Data Processing Agreement
I have a question about GDPR I hope you can help with.
We have some customers (data controllers) for which we are processing data; however, we have no Data Processing Agreement in place with the customer.
Is it our responsibility to approach the customer who is the data controller to ensure a DPA is in place and, if so, what is the best way to approach this?
Yes, according to article 28 GDPR about the Data processor, it is stated that “The processor shall not engage another processor without prior specific or general written authorization of the controller. In the case of general written authorization, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.”
Consider that the last paragraph of Article 28 GDPR also states: “if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.”
I suggest attaching your DPA draft to your Service agreement in order to demonstrate your compliance with and awareness of data protection, control the security measures you can guarantee, and jointly determine the purposes and limits of data processing with the controller. Proposing a draft of the DPA can increase the perception of your professional skills.
Here you can find more materials on data processors:
- EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
- Article 28 – Processor: https://advisera.com/eugdpracademy/gdpr/processor/
- Supplier Data Processing Agreement: https://advisera.com/eugdpracademy/documentation/supplier-data-processing-agreement/
Feb 26, 2020