Let us put that in context. Imagine that you are an individual (data subject) who makes online purchases in an e-commerce store. A big part of the GDPR is to provide clear information about your data protection practices in plain language. The processor must expressly agree to comply with the obligations arising from Article 32 of the GDPR. This part of the GDPR concerns the security of data processing. It is necessary for data processors and data controllers to integrate certain security measures into their data processing activities. This is because during this relationship, the controllers will share legally protected personal data with data processors and a data protection authority will help the processor agree to process the data adequately. A data processing agreement is a contract between a data controller and a data processor that governs the processing of personal data of data subjects. These terms are defined in Article 4 of the GDPR:

As we want to help our users on as many fronts as possible, we have created a DPO appointment letter template. The template is currently available via Quip (where you can export to different file formats, top left) and .docx direct download:

Many data processing agreements contain this information in the form of a schedule or appendix at the end of the agreement. The GDPR requires a data processor to record its activities. Acceptance of this requirement is implicit in some of the clauses we have seen above.

However, many data processing agreements also include this as an explicit requirement for the data processor, as well as the conditions under which these records are to be shared. The e-commerce shop asks you for your credit card data to make a payment. The store is responsible for the data. It decides on the purpose (to sell you a product) and the means (the use of your credit card data) of the processing of your personal data. This is a data processing agreement of Voluum (Codewise) that defines the nature and purposes of the processing on behalf of the data controllers:

You provide your credit card data through a payment service such as PayPal. Here, PayPal is the subcontractor. It processes the payment on behalf of the data controller, the e-commerce store. Most of the mandatory conditions required in a data processing agreement are the obligations of the processor. These are defined in Chapter 4 of the GDPR, Article 28 being particularly important.

You need to make sure that you only pass on your users' data to companies that are GDPR compliant. And you are legally obliged to enter into a contract with all data processors, that is, with anyone who processes personal data on your behalf. Other examples of data processors are companies that offer services in the following areas:

They should then give the names of the parties to the agreement (an appropriate manager representing your company and the DSB) and spaces for each to sign their name and write the date. The GDPR implies new obligations for data processors. As the European Commission says, data processors cannot “hide” behind their data controllers. However, the main obligation to retain personal data lies with the data controller. A data subject may be a data subject, a data controller and a data processor, depending on his or her relationship with a number of personal data. A company that acts primarily as a data processor will often be responsible for the data.

1.1.8.2 the transmission of personal data of the company of a subcontractor to a subcontractor or between two entities of a subcontractor, if such transfer was prohibited by data protection legislation (or by the terms of data transfer agreements concluded to address the data protection limitations of data protection legislation);

(C) The Parties shall endeavour to implement an IT agreement in accordance with the requirements of the existing legal framework on data processing and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation). . . .