Data managers must be able to demonstrate, upon request, that proper data protection management is in place in the company and that data protection principles are being adhered to. Third parties and counterparties who process your company`s data should enter into a data processing agreement with you. These include Google with its analytics tool and similar services, as well as various marketing and newsletter tools that can be integrated into your website. This includes, for example, payment providers embedded in your online store. The exchange of data within a group is favoured by recital 48 of the RGPD as a „legitimate interest”. The manager, who is part of a group of companies, may transmit personal data within the group of companies, provided that the receiving companies belong to this group of companies, that the group of companies received is headquartered in the EU/EEA, that it has internal administrative purposes and that in the event of a joint agreement, an agreement has been reached in Article 26, paragraph 1, p. 2, of the DSGVO. In case of joint treatment, the Intercompany contract can be included. The legal basis is Article 6, paragraph 1, point (f) of the RGPD. First, one or more people responsible for implementing the RGPD in the company must be identified – this cannot or should not be delegated to data protection. Staff should be made aware of the subject matter and data processing processes must be communicated and documented through work instructions.
To this end, it is necessary, among other things, to establish records of treatment activities. A data processing contract must be concluded for customers, partners, suppliers – in short „transformers „. These commitments will be clarified in the next 5 points. „At the latest now, every data company should know that data processing agreements are needed. What has become evident to many companies continues to generate demand from other companies. If this is not yet the case, ask the relevant data processing providers for a „DPA.” – frank Trautwein. However, order processing must be clearly separated from data transmission, i.e. only in the absence of order processing.
Since these separations are clean, the data should not be pressed into the Intercompany Agreement, the processing of orders. In the end, for another contract, the principle of contractual freedom is gilded – it means that everyone is free to shape them. The concept of an intercompany agreement is also not mandatory – a framework agreement on data protection is also possible.