When a subcontractor uses another organization (i.e. a further subcontractor) to help process personal data for a processing manager, it must have a written contract with that further subcontractor. In the case of joint processing managers, the data exchange agreement can also be used to define the responsibilities of companies sharing data in accordance with Article 26 of the GDPR. For international data transfers from the UK to other jurisdictions, please visit the ICO website.
The GDPR does not require that the contract contain a provision that a subcontractor must keep records of the processing it performs for the processing manager, although those records would be useful to the subcontractor to prove that it is in compliance with Article 28. However, Article 30, paragraph 2, sets out the requirements for subcontractors to keep records of their processing activities. More information about this can be found in our controller and processor guides.
Compliance with an approved code of conduct or certification system can be used as proof of compliance with security obligations. Codes of conduct and certifications can also help processors demonstrate sufficient guarantees that their processing is in compliance with the GDPR. Both processors and subcontractors are required under Article 32 to take appropriate technical and organizational measures to ensure the security of the personal data they process, which may include, if applicable, the following provisions: This data processing agreement is adapted by the Data Protection Authority ProtonMail, which is located on this page. Organizations can use the following document as part of their compliance with the GDPR.
We appreciate the practical reality that it may not be possible to delete data from backups or archives at the end of a contract. If appropriate security measures are taken, such as putting the data immediately beyond use, it may be acceptable that the data is not immediately deleted if the retention period is appropriate and the data is subsequently deleted as quickly as possible, for example via the subcontractor's next erasure/destruction cycle. More information is available on the Information Commissioner's website. The ICO is the independent data protection regulator in the UK. The ICO explains that organizations must assess general compliance with data protection rules when reviewing data exchange. The ICO encourages the completion of a Data Protection Impact Analysis (DPIA), which is considered good practice for all large-scale projects related to the disclosure of personal data or routine data sharing plans, even if there is no specific or likely high-risk indicator.