Co-Controller Agreement GDPR

Our data protection authority provides a number of guarantees to companies that entrust us with personal data. For example, the ProtonMail data processing agreement promises the use of technical security measures such as encryption, as specified in Article 32 of the GDPR. It also provides adequate assistance to controllers in carrying out a data protection impact assessment. There are some important things to keep in mind with this agreement: Joint controllers must create a “joint controller agreement” (this is our term and not the GDPR) that defines their respective responsibilities for GDPR compliance, including: This excerpt from the agreement shows how the two controllers divide some of the GDPR's responsibilities to each other: Joint controllers must allocate their GDPR compliance responsibilities “seamlessly” among what we call “joint controllers”. Agreement. The “essence” of this agreement must be made available to the people concerned. If you are a business owner subject to the GDPR, it is in your best interest to have a data processing agreement: first, it is necessary to comply with the GDPR, but the DPA also gives you assurance that the data processor you use is qualified and capable. As mentioned in recital 81, as you may be aware, this website is operated by the encrypted email provider ProtonMail (and partly funded by the European Union's Horizon 2020 programme). As part of our GDPR compliance efforts, we have made our own data processing agreement available to all our corporate users for download, review and signature. A property management maintains student dormitories for the owner, the university. On behalf of the university, the company enters into rental agreements with students and pursues rent arrears.

She collects the rent and passes it on to the university after receiving a commission. The EU's General Data Protection Regulation takes a more serious approach to contracts than previous EU data regulations. If your company is subject to the GDPR, you must have a written data processing agreement with all your subcontractors. Yes, a data processing contract is boring paperwork. But it's also one of the most basic steps in GDPR compliance and necessary to avoid GDPR fines. For this purpose, Facebook has created its addendum on the page statistics controller. Here is an excerpt from this joint plea agreement: GDPR compliance requires data controllers to sign a data processing agreement with all parties acting as data processors on their behalf. If you need definitions of these terms, you can find them in our article “What is GDPR”, but generally a data processor is another company you use to help you store, analyze or disclose personal data. For example, if you are a health insurance company and you share customer information via encrypted emails, this encrypted email service is a data processor. Or if you use Matomo to analyze traffic to your website, Matomo will also be a data processor.

The Joint Corporate Controller Agreement should define the roles and responsibilities of each group member, including: In this article, we will look at how joint controllers, the GDPR requirements of the joint controller, and how to create a “joint controller agreement”. We will incorporate some of the recent guidelines of the European Data Protection Board (BEP). When the CJEU ruled that Facebook and the administrators of the Facebook pages were jointly liable, Facebook had to act to ensure that it complied with Article 26 of the GDPR. This meant establishing a joint controller agreement with page administrators. A data processing agreement is a legally binding contract that defines the rights and obligations of each party with regard to the protection of personal data (see “What is personal data?”). Article 28 of the GDPR covers data processing agreements under Section 3: However, there are two levels of fines, depending on the severity and nature of the breach. Fines imposed by the GDPR for breaches related to subcontractors are usually the first step, which, according to the guidelines, can reach up to €10 million or 2% of global revenue. In any case, it is much less painful to sign a data processing agreement and comply with the conditions than to pay a GDPR fine. We hope this guide helps you. For easier to understand help on GDPR compliance, check out our GDPR checklist. 
1.1.8.2 a transfer of the company's personal data from a processor to a sub-processor or between two entities of a processor in all cases where such a transfer would be prohibited by data protection laws (or by the terms of data transfer agreements established to meet data transfer restrictions of data protection laws); (c) the Parties seek to implement an agreement on data processing in accordance with the requirements of the applicable legal framework for data processing and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
