Data Sharing Agreement Gdpr Article

Even if data has been obtained for related and legitimate purposes, the sharing activity itself must be consistent with the principles and provisions of data protection legislation. With regard to the first paragraph, point h), the subcontractor immediately informs the person in charge of the processing when he believes that an instruction is contrary to this regulation or other data protection provisions of the Union or Member States. First, does the agreement involve the transfer of personal data from one party to another, or is the data transferred in both directions? If you have legitimate interests, you must inform the people concerned of the data sharing and grant them the right to opt-out. As a general rule, this is done through your privacy policy and you may need to update it and send it to your affected individuals if you have not yet informed them of the data sharing. The person in charge of the processing should only use subcontractors capable of providing sufficient safeguards to take appropriate technical and organisational measures for the implementation of the RGPD and the guarantee of the rights of the persons concerned. (a) personal data is only processed on documented instructions from the person in charge of the processing, including the transfer of personal data to a third country or international organisation, unless required by EU law or by the law of the Member States to which the subcontractor is subject; in this case, the subcontractor informs the person in charge of the processing of this legal requirement prior to processing, unless that law prohibits this information for important public interest reasons; LocalActivities is responsible for the processing because it has opted for the purposes and means of using personal data, i.e. to collect registration information for an event they organized. Brexit: On 31 January 2020, the UK ceased its activities as an EU member state and entered a period of implementation during which it remains subject to EU legislation. During this period, the EU RGPD applies to the UK and the UK generally remains treated as an EU state (and EEA) for data protection purposes in the EEA and the UK. All references to EEA or EU states should therefore be read in this practical note to include the UK by the end of the transposition period. The UK RGPD is not applicable until 31 December 2020 at 11pm and is in effect.

For more information, see the handy note: Brexit – impact on data protection. Treatment by a subcontractor is subject to a contract or other legal act, within the meaning of EU or Member State law, which is mandatory for the subcontractor with regard to the person in charge of the treatment and which defines the purpose and duration of the treatment, the nature and purpose of the treatment, the nature of the personal data and the categories of persons concerned. , as well as the obligations and rights of the person in charge of the treatment. 2 This contract or any other regulatory act requires, among other things, that the subcontractor: the processing managers be required to carry out a risk assessment of the supplier in order to ensure that the seller has the means and the will to comply with data protection standards. The results of the evaluation must be documented before the start of the commercial commitment and before the transmission of personal data.