The EU`s general data protection regulation is more serious about contracts than previous EU data protection rules. If your organization is subject to the RGPD, you must have a written data processing agreement with all data processors. Yes, a data processing agreement is boring paperwork. But it is also one of the most fundamental steps of RGPD compliance and necessary to avoid RGPD sanctions. This guide serves as an introduction to data processing agreements – what they are, why they are important, who they are and what they need to say. You can also follow the link to find a RGPD data processing model that you can download, customize and use for your business. RGPD compliance requires processors to sign a data processing agreement with all parties acting on their behalf as data processors. If you need some definitions of these terms, you can find them in our article “What is the RGPD,” but as a general rule, a data processor is another company you use to help you store, analyze or communicate personal information. For example, if you are a health insurance fund and you share customer information via encrypted emails, this encrypted messaging service is a data processor. Or if you use Matomo to analyze traffic on your site, Matomo would also be a data editor. The persons authorized to process personal data are workers and temporary workers involved in the processing processing. In accordance with Article 28, paragraph 3, point b), of the RGPD, agents undertake strict confidentiality. This can be done either by a specific contractual agreement or by legal obligations already taken.
A processing manager and a subcontractor who enter into a data protection agreement are required to sign a written contract (including electronic form, Article 28, paragraph 9, of the RGPD) to document and clarify the extent of the subcontractor`s actions, powers and obligations. The agreement between the processing manager and the subcontractor also indicates the purpose of the processing, the duration, the nature of the personal data to be processed, the categories of data that are outsourced and the obligations and rights of the processing manager. If the subcontractor receives the approval of the processing manager, section 28, paragraph 4, of the RGPD becomes relevant. As a result, when a subcontractor requires another subcontractor to carry out certain activities, the same data protection obligations are imposed on that other subcontractor as the one stipulated in the “primary” data processing agreement (between the processing manager and the subcontractor).  A subcontractor may process data without, against or above the instructions of the person in charge of the processing, if required by EU law or by other laws of the applicable Member States. This is why it seems important to negotiate data processing agreements carefully, including with regard to the existence of such a legal requirement. However, depending on the severity and nature of the injury, there are two levels of fines. Fines imposed on the RGPD for breaches of data processors are generally covered by the first stage, whose guidelines can be as serious as 10 million euros or 2% of global turnover. In any case, it is much less painful to sign a data processing agreement and to comply with the terms than to pay a penalty from the RGPD. We hope this guide will help. Other easy-to-digest helps for RGPD compliance can be accessed in our RGPD checklist.