3. The CNIL recommends that data processors take three steps: (i) assess the need to appoint a Data Protection Delegate (DPO) but recommends the appointment of a DPD, even if it is not mandatory, and refers to other guidelines for the April 5, 2017 notice on the WP29 DPD; (ii) the analysis and revision of existing contracts to bring them into compliance with Article 28 of the RGPD (examples of clauses to be adapted are proposed in the guide); and (iii) Establish a record of processing activities. If you enter into a service agreement directly with Citrix, this privacy policy applies. Otherwise, only the terms of your contract with partner Citrix apply. Such data processing clauses include both the information required by Article 28 of the RGPD (including various wording options) and some additional ”gilding” clauses (although the RGPD does not necessarily require it, these clauses are useful in reminding data processors of their new and direct responsibilities). Under the RGPD, data publishers themselves have new responsibilities and commitments, and data processors can now pay damages or be fined or otherwise punishable for non-compliance with the RGPD. 5. The CNIL provides practical examples of situations in which a data processor must expect significant administrative financial penalties (up to 2% or 4% of global turnover): 11.1 The subcontractor cannot transfer or authorise the transmission of data to countries outside the EU and/or the European Economic Area (EEA) without the company`s prior written agreement. When personal data processed under this agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the parties ensure that personal data is adequately protected. To do so, contracting parties, unless otherwise agreed, rely on standard contractual clauses approved by the EU for the transfer of personal data. 8.
The data protection impact analysis and the data protection subcontractor provide the company with appropriate support for all data protection impact assessments and prior consultations with supervisory authorities or other data protection authorities; that the company considers reasonably necessary in accordance with section 35 or 36 of the RGPD or equivalent provisions of another data protection law, in any case only with respect to the processing of the company`s personal data by contract processors and taking into account the nature of the processing and information available to processors. The CNIL guide presents in a Q-A format the essential requirements that all data processors must meet by May 25, 2018. The proposal contains the following provisions: (i) purpose, (ii) description of the processing carried out by data processing, (iii) duration of the contract, (iv) obligations of the data handler to the person in charge of the processing, with different possibilities depending on the conditions of sub-processing; (v) processing personal data for the sole purpose of the contract; (vi) processing personal data in accordance with the instructions of the processing manager; (vii) the confidentiality of personal data; (viii) obligations to data processing staff, ix) data protection by default data design and protection, (x) sub-treatment, (xi) information on the subjects, (xii) human rights, (xiii) notification in case of data breach, (xiv) support, (xv) , (xvii) delegated to data protection, (xviii) registration of processing activities, (xix) documentation and (xx) Finally, the CNIL contains standard data processing clauses to be included in service agreements (until standard contractual clauses are adopted by the European Commission – please note that there is no certitud
