Data Processing Agreement

Yes, according to article 28 GDPR about the Data processor, it is stated that “The processor shall not engage another processor without prior specific or general written authorization of the controller. In the case of general written authorization, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.”

Consider that the last paragraph of Article 28 GDPR states also “if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.”

I suggest you attaching your DPA draft to your Service agreement in order to demonstrate your compliance and awareness to data protection, control the security measure you can guarantee, and jointly determine the purposes and limits of data processing with the controller. Proposing a draft of DPA can increase the perception of your professional skills.

Here you can find more materials on data processors:

• EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
• Article 28 – Processor: https://advisera.com/eugdpracademy/gdpr/processor/
• Supplier Data Processing Agreement: https://advisera.com/eugdpracademy/documentation/supplier-data-processing-agreement/