Data Processing Agreement Pro Controller
To meet the requirements of the RGPD, an organization must enter into a legally binding data processing contract (a written contract or other legal act) for the data processor, as a data provider that uses the services of a data processor for the processing of personal data on its behalf. Article 28.3 of the RGPD specifies what should be included in this written contract: many PSCs reserve the right to use personal data for different purposes that have not been agreed with their processing manager (client), which is particularly common when cloud services are provided free of charge by the PSC. Processors are required to hire data processors who provide sufficient assurance that this personal data will be processed in accordance with the RGPD. Organizations must therefore check whether the use of the PSC will result in additional complications and risks and possibly a violation of the RGPD. Cloud service providers (“CSPs”) now have a key responsibility as data processors and must act exclusively on the instruction of the data processor when processing personal data. Currently, most PSCs offer, in addition to the SaaS (SaaS) agreement, their own standard data processing agreements that cannot be negotiated by a processing manager who wishes to subscribe or access it (for example. B a data manager who wants to use customer relationship management to effectively receive and track customer requests or complaints). 8. The data protection impact analysis and the pre-consultation subcontractor provide the company with appropriate support for all data protection impact assessments and prior consultations with supervisory authorities or other relevant data protection authorities that the company deems reasonably necessary under Articles 35 or 36 of the RGPD or the equivalent provisions of another data protection law. , in any event exclusively with regard to the company`s handling of personal data and taking into account the nature of the processing and data protection information. that are available to contract processors.
Data processing agreements vary in complexity depending on the purpose of the service delivery contract and may, in practice, benefit from considerable negotiating time depending on the relative bargaining strength of the parties and the financial value of the transaction. Some processing companies choose to include the data processing contract in the service delivery contract, while others incorporate it as an annex to the service delivery contract. Some examples of data processing are sales agents such as sales agents or marketing agents and certain advisory service providers, depending on which party processes personal data (i.e. the processor) and responds to these instructions (the data processor).