First of all, data processing must sign data processing agreements with the data controllers with whom they work. A data processing agreement is a legally binding agreement (i.e.: A contract that clearly defines the responsibilities and expectations of each customer. It should also include a description of the appropriate security measures taken for the processing of data. If you have a data processing agreement, you will not only ensure that you comply with the GDPR, but also that all third parties you work with are also compliant. The following details are also required in a data processing agreement and are usually mentioned in an appendix for easier reference: A SaaS customer is liable to its customers/end users (whose personal data it collects and processes) in the event of a breach of the GDPR. Since the SaaS provider carries out the processing on behalf of the SaaS customer, the terms of the SaaS agreement, and not only the DPA, should contain appropriate clauses to protect the SaaS provider and the SaaS customer from data protection breaches, taking into account the different responsibilities of the data controller and the processor. Since the entry into force of the General Data Protection Regulation (GDPR) on 25 May 2018, SaaS providers and SaaS customers are legally required to include a written data processing agreement (DS) in the terms of their SaaS contracts. The DPA usually establishes a timeline for the SaaS agreement and must contain the specific and detailed mandatory obligations set out in the GDPR. The CCA must contain certain minimum durations. There is no specific format and controllers usually offer their form of data processing agreement when employing a processor.
The essential requirement is that the content of the data processing agreement complies with the legal requirements of the GDPR and that the contracting parties are free to define the form or layout and any additional clauses they may wish to include (e.g. B data breaches, contacts between the data protection officers of both parties and the procedure for processing a personal data breach in which the personal data the subject matter of the data processing agreement). .