In situations where a charity shares data on a single, discrete basis that has a limited impact on the privacy of data subjects, it is unlikely that a signed agreement will be necessary. However, it is worth checking that the recipient clearly understands their responsibility for the secure and GDPR-compliant management of information. Similarly, the GDPR requires that, where a controller mandates a processor to process personal data on its behalf, the controller and the processor must enter into a legally binding contract covering that processing of personal data. An important change to this obligation is that the GDPR requires more provisions to be included in data processing contracts. These mandatory provisions are listed below. In simpler situations, the controller who shares the data may consider that a simple confidentiality agreement is all that is necessary. NDDs, for example, can be obtained here. Article 26 of the GDPR provides that joint controllers shall define "in a transparent manner" their respective compliance responsibilities, in particular with regard to the provision of information to data subjects and the exercise of data subjects' rights. An exception applies where EU law or the national law of an EU Member State determines the respective competences.
Examples of joint controllers
Joint controllers working in the community and voluntary sectors may jointly define the purposes and means of the processing of personal data where:
Controllers may only use processors who can provide sufficient guarantees to take appropriate technical and organisational measures to ensure that their processing meets the requirements of the GDPR and the protection of the rights of the data subject. For the agreement to be effective, the parties must agree that it is feasible and practical. Both parties must sign it.
(B) The company wishes to subcontract to the subcontractor certain services that involve the processing of personal data.