You have appropriate procedures in place regarding the work that processors do on your behalf.
Ways to meet our expectations:
- You have written contracts with all processors.
- If you use a processor, you assess the risks to data subjects arising from the processing and make sure those risks are effectively mitigated.
- An appropriate level of management approves the contracts and both parties sign. The level of management required for approval is proportionate to the value and risk of the contract.
- Each contract (or other legal act) sets out details of the processing, including the:
  - subject matter of the processing;
  - duration of the processing;
  - nature and purpose of the processing;
  - type of personal data involved;
  - categories of data subject; and
  - controller’s obligations and rights, in accordance with the list set out in Article 28(3) of the GDPR.
- You keep a record or log of all current processor contracts, which you update when processors change.
- You review contracts periodically to make sure they remain up to date.
- If a processor uses a sub-processor to help with the processing it does on your behalf, the processor has prior written authorisation from your organisation and a written contract with that sub-processor.
Can you answer yes to the following questions?
- Are staff aware of the need for a written contract when using a processor?
- Do staff make sure that contracts are kept up to date?
- Are the risks of using a processor mitigated effectively?
- Do you have an appropriate approval process for contracts?
- Is it easy for staff to find existing contracts where appropriate?