September 18, 2021

According to the EDPS, the two basic conditions for being a processor are (1) being a separate entity in relation to the controller and (2) processing personal data on behalf of the controller. As a starting point, the Guidelines emphasise that, in accordance with Article 28(1), a controller has an obligation to verify its processors and “be able to demonstrate that it has taken into account legally all the elements provided for by the GDPR”. This often requires “an exchange of relevant documents” such as the privacy policy, terms of use, records of processing activities, records management policies, information security policies, external audit reports, and recognised certifications, such as those of the ISO 27000 series.

Due diligence: Controllers are required to use only processors that offer sufficient guarantees that the processing will meet the requirements of the GDPR, so it is essential that controllers conduct due diligence on their processors (and on any sub-processors those processors engage) to confirm this. The extent of the duty of care is determined on a case-by-case basis according to the risk of the processing. Due diligence generally requires the processor to provide the controller with documents that illustrate the level of guarantees it provides, such as its privacy policy, terms of use, records of processing activities, external audit reports, security standards, international certifications, etc. The verification should cover the expertise, reliability and resources of the processor; its market reputation may also be relevant.

Example: A British company sells holidays in Australia. It sends the personal data of customers who have purchased a holiday to the hotels they have chosen in Australia to secure their bookings.

This is a restricted transfer.

The Privacy Shield imposed requirements on U.S. companies certified under the framework and provided redress mechanisms for individuals. U.S. government departments, such as the Department of Commerce, oversaw certification as part of the programme. (Note that the CJEU invalidated the Privacy Shield as a transfer mechanism in July 2020 in the Schrems II judgment, so it can no longer be relied on for transfers from the EU.)

It is essential to define the details of the processing within the DPA (subject matter, purpose, duration of the processing, types of personal data, categories of data subjects, etc.). For example, for the list of categories of personal data, a mere reference to `personal data referred to in Article 4(1) of the GDPR` or `special categories of personal data referred to in Article 9` would not suffice; instead, the data types should be listed, such as “Health Record Information” or “Trade Union Membership Information.” . . .