Article 29 provides that data must always be processed solely on the instructions of the data controller. In essence, the data controller is the owner of such data and is responsible for it, so no body should ever process such data unless the data controller has invited them to do so (except in cases where Union or Member State law so requires). 8. The data protection impact assessment and prior consultation processor shall provide the undertaking with appropriate assistance for all data protection impact assessments and prior consultations with supervisory or other competent data protection authorities that the undertaking deems reasonably necessary in accordance with Articles 35 or 36 of the GDPR or equivalent provisions of another Data Protection Act. in any case, only with regard to the processing of the company`s personal data by and taking into account the nature of the processing and the information available to the subcontractors. For example, if you collect personal data from users on your website and you use a third party to process an aspect of your business strategy, you want to know that that data caterer is operating within the framework of GDPR compliance and is doing what it should be doing with your users` important data. This data processing agreement is adapted from the ProtonMail DPA that you will find on this page. Organizations can use the document below as part of their GDPR compliance. Whether you are a data controller, a data controller or both, it is important to understand the data processing agreements and have them if necessary. These are the necessary minimum requirements, but the controller and the subcontractor may agree to supplement them with their own conditions.

Each of these terms is discussed below. If you transmit personal data to a processor to perform a task, you should have an agreement with that data provider. That duration of the contract should make it clear that it is the controller and not the processor who has overall control over what happens to the personal data. The GDPR effectively requires data controllers to enter into appropriate processing agreements when using a data processor, whereas these contracts were already essential before the GDPR for the protection of data controllers and their data subjects.