Processors (and subcontractors or people working for processors) can never process personal data on behalf of processors unless they have clear instructions for processing that data. So, no initiatives if you don`t have a clear mandate (RGPD Article 29). The person in charge of processing determines the purposes and means used to process personal data. Therefore, if your company or organization decides why and how personal data should be handled, it is responsible for the processing. People who process personal data within your organization perform your duties as data manager. As you may know, this site is run by the encrypted messaging provider ProtonMail (and funded in part by the European Union`s Horizon 2020 programme). As part of our RGPD compliance efforts, we have made our own data processing agreements available to all our users for download, control and signature. And the principles of Article 5 of the RGPD on the processing of personal data apply to both data processors and processors. Your company/organization is a common responsible leader when it determines, in conjunction with one or more organizations, why and how personal data should be processed. Joint air traffic controllers must enter into an agreement defining their respective responsibilities for compliance with the RGPD rules.
Key aspects of the agreement must be communicated to those whose data is being processed. The data processor only processes personal data on behalf of the processor. The data transformer is usually a third party outside the company. However, in the case of business groups, one company can act as a processor for another company. Therefore, if you have outsourced a number of tasks involving personal data and the company to which you outsourced it is too busy and you need to find another company for a particular task (or that costs less, as is often the case in so many activities), you need to know and approve it. The same applies if there are changes (even temporary ones). 8. The data protection impact analysis and the data protection subcontractor provide the company with appropriate support for all data protection impact assessments and prior consultations with supervisory authorities or other data protection authorities; that the company considers reasonably necessary in accordance with section 35 or 36 of the RGPD or equivalent provisions of another data protection law, in any case only with respect to the processing of the company`s personal data by contract processors and taking into account the nature of the processing and information available to processors. The data exporter is the customer, a user of services provided by the processor, the entity that has executed an agreement and accepts standard contractual clauses as a data exporter. (C) The parties are working to implement a data processing agreement in line with the requirements of the current legal framework for data processing and the 2016/679 European Parliament and Council 27 April 2016 on the protection of individuals in the processing of personal data and the free movement of personal data and repealing Directive 95/46/EC (General Data Protection Regulation).