What Is A Dpa Agreement

Published: December 20th, 2020 by foto-klinika |

In spring 2018, the European Union adopted a regulation covering virtually every company that handles the personal data of EU citizens: the General Data Protection Regulation (GDPR). Under this legislation, any EU country, and any other country that processes the personal data of EU citizens, must take serious measures to ensure its protection. An important element of GDPR compliance is the signing of a Data Processing Agreement (DPA) between data controllers and data processors. What does this mean, and why does it matter for outsourced software development? That is what we will talk about in this post.

Q&A

My business doesn't really care about written contracts. Is that a problem?

Setting aside the broader question of whether to record a written agreement at all, and focusing exclusively on the data elements, the answer is: "It's important." If you use a subcontractor to process personal data (including basic data such as a person's name and contact details) on your behalf, or if you are a subcontractor working under the instructions of a controller, there must be a brief written agreement. In the absence of a written contract, both parties are in breach of the GDPR.

OK, I'll have a written agreement if I have to. But can it cover only the data clause?

Yes, in theory. The rest of the contract could be unwritten if you wanted it to be (although there are greater risks in not recording a written agreement).

Does every agreement need to contain a data clause?

No. Only contracts in which personal data flows from one party to the other, and where the relationship between the parties is that of controller and processor.

Why do I need to know whether I am a data controller or a data processor?

Unlike the old rules, the GDPR applies to both controllers and processors. Given this basic principle, a controller will inevitably want to place as much of the burden as possible on the processor, seeing this as an opportunity to delegate its responsibilities.

If you are the controller, that may be a legitimate goal. If, on the other hand, you are the processor, you want the controller to remain fully responsible for compliance with the law, and you do not want to take on obligations beyond those the GDPR imposes on you directly. So it is probably a good idea to have two "standard" data clauses that you can use depending on the situation.

So now I really have to include everything in the above list in every contract in which I disclose or receive personal data? What if I don't?

Yes, that is what you have to do; it is what the GDPR requires. If you do not, both parties could in theory be fined up to 20 million euros or 4% of worldwide annual turnover (whichever is higher). And if a person can prove that they have suffered damage (even minor reputational damage) as a result of your non-compliance, that person can claim damages against you.