In large business groups, joint management of basic data or certain categories of data includes operational objects such as products, suppliers, customers and employees. If this data is used by several companies in a group for the parallel conduct of business activities, a CCA is not required.

What does my company need to do to ensure compliance?

First, identify each relationship your company has with suppliers, customers, subcontractors or contractors, agents, resellers, distributors, etc., in which you provide them with personal data or in which you are sharing personal data.

Second, for each of these relationships, identify whether you are the data controller or the data processor. Depending on the answer, you will want to agree on a slightly different data clause: as the data controller, you will inevitably want to pass as many burdens as possible to the data processor, and you will want the processor to be fully responsible for compliance with the law.

Finally, make sure that there is a written contract between the two parties. If there is an existing contract, you must agree on an amendment to that contract (which, in principle, should not be a problem, as the other party should also be interested in amending the contract in order to comply with the GDPR). If you do not have an existing contract, you must enter into a written agreement and ensure that it contains the necessary data clause. Depending on the timetable, you may be able to use the "standard clauses" published by the European Commission or the UK government.
Every contract you enter into that involves a flow of personal data should include an appropriate data clause that complies with the GDPR. The agreement stipulates that the processor may only process personal data in accordance with the documented instructions of the controller (including for international transfers of personal data), except in cases where EU or contract law requires it. It is imperative that the contract be concluded before processing begins.

The following areas of work generally require a DPA:

Another scenario that involves a derogation from data processing agreements is that of in-depth clinical studies on drugs, organized and carried out by several contributors. In this case, different actors have access to the collected data, which can be used for various purposes. This means, for example, that sponsors, study centres and doctors each decide how to process the data collected in their respective sub-sectors.