While a data processing agreement will not prevent all compliance violations by data processors, it establishes strict data processing rules and gives the processor some responsibility to ensure that these rules are followed. The following details are also required in a data processing agreement and are generally defined in a simple reference annex: although there are a number of jurisdictions considered by the EU to be „approved“ jurisdictions (such as Argentina, Canada and Israel), there is considerable uncertainty as to the best solution, given that the data protection shield is regularly checked by the European Commission for its robustness as a data transfer solution. Similarly, standard contractual clauses are currently under review at the European Court of Justice and the European Commission recently announced that it would review all countries that have in the past been deemed „appropriate“ to ensure that their legislation is always useful in ensuring adequate protection of human rights. All of this raises the bar for printing on a controller and its processor compared to any form of data processing, whether it`s Incloud or otherwise. With regard to the RGPD, the data protection officer appoints a data protection delegate and both parties must agree on a periodic review of the contractual terms. If you are a contractor subject to the RGPD, it is in your best interest to have a data processing agreement: it is first required for RGPD compliance, but the privacy policy also gives you assurance that the data processor you are using is qualified and competent. As noted in recital 81, you may have contacted a customer with your organization to enter into a data processing agreement and ask yourself whether it is imperative to operate businesses under the RGPD or whether a simple clause stating that „the service provider is required to comply with existing data protection and data protection legislation“ is sufficient to comply with the General Data Protection Regulation (RGPD 2016/679). The RGPD requires that a processor who hires a data processor be required to enter into a written contract or legislation in accordance with section 28.3 of the RGPD. Many processors offer hosted or cloud-based services that are not in the EU, but clearly have the effect of capturing the processor through the RGPD.

For treatment, managers or processors who are not established in the EU but who are covered by the RGPD must, subject to certain exceptions, appoint a written representative. This representative must be established in a Member State where the persons concerned are processed by the person in charge of the processing or the subcontractor (or in which most of them are located). If you share personal information with a data editor to perform a task, you should essentially have an agreement with that manager.