If you are proposing to transfer personal data to third parties and these third parties need consent to process it (for example, they plan to send direct marketing emails to the people concerned), you will also need permission to transmit personal data to these third parties, and these third parties should be explicitly named in the consent. This will help reduce risk and clarify how data can (and cannot) be used, especially when sharing is systematic, contains detailed information or contains special category data.

LocalActivities is therefore responsible for ensuring and demonstrating compliance with data protection principles for this processing, even if the actual processing is done by another company.

The EU's General Data Protection Regulation (GDPR) is more serious about contracts than previous EU data protection rules. If your organization is subject to the GDPR, you must have a written data processing agreement with all data processors. Yes, a data processing agreement is boring paperwork. But it is also one of the most fundamental steps of GDPR compliance and necessary to avoid GDPR sanctions.

This relates to issues such as who is the responsible authority, your role and responsibility to other organizations, and what should be covered by written contractual agreements when transmitting the data. In situations where a charity shares data on a single, discrete basis with a limited impact on the privacy of the individuals involved, it is unlikely that a signed agreement will be necessary.
However, it is worth verifying that the recipient clearly understands their responsibility for the safe and consistent management of information. Although Article 26 of the GDPR requires an agreement between joint controllers, it does not require that agreement to be in writing; a written agreement attesting to it is nonetheless a proven method and helps to demonstrate accountability.

"Controller": the individual or corporation, public authority, agency or any other body that, alone or in conjunction with others, determines the purposes and means of processing personal data; where the purposes and means of this processing are determined by EU law or by Member State law, the controller or the specific criteria for appointing it can be provided for by EU law or by Member State law.

In simpler situations, for the controller that provides the shared data, a simple confidentiality agreement may be all that is needed. You'll find sample NDAs here.

However, depending on the severity and nature of the infringement, there are two levels of fines. GDPR fines for breaches by data processors generally fall under the first level, where fines can be as high as 10 million euros or 2% of global turnover. In any case, it is much less painful to sign a data processing agreement and comply with its terms than to pay a GDPR penalty. We hope this guide will help. Other easy-to-digest help for GDPR compliance can be found in our GDPR checklist.

As the controller, it is your responsibility to ensure that the required contractual conditions are included and adapted to the processing. You also need to think about the need for a written contract (with controller-processor relationships, a contract is a legal requirement under the GDPR) and other steps you can take to ensure that you are responsible.