Try to cover as much personal data as possible here. Note how Bitrix begins its clause by stating that its personal data may contain the listed data types. This clearly shows that not all types of data on the list are necessarily processed, but they can be. In the absence of a data processing agreement or other written contract, it is unlawful for a data controller to use the services of a processor or for a data processor to process personal data on behalf of a data controller. Note that many of the GDPR requirements for data processing contracts are included in this list, for example, the obligation for the processor to follow the instructions of the controller and to inform the controller if any of these instructions are contrary to data protection legislation. Using GDPR requirements as a guide for this section can be helpful in ensuring that both parties comply with the rules. This data processing agreement is adapted from the ProtonMail DPA that you will find on this page. Organizations can use the document below as part of their GDPR compliance.
What do you need to have under Article 30? These requirements do not apply only to companies established in the European Union. Any company that collects personal data (including IP address or geolocation) of EU citizens is expected to comply with the rules of the GDPR. First, describe the purpose of the agreement. Indicate the parties involved and what the GDPR data processing agreement must achieve. The responsibilities of the controller should be clearly listed so that all parties understand how the company agreement works. The processor must allow the controller to carry out audits. These can be performed by another organization on behalf of the data controller. The data processing agreement must allow this, but can also define the basis on which this can be done.