The agreement must say that at the end of the contract, the subcontractor must:

What should be included in a CCA? The GDPR is very prescriptive when it comes to DPA requirements. Article 28, paragraph 3, stipulates that the DPA must contain specific information on the processing of personal data, including:

This is a standard element of any contract. As always, we should mention that any changes to the agreement must be accepted by both parties. However, in the case of a DPA, it should be noted that such a document replaces all other agreements between the data controller and the processor. As in any other case, the provisions of this part of the contract should be tailored to the specific needs of the organization and to the sectoral requirements.

The GDPR places no legal restrictions on the form of the data processing agreement, but when the subcontractor is outside the EU and an international data transfer takes place, there are specific requirements regarding the format of the documentation, for example standard contractual clauses, binding rules, etc. If you want to take a closer look at the responsibilities of the data provider, go to this page.

☐ The subcontractor must be audited and inspected. The subcontractor must also provide the controller with all the information necessary to ensure that both parties comply with their Article 28 obligations.
What does my company need to do to ensure compliance? First, identify each relationship your company has with suppliers, customers, subcontractors or contractors, agents, resellers, distributors, etc., in which you provide them with personal data or in which you are sharing personal data. Second, for each of these relationships, identify whether you are the data controller or the data processor. Depending on the answer, you will want to agree on a slightly different data clause: as the data controller, you will inevitably want to transfer as many obligations as possible to the data processor and have the processor be fully responsible for compliance with the law. Finally, make sure that there is a written contract between the two parties. If there is an existing contract, you must agree an amendment to that contract (which, in principle, should not be a problem, as the other party should also be interested in amending the contract in order to comply with the GDPR). If you do not have an existing contract, you must enter into a written agreement and ensure that it contains the necessary data clause. Depending on the timetable, you may be able to use the "standard clauses" published by the European Commission or the UK government. All contracts that you enter into that involve a flow of personal data should include an appropriate data clause that corresponds to the GDPR.

Managing data processing agreements is a very complex undertaking that can easily become confusing when handled manually. The IITR compliance kit allows you to remedy this problem. The tool provides you with contract templates that are legally watertight.
In addition, you can centrally store the DPAs you create with different service providers. On the one hand, this procedure helps you to keep an overview. On the other hand, you are optimally prepared if you face a review by the authorities. This is because this information should be treated more restrictively than normal types of personal data.