As a company or organization you work together with other partners such as a Social Secretariat, an accountant, an IT supplier and so on. To share or process data with these companies, you, as the controller, are obliged to draw up a contract that will be signed by them. As a controller you must have a view and certainty about what happens to the personal data that you store. It is certainly not the case that a processor of your data such as a social secretariat lets you sign an agreement, because then a processor would act as a controller.
As the controller, you establish the agreements that must be accepted by the processors!
Is a processor agreement mandatory?
A processing agreement is indeed required to be drawn up and signed by the organizations that can process the personal data through your organization.
The controller and the processor may choose to use an individual agreement or standard contract clauses, which are either established directly by the Commission or by a supervisory authority under the coherence mechanism and subsequently by the Commission.
What must be included in a processing agreement?
The most important topics in a processor agreement or Data Processing Agreement;
A description of the parties
DPO of the processor (if applicable)
The obligation to appropriate technical and organizational security
Conditions for subcontractors
Nature and purpose of the processing
Duration of processing
…