2019-02-12 – The handling of sensitive personal data can be a sensitive issue. The GDPR more or less clearly defines areas of technical and organizational competence. There are several provisions for data processing agreements. However, these regulations are formulated in a theoretical context. Their practical application may leave some aspects obscure. Have you ever wondered whether your case requires a DPA or not? We present five cases that do not require a DPA, although at first glance it looks as though they do.

2.2 Role of contracting parties. Between DigitalOcean and the Customer, the Customer is responsible for personal data and DigitalOcean only processes personal data as a processor on behalf of the Customer. There is nothing in the agreement or this DPA that prevents DigitalOcean from using or transmitting data that DigitalOcean would collect and process independently of the Customer's use of the Services.

Since the GDPR came into force, data protection authorities have demonstrated their willingness to impose sanctions. And small and medium-sized enterprises have not been neglected. GDPR fines can reach 20 million euros, or 4% of the company's global turnover.

2.4 DigitalOcean processing of personal data. As a processor, DigitalOcean processes personal data only for the following purposes: (i) processing for the performance of services in accordance with the agreement; (ii) the treatment to complete all the necessary steps to carry out the contract; and (iii) other appropriate Customer instructions, as long as they comply with the terms of this Agreement and only in accordance with the Customer's documented legal instructions. The parties agree that this DPA and the agreement require full and definitive instructions from the Customer to DigitalOcean regarding the processing of personal data, and that processing outside the scope of these instructions (if any) requires prior written agreement between the Customer and DigitalOcean.

Many CSPs reserve the right to use personal data for different purposes that have not been agreed with their (client) processing manager, which is particularly common when cloud services are provided free of charge by the CSP. Processors are required to hire data processors who provide sufficient assurance that this personal data will be processed in accordance with the GDPR. Organizations must therefore check whether the use of the CSP will result in additional complications and risks and possibly a violation of the GDPR.

Another scenario that involves a derogation from data processing agreements is the organization and conduct of in-depth clinical studies on drugs, which are organized and conducted by several contributors. In this case, different actors have access to the collected data, which can be used for various purposes. This means, for example, that sponsors, study centres and doctors decide how to process data collected in their respective sub-sectors.
For more details, you can read the ProtonMail data processing agreement or the generic model of data processing agreements that we have made available on this site.