b. Investigation. Snap is committed to taking immediate steps to investigate the personal data breach, to identify, prevent and mitigate the effects of such a personal data breach and, with the prior consent of the data controller, to perform any recovery or other action necessary to remedy the personal data breach.

The GDPR requires data processing agreements between data controllers and data processors and also sets requirements for what these agreements must contain. One way to coordinate the madness is Microsoft's ongoing list of contractors with access to customer data. The list includes more than 100 companies and is published with the promise that the names of new subcontractors will be published at least six months before their approval to provide services with customer data. For smaller organizations with much shorter lists of processors, adding new sub-processors can be a more personalized notification process, especially since few organizations have the ability to delay customer data service for up to six months.

GDPR data processing agreements must be particularly detailed. They should include:

a. Notification. In accordance with Article 33 of the GDPR, the UK GDPR and the LGPD, where applicable, Snap will notify the controller without undue delay and, if possible, no more than 72 hours after becoming aware of a personal data breach. Snap will also provide the data controller with a description of the personal data breach, the type of data that was the subject of the personal data breach (to the extent Snap is aware), the categories of data subjects and other information required by applicable data protection law as soon as such information can be collected or becomes available, and Snap will cooperate with any reasonable request from the data controller regarding the personal data breach.

If the processor plans to use sub-processors, a section describing the subcontracting relationships is also required. The processor requires the written consent of the controller for the use of sub-processors, who must ensure data protection and regularly undergo a compliance check. Small businesses often use third-party service providers or data processors to help them with areas that large companies could handle in-house, such as payment processing and customer service. For example, if you operate a small website and use a third-party service to process online payments, you must have a contract in place to ensure that your payment processor handles EU citizens' payment data in accordance with the GDPR. Controllers may only use processors that provide sufficient safeguards to comply with the conditions of the GDPR and ensure the protection of the rights of data subjects. Article 30 requires controllers or their representatives to keep records of the processing activity under their control. This includes processing carried out by the controller's data processor in accordance with a data processing agreement.
If your data processor breaches its compliance obligations, mishandles data, or becomes the victim of a data breach, a data processing agreement can legally protect you by proving that you completed your due diligence to ensure that the company you partnered with followed the appropriate procedures. There are a few other things that data controllers will want to make sure are included in their data processing agreements. Article 28 lays down requirements for the processing of personal data by processors. For example, controllers are required to "use only processors who provide sufficient safeguards for the implementation of appropriate technical and organisational measures" to ensure that the processing complies with the requirements of the GDPR and protects the rights of data subjects. Processors may also not engage sub-processors without the specific or general written consent of the controller.

6. Conduct appropriate background checks and require employees, suppliers and others with access to the customer's personal data to enter into written confidentiality agreements.

Article 35 explains data protection impact assessments, including when and how they are to be carried out. It also mentions how controllers and processors should take into account the other Member State's compliance with contractual agreements (e.g. data processing agreements) when carrying out data protection impact assessments.
In order to ensure that the processor correctly processes the controller's data, a data processing contract is established. A data processing agreement (DPA) is an agreement between a data controller (e.g. a company) and a processor (e.g. a third party). It regulates the processing of personal data for commercial purposes. A DPA may also be called a GDPR data processing agreement. Data controllers must have a DPA with all the data processors they use. Processors must also have a data processing agreement with all sub-processors they use. The GDPR sets out some guidelines on what should be included in a data processing agreement, which we will discuss later in this article.
If your business is GDPR compliant, all the data processors you use should be as well, and that includes having a compliant data processing agreement. Data processing agreements existed long before the GDPR was drafted, and some companies operating in data-driven fields may already have examples of these agreements. The Data Protection Directive, Directive 95/46/EC, contained much stricter requirements for processors, and the responsibility for ensuring compliance lay with the controller. Under the GDPR, both controllers and processors can be held liable for violations and can expect high fines and penalties for non-compliance. Existing documents must therefore be updated to comply with the GDPR. All such records must be kept in writing and made available to a supervisory authority upon request. Organizations with fewer than 250 employees are exempt from these record-keeping requirements unless they process data regularly, or process data that could compromise the rights and freedoms of data subjects, including, but not limited to, the processing of special categories of data or criminal history information. The processor shall take all necessary measures pursuant to Article 32 in relation to data protection and cybersecurity.
(iii) enter into a legally binding contract between you as a data exporter and Snap as or on behalf of Snap; and our data protection authority gives a number of guarantees to companies that entrust us with personal data.