When a controller uses a processor to process personal data on its behalf, there must be a written contract between the parties. Contracts between controllers and processors ensure that both understand their obligations, responsibilities and liabilities. Contracts also help them comply with the RGPD and help controllers demonstrate compliance to individuals and regulators. Are you ready for the RGPD? Our RGPD checklist can help you secure your business, protect your customers' data and avoid costly fines for non-compliance.

5. Insurance – In addition to any other insurance required by the agreements between the parties, the controller should require the processor (or, where applicable, the controller) to maintain an adequate level of insurance cover. That cover should at least include privacy and cybersecurity liability (including costs arising from data destruction, hacking or malicious breaches, crisis-management activities relating to data breaches, data protection claims, and breach notification costs). Actual coverage amounts vary with the total contract value and the volume of data processed. Download our checklist to see whether your controller-processor agreements cover all the necessary points.
6. Transfer of personal data – The processor may not transfer personal data (and may not allow its sub-processors to transfer personal data) without the prior approval of the controller. The processor acknowledges that the controller must approve and document the existence of adequate protection for the personal data after the transfer, using contracts that offer sufficient guarantees (for example, standard contractual clauses), unless there is another legal basis for the transfer. There are many ways to structure this clause, and reference to the text of the RGPD itself is essential.

☐ at the end of the contract, the processor must delete all personal data or return it to the controller (at the controller's choice), and must also delete any existing copies, unless the law requires their retention; and

☐ taking into account the nature of the processing and the information available to it, the processor assists the controller in meeting its RGPD obligations with respect to the security of processing, notification of personal data breaches and data protection impact assessments.

A data protection impact assessment (including keeping it up to date) is a way to help you understand how your product or service puts your customers' data at risk and how to minimise those risks. The UK Information Commissioner's Office (ICO) publishes a data protection impact assessment checklist on its website. The RGPD requires organisations to carry out this type of assessment when they plan to process individuals' data in a way that is "likely to result in a high risk to [their] rights and freedoms". The ICO recommends that you carry one out whenever you are about to process personal data.

7. Audits – Every controller should have the right to obtain compliance information (SOC 1, SOC 2 or other audit reports). In some cases, a right to on-site audit is needed to demonstrate the compliance of smaller processors.
In other cases, large processors (or large vendors) do not permit on-site audits.
However, the right to conduct an on-site audit at the request of an applicable data protection authority is still necessary and should be specified in the agreement.