If you operate a business that works with user data, you need a data processing addendum. A data processing addendum helps your company in a legal dispute if a third party tries to abuse your users' data. It provides protection to your company against any third-party actions that do not comply with the GDPR or other data protection laws. In this part of the contract, it is appropriate to include a requirement that the processor take all necessary technical and organizational measures before starting to process the personal data of users. Data mapping can be a very useful tool in this regard, as can carrying out a data protection impact assessment.

Know roles

Before you start creating a data processing agreement (DPA), your organization needs to identify each party involved and define their main tasks for that specific agreement. Determine whether more than one data processor or sub-processor is involved. It is also important to know that while processors are supposed to act exclusively under the direction of the data controller, sub-processors act under the direction of the processors. Therefore, including clauses that deal with both roles can significantly reduce misunderstandings and misdirected responsibilities that could otherwise prove costly. If your organisation is a joint controller and the means and purposes of your data processing are determined jointly, the other controllers may also need to be taken into account.
Although the GDPR does not explicitly state that joint controllers need a contract between them, it is strongly recommended to put in place transparent written agreements between controllers that clearly state the agreed roles and obligations.

Evaluate

Finally, before creating a DPA, it is also strongly recommended to carry out supplier risk assessments. Determining in the agreement how each party is involved, and at what level it responds to DSARs (data subject access requests), will be of great value when the time comes.

The most important elements to watch out for when signing a DPA

The GDPR focuses primarily on personal data and data processing, data subjects, controllers and processors. This requires signing a DPA with external data processors. If your organisation uses data on EU citizens, you must be GDPR compliant and use DPAs. Failure to do so could result in hefty fines and penalties. As you can see, this is a significant change in what is required by law, but in practice you may have already incorporated many of these requirements into your existing contracts as privacy best practices. A data processing agreement (DPA) is a legally binding document to be concluded between the controller and the processor in writing or in electronic form. It governs the specifics of data processing, such as scope and purpose, as well as the relationship between the controller and the processor.

Due to our client-side encryption, we cannot access our users' encrypted content, and we cannot use encrypted information to identify an individual.
As a result, according to the GDPR, such content is not considered personal data from our point of view. However, in providing our services, we process certain unencrypted data, including personal data about users managed by our users (for example, usernames, email addresses, file activity, and login attempts). With regard to this limited data, we act as a data processor. Our DPA covers this very limited personal data that we have about our customers, while the data in the customer files is outside the scope of the DPA.

As you can see, these rules affect a vast majority of the world. Find out everything you need to know about data processing agreements in the rest of this article. Data processing agreements are designed to protect both your company and its users from improper processing of personal data that could result in damages or lawsuits. A data processing agreement is just as necessary for small businesses as it is for large ones. Article 30 requires controllers or their representatives to keep a record of processing activities under their supervision. This includes processing carried out by the data controller's processor as governed by a data processing agreement.
According to the GDPR, the organization that defines the purpose of the data processing (i.e. the controller) has more legal obligations, but how the EU customer and the outsourcing company protect this data is the responsibility of both parties: the EU company that needs the application completed and the outsourcing company that needs the data to carry out the project. To give you a better overview, let's look at a general and simple example of a situation where a DPA is required between a data controller and a processor. Let's say a company uses an email marketing tool like Mailchimp to distribute its internal and external newsletters. This way, they are able to measure and gain insights into how subscribers interact with emails. In this case, a DPA between the organization and the service (Mailchimp) is required, which must include the responsibilities that explain the processing of user requests or contact forms. In addition, it may also cover the following:
• Definitions of the terms mentioned in the DPA;
• The type(s) of emails and data processed, and how they are categorized;
• An overview of the obligations between the controller and the processor under the GDPR;
• The different types of personal data and information obtained from the emails, and how they are categorized;
• The categories of data subjects to whom the controller's contacts could belong, such as employees, contractors, customers and other end users;
• The duration of storage and processing of emails;
• Details of email encryption and other security measures;
• Obligations and responsibilities of each party in the event of a data breach.

The General Data Protection Regulation ("GDPR") is a new data protection law in the European Union ("EU") that came into force on May 25, 2018.