Storing backup and server image data
Assign topic to the user
Answer:
If by providing the service you described your company might have access to personal data stored by the customer you would have to comply with the requirements that the EU GDPR sets for data processors. These requirements are set forth in the GDPR regarding the processor obligations:
- To appoint a representative if based outside of the Union - art. 27 (https://advisera.com/eugdpracademy/gdpr/representatives-of-controllers-or-processors-not-established-in-the-union/ );
- To ensure certain minimum provisions in contracts with controllers – art. 28(3) (https://advisera.com/eugdpracademy/gdpr/processor/ );
- Not appoint sub-processors without specific or general authorization of the controller and to ensure there is a contract with the sub-processor containing certain minimum provisions - art. 28(2) & (4) (https://advisera.com/eugdpracademy/gdpr/processor/ );
- Only to process personal data on t he instructions of the controller unless required to process for other purposes by Union or Member State law (but not foreign law, such as US law) – art. 29 ( https://advisera.com/eugdpracademy/gdpr/processing-under-the-authority-of-the-controller-or-processor/) ;
- To keep a record of processing carried out on behalf of a controller – art.30 (https://advisera.com/eugdpracademy/gdpr/records-of-processing-activities/)
- To co-operate with the supervisory authorities – art. 31 (https://advisera.com/eugdpracademy/gdpr/cooperation-with-the-supervisory-authority/) ;
- To implement appropriate security measures – art. 32 (https://advisera.com/eugdpracademy/gdpr/security-of-processing/ );
- To notify the controller of any personal data breach without undue delay – art.33 (2) ( https://advisera.com/eugdpracademy/gdpr/notification-of-a-personal-data-breach-to-the-supervisory-authority/ ) ;
- To comply with the rules on transfers of personal data outside of the Union – art. 44 ( https://advisera.com/eugdpracademy/gdpr/general-principle-for-transfers/)
All of these requirements need to be put in your contracts with your customers, and are already included in the Supplier Data Processing Agreement that you can find in our EU GDPR implementation toolkit (https://advisera.com/eugdpracademy/documentation/supplier-data-processing-agreement/).
Comment as guest or Sign in
Jan 27, 2018