The entity also contains a separate annex indicating the strict security measures put in place by the processor to ensure data protection. While the notification of breaches to the controller and supervisory bodies is non-negotiable, you may not be required to report them to the data subjects. Article 34 lays down the conditions for informing data subjects as follows:

Article 36 follows the question of the FDFA raised in Article 35, concerning notification to the supervisory authority. It stipulates that controllers must consult the supervisory authority when a DSFA presents a high risk and the controller nevertheless wishes to process the data.

"Processing by a processor shall be covered by a contract or other legal act under Union or Member State law which is binding on the processor vis-à-vis the controller and defines the object and duration of the processing, the nature and purpose of the processing, the nature of the personal data and the categories of data subjects, as well as the obligations and rights of the controller".

The subcontractor is a software development company that has been commissioned by the data controller to provide the data controller with software as a support service for the production of business documents. The content of this DPA reflects the limited amount of personal data processed by the processor for the data controller.

Let us put that in context. Imagine that you are an individual (data subject) who makes online purchases in an e-commerce store.

2.3 The processing of data by the processor includes the acts defined in the agreement.

The controller must report any serious breach of personal data protection to its data protection authority. Here too, the subcontractor plays a role. It must "immediately inform the controller after having become aware of a breach of the protection of personal data".

8. Data protection impact assessment and prior consultation. The processor shall provide the company with appropriate assistance for all data protection impact assessments and prior consultations with supervisory authorities or other competent data protection authorities that the company deems reasonably necessary under Articles 35 or 36 of the GDPR or equivalent provisions of another law on data protection, in any case only with regard to the processing of the company's personal data by, and taking into account the nature of the processing and the information available to, the subcontractors.

13.1. Upon expiry of the term or termination of the agreement, the processor shall destroy or hand over all data in its possession or control (at the choice of the controller). The Data Controller reserves the right to delete personal data from all sites after 90 days if the Data Controller has not chosen either option. This requirement does not apply to the extent that current legislation obliges the processor to retain some or all of the data.

While the GDPR Data Processing Agreement, which you ultimately agree with, may deviate from the aforementioned examples, your data protection authority should serve its ultimate goal of protecting consumer data in all aspects of a data processing agreement if you insert the aforementioned core clauses and comply with the requirements of the GDPR throughout the document.