When To Use A Data Processing Agreement

GDPR compliance requires data controllers to sign a data processing agreement with all parties acting on their behalf as data processors. If you need definitions of these terms, you can find them in our article “What is the GDPR,” but as a general rule, a data processor is another company you use to help you store, analyze or communicate personal information. For example, if you are a health insurance fund and you share customer information via encrypted emails, that encrypted messaging service is a data processor. Or if you use Matomo to analyze traffic on your site, Matomo would also be a data processor.

The person in charge of the processing (the controller) is the person or company that determines the conditions for processing the data. In software development, it is the customer. A data processor is a person or company that processes data on behalf of a controller in accordance with the controller's instructions. In outsourcing, it is the contractor.

“Responsible”: an organization that determines the purposes and means of processing personal data.

(C) The parties are working to implement a data processing agreement in line with the requirements of the current legal framework for data processing and with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals in the processing of personal data and the free movement of personal data and repealing Directive 95/46/EC (General Data Protection Regulation).

6.1 Processing sites. DigitalOcean can transmit and process customer data in the U.S. and around the world, wherever DigitalOcean, its related companies and/or sub-processors maintain data processing operations.

DigitalOcean uses appropriate safeguards to protect personal data wherever it is processed, in accordance with the requirements of data protection legislation.

To meet the requirements of the GDPR, an organization that, as a data provider, uses the services of a data processor for the processing of personal data on its behalf must enter into a legally binding data processing contract (a written contract or other legal act) with that data processor. Article 28.3 of the GDPR defines what should be included in this written contract.

This guide serves as an introduction to data processing agreements: what they are, why they are important, who they are and what they have to say. You can also follow the link to find a GDPR data processing model that you can download, customize and use for your business.

8.1 To the extent that the customer is not able to independently access relevant personal data within the Services, DigitalOcean (at the customer's expense) will provide appropriate cooperation, given the nature of the processing, to assist the customer with appropriate technical and organizational measures, where possible, to respond to requests from individuals or data protection authorities in relation to the processing of personal data under the agreement. In the event that such a request is addressed directly to DigitalOcean, DigitalOcean will not respond directly to this communication without the customer's prior consent, except under a legal obligation to do so. If DigitalOcean is required to respond to such a request, DigitalOcean will immediately notify the customer and provide a copy of the request, unless prohibited by law from doing so.

The processing manager must ensure that the scope of the subcontractor's CCA does not exceed the original legal basis for data processing. In other words, the outsourcing company should be able to use the data for purposes defined in the agreement.

It is the controller's responsibility to check how the processor uses the data it transmits to them.

☐ given the nature of the processing and the information available, the subcontractor must inform the person in charge of the processing in the execution of its GDPR obligations with regard to the security of the processing, the reporting of data breaches to