Hi there, we are remittance Group, we deal with banks/remittance/agents in EU & all over the world. We are processor. The banks/agents are using our API. Our processing activities and central administration take place in Malaysia.
1. Do we need to register our Lead Supervisory Authority in Malaysia or in EU country? We don't have establishment in the EU but we have a branch in London but the processing activity do not take place in London. Please advise
2. Another question is does the GDPR Addendum needed to sign by both parties?? As some GDPR Addendum we received the signature isn't required.
1. In your case it is not about registering to Lead Supervisory Authority since you don't have multiple establishments in the EU. Because you have an establishment in UK it will most likely that the UK company will act as a representative in the Union. You need to check the ICO's website to find out more about the registration requirements (https://ico.org.uk/for-organisations/register/).
2. The GDPR Addendum/Data Processing Agreement needs to be signed by both parties as it is a legally binding document. Electronic signature works as well.
To learn more about the EU GDPR check out our free “EU GDPR Foundations Course” https:/training.advisera.com/course/eu-gdpr-foundations-course/
Another question, if for the airtime, all the air time supplier deal with service provider and supplier, we are all sub-processor and it is bilateral way. how do we draft it in processor sub processor agreement? as we all could be processor and sub processor at any time. we cant put it as A is a processor, B is a sub processor, as A could be sub processor and B could be processor at anytime they could always change. Their relationship is bilateral. how should we draft the agreement?