We recommend that the contract be as clear as possible on how the subcontractor will assist the Federder in fulfilling its obligations. ☐ the subcontractor may act only on the documented instructions of the person in charge of the treatment, unless required by law, without going through those instructions; Both those responsible for the processing and the subcontractors are required, Under Article 32, to take appropriate technical and organisational measures to ensure the security of the personal data they process, which may include, if necessary, the following provisions: The RGPD certainly authorizes the use of standard contractual clauses of the European Commission or an supervisory authority (such as the ICO) in contracts between processors and subcontractors. However, no standard clause is currently available. If you are a transformer and you use a subprocessor to perform the processing on your behalf, you are fully responsible for compliance with the underordle. This means that, under section 82, paragraph 5, if a subcontractor is at fault, they can claim compensation for the subcontractor`s defects. You can then claim compensation from the subcontractor. This provision requires the subcontractor to provide the processing officer with proof that he has followed the entirety of section 28. For example, the subcontractor could do this by providing the necessary information to the processing manager or by submitting to a check or inspection. There are many common issues to discuss contracts and commitments. We have structured the guidelines so that they are discussed first. Then, problems specific to controllers and processors are dealt with separately.
Whether you are one or the other, we recommend that you first read the general sections and then read the sections that are specific to you. This will give you a complete understanding of the subject. A processing manager decides how the data is processed. A processor finalizes the action on behalf of the controller. Individuals and supervisory authorities (such as the OIC) can hold both processors and processors to account if they do not fulfill their responsibilities under the RGPD. ☐ the subcontractor must delete all personal data (at the choice of the processing manager) at the end of the contract or return it to the processing manager, and the subcontractor must also delete existing personal data, unless the law requires its storage; and on 13 September 2017, the UK supervisory authority, the Information Office (“ICO”), issued a draft guideline (the “guidelines”) for contracts between processing managers and subcontractors, in accordance with Article 28 of the RGPD.