The controller and the processor conclude a data processing agreement, which stipulates the following:
- Subject of the contract (what data are processed and for what purpose).
- Term of the agreement (how long and until when the data need to be processed, including storage).
- Obligations of the processor (purpose of data processing, means, obligations to observe the principles of data processing).
- Duties of the controller (provision of data, setting of processing purposes, etc.).
- Reporting obligation if a data processing breach is detected.
- Penalties and consequences if a data processing violation is established.
- Conditions for terminating the contract.

Why is it mandatory for the controller to enter into a data processing agreement with the processor?

All responsibility for the processing of personal data lies with the controller (even if all data is processed and stored by the processor). If the supervisory authority (the State Data Inspectorate) imposes a penalty, it will be imposed on the controller. It is therefore important to conclude a legally sound agreement on the processing of personal data, one that clearly sets out the rights and obligations of both parties, the limits of liability and the consequences in the event of a processing breach. The contract is necessary not only in the interests of the controller, but also in the interests of the processor, so that the processor cannot be sued on unfounded claims for damages.