Data Processing Agreement Requirement

The roles of the parties to a data processing agreement, that is, which capacity each party acts in, should be clearly defined from the outset. This is easier said than done: an organization can act as controller or processor depending on the circumstances, and in many relationships both parties are controllers. If you are a controller subject to the GDPR, it is in your interest to have a data processing agreement: it is required for GDPR compliance in the first place, but the agreement also gives you assurance that the processor you use is qualified and competent.

As recital 81 notes, audit requirements can be burdensome for both the controller and the processor, particularly financially. Properly drafted audit provisions in the agreement, however, not only help companies avoid fines under the GDPR but also help them avoid unwelcome public scrutiny. One lesson from Facebook's experience with Cambridge Analytica is that contractual assurances may not be enough; in some cases a full audit may be required to confirm that processors are meeting their security obligations, including access restrictions, and deleting data when required.

To meet the GDPR's requirements, an organization acting as a controller that uses the services of a processor to process personal data on its behalf must enter into a legally binding contract (a written contract or other legal act) with that processor. Article 28(3) of the GDPR specifies what this written contract must contain. Two fragments from a template data processing agreement, a recital and an audit clause, show typical wording: "(B) The company wishes to subcontract to the data processor certain services that involve the processing of personal data." and "10.2 The company's information and audit rights under this clause arise only to the extent that the agreement does not otherwise give it information and audit rights meeting the relevant requirements of data protection law."

Under Article 83, infringements of the Article 28 obligations, and of other articles that a data processing agreement may touch on, can attract administrative fines of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of its total worldwide annual turnover for the preceding financial year, whichever is higher. A controller's failure to obtain the guarantees required by Article 28 could therefore lead to such fines, which places a heavy burden on the controller to ensure compliance. Other matters that a data processing agreement can address include more detailed provisions on the use of sub-processors, breach notification and response, data transfers and, possibly, indemnification clauses. In essence, a data processing agreement is a form of assurance that the processor is exercising due care to protect personal data. If, for example, a controller and a processor have entered into a data processing agreement and the processor breaches it, the supervisory authority could limit the controller's liability for that breach.