Similarly, if, as a controller, you share personal data with an independent controller (i.e. not a joint controller), I recommend reaching an agreement (especially where data sharing is systematic, large-scale or risky), even if the GDPR does not explicitly require it. The agreement helps you justify data sharing and demonstrate compliance issues, and explains how the parties agree to resolve them. Accurately assessing whether data is being transferred to a processor, a joint controller or another independent controller is essential, as the type of agreement you need varies depending on the nature of the other party. If in doubt, seek legal advice. Even if data has been obtained for related and legitimate purposes, the sharing activity itself must be consistent with the principles and provisions of data protection legislation. If a controller is unable to assess the subcontractor's compliance, additional information should be obtained to enable an informed decision as to whether or not the subcontractor's services should be used.
However, there are a number of clauses that should be included in a data-sharing agreement: you can either share data so that the two entities are joint controllers, or so that each of you is an independent controller (or indeed, from controller to processor, although this is not covered in this article). The distinction between a joint controller and an independent controller should be seen here: for example, joint controllers working in the community and voluntary sectors can jointly determine the purposes and means of processing personal data in situations where:
Controllers must carry out a risk assessment of the supplier to ensure that the supplier has the means and the will to comply with data protection standards. The results of the assessment must be documented before the start of the commercial engagement and before the transmission of personal data.
To confirm these legal obligations, it is imperative, in accordance with the GDPR, for controllers to enter into data-sharing agreements with their subcontractors.
This partnership raises questions such as: "If there is a breach of personal data, who is responsible?" This data processing agreement is adapted from the ProtonMail DPA, which is on this page. Organizations can use the following document as part of their compliance with the GDPR. Although Article 26 of the GDPR requires an agreement between joint controllers, it does not require that agreement to be in writing; a written agreement attesting to it is nonetheless a proven method and helps to demonstrate accountability. Contracts between controllers and subcontractors ensure that they understand their obligations, responsibilities and commitments. Contracts also help them comply with the GDPR and help controllers demonstrate compliance to individuals and regulators. Article 28.4 states that the same data protection obligations apply even when a subcontractor assigns another subcontractor to specific processing activities on behalf of the controller. In the event of an infringement, the article specifies that if the other subcontractor does not comply with its data protection obligations, the first processor is fully responsible for fulfilling the obligations of that other subcontractor to the processor. ☐ given the type of processing and the information available, the subcontractor must assist the controller in carrying out its obligations regarding security of processing, notification of personal data breaches and data impact analyses.