The adoption of the General Data Protection Regulation (GDPR) has created additional obligations for processors and data controllers, to which subcontracting agreements must adapt.
These new rules have led to a growing awareness of the responsibilities and obligations of subcontractors, as illustrated by the drafting of model contract clauses by subcontractors.
Understanding your role as a GDPR subcontractor
When one entity manages personal data on behalf of another, it is recognized as a processor under the GDPR. This is also the case for "turnkey" solutions that process personal data.
For example, a web development agency has access, as part of its work, to personal data of its professional clients' customers.
This IT service provider must therefore comply with the instructions defined by the data controller (the company owning the site or application) and meet the various obligations incumbent on it under the applicable regulations (Articles 4.7, 4.8 and 28.10 of the GDPR).
On the other hand, if the processor uses the data from this processing on its own behalf (e.g. customer management, accounting), it is considered to be the controller for this specific processing.
Why is it crucial to have a clear GDPR contract?
The controller and processor must draw up a contract that includes several mandatory provisions under Article 28 of the GDPR.
The role of a competent lawyer in this process is to organize the respective obligations of both parties, to integrate all the mandatory provisions according to the situation and to implement these obligations.
How to define and manage data processing?
Your GDPR contract must clearly define the object, duration, nature and purpose of the processing, as well as the categories of data and data subjects.
Any processing operation not provided for in the contract requires written instructions from the controller or renegotiation of the contract.
In addition, this contract makes it possible to provide for the use of other subcontractors by the IT service provider.
Secure GDPR outsourcing with the help of a lawyer
Procedures can be implemented to document compliance with the GDPR, to make documents attesting to that compliance available to the controller at any time, or to ensure that:
- the subcontractor uses GDPR-compliant tools;
- technical security is maintained;
- the processor assists the controller in responding to requests to exercise the rights of data subjects;
- the data controller's instructions are given in writing;
- the processor maintains and draws up a processing register on behalf of the controller.
 
There are many obligations that subcontractors must comply with in the course of their work.
In short, navigating the sometimes murky waters of the GDPR can be complex.
Whether you're a controller or processor, working with a GDPR lawyer to draft your subcontracting agreement will secure your operations, enabling you to comply with the regulations and protect the personal data you process.
If you have any further questions or need help drafting your GDPR subcontracting agreement, please don't hesitate to contact me.

