Where the commissioned service involves the processing of personal data, a data processing agreement will be necessary. The service provider will then be the entity processing personal data (the processor).
Requirements for the entrustment agreement
The applicable personal data protection law, the GDPR, clearly states that if processing is to be carried out on behalf of a developer (data controller), the developer must only use the services of processors that provide sufficient guarantees for the implementation of appropriate technical and organizational measures to ensure that the processing meets the requirements of the GDPR and protects the rights of data subjects. In other words, the developer is responsible for selecting an appropriate processor that understands and complies with the principles of personal data processing.
Article 28 of the GDPR also specifies that data processing by a processor is based on a contract (or other legal instrument subject to EU or local law) binding the processor and the controller, specifying the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, and the obligations and rights of the controller.
Such a data processing agreement (because we will focus on it in this article) must provide in particular that the processor:
processes personal data only on documented instructions from the controller – which also applies to transfers of personal data to a third country or an international organisation – unless such an obligation is imposed on it by Union law or the law of the Member State to which the processor is subject; in such a case, before starting processing, the processor shall inform the controller of this legal obligation, unless that law prohibits the provision of such information on important grounds of public interest;
ensures that persons authorised to process personal data have committed themselves to confidentiality or are subject to an appropriate statutory obligation of confidentiality;
takes all measures required under Article 32 of the GDPR (i.e. security measures);
complies with the terms of use of the services of another processor:
does not use the services of another processor without the prior specific or general written consent of the controller. In the case of general written consent, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes;
If a processor uses another processor to perform specific processing activities on behalf of the controller, the same data protection obligations are imposed on that other processor under the contract as are set out in the contract between the controller and the processor, in particular the obligation to provide sufficient guarantees to implement appropriate technical and organizational measures to protect data. If that other processor fails to comply with its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations;
taking into account the nature of the processing, where possible, helps the controller, through appropriate technical and organisational measures, to fulfil its obligation to respond to requests from the data subject in the exercise of their rights specified in the GDPR (e.g. the right to delete data, update data);
taking into account the nature of the processing and the information available to it, helps the controller to fulfill its obligations regarding: data security, reporting a breach, conducting a data protection impact assessment or prior consultations;
after the end of the provision of services relating to processing, at the choice of the controller, deletes or returns all personal data to the controller and deletes existing copies unless Union or Member State law requires storage of the personal data;
makes available to the controller all information necessary to demonstrate compliance with the obligations set out above and enables and contributes to the controller or an auditor authorised by the controller carrying out audits, including inspections;
immediately informs the controller if, in its opinion, an instruction issued to it constitutes an infringement of the GDPR or other EU or Member State data protection provisions.
The most common cases of entrustment in the development industry
To illustrate when a data processing agreement would be necessary, I'll try to provide a few examples. In practice, these types of services often involve the processing of personal data on behalf of the developer, and therefore, a data processing agreement will be necessary:
storing a database of potential customers on servers, maintaining the IT system,
obtaining personal data at real estate fairs,
obtaining personal data via electronic forms, e.g. when building a landing page,
obtaining personal data from sales intermediaries who act on behalf of the developer (e.g. collecting personal data on forms and in the developer's system),

sending a newsletter or real estate sales offers by a marketing agency,
management of common property, including settlements with owners,
receiving and handling customer complaints,
direct contact with the client to remove the fault in the apartment,
protection of persons and property, in the scope of: monitoring, registration of persons/vehicles.
This is not an exhaustive list, but merely examples of when a data processing agreement should most likely be concluded with a service provider. In reality, depending on the situation and the nature of the collaboration, there may be even more such cases.
Entrustment agreement – what next?
We must remember that simply signing a contract does not guarantee data processing in compliance with the GDPR. The processor's data processing must be periodically verified, for example through inspections or audits. The form of such verification is optional, but the developer, as the data controller, should be able to demonstrate that they verified the processor's level of GDPR compliance before entering into cooperation and regularly throughout it. After all, they are entrusting the processor with processing a mass of sensitive personal data, for which they remain responsible despite outsourcing the service to a professional.