Information Commissioner Data Processing Agreement

The GDPR allows the European Commission and supervisory authorities (such as the OIC) to adopt standard clauses included in contracts between controllers and subcontractors. These clauses can offer a simple way to ensure that contracts between controllers and subcontractors correspond to the GDPR. They may also be part of a certification scheme for the detection of a compliant treatment where the systems have been approved. This term of the contract should make it clear that it is the controller and not the processor who has overall control over what happens to the personal data. Where a processor uses another organisation (i.e. a processor) to assist it in processing personal data for a controller, it must enter into a written contract with that processor. ☐ the subcontractor must take appropriate measures to ensure the safety of processing; 12.1 Confidentiality. Each party shall keep confidential the agreement and information it receives about the other party and its activities related to this agreement ("Confidential Information") and may not use or disclose such confidential information without the prior written consent of the other party, unless: (a) disclosure is required by law; (b) the relevant information is already publicly available. We appreciate the practical reality that it may not be possible for data in backups or archives to be deleted immediately after the termination of a contract. If appropriate security measures are taken, it may be acceptable for the data not to be erased immediately if the retention period is reasonable and the data is then erased as soon as possible, for example in the next deletion/destruction cycle of the processor.

In accordance with Article 28(3)(c), the contract shall oblige the subcontractor to take all necessary security measures to meet the requirements of Article 32 with regard to the safety of processing. See our GDPR security guidelines for more information. 10.2 The company's access and audit rights are only created pursuant to point 10.1, unless the contract grants them other access and audit rights in accordance with the relevant requirements of data protection legislation. In accordance with point (f) of Article 28(3), the contract stipulates that, taking into account the nature of the processing and the information available, the processor must assist the controller in the performance of its obligations. Where a controller uses a processor to process personal data on its behalf, there must be a written contract between the parties. (B) The company wishes to subcontract to the subcontractor certain services that involve the processing of personal data. ☐ the processor must delete all personal data at the end of the contract or return them to the controller (at the choice of the controller), and the processor must also delete existing personal data, unless the law requires their retention; and the contract must contain these conditions in order to ensure the continuous protection of personal data after the end of the contract. This reflects the fact that, ultimately, it is up to the controller to decide what will happen to the personal data processed once the processing has been completed. the transmission of personal data of the company of a subcontractor to a subcontractor or between two entities of a subcontractor, if such transfer was prohibited by data protection legislation (or by the terms of data transfer agreements concluded to address the data protection limitations of data protection legislation); ☐ the processor must undergo audits and inspections.

The processor must also provide the controller with all the information it needs to ensure that both parties comply with their obligations under Article 28. A subcontractor may not use the services of a subcontractor without the prior written or specific authorization of the controller. If an authorization is granted, the subcontractor must enter into a contract with the subcontractor.
