
Overview of PASERO's personal data handling

When visiting the website, PASERO-MI Ltd. collects Personal Data on its visitors and registered users. We don’t sell your Personal Data to anybody. Read this quick overview or go to the full privacy policy here:

Registration and billing

- To provide the service to you
  • Personal data: name, email address, billing information
  • Third Parties used: Amazon Web Services, ProtonMail, online payment & accounting service provider, accountant
  • Retention: 8 years if required by law

Visitors and cookies

- For user experience & statistics
  • Personal data: IP, browser info, webpage usage information
  • Third Parties used: Amazon Web Services, Google Analytics
  • Retention: 90 days

Content

- Personal data you might upload when using the service
  • Personal data: contract signatories and contacts, name and email address of users, email address of your customers, free text within comments and descriptions
  • Third Parties used: Amazon Web Services
  • Retention: for as long as you have an account

Rights and questions

  • Rights regarding Personal Data for Registered users

PASERO contact information

- If you have any questions
  • PASERO-MI Ltd.
  • H-1221 Budapest, Ady Endre ut 87, Hungary
  • privacy@pasero.me

Data processing agreement – not just a template but qualifying data processors

This is a summary of the article written by Katalin Cseko and published on 6th January 2021 here: https://arsboni.hu/adatfeldolgozoi-szerzodes-nemcsak-egy-checklista/

Can you use a data processing agreement template?

The preparation and integration of the DPA into the main agreement has a significant impact on the future collaboration of the contracting parties. Additionally, it is one of the main documents for both parties to meet GDPR accountability compliance. The selection of a proper data processor and the custom tailoring of the agreement to the specific situation should be part of the negotiation process.

Selecting a proper data processor

A data processor must be well qualified to provide the data processing services. This means not only providing feature-rich services, but also having the technical and organizational measures (TOMs) in place to guarantee the required level of data protection and security. As only the data controller can know the associated risks, and the controller bears the accountability, the required level of TOMs should be negotiated mutually before entering into an agreement. If during the negotiations the data controller cannot gain certainty that the data processor can provide the needed assurances, these concerns should either be addressed in the DPA or a different data processor should be used.

Wider aspects to consider before starting data sharing

Evaluation of the data processor should include a wider investigation into the capabilities of the organization. Do they have enough resources to handle extraordinary events, such as incidents? Are they reliable, and what is their overall reputation? If they had any previous incidents, what did they do to prevent recurrence? Such information is usually collected through questionnaires.

Provisions of the data processing agreement

Depending on the structure of the agreement, clauses related to the data sharing can be integrated into the main text or put into a data processing addendum. In general, for the sake of readability, a separate addendum is usually preferred. The main requirements relating to the provisions are prescribed by the respective data protection law, but the agreement should not just repeat the relevant clauses. The DPA should include a meaningful determination of the responsibilities around the complete data processing, including all rights, accountabilities, and duties. An easy-to-understand description of the complete data processing flow is strongly advised to avoid any misunderstanding. Similarly, the agreement should address individual data subject rights and requests, and the exact processes to be followed in handling them.

Of particular significance is the clarification of the duties associated with the personal data when the agreement is terminated. Data protection law prescribes the general duties for such scenarios, but specific data formats and the burden of organizing eventual data transfers are not prescribed. These should be technically defined as much as possible in the agreement text, considering the complete data flow in which the data processor is integrated.

The final text should be the result of collaboration between multiple disciplines, including legal, business, and IT. This way the agreement will not just be boilerplate but an actual reference to go back to in case of doubt. And through the process, the data controller also has a chance to grow and improve.

Get a demo!

Book a demo and let us show you how we can take on the burden of managing your data processing agreements and help you meet data protection regulatory compliance.
