Where the processor uses sub-processors outside the EU/EEA for the processing of personal data, that processing must be carried out under the EU's standard contractual clauses for transfers to third countries, or under another expressly stated legal basis for transferring personal data to a third country. For the avoidance of doubt, the same applies when data is stored in the EU/EEA but can be accessed from locations outside the EU/EEA.

The GDPR requires data processing agreements between data controllers and data processors, and sets out what those agreements must contain. Articles 28 to 36 of the GDPR cover the requirements for processing and for data processing agreements. This is a fairly large amount of material, so let's break it down into more manageable terms that you can apply to your business.

Product access: a subset of our employees has access to customer products and data via controlled interfaces. The purpose of giving this subset of staff access is to provide effective customer support, resolve potential problems, detect and respond to security incidents, and implement data security. Access is granted through "just-in-time" access requests, all of which are logged. Staff are granted role-specific access, and audits of high-risk privileges are run daily. Staff roles are reviewed at least once every six months.

The contract should make it clear that it is the controller, not the processor, who has overall control over what happens to personal data.
If you share personal data with other parties, you should have a data processing agreement in place. Let's take a look at the responsibilities that are specific to each role.

☐ Taking into account the nature of the processing and the information available to it, the processor assists the controller in meeting its GDPR obligations regarding the security of processing, the notification of personal data breaches, and data protection impact assessments.

If your company complies with the GDPR, every data processor you use must do the same, including by signing a compliant data processing agreement.

Definition according to the GDPR: if a processor carries out processing on behalf of a controller, the controller does not comply with the GDPR unless there is a written contract between the two parties containing at least the following clauses:

Articles 33 and 34 set out the procedures for notifying the supervisory authority and the data subjects of personal data breaches.