Q-AsMune company doesn`t really care about written contracts – is that a problem? Ignore the broader questions, not record a written agreement, and focus exclusively on the data elements – the answer is: « It`s important. » If you use a subcontractor to process personal data (including basic data such as a person`s name and contact information) on your behalf, or if you are a subcontractor working under the orders of a processing manager, there must be a brief written agreement. In the absence of a written contract, both parties violate the RGPD. Ok, I have a written agreement, if I have to – but can it only cover the data clause? Yes, in theory. The rest of the contract could be unwritten if you wanted to (although there are greater risks associated with not registering a written agreement). Each agreement must contain a data clause? No no. Only contracts in which there is a flow of data from one party to another and the relationship between the parts of the processing managers and the subcontractor. Why do I need to know if I am a data manager or a data publisher? Unlike the old regulations, the RGPD applies to both processors and data processors. On the basis of this basic principle, a processor will inevitably want to place as much burden as possible on the data processor, as he sees it as an opportunity to delegate his responsibilities. If you are responsible for the treatment, this may be your valid goal. On the other hand, as a data controller, you want the person in charge of the processing to be fully responsible for compliance with the law and you do not want to assume additional responsibilities for the respect of people other than those directly submitted to the RGPD. So it`s probably a good idea to have two « standard » data clauses that you can use depending on the situation.
So now I really have to include everything in the above list in my contracts where I reveal or receive personal data? What if I don`t? Yes, that is what you do. That is what the RGPD is asking for.