account the processor's expertise, reliability and resources, as well as its reputation. When a processor acts outside the instructions of the controller in such a way that it decides the purposes and means of the processing