A so-called data processing agreement must be concluded with each processor of personal data (i.e. someone / an organisation that processes data on behalf of the data controller). This agreement must contain the commitments with regard to the protection of personal data, the security measures and compliance with the obligation to report data breaches.
Among other things, the following must be included in the agreement:
- Purposes of the data processing;
- Type of personal data being processed;
- Categories of data subjects;
- Appropriate security measures;
- Conducting audits;
- Erasure of the data.
