There are situations where an entity may be a data controller or a data processor, or both. For more details, you can read the ProtonMail data processing agreement or read the generic model data processing agreement that we have made available on this website. 1.1.4 “data protection laws” means your data protection legislation and, where applicable, the data protection legislation of another country; A data processing agreement is a legally binding contract that defines the rights and obligations of each party with regard to the protection of personal data (see “What is personal data?”). Article 28 of the GDPR includes the data processing agreements referred to in section 3: a processor may not use the services of a processor without the prior written or specific consent of the controller. If an authorization is granted, the subcontractor must enter into a contract with the subcontractor. The contractual conditions relating to Article 28(3) must offer an equivalent level of protection for personal data as in the contract between the controller and the processor. Subcontractors remain responsible to the person responsible for the respect of the sub-transformers they have. A data processing agreement (DSG) is a legal capacity signed by the controller and the processor, either in writing or in electronic form, and whose purpose is to regulate the conditions for the processing of personal data of EU citizens. Personal data is any information that can identify a person, i.e. first and last name, date of birth, place of residence. Controllers may only use processors who can provide sufficient guarantees that they are taking appropriate technical and organisational measures to ensure that their processing complies with the requirements of the GDPR and protects the rights of data subjects.
If you are a business owner subject to the GDPR, it is in your best interest to have a data processing agreement: first of all, it is necessary to comply with the GDPR, but the DPA also gives you the assurance that the data processor you use is qualified and capable. As set out in recital 81☐, the processor may only respond to the documented instructions of the controller, unless required by law, without acting in the absence of such instructions; ☐, the processor must take appropriate measures to assist the controller in responding to an individual`s requests on the exercise of their rights. ☐, the processor must ensure that the persons processing the data are subject to an obligation of trust; In accordance with the GDPR, a controller can be held liable for a data protection breach, even if it occurred on the side of the processor. It is therefore in the interest of both parties to ensure that the processor has the necessary bandwidth to protect all data transmitted by the controller. The smaller the risks, the better. However, in the event of a breach, the processor should be able to take immediate measures to minimise its impact. 8. The data protection impact assessment and prior consultation processor shall provide the company with appropriate assistance for all data protection impact assessments and prior consultations with supervisory or other competent data protection authorities that the company deems reasonably necessary in accordance with Articles 35 or 36 of the GDPR or equivalent provisions of another lo i on data protection.
in any event, only with regard to the processing of the company`s personal data by and taking into account the type of processing and information available to the processors. . . .