GDPR: Pushing Papers

23 July 2018

A big part of GDPR concerns keeping track of what you do via written documentation. In previous posts, we discussed the different roles, the responsibilities they have, and the types of legal basis under which you can process data. All of this needs to be documented by the controllers and processors, so they can actually show how and why they are processing the data.

The basis of this register is the Data Processing Agreement (DPA), which is a contract between a controller and a processor, or a processor and a sub-processor. This outlines which data can be processed, in what way, and all other conditions regarding the processed data. To be fully compliant with GDPR, the DPA between a processor and a sub-processor should contain the same conditions as the DPA between the controller and the processor.

In practice, this is kind of impossible in some cases, especially when dealing with larger companies. It's not very easy to ask Facebook or Google to change their DPA to be in line with the DPA you've signed with your controller. The GDPR isn't clear on how you should handle these kinds of situations right now, but this will probably become clearer after a couple of months.

So what does this have to do with you?

You need to be able to identify whether you're going to process a new kind of personal data or let a new third party process your data. If this is the case, you need to get it registered and approved. To make our lives easier, there are digitized registers available on the market.

Upcoming topic: We're going to check which kinds of personal data there actually are and how you can identify them.
