Sharing data or transferring personal data to a data processor requires due diligence to ensure that data subjects remain protected. One of the main concerns is to ensure that a compliant contract is in place between the data controller and the data processor. All processing by a data processor must be governed by a contract, which stipulates a number of specified clauses and the details of the processing which will take place. These clauses ensure that a legal obligation exists to protect the data subject’s data and their rights. Should any of these clauses not be present, the contract with the data processor should be considered non-compliant.
It is also a requirement that the data processor provides sufficient guarantees that it has ‘technical and organisational measures’ in place to protect personal data. These guarantees may be included in the contract or, where there might be a higher risk to the data subject, it is recommended that these measures be reviewed separately in a data protection security assessment.
If a data processor needs to engage with another data processor when sharing data, then they must first obtain the permission of the data controller in writing before doing so.
Additional safeguards will also be required if the transfer of personal data is an international transfer and the country to which the data is being transferred is not an adequate country under the EU’s adequacy list.
How can ProvePrivacy Help?
ProvePrivacy allows RoPA users to review each data transfer associated with an activity. The Data Sharing Assessment includes Contract, International Safeguards and Security Assessment, and also includes a Data Sharing Agreement Assessment for Joint Controllers.