For more information, see the handy note: Brexit – impact on data protection. Treatment by a subcontractor is subject to a contract or other legal act, within the meaning of EU or Member State law, which is mandatory for the subcontractor with regard to the person in charge of the treatment and which defines the purpose and duration of the treatment, the nature and purpose of the treatment, the nature of the personal data and the categories of persons concerned. , as well as the obligations and rights of the person in charge of the treatment. 2 This contract or any other regulatory act requires, among other things, that the subcontractor: the processing managers be required to carry out a risk assessment of the supplier in order to ensure that the seller has the means and the will to comply with data protection standards. The results of the evaluation must be documented before the start of the commercial commitment and before the transmission of personal data.