3. Subprocessor (i.e. part four): Although it is not an official RGPD term, subprocessing is a term widely used in practice. A subprocessor is an entity that performs processing operations on behalf of the processor. For example, a third-party CRM (Customer Relationship Management) provider that stores your customers' contact information is part of your own RGPD compliance. If you ask a third party to process or access personal data, that third party becomes a data processor while you are in charge of the data. When the regulation was first introduced, the issue of third parties and their relationship to organizations' compliance with the RGPD received a great deal of attention. When verifying your relationship with third parties, organizations must: A third party performs activities that have an explicit or tacit agreement with an organization for commercial purposes. Under the agreement, companies give third parties the power and legal authority to act on their behalf. In this context, third parties are simply extensions of controllers and primary organizations; therefore, compliance with the RGPD is an organic step in maximizing the effectiveness of all provisions under the regulation.
The RGPD stipulates that those responsible for processing are legally responsible for all acts of an applicable subcontractor, so that any non-compliance by the subcontractor results in non-compliance by the person in charge of the treatment. This form of shared responsibility is important and is a concept that companies should follow in developing their RGPD compliance initiatives. Now that we understand how organizations are classified and their relationships with each other, let's discuss the responsibilities of each type of organization in accordance with the RGPD, as well as the requirements for the conclusion of data protection agreements and some of the high requirements of the RGPD. You will find more information on post-RGPD adhesion during an interview with one of our experts. The most recent EU legislation regulating the circulation of personal data of EU citizens is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation). Among the requirements for the collection, use and protection of personal data in commercial activities, the European Regulation sets out restrictions on the transmission of collected data to third parties, whether for personal use or for the benefit of third parties. Mayer Brown offers this list of some issues that need to be considered when verifying the compliance of your third-party agreements. While this is not obvious, proper documentation of data transfers is essential for each processing manager.