The GDPR requires the following to be included in your data processing agreement:

What should be included in a data processing agreement (DPA)? The GDPR is highly prescriptive when it comes to DPA requirements. Article 28(3) provides that the DPA must contain specific details on the processing of personal data, including:

A processor may not use the services of a sub-processor without the specific or general prior written consent of the controller. If an authorisation is granted, the processor must conclude a contract with the sub-processor. The contractual conditions relating to Article 28(3) shall ensure a level of protection of personal data equivalent to that of the contract between the controller and the processor. Processors shall remain liable to the controller for the compliance of the sub-processors they engage.

This guide serves as an introduction to data processing agreements – what they are, why they are important, who they are and what they need to say. You can also follow the link to find a template GDPR data processing agreement that you can download, customize, and use for your business. Since many data controllers work with more than one processor or sub-processor, creating a new DPA for each partnership is daunting. For this reason, many service providers such as Amazon Web Services and Salesforce have made their DPAs available online to controllers.

The following details are also required in a data processing agreement and are usually set out in an annex for easier reference:

The data processing agreement, as it is commonly known, is an important contractual document that defines the responsibilities of the controller and processor. If a processor uses another organisation (i.e. a sub-processor or a "different" processor) to support its processing of personal data on behalf of a controller, it must have a written contract with that processor. These articles constitute the core of the GDPR guidelines regarding data processing agreements and the components of such agreements. This can be a lot to understand when you first read it, so let's go over the key points as they apply to you and your GDPR-compliant data processing agreements.

1.1.8.2 a transfer of the Company's personal data from a Processor to a Sub-Processor or between two entities of a Processor at a time, where such transfer would be prohibited by data protection laws (or by the terms of data transfer agreements entered into to comply with the data protection restrictions of data protection laws);

The term "processing" appears in this article with disgusting frequency. In the GDPR definitions, processing essentially refers to everything you can potentially do with an individual's personal data: collect, store, monetize, destroy, etc. All of this raises the bar for both a controller and its processor in any form of data processing, whether cloud or otherwise.

Cloud service providers ("CSPs") today have important responsibilities as processors and must act solely on the instructions of the controller when processing personal data. Currently, most CSPs offer their own standard data processing agreements alongside the software as a service (SaaS) subscription agreement, and these may not be negotiable by a controller who wishes to subscribe to or access the platform offered by the CSP (e.g. a data controller who wishes to use customer relationship management to effectively receive and track their customer inquiries or complaints).