11.1 The subcontractor may not transfer or authorize the transfer of data to countries outside the EU and/or the European Economic Area (EEA) without the company's prior written consent. When personal data processed under this agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the parties ensure that personal data is adequately protected. To do so, the contracting parties, unless otherwise agreed, rely on standard contractual clauses approved by the EU for the transfer of personal data.

With regard to the RGPD, the data protection officer appoints a data protection delegate and both parties must agree on a periodic review of the contractual terms.

This appendix complements the points of a data protection statement on technical and organisational measures. In this part of the agreement, the data processor should demonstrate its ability to ensure the confidentiality, integrity, availability and resilience of processing systems and services and to implement a periodic audit and evaluation process for the effectiveness of technical and organizational measures to ensure safe processing (both citations are extracted from Article 32 of the RGPD).

A first urgent question when creating a data processing agreement is whether the organization acts as a controller or processor. The IAPP has previously written in detail about the processor's determination in relation to the processor, but in a nutshell, a responsible supplier is the unit that "determines the purposes and means of processing personal data," while a subcontractor processes this personal data on behalf of the processor. Under the RGPD, personal data is all information about an identified or identifiable individual. Processing covers all transactions involving personal data. It seems that the text of the RGPD dwells on these definitions.

As you may know, this site is run by the encrypted messaging provider ProtonMail (and funded in part by the European Union's Horizon 2020 programme). As part of our RGPD compliance efforts, we have made our own data processing agreements available to all our users for download, control and signature. The RGPD imposes many obligations on companies that wish to collect and use personal data about their customers (we have discussed them in many articles on our blog, so be sure to check them out). One of the most important obligations is to sign data processing agreements with any other entity with access to this data. If you want to know how to establish a legal data processing agreement, you are in the right place. In this blog post, we will take you through all the important elements of a DPA under the RGPD.