Even almost five years after the GDPR came into force, the following situation still occurs in some cases: service providers who have been or are to be commissioned to process personal data do not respond to requests to conclude, revise, or update a data processing agreement. This, in turn, presents major challenges for those responsible for data protection. On the one hand, the use of the relevant service provider is desired or may even already be taking place
Strategies for achieving a contract conclusion
First of all, it should be noted that it is generally also in the interest of the service provider or contractor to conclude a contract for data processing. If data processing is carried out despite a non-existent contract, both parties, the controller and the processor alike, are violating their obligations under the GDPR. This constitutes a breach of duty, which can also be punished by the data protection supervisory authorities with a fine (Article 83 (4) (a) GDPR). If a request to conclude a contract for data processing does not elicit a response from the service provider, controllers are well advised to reiterate that this is a (mutual) legal requirement and that the agreement is therefore in the best interests of all parties involved.
Proactivity is required: the case of Kolibri Images
Involving the data protection officer is not only helpful but also essential. It is also advisable to send the service provider a draft contract for review. At this point, we would like to remind you of the fine imposed by the data protection supervisory authority in Hamburg on the company Kolibri Images in 2018 (we reported on this). The mail order company initially proactively contacted the Hessian supervisory authority and stated that a Spanish service provider it used had not sent it a draft contract for order processing despite repeated requests. After Kolibri Images refused to send its own draft, the responsible authority in Hamburg.
When arguments are no longer of any use
Nevertheless, service providers cannot be “forced” to conclude a data processing agreement with the controller, even with sound arguments. If explaining the data protection situation and proactively sending a draft contract prove ineffective, controllers should consider taking more drastic measures and threatening to award the contract elsewhere or terminate the contract if the data processing agreement is not concluded within a previously defined period. If this also proves ineffective, further use of the service regulations and the resulting risk of fines.
What can be learned from this?
Data controllers should consider data protection when selecting service providers who will be granted access to personal data and make the willingness to enter into a contract for data processing a criterion for engagement. If service providers are already operating without a contract (contrary to legal requirements), only the steps described above can be taken, and as a last resort, separation from the respective service provider can be initiated if the latter fails to comply.