The subcontractor deletes or returns all personal data at the end of the processing services at the choice of the processing manager. Our DATA AGENCY provides a number of guarantees to companies that entrust us with personal data. For example, ProtonMail`s data processing agreement promises the use of technical security measures, such as encryption, in accordance with Article 32 of the RGPD. In addition, it provides appropriate support to those responsible for processing in the implementation of a data protection impact assessment. If you pass on personal data that you have trusted to another company, a contract should essentially be entered into to ensure that everyone is doing it properly. The processing of the data by the person in charge of the processing should only be treated by the person in charge of the processing. The subcontractor must have adequate information security, must not resort to subcontracting without knowing and the consent of the person in charge of the processing, must cooperate with the authorities in case of request, report to the person in charge of the data protection, as soon as he is aware of them, give the person in charge of the processing the opportunity to carry out audits verifying compliance with the DSGVO , to help the person in charge of the treatment, to respect the rights of the people concerned. , should assist the processing manager in dealing with the consequences of data breaches, delete or return all personal data at the end of the contract, at the choice of the processing manager, and inform the processing manager if the processing instructions violate the RGPD. Since processors and processors are also required to comply with the RGPD, international data transfers should provide appropriate solutions for the transfer of personal data from the EU or, more correctly, to other european Economic Area jurisdictions. Both processors and subcontractors are required to take appropriate technical and organizational measures to ensure the security of the personal data they process, which may include, if necessary, the following: the agreement requires the subcontractor to take all necessary security measures to meet the security requirements of the treatment (see Article 32).
The subcontractor provides the processing manager with all the information necessary to demonstrate compliance with the obligations set out in Article 28 of the RGPD. This includes immediate notification from the processing manager when an instruction is contrary to the RGPD or other European data protection provisions. The RGPD applies to both processing managers and subcontractors based in the EU (for example. B through EU legal entities) but also to all processors and processors who are not established in the EU when processing activities are linked to the provision of goods or services to the persons concerned in the EU (regardless of that: if a payment is necessary) or monitoring the behaviour of people to the extent that such behaviour takes place within the EU.