8. Subprocessors – GDPR 28 (2) requires the processor not to subcontract without the authorization of the controller, and GDPR 28 (a) (a) requires the processor to comply with the instructions of the controller during processing. Many DPAs are written so that the processor can name a subprocessor and the controller has the right to object, but only for “legitimate/legal reasons.” The GDPR does not require the controller to give the processor a reason. However, a good way to handle this section is to give the controller the ability to object and to have the processor propose another possible subprocessor. If no choice can be made, the controller must reserve the right to terminate the CCA.

☐ given the nature of the processing and the information available, the processor assists the controller in carrying out its GDPR obligations with respect to processing security, notification of personal data breaches and data protection impact assessments;

A data processing agreement is established to ensure that the processor properly processes the data of the controller. The GDPR sets out some guidelines on what needs to be incorporated into a data processing agreement, which we will discuss later in this article.

The EU's General Data Protection Regulation is more serious about contracts than previous EU data protection rules. If your organization is subject to the GDPR, you must have a written data processing agreement with all data processors. Yes, a data processing agreement is boring paperwork. But it is also one of the most fundamental steps of GDPR compliance and necessary to avoid GDPR sanctions. Like any contract, a data processing agreement should ensure that all parties act appropriately and hold up their end of the contract.
All of this raises the bar for a controller and its processor with regard to any form of data processing, whether it's in the cloud or otherwise. By imposing instructions, setting procedures and enforcing security and legal data processing requirements, the controller not only protects itself, but ensures that the data processor acts within the framework of the GDPR to protect individuals. Controllers should have a data processing agreement with all the data processors they use. Data processors should also have a data processing agreement with all the subprocessors they use.

However, depending on the severity and nature of the infringement, there are two levels of fines. GDPR fines for breaches by data processors generally fall under the first level, which can be as high as 10 million euros or 2% of global turnover. In any case, it is much less painful to sign a data processing agreement and comply with its terms than to pay a GDPR penalty.