Data Processing Agreement Template European Commission

Try to cover as much personal data as possible here. Note how Bitrix begins its clause with the fact that its personal data may contain the listed data types. This clearly shows that not all types of data on the list are necessarily processed, but it can be. In the absence of a data processing agreement or other written contract, it is unlawful for a data controller to use the services of a processor or for a data processor to process personal data on behalf of a data controller. Note that many of the GDPR requirements for data processing contracts are included in this list, for example. B the obligation for the processor to follow the instructions of the controller and to inform the controller if any of these instructions are contrary to data protection legislation. Using GDPR requirements as a guide for this section can be helpful in ensuring that both parties comply with the rules. This data processing agreement is adapted from the ProtonMail DPA that you will find on this page. Organizations can use the document below as part of their GDPR compliance.

The data controller has the right to verify the activities of the processor in order to ensure appropriate security, confidentiality and data protection measures. It is important to include this point in the GDPR data processing agreement in order to remind the processor that audits are part of the company agreement. In other words, if the data controller does not foresee a specific processing activity in the contract, you can only carry out the processing if you request explicit consent. Note that the 72-hour delay shown here may shorten it a bit. The controller is obliged to notify the infringement to his data protection authority within 72 hours. The receipt of a notification by its data processor towards the end of that period may lead to an absence of that period. The European Commission may decide that the standard contractual clauses offer sufficient data protection guarantees so that data can be transferred internationally. It may be a good idea to include this clause in your privacy policy, for example by asking a processor to process large amounts of special category data. DigitalOcean agrees, as a data processor, on carrying out audits in this clause of its DPA: the GDPR wants a complete record of transparency processing activities, both for supervisory authorities and for data subjects.

What do you need to have under Article 30? These requirements are not only applied to companies established in the European Union. Any company that collects personal data (including IP address or geolocation) of EU citizens is expected to comply with the rules of the GDPR. First, describe the purpose of the agreement. Indicate the parties involved and what the GDPR data processing agreement must obtain. The responsibilities of the controller should be clearly listed so that all parties understand how the company agreement works. The subcontractor must allow the manager to carry out audits. These can be performed by another organization on behalf of the data controller. The data processing agreement must allow this, but can also define the basis on which this can be done.