Taking into account the type of processing and the information available, the processor must assist the controller in the performance of its obligations relating to processing security, reporting of personal data protection breaches and data protection impact assessment.

Here's what Debenhams asks of its data providers in the event of a data protection breach:

You should nevertheless ensure that you insert a clause that instructs the subcontractors to immediately inform the data controllers of personal data protection breaches. LinkedIn has a clause in its data processing agreement that covers all security issues, including security measures and notifications regarding personal data protection breaches. Various data processing agreements come close to this, with different degrees of detail. For example, there is only a small part of this section of the TimeTac agreement:

The controller and the processor must also ensure that anyone who works with the data (or has access to it) only processes the data in accordance with the instructions of the controller (as set out in Article 29).

The GDPR requires a data processor to record its activities. Acceptance of this requirement is implicit in some of the clauses we have seen above. However, many data processing agreements also include it as an explicit requirement for the data processor, as well as the conditions under which these records are to be shared.

Remember that the data processing agreement is a contract that governs how the data controller and the processor do business. Where a controller uses a processor to process personal data on his or her behalf, there must be a written contract between the parties. Here is an excerpt from this section of The B2B Marketing Lab's agreement that covers commitments:

Twitter's data processing agreement provides a useful example.
Twitter agrees to "offer you adequate cooperation and support with regard to your obligations with regard to law enforcement requests, data protection breaches, data subjects' rights and requests from supervisory authorities".

Try to cover as much personal data as possible. Note how Bitrix begins its clause by stating that its personal data may contain the listed data types. This clearly shows that not all types of data on the list are necessarily processed, but they can be.
Make sure that you do not process data or share data with subcontractors without this agreement existing and being signed by both parties. The processor may process personal data "only on the documented instruction of the controller". This is the reason for the data processing agreement itself, but it must also be explicitly included in the agreement. In other words, if the data controller does not foresee a specific processing activity in the contract, you can only carry out the processing if you request explicit consent.