Article 28, paragraph 3, expressly states that “treatment by a subcontractor is subject to a contract or other legal act under EU or Member State law.” This is part of a Voluum (Codewise) data processing agreement that outlines the nature and purposes of the processing it will perform on behalf of processing managers: the RGPD requires that the following information be included in your data processing agreement: although there are many more types of IT services, these are just a few common examples to illustrate the types of situations. require a data processing agreement between the two parties. In this agreement, “customer” means “data responsible,” since Questback is the processor for other companies and those other companies are Questback`s customers and data managers in the relationship. What treatment activities are included? The RGPD does not say, but it gives three scenarios in which you might need one: 5.1. The data processor will implement and maintain data protection security and organization measures throughout the life of the data protection authority to protect personal data from accidental or unlawful destruction, loss, damage or tampering, as well as any disclosure, misuse or other unauthorized processing. , in violation of the requirements of data protection legislation. (i) that the person in charge of the processing has the appropriate legal basis for the transfer and processing of personal data, including, if necessary, the corresponding qualifications of the person concerned; and “treatment by a subcontractor is subject to a contract or other legal act, within the meaning of EU or Member State legislation, which is mandatory for the subcontractor with regard to the person responsible for the treatment and which defines the purpose and duration of the treatment, the nature and purpose of the treatment, the nature of the personal data and the categories of persons concerned , as well as the obligations and rights of the person in charge of the treatment.” As HubSpot uses this agreement with many different controllers, the intro is very widespread. If you are in charge of the processing, you can be more specific and specify which parties are involved in any data processing agreement you have entered into. In recital 81, “at the end of the treatment, the subcontractor should return or delete the personal data at the choice of the person in charge of the treatment on behalf of the person in charge of the processing.” (B) The company wishes to provide the data processor with certain services that involve the processing of personal data.