Data Protection in the Marketing Department

Responsible businesses often commission external service providers (“processors”) to process personal data if they cannot do so themselves for capacity reasons or lack of expertise. To secure the transfer of data to the processor, a so-called data processing agreement (DPA for short) is required.

According to Art. 4 No. 7 GDPR, the controller is the person who alone or jointly decides on the purpose and means of the processing of personal data. This means that processing by a processor exists if a controller has personal data processed on its behalf.

Service providers who, because of their expertise or special occupation, work independently and are not bound by instructions are not considered processors. These are, for example, tax consultants and lawyers. In these cases, no DPA is necessary.

The aim of the DPA is to ensure that the processor only processes the data entrusted to it for the purposes for which the controller collected the data. In addition, the service provider is obliged to protect the data to an appropriate extent.

The company that has personal data processed by another entity must also ensure data protection in this second instance. The transferred data may only be processed by the processor on the basis of the agreement reached and taking into account the specific instructions of the controller.

The controller thus controls every step of the data processing and remains the master of the data. If a data breach occurs with a processor, the processor must inform the controller immediately.