☐ the processor must ensure that the persons processing the data are subject to an obligation of trust;

Article 35 covers data protection impact assessments, including when and how they should be carried out. It also refers to how data controllers and data processors should take into account compliance with contractual agreements (e.g. data processing agreements) by others when carrying out data protection impact assessments. Controllers may only use processors who can provide sufficient guarantees that they are taking appropriate technical and organisational measures to ensure that their processing complies with the requirements of the GDPR and protects the rights of data subjects.

This guide serves as an introduction to data processing agreements – what they are, why they are important, who they are and what they need to say. You can also follow the link to find a template for a GDPR data processing agreement that you can download, customize, and use for your business.

Articles 28 to 36 of the GDPR define the conditions for the exchange of data and the conditions relating to personal data between the controller and the processors. Here are the main topics to cover in your data processing agreement. In essence, a DPA is a form of assurance that the processor performs its duty of care in order to ensure the protection of personal data. For example, if a controller and subcontractor receive a DPA and the processor is the subject of a violation, the CCA could limit the controller's liability in the event of a violation.

☐ the subcontractor must take appropriate measures to ensure the safety of processing;

If you are a business owner subject to the GDPR, it is in your best interest to have a data processing agreement: first of all, it is necessary to comply with the GDPR, but the DPA also gives you the assurance that the data processor you use is qualified and capable.
As mentioned in recital 81, the GDPR sets out certain guidelines on what should be included in a data processing agreement, which we will discuss later in this article.
☐ the processor must delete all personal data at the end of the contract or return them to the controller (at the choice of the controller), and the processor must also delete existing personal data, unless the law requires their retention;

This prevents those responsible from using a data processor that quickly and easily complies with the rules, given that the contract requires the subcontractor to meet certain requirements and the data controller must play his or her part in complying with those requirements. . . .