Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, known as the GDPR, redefines economic relationships between entities in the context of data transfer. Many companies using external service providers must transfer personal data of customers, employees, and contractors. To do this legally, it is necessary to conclude an appropriate agreement and comply with specific regulations.

What is entrusting the processing of personal data?

Entrusting the processing of personal data occurs when a data controller transfers data to another entity (a processor) for processing on the controller's behalf. This is typical when using services such as accounting, marketing, IT, or database management. It is crucial that the processor operates in accordance with the data controller's guidelines.

GDPR and the data processing agreement

The GDPR introduces a number of requirements regarding the processing of personal data. Primarily, the contract must be concluded in writing or electronically. It should specify in detail:

  1. Subject of processing: What data will be processed.
  2. Duration of processing: The period for which the data will be processed.
  3. Nature and purpose of processing: Why and how the data will be processed.
  4. Type of personal data: The specific type of data that will be processed.
  5. Categories of data subjects: The group of people whose data is processed.
  6. Obligations and rights of the controller: Detailed scope of obligations and rights of the data controller.

Obligations of the processor

The processor has obligations that must be clearly defined in the contract. These include:

  • Data processing in accordance with the controller's instructions.
  • Protection of personal data: Implementation of appropriate technical and organizational measures.
  • Confidentiality: Those with access to data must be bound by confidentiality obligations.
  • Support for the controller: Assistance in fulfilling the controller's obligations towards data subjects.
  • Deletion or return of data after termination of processing: After termination of the cooperation, the processor must return or delete the data.
  • Documentation of activities: The processor must maintain documentation of data processing activities and make it available to the controller upon request.

Selecting the appropriate processor

The choice of a processor cannot be left to chance. The data controller must make sure that the selected entity provides an adequate level of data security and complies with GDPR regulations. Before entering into a contract, it is advisable to conduct an audit or use control forms to verify the procedures used by the potential processor.

Differences between entrusting and disclosing personal data

It's important to distinguish between entrusting data processing and disclosing it. Entrusting occurs when a processor processes data in accordance with the controller's instructions. Disclosing data occurs when the data is transferred to another entity that independently determines the purposes and means of processing.

Consequences of the lack of an entrustment agreement

The absence of a data processing agreement when the data is actually processed by another entity constitutes a violation of the GDPR. This may result in administrative fines being imposed by the President of the Personal Data Protection Office and in civil liability towards data subjects. Therefore, it is crucial to always conclude appropriate data processing agreements.

Summary

Entrusting personal data processing in accordance with the GDPR requires diligence and attention to detail. Concluding a detailed contract that meets GDPR requirements and selecting reliable business partners are key steps in ensuring compliance. Adhering to these principles will minimize risk and protect the rights of data subjects.

This alert is for informational purposes only and does not constitute legal advice.

Legal status as of July 24, 2024
