Section 32 sets out the security requirements for processing managers and subcontractors to protect the rights and safety of the persons concerned. These security measures are outlined in the GDPR guidelines on appropriate data processing agreements. The term "processing" appears in this article with repugnant frequency. In the definitions of the GDPR, processing essentially refers to everything you can do with someone's personal data: collect it, store it, monetize it, destroy it, etc. While a data processing agreement may seem intended to protect the processing manager from legal problems when a data processor does wrong with its data, it does much more. When the processing manager assigns processing activities to a subcontractor, it should only use processors with sufficient safeguards, including expertise, reliability and resources, to implement technical and organizational measures that meet the requirements of this regulation, including for processing security. The contract (or any other legislative act) contains details of the processing. Those responsible for processing can only use subcontractors who can provide sufficient safeguards to take appropriate technical and organizational measures to ensure that their processing meets the requirements of the GDPR and protects the rights of the persons concerned. It may seem at first glance like an overwhelming list, but many items are similar or work in relation to others. Many others are obvious or necessary safeguards to ensure full and open communication between parties who share and process personal data and their supervisory authorities.
For example, if you collect users' personal data on your website and then use a third party to process an aspect of your business strategy, you want to know that this data processor works within the framework of GDPR compliance and does what it should do with your users' important data. In case you don't know yet, according to the GDPR, a processing manager is essentially the owner of the personal data involved. The person in charge of the processing probably collected the data and determined how and why it is processed. Processing managers often use data processors to help them with a large number of tasks. Since the GDPR came into force, data protection authorities have demonstrated their willingness to impose sanctions. And small and medium-sized enterprises have not been neglected. GDPR fines can reach 20 million euros, or 4% of the company's global turnover. Under Article 28, paragraph 3, point (h), the agreement must take into account the fact that the subcontractor must assist the processing manager in fulfilling its obligations, taking into account the type of processing and the information available. Those responsible for processing should carry out a number of due diligence activities concerning the processors they use, which can be grouped into a data protection review, documentation of data processing activities and, of course, verification.