Organizations may receive "love letters" from their data processors claiming that they meet all GDPR requirements. However, such documents are not enough to ensure compliance with GDPR Article 28, which sets out specific and concrete requirements.
To meet GDPR requirements, organizations and their data processors must enter into a Data Processing Agreement (DPA) or Data Processing Amendment. This agreement must include details such as the subject and duration of processing, nature and purpose of processing, type of personal data, categories of data subjects, and the duties and rights of the controller.
The data processor must also ensure that it processes personal data only on documented instructions from the controller and takes the necessary measures to secure that data. It must provide sufficient guarantees that the processing will meet GDPR requirements, including appropriate technical and organizational measures.
If a processor engages another processor for specific processing operations, it must ensure that the same obligations are imposed on that other processor as are stipulated in the contract between the controller and the processor.
If that other processor fails to meet its data protection obligations, the initial processor remains fully responsible towards the controller for the performance of that other processor's obligations.
In short, don't be fooled by love letters. Make sure to enter into a Data Processing Agreement that meets all GDPR requirements to ensure that personal data is processed securely and in compliance with the law.