The processing of the data by the person in charge of the processing should only be treated by the person in charge of the processing. The subcontractor must have adequate information security, must not resort to subcontracting without knowing and the consent of the person in charge of the processing, must cooperate with the authorities in case of request, report to the person in charge of the data protection, as soon as he is aware of them, give the person in charge of the processing the opportunity to carry out audits verifying compliance with the DSGVO , to help the person in charge of the treatment, to respect the rights of the people concerned. , should assist the processing manager in dealing with the consequences of data breaches, delete or return all personal data at the end of the contract, at the choice of the processing manager, and inform the processing manager if the processing instructions violate the RGPD. ☐ given the nature of the processing and the information available, the subcontractor assists the processing manager in carrying out his RGPD obligations with respect to processing security, notification of personal data breaches and data protection impact analyses; Article 28, paragraph 3, point h) requires that the agreement be required: Article 30 stipulates that those responsible for the processing or their representatives must keep records of the processing activity under their control. This includes the processing by the data processor of the processor in accordance with a data processing agreement. By providing these clauses as part of the agreement, the processor limits his guilt by making available to the data processor everything he needs to carry out his duties properly. 5. Insurance – In addition to all other assurances required by agreements between the negotiating parties, the data protection authority should require the subcontractor (or controller) to maintain an adequate level of assurance. Such assurance should at least cover privacy and cybersecurity liability (including costs arising from data destruction, hacking or intentional breaches, crisis management activities related to data breaches and data protection claims, data breaches and notification fees). Actual coverage amounts vary, based on the total amount of contracts and data processed. ☐ the subcontractor must take appropriate steps to assist the processing manager in responding to individuals` requests in the exercise of their rights; The agreement stipulates that the subcontractor may only process personal data in accordance with the documented instructions of the processing manager (including during the international transfer of personal data), except in cases where EU or contract law requires it. If you exchange personal data with other parties, you should have a data processing agreement. Sections 28 to 36 of the RGPD cover the requirements for data processing and data processing agreements.
Let`s take a look at responsibilities that are a little more specific to different roles. ☐ the subcontractor must delete all personal data (at the choice of the processing manager) at the end of the contract or return it to the processing manager, and the subcontractor must also delete existing personal data, unless the law requires its storage; and this site is operated, as you may know, by the encrypted messaging provider ProtonMail (and partly funded by the European Union`s Horizon 2020 programme).