Under Article 28, the processing of personal data is permitted only “on documented instructions from the controller” (unless required by law). A data processor may also engage “subprocessors” to process data on its behalf, but only with the written permission of the controller. The processor is responsible to the controller for the actions of these subprocessors. The processor must take appropriate measures to ensure the security of the processing. Controllers must have a data processing agreement with all the data processors they use. The agreement can be written by the controller or the processor; either way, it is binding on both parties. The data processor takes appropriate measures, such as protected buildings, to prevent physical access and unauthorized access to personal data. HubSpot's IT agreement is an example of a DPA that contains the standard contractual clauses adopted by the European Commission, definitions of relevant terms, processing details, processor obligations, etc. This data processing agreement (“DPA”) defines the data protection obligations of the parties arising from the processing of personal data by the data processor on behalf of the controller in connection with the offer, service agreement or other agreement between the parties (“arrangement”). Most of the mandatory requirements of a data processing agreement are obligations on the data processor.
These are set out in Chapter 4 of the GDPR, with Article 28 being particularly important. The data processor must allow the controller to conduct audits. These can be performed by another organization on behalf of the controller. The data processing agreement must allow this, but it can also lay the groundwork. (iv) Ensure that subcontractors undertake to process personal data in accordance with data protection legislation. 7.2 The data processor provides the controller with appropriate cooperation so that the data protection officer can perform a data protection impact analysis that he must perform under the applicable data protection law.