Since the GDPR came into force, data protection authorities have demonstrated their willingness to impose sanctions, and small and medium-sized enterprises have not been spared. GDPR fines can reach 20 million euros, or 4% of the company's global turnover.
The agreement requires the processor to take all necessary security measures to meet the security of processing requirements (see Article 32). This term of the contract should make it clear that it is the controller, not the processor, who has overall control over what happens to personal data.
People often refer to a DPA, which has two meanings. The first is the data protection authority and the second is the data processing agreement. Some people talk about a data processing addendum. This is used when there is an existing agreement and you want to add the required data protection clauses by adding an addendum to the existing agreement.
A data processing agreement is a legally binding contract that establishes each party's rights and obligations with respect to the protection of personal data (see "What is personal data?"). Article 28 of the GDPR covers data processing agreements in Section 3:
This site is operated, as you may know, by the encrypted e-mail provider ProtonMail (and partly funded by the European Union's Horizon 2020 programme). As part of our GDPR compliance efforts, we have made our own data processing agreements available to all our users for download, review and signature.
These agreements existed before data protection legislation prescribed them, and they were essential to the protection of controllers and data subjects because they imposed obligations on processors. When a processor acts outside the controller's instructions and itself decides the purpose and means of processing, it is considered a controller in respect of that processing and assumes the same responsibility as a controller.
What does the definition in the GDPR really mean? As before, there must always be a written contract when a company processes personal data on behalf of another company, but even a "basic" clause will now be much longer and more detailed and will often run to a few pages of text. In addition, a processor is only authorized to use data processors that provide sufficient safeguards to implement appropriate technical and organizational measures to meet the requirements of the GDPR and protect the rights of the data subject.