
What To Look For In A Data Processing Agreement

This is not really new, as signing such a document is required by many other data protection regulations, including the UK Data Protection Act and the predecessor of the GDPR, Data Protection Directive 95/46/EC. The exact terms of a data processing agreement vary from one organization to another and depend on the specifics of the processing. However, Article 28 gives a precise picture of the minimum content the contract must establish. These elements are: (1) the purpose and duration of the processing, (2) the nature and purpose of the processing, (3) the type of personal data, (4) the categories of data subjects and (5) the obligations and rights of the controller. According to the GDPR, the organization that defines the purpose of the data processing (i.e. the controller) has more legal obligations, but how the EU customer and the outsourcing company will protect this data is the responsibility of both parties: the EU company that has to run the application and the outsourcing company that needs the data to carry out the project. If you exchange personal data with other parties, you must have a data processing agreement. Articles 28 to 36 of the GDPR cover the requirements for data processing and data processing agreements. Let's take a look at the slightly more specific responsibilities of the different roles.

2. The parties agree that the supervisory authority has the right to carry out an audit of the data importer and any sub-processor having the same scope and subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

When data is stored abroad, it is important to describe the measures that the processor must take to ensure a level of security equivalent to that guaranteed in the EU.

For example, for data stored in the US, it's a good idea to follow the Privacy Shield framework (but this may change due to the recent controversy). Given the number of details that need to be dealt with, this part should be included in a separate clause or even an annex to the contract. A DPA would not be complete without the above annexes. They complement and develop previously agreed contractual terms. Here's what you need to include in both: Under European data protection law, the personal data of EU citizens may be processed by another party outside the European Union, provided that the parties sign a legal agreement governing such processing. This is what they call the DPA, the Data Processing Agreement…
