Data Processing Agreement
CRM systems are processors. Therefore, a data processing agreement must be concluded.
Recital 81 of the GDPR also states that only processors that provide sufficient guarantees – in particular in terms of expertise, reliability and resources – that technical and organisational measures are taken, including for the security of the processing, which meet the requirements of the GDPR should be used.
It is therefore important to pay attention to the following points when selecting a new CRM system or reviewing an existing CRM system under data protection law:
- Is the processor reliable? For this, it is helpful to look at empirical values and evaluations.
- Where is the data processed or where is the server located? It is advisable to ensure that the data is processed in Europe. For data transfers to third countries and the USA, the processor should have suitable guarantees in place.
- Which subcontractors are used? The level of data protection agreed between the controller and processor should not be undermined by subcontracting the data processing