What Is A Data Processor Agreement
c. Even if the data importer is unable to pass on a subcontract to the data exporter, the parties agree that the data importer makes available to the data exporter (on a confidential basis) all the information it needs under such a subcontracting agreement. 3. Data protection provisions for the sub-treatment of the contract covered in paragraph 1 are governed by the law of the Member State in which the data extract is drawn up. Processors should have carried out a number of due diligence activities involving the transformers they use, which can be grouped together as data protection verification, documentation of data processing activities and obvious verification. A subcontractor cannot support the services of a subprocessor without the express or written prior written permission of the processor. When authorization is granted, the subcontractor must enter into a contract with the subcontractor. The contractual terms of Article 28, paragraph 3, must provide a level of protection for personal data equivalent to that of the contract between the processing manager and the subcontractor. Transformers are responsible for processing compliance with the subprocessings they use.
2. The parties agree that the supervisory authority has the right to carry out a check on the importer of data and a subprocesser with the same scope and conditions as in the case of a control of the data exporter in accordance with existing data protection legislation. Cloud service providers (“CSPs”) now have a key responsibility as data processors and must act exclusively on the instruction of the data processor when processing personal data. Currently, most PSCs offer, in addition to the SaaS (SaaS) agreement, their own standard data processing agreements that cannot be negotiated by a processing manager who wishes to subscribe or access it (for example. B a data manager who wants to use customer relationship management to effectively receive and track customer requests or complaints). Treatment by a subcontractor is subject to a contract or other legal act, within the meaning of EU or Member State law, which is mandatory for the subcontractor with regard to the person in charge of the treatment and which defines the purpose and duration of the treatment, the nature and purpose of the treatment, the nature of the personal data and the categories of persons concerned. , as well as the obligations and rights of the person in charge of the treatment. Product access: a subset of our employees has access to customer products and data via controlled interfaces. Access to a subset of staff means providing effective customer support, solving potential problems, detecting and responding to security incidents, and implementing data security. Access is made possible by “just-in-time” access requirements. all of these requirements are recorded. Role-specific access is granted to staff and audits of high-risk privileges are initiated on a daily basis.
Staff roles are checked at least once every six months.