What Should Be Included In A Data Processing Agreement

There is no particular format, and controllers generally suggest their form of data processing agreement when hiring a processor. The essential condition is that the content of the data processing agreement is in line with the legal requirements of the RGPD and that the contracting parties are then free to determine the form or layout and, if necessary, the additional clauses they wish to include (. For example, data protection compensation, contacts of data protection delegates of one of the parties, and procedures for dealing with a breach of personal data subject to the personal data processing contract). The RGPD requires data processing that is responsible for processing data to have appropriate processing agreements when using a data processor, even though these contracts were already essential, prior to the RGPD, for the protection of processors and their individuals. By imposing instructions, setting procedures and enforcing security and legal data processing requirements, the processor not only protects himself, but ensures that the data processor acts within the framework of the RGPD to protect its individuals. Articles 28 to 36 of the RGPD set out the conditions for data exchange and conditions for personal data between processing managers and subcontractors. Here are the main topics you need to address in your data processing contract. Since the RGPD came into force, data protection authorities have demonstrated their willingness to impose sanctions. And small and medium-sized enterprises have not been neglected. RGPD fines can reach 20 million euros, or 4% of the company`s global turnover.

In this part of the contract, as in virtually all other types of contracts, you define the definitions of terms that will then be used in the document. Among other things, you should define: in this section of the schedule, the processor must present its backup policies as well as measures to ensure data redundancy, recoverability and high availability. This section deals with issues related to the electronic transmission of the input command. The data processor should demonstrate that personal data cannot be read, copied, modified or deleted by unauthorized persons during data transfer. This guide aims to give you some useful tips to create a good DPA. But in this case, there is no one-way solution. When creating your own version of this document, you should also consider your industry regulations and other specific business requirements. While this reduces the responsibility of the processor for data mismanagement by the data processor, the contract also requires the processor to perform his duty of care to ensure that the subcontractor he uses is credible and capable. Sections 28 to 36 of the RGPD cover the requirements for data processing and data processing agreements. This is a fairly large amount of information, but let`s break it down into more manageable terms that you can apply to your business. In this part of the contract, it is worth including information that the data processor should implement all technical and organizational measures before starting processing users` personal data.

Given the complexity of the task, it is advisable to have a data processing agreement as a separate document. Whether you`re a controller entering a DPA with a processor, or you`re a processor that comes into contact with a subprocessor to make sure your data protection authorities` specific text meets these requirements.