Article 28 of the GDPR

Article 28 of the GDPR deals with processors. A processor is an entity that processes personal data on behalf of a controller. The controller is responsible for compliance with the GDPR for all personal data that it processes, including that processed by the processor. Article 28 of the GDPR requires the controller to enter into a written contract with the processor. This contract must define the processor's obligations with regard to the protection of personal data. In particular, the contract must provide for the following: the purposes of the personal data processing; the nature of the personal data to be processed; the duration of the processing; the security measures taken by the processor to protect personal data; the rights of the controller and data subjects; the procedures for notifying personal data breaches. The controller must also ensure that the processor has the necessary human and technical resources to comply with the GDPR. The controller must also be able to monitor the processor in order to ensure that it complies with its personal data protection obligations. In the event of non-compliance with the GDPR by the processor, the controller may be held liable. The data controller may also be required to pay damages to data subjects. Article 28 of the GDPR is important because it ensures that personal data is protected when it is processed by a processor. The controller must take all necessary measures to ensure that the processor complies with its obligations to protect personal data.

Article 28 of the GDPR: processors

The General Data Protection Regulation (GDPR) is a European Union (EU) regulation governing the collection, processing and use of personal data. The GDPR came into force on May 25, 2018 and applies to all organizations that process personal data of people located in the EU, whether those organizations are located in the EU or not.

Article 28 of the GDPR deals with processors. A processor is an entity that processes personal data on behalf of a controller. The controller is responsible for compliance with the GDPR for all personal data it processes, including that processed by the processor.

What is a processor?

A processor is an entity that processes personal data on behalf of a controller. The controller is responsible for compliance with the GDPR for all personal data it processes, including that processed by the processor.

For example, a company selling products online may be responsible for processing customers' personal data, such as name, address and e-mail address. The company may use a processor to host its website, process payments or send e-mails to customers. In this case, the processor will process personal data on behalf of the company and the company will be responsible for compliance with the GDPR for this personal data.

Processor's obligations

Article 28 of the GDPR requires the controller to enter into a written contract with the processor. This contract must define the processor's obligations in terms of personal data protection. In particular, the contract must provide for the following:

  • The purposes of the personal data processing;
  • The nature of the personal data to be processed;
  • The duration of the processing;
  • The security measures taken by the processor to protect personal data;
  • The rights of the controller and data subjects;
  • Procedures for notifying personal data breaches.

The controller must also ensure that the processor has the necessary human and technical resources to comply with the GDPR. The controller must also be able to monitor the processor to ensure that it complies with its personal data protection obligations.

The contract must also specify that the processor is required to comply with the obligations of the GDPR and conform to the company's personal data protection policies and procedures.

The consequences of a processor's failure to comply with the GDPR

In the event of non-compliance with the GDPR by the processor, the controller may be held liable. The controller may also be liable to pay damages to the data subjects.

Examples of processors

Examples of processors are as follows:

  • Web hosts
  • Payment processors
  • E-mail service providers
  • Marketing agencies
  • Accounting firms
  • Lawyers
  • Consultants

How do I choose a processor?

When choosing a processor, it is important to take the following factors into account:

  • The processor's experience in protecting personal data;
  • The processor's security policies and procedures;
  • The processor's ability to comply with the GDPR;
  • The processor's references;
  • The cost of the processor's services.

In brief

Article 28 of the GDPR is important because it ensures that personal data is protected when processed by a processor. The controller must take all necessary measures to ensure that the processor complies with its obligations to protect personal data.

Choosing a processor is an important decision. It's important to consider all the above elements to ensure that the chosen processor will comply with the GDPR and protect your company's personal data.

In the event of non-compliance with the GDPR by the processor, the company may be held liable. The company may also be required to pay damages to data subjects.

This example illustrates the importance of choosing a processor that complies with the GDPR and has the human and technical resources needed to protect personal data.
