For example, VoluumDSP (Codewise) states in its data processing agreement that its customers are the controller and data processor. Therefore, “Codewise processes personal data only on your behalf and in accordance with your instructions”. Without a data processing agreement or other written contract, it is illegal for a data controller to use the services of a data processor, or for a data processor to process personal data on behalf of a data controller. A data processing agreement comes into force when a controller cooperates with a processor. A data processor may not process data in a manner that violates data protection regulations, even on instructions from the data controller. In this way, both parties are required to comply with the applicable data protection standards. For this reason, the processor must describe the certified framework it uses for the transfer of consumer data from the EU to other countries. According to Article 28, a processor may only process personal data “on the documented instruction of the controller” (unless required by law). A processor may also engage “sub-processors” to carry out data processing on its behalf, but only with the written consent of its controller. The processor shall be liable to the controller for the acts of such sub-processors. The article obliges controllers and processors to carry out a DPIA if a processing activity is classified as high risk. You must complete a DPIA before processing.
Data controllers must have a data processing agreement with all data processors they use. The agreement may be drafted by the controller or the processor; however, it is binding on both parties.

8. Data Protection Impact Assessment and Prior Consultation. The Processor will provide the Company with reasonable assistance in carrying out data protection impact assessments and prior consultations with supervisory or other competent data protection authorities, if the Company deems it reasonably necessary in accordance with Articles 35 or 36 of the GDPR or equivalent provisions of any other data protection law. In any case, exclusively with regard to the processing of the Company's personal data by, and taking into account the nature of the processing and the information available to, the appointed processors.

Both the controller and the processor must also ensure that any person working with the data (or having access to it) processes the data only in accordance with the instructions given to the controller (as specified in Article 29). This is another integral part of any GDPR data processing agreement. Before the controller can transfer consumer data to a processor in good faith, all obligations of the processor in relation to personal data must be described in detail.

7.2 The Processor shall provide reasonable cooperation to the Data Controller to enable it to carry out a data protection impact assessment, which it is required to carry out under applicable data protection legislation.
“Data Exporter” means “Controller” in this particular Agreement. In other words, if the controller does not provide for a specific processing activity under the contract, you will not be able to carry out the processing unless you obtain explicit consent. The protection of personal data has always been a top priority for Templafy and we welcome the new General Data Protection Regulation (GDPR), which will come into force on May 25, 2018. A requirement of the GDPR is that we must describe how we ensure compliance with the GDPR and commit to it in a data processing agreement with our customers. Are you a data controller working with a data processor, or vice versa? If so, you must document your relationship in writing with a data processing agreement (DPA).

i) Personal data in accordance with Articles 9 or 10 of Regulation 2016/679 of 27 April 2016

It is important to determine which party is responsible for responding to EU consumers' requests in accordance with their rights as data subjects. As stated in the GDPR, EU citizens are granted eight fundamental rights that controllers and processors must respect.
A GDPR data processing agreement is required whenever a data controller engages a data processor to provide data processing services. If the data processing is carried out by a processor, it is essential to have a clear data processing agreement. Not only is this a legal requirement, but it also allows you to define the conditions under which you do business and reduce the possibility of litigation.

10.2. The controller is responsible, inter alia, for ensuring that there is a legal basis for the processing of personal data that the processor is responsible for carrying out.

13.1. Upon expiry of the term or termination of the Contract, the Controller (at the choice of the Controller) will destroy or return to the Controller all Data in its possession or control. The controller reserves the right to delete personal data from all sites after 90 days if the data controller has not chosen either option. This requirement does not apply to the extent that the data processor is required by applicable law to retain all or part of the data.
In the HubSpot APD, you can see that the data processor helps with inquiries about consumer rights if the controller is unable to do so. Since HubSpot uses this agreement with many different controllers, the introduction is very general. If you are the controller, you may want to be more specific and name the exact parties involved in each data processing agreement you create.

(iii) provide the Processor, upon request, at any time with a copy of the Data Processing Agreement(s) between the Processor and the Processors.

The term of the Agreement is sometimes referred to as the “Term”. This is usually not given in months or years. Instead, it sets out the conditions under which the agreement ends. It is normal for a contract to contain such a clause. It is necessary in a data processing agreement to ensure that data processors cannot process personal data indefinitely. Then you can go into more detail about who the agreement applies to and what role each party will play. Appropriate security measures must be taken before personal data can change hands.