Expert Advice Community


Sub processor data processing agreements

Guest
Guest user Created:   Jul 11, 2018 Last commented:   Jul 11, 2018


Your data processor to sub-processor agreement refers to a “principal agreement” so I’m not sure what your advice would be in these scenarios? Is there a simpler way of ensuring we are compliant without having a formal contract and processing agreement in place? Bear in mind that many of these providers are self-employed or running small businesses (eg local cleaners, gardeners, maintenance contractors, inventory clerks etc) or providers we will never use again (eg local hotels, holiday lets, letting agents etc).

Expert
Andrei Hanganu Jul 11, 2018

Answer:

My assumption would be that all of your subcontractors would have a commercial contract in place with you. So the Processing Agreement would need to be a part of that contract regarding if we are talking about a Frame Agreement or a “one off” agreement.

Based on GDPR Article 28(4) - “Processor” (https://advisera.com/eugdpracademy/gdpr/processor/): where a Data Processor engages another Data Processor for carrying out specific Processing activities on behalf of the Company, the same data protection obligations (as set out in the contract between the Company and the Data Processor) shall be imposed on that other Data Processor by way of a contract. The initial Data Processor shall remain fully liable to the Company for the performance of that other Data Processor's obligations.

So, because you are also responsible for the actions of your sub processors, I would strongly recommend having a formal process in place.

Guest
debbieward Jul 11, 2018

Thanks Andrei. We do have contracts in place with sub-contractors and suppliers we use on a regular basis; however, we often need to source additional "local" suppliers on an ad hoc basis. It doesn’t make sense to issue a contract and processing agreement to a local cleaner / gardener / decorator or maintenance contractor / holiday let / hotel as a one-off and these individuals and small local businesses wouldn't have any understanding about what they are signing. Timings are a challenge too as many of these requirements are urgent which makes getting this amount of paperwork signed unrealistic.

I'd like to know if there is a simpler process / document we could employ in these circumstances. Would it be sufficient for us to ask them to sign some kind of job instruction form which incorporates a declaration to confirm that they meet the following regulations under the General Data Protection Regulations 2018:

As a third party processor of personal data you hold please can you confirm:

• You have a Data Protection Policy and comply with General Data Protection Regulations
• Data you process is stored securely
• You do not share data you process with any other person or business

Many thanks,

Debbie

Expert
Andrei Hanganu Jul 12, 2018

You can call the document that you sign with the supplier however you want. The main point is that it is a legally binding document and is consistent with the requirements of the EU GDPR art. 28 – “Processors” (https://advisera.com/eugdpracademy/gdpr/processor/). Bear in mind that in some cases, if the subprocessors act outside their processing mandate (contrary to your instructions), you may need to be able to enforce penalties on them.

Guest
debbieward Jul 13, 2018

Thanks Andrei
