Here is an excerpt from article 28 that deals with data processing requirements: the RGPD sets out certain guidelines on what should be included in a data processing agreement that we will discuss later in this article. When personal data is transferred to the third country (EEA) (regardless of the side), “standard contractual clauses” must be concluded to ensure data security outside the EU. This agreement ensures that the requirements of the RGPD will be relevant independently of national legislation. The RGPD defines the fundamental principles of the minimum requirements to be included in each data processing agreement. These requirements are primarily aimed at ensuring that individuals are protected by a system of checks and balances between the processor and the data processor, but these guidelines also provide several levels of protection to all parties involved. 1.1.10 “subprocessor” refers to any person mandated by or on behalf of the subcontractor to process personal data on behalf of the company in connection with the agreement. Processing managers can only use subcontractors who can provide sufficient safeguards to take appropriate technical and organizational measures to ensure that their treatment meets the requirements of the RGPD and protects the rights of those concerned. There are two roles for each party in the contract: controller and processor. However, these roles are not in conflict – for example.B.
both parties may be responsible for the processing of personal data. In general, given that the EU`s general data protection regulation is still in force for some time and that its concepts of `controller` and `processor` are still in force much longer, it seems that there is an established practice for identifying third parties and where they fit into this image. However, there are still situations in which this remains a major challenge for both the organisations concerned and the data protection authorities. In light of the above, it can be concluded with caution that, although the RGPD processor is certainly not subject to the definition of a third party within the CCAC, there may be situations in which a person or organization, particularly a service provider who is not a third party under the CCAC , would nevertheless be one-third under the RGPD, depending on the extent of the independence and discretionary treatment of personal data to provide services that are the contract. An important example is payment management schemes which, under the RGPD, are generally considered independent and third-party actors, but which could be defined as service providers and are not third parties under the CCAC, provided the necessary contractual arrangements are in place. ☐ the subcontractor must take appropriate steps to assist the processing manager in responding to individuals` requests in the exercise of their rights; 1.1.3 “contract processor,” a subprocessor; By providing these clauses as part of the agreement, the processor limits his guilt by making available to the data processor everything he needs to carry out his duties properly. Article 31 provides that processors and data processors (or their representatives) cooperate with supervisory authorities. This balance gives each party a certain degree of responsibility for the other, which occurs lifeless, without the other`s knowledge. The short answer is “yes.” The processing managers are responsible for compliance with the law by all third-party developers they use, so your contract with a processing manager as a subcontractor covers compliance with the RGPD.
For more details, you can read the ProtonMail data processing agreement or the generic model of data processing agreements that we have made available on this site. In addition, the company has appropriate guarantees regarding the transfer of data to the third country. One of these guarantees was mentioned in paragraph 1 – it is a standard contractual clause document.