With regard to the common managers of processing, we believe that the main aspects of the guidelines are: Article 28 sets out the basic rules for subcontractors under the GDPR. A subcontractor may want to use the services of another subcontractor to support the processing it performs on behalf of the controller. In short, this is sometimes called a "subcontractor," although that is not a term of the GDPR itself. Before employing a subcontractor, the original subcontractor must inform the controller and obtain its prior specific or general written authorization.
While a data processing agreement may seem intended to protect the controller from legal problems when a data publisher is wrong about its data, it does much more. In theory, before the GDPR came into force (based on the instructions of the controller), subcontractors would have had to comply with the rules on cross-border data transfers. However, in practice, the possibility of direct legal liability for processors (as well as the contractual liability of processors to processors) creates a new category of risk for processors who make such transfers.
This means that every time a controller uses a subcontractor to process personal data, there is a written contract binding the subcontractor to the controller in respect of its processing activities.
☐ the subcontractor may act only on the documented instructions of the controller, unless required by law to act without those instructions;
Some large data processors will have contracts that they use with all their customers and that might be adapted for this purpose, but it would be wise to ensure that such a contract protects you from your point of view and is not only in the interest of the data processor. Otherwise, it could leave you vulnerable in certain situations.
While this reduces the responsibility of the processor for data mismanagement by the data processor, the contract also requires the processor to perform its duty of care to ensure that the subcontractor it uses is credible and capable. For more details, you can read the ProtonMail data processing agreement or the generic model of data processing agreements that we have made available on this site.
When the processor assigns processing activities to a subcontractor, it should only use processors that offer sufficient safeguards, including expertise, reliability and resources, to implement technical and organizational measures that meet the requirements of this regulation, including for the security of processing.
CNIL, Subcontractor's Guide (2017) – Guidelines from the CNIL, the French supervisory authority, which contain the presentation of the data processing agreement between controllers and subcontractors.