Whenever a company that acts primarily as a personal data handler acts as responsible for the processing of a particular set of personal data, it is also jointly responsible for the control of this personal data. 4. Injury Notification – Subcontractors must notify the person in charge of treatment in accordance with the RGPD “immediately after the disclosure of a violation of personal data.” (Article 33, paragraph 2). The processing manager must report a data breach to the data protection authority within 72 hours of notification. In addition, Article 33, paragraph 3, of the RGPD contains a list of obligations to report violations that those responsible for processing must include in their notification to the data protection authority: some other liability clauses provide that the subcontractor compensates the person responsible for the treatment of potential third-party rights and all official sanctions resulting from the subcontractor`s actions. This can be vast and inoperable. The limitation of financial liability under the RGPD has become much more complex than under the Data Protection Act 1998, both because the nature of the obligations imposed on both parties has changed and because the consequences of the offences are much more serious. Parties wishing to limit their exposure should be realistic and not consider that it will be possible or desirable to simply transfer responsibility to the other party in all circumstances, but should adopt a more balanced approach to liability, based on the conditions of the RGPD and the origin of the injury in question. 3.2 Processing outside the scope of this data protection authority or contract requires prior written agreement between the customer and Datazoom regarding additional instructions for processing. If you store or otherwise process personal data on behalf of another company as a data processor, you need to make sure that you have a Dpa to legitimize this. As a general rule, data processing is not of primary interest for the end result of data processing.
A data processor will certainly benefit from the treatment. Otherwise, there would be no reason for them to do so. But they are dealing with personal data because someone has asked them to do it. When the company gives its course and begins to process personal data outside of this agreement, for example. B by collecting additional personal data that it has not been responsible for collecting or processing personal data in an unsealed manner, Article 28, paragraph 10, of the RGPD states that it is considered responsible for processing. For example, a data processor can only hire a subprocessor with the written consent of its processor (this may be a general agreement) The categories of data to which the client`s personal data relates Before we look at liability limitation, we must first consider how liability can be created under the RGPD. Although recital 146 explicitly states that those affected should be entitled to full and effective compensation, the provisions of Article 82 of the RGPD do not limit the scope of this provision to those concerned.