What are the new obligations for the subcontractor ?
According to Article 4 of the GDPR, the subcontractor is "the natural or legal person, public authority, service or other body that processes personal data on behalf of the controller". / p>
A contract must define the obligations of the subcontractor, as specified in Article 28 of the GDPR (for more information, see the FAQ regarding the obligation to draw up a contract between the controller and the contractor).
Thus, it will be necessary for the subcontractor to:
- treat the data only on the basis of the documented instructions of the controller, even with regard to transboundary flows
- to inform on the confidentiality of data
- to inform on the exercise of the rights of data subjects
- to provide appropriate assistance to the person responsible technical and organizational measures, as far as possible, to fulfill the obligation to respond to requests from data subjects
- to provide appropriate support to the controller to ensure compliance with its obligations in view of the nature of the processing and the information available to the subcontractor
- delete the data concerned at the end of processing, or their return to the controller or their conservation if it is required by a national provision or
- provide the controller with all the information necessary to demonstrate compliance with those obligations and to enable audits, including inspections, by the controller or other auditor that it has mandated, and contribute to these audits
- in the case of the recruitment of a subsequent subcontractor, to obtain the prior written authorization of the controller in respect of this recruitment which must be formalized by a contract mentioning all the obligations listed above