A subcontractor cannot support the services of a subprocessor without the express or written prior written permission of the processor. When authorization is granted, the subcontractor must enter into a contract with the subcontractor. The contractual terms of Article 28, paragraph 3, must provide a level of protection for personal data equivalent to that of the contract between the processing manager and the subcontractor. Transformers are responsible for processing compliance with the subprocessings they use. Previously, the 1988 and 2003 Data Protection (“DPA”) legislation included obligations to both those responsible for processing and subcontractors involved in the processing of personal data. The introduction of the RGPD means that the obligations of processors involved in the processing of personal data will be extended and strengthened. Whether you are acting as a controller or as a transformer under the RGPD is a matter of facts that you must judge on a case-by-case basis. For example, processors can only process personal data on the documented instructions of a department head. On the other hand, a responsible holder defines the purposes and means of processing personal data. Both those responsible for the processing and the subcontractors are required, Article 32, to take appropriate technical and organizational measures to ensure the security of the personal data they process, which may include, if applicable, the following elements: in accordance with Article 28, paragraph 3, point a), the contract provides that the subcontractor`s handling of personal data may only be consistent with the documented instructions of the processor (including international transmission of personal data) unless necessary under EU or contract law.
7.1 The subcontractor will immediately inform the company that the subcontractor will be aware of a breach of personal data relating to the company`s personal data and will provide the company with sufficient information to enable it to fulfil all reporting or information obligations of the persons concerned regarding the breach of personal data in accordance with data protection legislation. Processing managers can only use subcontractors who can provide sufficient safeguards to take appropriate technical and organizational measures to ensure that their treatment meets the requirements of the RGPD and protects the rights of those concerned. An obligation under the RGPD is the obligation for processors to enter into a legally binding contract when a processor instructs a subcontractor to process personal data on its behalf. In the event of a subcontractor`s solicitation, the RGPD requires processors to use only processors with sufficient safeguards to take appropriate technical and organizational steps to respect the RGPD and protect the rights of the individual concerned. Similarly, the RGPD requires the processing manager and subcontractor to enter into a legally binding contract for the processing of personal data when a user responsible for processing entrusts the processing of personal data to a subcontractor. A significant change to this obligation is that the RGPD impose more provisions for inclusion in data processing contracts. These binding provisions for inclusion in data processing contracts under the RGPD are listed below. (B) The company wishes to provide the data processor with certain services that involve the processing of personal data. ☐ given the nature of the processing and the information available, the subcontractor must inform the processing manager in carrying out his or her GNI obligations with respect to processing security, reporting of violations of personal data and impact assessments on the date.