From May 25 2018 any business in the European Union or EEA that processes personal data has to comply with the GDPR. With the GDPR come changes that also affect the data processing agreement. But what exactly are these changes to the processing agreement? And how do they affect existing agreements with your suppliers?
A data processing agreement (DPA) establishes how a processor is to handle personal data. It is an agreement between the controller of the personal data and the party processing the personal data for them. Cloud service providers are generally data processors.
A data processing agreement records things such as the purpose of the data processing. The DPA also includes the kind of personal data that will be processed. When a processor processes personal data for a controller (the person legally responsible), a data processing agreement between both parties is mandatory.
The controller determines the purpose and means of the data processing. A salary slip is a good example: your business processes employees’ personal data, and the business is then responsible for these data.
The processor works with the personal data on behalf of the controller. An example is the payroll office that pays out the salaries for your company.
The controller and the processor have to make agreements about the processing, because both parties are obliged to have such an agreement as part of their documentation. No fixed format is prescribed for the data processing agreement, so you can include it in your own General Terms and Conditions. Do make sure that your General Terms and Conditions are applicable and binding. Most of the time a separate agreement is drawn up to have all the provisions grouped together.
A data processing agreement has to state which data processes it concerns. It also has to include which parties are involved in the processing of certain personal data. It is advisable to include in the data processing agreement who is responsible for reporting any data breaches. Wondering what else should be in a data processing agreement? Or whether your processing agreement is ready for the GDPR? What should definitely be in the processing agreement is in this checklist:
Processing personal data happens all the time. An external helpdesk being able to consult the data is considered processing. When you have already concluded a data processing agreement with your suppliers, chances are that many of the requirements have already been met.
Teaming up with Eshgro means you can rest assured knowing you are using a fully GDPR-compliant cloud service. Do you have any questions about the GDPR? Contact Eshgro for more information.
Starting May 25 2018 any business in the European Economic Area (EEA) that processes personal data has to comply with the GDPR. This regulation replaces existing national legislation. The GDPR states requirements that have to be met when processing personal data. With the new regulation, the EU wants to return control of their personal data to its citizens. There are strict conditions and the GDPR is obligatory. Violations will be heavily penalised, with the risk of high fines of up to €20,000,000 or 4% of your annual turnover! Plenty of reasons to take this seriously.