The GDPR requires controllers and processors to enter into a Data Processing Agreement (DPA) to regulate outsourced data processing. [1] Although supervisory authorities (AS)[2] and the European Commission (EC)[3] have the power to issue standard contractual clauses as DPAs[4], so far only Danish SA has issued a number of DPA clauses. (See our WSGR Data Advisor article on the final publication of Danish standard contractual clauses for supplier agreements: a new standard?). Danish CTCs and DPA CTAs can be used as a model for ODA throughout the EU. This data processing agreement is based on the ProtonMail DPA, which can be found on this page. Organizations can use the following document as part of their GDPR compliance. HubSpot`s data processing agreement provides an example of a data protection agreement that includes the standard contractual clauses adopted by the European Commission, definitions of relevant terms, details of processing, obligations of subcontractors and more. The ODA CSCs will enter into force on 27 June 2021. Controllers and processors then have four options: (i) rely on the DPA CTCs as a whole (e.g. .B. as a stand-alone contract or as a complement to.B a broader contract, e.g. a framework contract for services), (ii) rely on the DPA CLAs as a whole and add other additional clauses or guarantees, [5] iii) rely in part on DPA CTCs (e.B. by including selected clauses in existing templates), or iv) continue to rely on their own templates (as long as they contain all the provisions required by the GDPR).
[6] Although companies are free to choose whether or not to use DPA SCC, they are likely to become the «gold standard» in the EU. (For an analysis of the new CTCs governing the transfer of personal data (new CCTs), see our article WSGR Data Advisor A new data transfer mechanism is available for EU personal data.) 1.1.4 «Data Protection Laws» means the data protection laws of the EU and, where applicable, the data protection laws of another country; DPA CCTs meet the requirements of the GDPR for outsourced data processing. Key provisions to be considered or not when reviewing the use of DPA CTCs include: On 4 June 2021, the European Commission published its long-awaited new set of Standard Contractual Clauses for Outsourced Data Processing (CSC DPA). These DPA CCAs are a model contract that organizations can use to comply with the General Data Protection Regulation (GDPR) rules on outsourced data processing. 1.1.8.2 a transfer of the company`s personal data from a processor to a sub-processor or between two entities of a processor in all cases where such a transfer would be prohibited by data protection laws (or by the terms of data transfer agreements established to meet data transfer restrictions of data protection laws); (c) the Parties seek to implement a data processing agreement that meets the requirements of the applicable legal framework for data processing and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27. April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). [5] Unless the additional clauses or guarantees directly or indirectly conflict with the data protection officers or affect the fundamental rights or freedoms of the data subjects. (B) The Company wishes to subcontract certain services involving the processing of personal data to the Processor. 11.1 The Processor may not transfer or authorise the transfer of data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Company. Where personal data processed under this Agreement are transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected.
To do this, unless otherwise agreed, the parties rely on EU-approved standard contractual clauses for the transfer of personal data. 8. Data Protection Impact Assessment and Prior Consultation The Processor shall provide the Company with appropriate assistance in data protection impact assessments and prior consultations with supervisory or other competent data protection authorities that the Company deems reasonably necessary under Article 35 or 36 of the GDPR or equivalent provisions of any other protection law data. in any case, only with regard to the processing of the company`s personal data by and taking into account the nature of the processing and the information available to the subcontractors. .