Compliance with the EU's General Data Protection Regulation (GDPR) can take a lot of work. You need to make sure that you process your users' personal data in a transparent manner, that you store it securely and that you only ask them for the information you really need. But that is only part of what is needed. International data transfers can be made under certain conditions, even if the third country has received an adequacy decision from the European Commission. The U.S. has not received a matching decision – but transfers are allowed if the U.S. recipient is part of the Privacy Shield Framework. As the processing manager, you are responsible for the confidentiality of consumer data in your possession. Any entity that processes your customers' data must commit to keeping all personal data confidential.
To ensure transparency and accountability, processing managers have 72 hours to report security incidents after they are identified. Processors must report security events to the controller “without undue delay.” In addition, the processor and subcontractor must ensure that anyone working with the data (or having access) processes the data only in accordance with the instructions of the processor (as stated in section 29). Since the law largely applies to data processors, you can require the subcontractor/controller to take the initiative, if necessary, to carry out the activity. The subcontractor must process personal data “only on the documented instructions of the processing manager.” This is the reason for the data processing agreement itself, but it must also be explicitly stated in the agreement. The company also contains a separate schedule that lists the strict security measures put in place by the subcontractor to ensure data protection: in other words, if the processing manager does not provide for specific processing activity under the contract, you can only perform the processing if you request an express authorization. A processor must facilitate the rights of those involved, but may need the help of the data processor.